Introducing TLS 1.3 help in AWS IoT Core


We’re more than happy to announce that AWS IoT Core now helps Transport Layer Safety (TLS) model 1.3 amongst its transport safety choices. TLS 1.3 presents clients enhanced safety and efficiency as in comparison with TLS 1.2. Prospects can configure the TLS model for his or her default Amazon Belief Providers (ATS) knowledge airplane endpoint and for his or her configurable endpoints, be they AWS-managed domains or customized domains. Prospects can concurrently function each TLS 1.2 and TLS 1.3 on both a single knowledge endpoint, or throughout a number of knowledge endpoints, to help and handle a heterogenous fleet of gadgets.

“We’re completely satisfied to be the primary buyer utilizing TLS 1.3 on AWS IoT Core, connecting hundreds of thousands of autos globally. The safety of our autos and automobile knowledge is our high precedence,” stated Brian Black, Supervisor Cloud Transport & Networking – Mercedes-Benz Analysis & Growth North America Inc. “Our newer fashions use the most recent TLS model, 1.3, when connecting to our related automobile platform constructed on AWS IoT Core, making certain any communication is very safe. Nonetheless, we even have older fashions that also use TLS 1.2. AWS IoT Core presents the flexibility to help each TLS variations. It provides our clients flexibility to find out once they wish to replace their vehicles for added safety.”

Help for TLS 1.3 can be prolonged to AWS IoT Core System Advisor. System Advisor now routinely detects and handles the TLS model utilized by the machine. The TLS check instances can be utilized for both TLS 1.2 or 1.3.

On this weblog put up, we summarize the enhancements provided by TLS 1.3, clarify how the characteristic is built-in into AWS IoT Core, and stroll you thru how you can get began with TLS 1.3 endpoints.

TLS 1.3 enhancements

TLS 1.3 presents a number of benefits over 1.2, together with:

  1. Improved safety: stronger cryptographic algorithms and key trade mechanisms.
  2. Quicker handshake: reduces the variety of spherical journeys required for the handshake course of, for sooner connection.
  3. Diminished latency: features a zero round-trip time (0-RTT) mode.
  4. Higher privateness: previous classes can’t be decrypted even when the non-public secret’s compromised sooner or later.
  5. Simplified design: removes some legacy options, making it simpler to implement and keep.
  6. Improved resilience to visitors evaluation: encrypts extra knowledge than earlier variations.

Integration with AWS IoT Core

AWS IoT Core already presents versatile knowledge endpoint and area configuration choices so that you can join your gadgets to the AWS IoT Core knowledge service. You need to use the default Amazon Belief Providers (ATS) knowledge airplane endpoint, or select to configure extra knowledge endpoints. These might have alternate authentication strategies or use a customized area with a user-managed certificates. AWS IoT Core now provides the idea of a configurable TLS safety coverage related to every knowledge endpoint.

Figure 1: Domain configurations with TLS security policies

Determine 1: Area configurations with TLS safety insurance policies

The TLS safety coverage can have one among as much as 5 settings:

  1. TLS 1.2+1.3                            IoTSecurityPolicy_TLS13_1_2_2022_10
  2. TLS 1.3 solely                           IoTSecurityPolicy_TLS13_1_3_2022_10
  3. TLS 1.2 solely                           IoTSecurityPolicy_TLS12_1_2_2022_10
  4. TLS 1+1.1+1.2 (legacy)         IoTSecurityPolicy_TLS12_1_0_2016_01
  5. TLS 1+1.1+1.2 (legacy)         IoTSecurityPolicy_TLS12_1_0_2015_01

Please seek the advice of the TLS coverage desk for full particulars on the TLS variations, TCP ports and cipher suites supported by every coverage.

Present domains and knowledge endpoints default to TLS 1.2 for compatibility with current machine fleets. New domains and knowledge endpoints default to TLS 1.2+1.3. The legacy insurance policies are solely accessible in choose areas and shouldn’t be utilized in new designs.

Utilizing TLS 1.3 with AWS IoT Core

To assign the TLS safety coverage on your knowledge endpoints, chances are you’ll select both the AWS Console or the AWS CLI.

This part covers:

  • Apply TLS 1.3 to your default ATS area machine knowledge endpoint utilizing the AWS Console
  • Apply TLS 1.3 to your AWS-managed area configurable endpoint utilizing the AWS Console
  • Apply TLS 1.3 to your default ATS area machine knowledge endpoint utilizing the AWS CLI
  • Apply TLS 1.3 to your AWS-managed area configurable endpoint utilizing the AWS CLI


AWS IoT Core permissions to:

  • describe-endpoint
  • list-domain-configurations
  • describe-domain-configuration
  • update-domain-configuration

AWS CLI 2.11.17 or better, configured on your native terminal, AWS account, and on your area

Apply TLS 1.3 to your default ATS area machine knowledge airplane endpoint utilizing the AWS Console

Step 1: Replace your ATS knowledge airplane endpoint

  1. Open the AWS IoT console
  2. Within the menu, choose Settings
  3. In System knowledge endpoint, choose the Safety Coverage within the dropdown
Figure 2: Device data endpoint - Select Security Policy

Determine 2: System knowledge endpoint – Choose Safety Coverage

The choice you make within the dropdown routinely saves to the System knowledge endpoint.

Apply TLS 1.3 to your AWS-managed area configurable endpoint utilizing the AWS Console

Step 1: Create a website configuration

  1. Open the AWS IoT console
  2. Within the menu, choose Settings
  3. Click on Create area configuration
  4. Enter Area configuration identify
  5. In Customized area settings panel choose Safety Coverage within the dropdown
  6. Click on Create area configuration to save lots of the brand new configuration
Figure 3: Create domain configuration with TLS1.3 only

Determine 3: Create area configuration with TLS1.3 solely

View new Area configuration in major settings panel.

Figure 4: Saved domain configuration

Determine 4: Saved area configuration

Apply TLS 1.3 to your default ATS area machine knowledge airplane endpoint utilizing the AWS CLI

Step 1: Retrieve your default machine knowledge endpoint utilizing the AWS CLI.

aws iot describe-endpoint --endpoint-type iot:Knowledge-ATS

This returns an endpoint tackle to use your TLS configuration to.

    "endpointAddress": ""

Step 2: Examine the present TLS configuration on your default machine knowledge endpoint.

aws iot describe-domain-configuration --domain-configuration-name "iot:Knowledge-ATS"

This returns the present endpoint configuration particulars together with the safety coverage TLS model:

    "domainConfigurationName": "iot:Knowledge-ATS",     
    "domainConfigurationArn": "arn:aws:iot:us-west-2:AWSACCOUNTID:domainconfiguration/iot:Knowledge-ATS",
    "domainName": "",
    "serverCertificates": [],     
    "domainConfigurationStatus": "ENABLED",
    "serviceType": "DATA",
    "domainType": "ENDPOINT",     
    "lastStatusChangeDate": "2023-03-16T17:57:59.194000+08:00",
    "tlsConfig": {
         "securityPolicy": "IoTSecurityPolicy_TLS12_1_2_2022_10" 

On this instance, the Safety Coverage worth reveals a TLS 1.2 solely coverage. That is the case for endpoints that existed earlier than the discharge of the TLS 1.3 characteristic. All new endpoints default to TLS 1.2 and above. You possibly can select to improve older endpoints to TLS 1.2+1.3 (which permits the server and machine to decide on the very best attainable) or implement TLS 1.3 solely (which might finish in an unsuccessful TLS handshake if the machine is unable to simply accept TLS 1.3).

Step 3: To replace your endpoint configuration to TLS 1.2+1.3 enter the next

aws iot update-domain-configuration --domain-configuration-name "iot:Knowledge-ATS" --tls-config securityPolicy="IoTSecurityPolicy_TLS13_1_2_2022_10"

Step 4: To check your endpoint TLS model compatibility

curl --insecure --verbose --tlsv1.2 --tls-max 1.3

This returns a profitable handshake on the highest degree accessible (TLS 1.3) if configured accurately, together with output just like this:

* SSL connection utilizing TLSv1.3 / AEAD-AES128-GCM-SHA256 

Apply TLS 1.3 to your AWS-managed area configurable endpoint utilizing the AWS CLI

If you happen to use an AWS-managed or customized area for a set of your gadgets, you too can set the endpoint configuration for that area configurable endpoint. Repeat the steps above, changing domain-configuration-name “iot:Knowledge-ATS” together with your customized area configuration identify. For Absolutely-Certified Area identify (FQDN) endpoints, ensure you use the FQDN endpoint URL. See Creating and Configuring AWS-managed domains and Creating and configuring customized domains.

aws iot update-domain-configuration --domain-configuration-name "foobar" --tls-config securityPolicy="IoTSecurityPolicy_TLS13_1_2_2022_10"


On this weblog we launched the advantages of TLS 1.3 and the way it’s built-in into AWS IoT Core. We then walked you thru the method of configuring the TLS model for the various kinds of knowledge endpoints and domains. TLS safety insurance policies allow customers to configure the specified TLS model for the default ATS knowledge airplane endpoint, but additionally for the person’s configurable endpoints and customized domains.

To get began with connecting your TLS 1.2 and 1.3 gadgets to AWS IoT Core, please seek the advice of the developer information or watch “TLS safety insurance policies for AWS IoT Core”.

To be taught extra about AWS IoT companies and options, please go to AWS IoT or contact us.

Concerning the Authors

Greg BreenGreg Breen is a Senior IoT Specialist Options Architect at Amazon Internet Providers. Primarily based in Australia, he helps clients all through Asia Pacific to construct their IoT options. With deep expertise in embedded techniques, he has a specific curiosity in helping product improvement groups to convey their gadgets to market.
Jen O'HehirJen O’Hehir is a Senior Options Architect at Amazon Internet Providers. With a robust background in Mining in Western Australia, Jen enjoys serving to clients new to AWS construct revolutionary and operationally optimized cloud and hybrid options. She has a ardour for liberating OT Knowledge to empower knowledge pushed operational selections and working mannequin enhancements.

Leave a Reply

Your email address will not be published. Required fields are marked *