AWS Security ChangesHomeSearch

AWS vpc-lattice high security documentation change

Service: vpc-lattice · 2025-05-19 · Security-related high

File: vpc-lattice/latest/ug/https-listeners.md

Summary

Added support for TLS version 1.3 in HTTPS listeners and updated security policy documentation to include TLS 1.3 ciphers

Security assessment

The addition of TLS 1.3 support improves security by enabling stronger encryption protocols. TLS 1.3 removes obsolete cryptographic algorithms, enhances security, and reduces attack surface compared to TLS 1.2. The explicit listing of modern TLS 1.3 ciphers (AES-GCM and CHACHA20) demonstrates security-focused documentation updates.

Diff

diff --git a/vpc-lattice/latest/ug/https-listeners.md b/vpc-lattice/latest/ug/https-listeners.md
index 7bc7ccd1a..c52a24508 100644
--- a//vpc-lattice/latest/ug/https-listeners.md
+++ b//vpc-lattice/latest/ug/https-listeners.md
@@ -11 +11 @@ A listener is a process that checks for connection requests. You define a listen
-You can create an HTTPS listener, which uses TLS version 1.2 to terminate HTTPS connections with VPC Lattice directly. VPC Lattice will provision and manage a TLS certificate that is associated with the VPC Lattice generated Fully Qualified Domain Name (FQDN). VPC Lattice supports TLS on HTTP/1.1 and HTTP/2. When you configure a service with an HTTPS listener, VPC Lattice will automatically determine the HTTP protocol via Application-Layer Protocol Negotiation (ALPN). If ALPN is absent, VPC Lattice defaults to HTTP/1.1.
+You can create an HTTPS listener, which uses TLS version 1.2 or TLS version 1.3 to terminate HTTPS connections with VPC Lattice directly. VPC Lattice will provision and manage a TLS certificate that is associated with the VPC Lattice generated Fully Qualified Domain Name (FQDN). VPC Lattice supports TLS on HTTP/1.1 and HTTP/2. When you configure a service with an HTTPS listener, VPC Lattice will automatically determine the HTTP protocol via Application-Layer Protocol Negotiation (ALPN). If ALPN is absent, VPC Lattice defaults to HTTP/1.1.
@@ -32 +32 @@ To ensure that your application decrypts the traffic, create a TLS listener inst
-VPC Lattice uses a security policy that is a combination of the TLSv1.2 protocol and a list of SSL/TLS ciphers. The protocol establishes a secure connection between a client and a server and helps to ensure that all data passed between the client and your service in VPC Lattice is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data. During the connection negotiation process, the client and VPC Lattice present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.
+VPC Lattice uses a security policy that is a combination a TLSv1.2 protocol and a list of SSL/TLS ciphers. The protocol establishes a secure connection between a client and a server and helps to ensure that all data passed between the client and your service in VPC Lattice is private. A cipher is an encryption algorithm that uses encryption keys to create a coded message. Protocols use several ciphers to encrypt data. During the connection negotiation process, the client and VPC Lattice present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the server's list that matches any one of the client's ciphers is selected for the secure connection.
@@ -34 +34 @@ VPC Lattice uses a security policy that is a combination of the TLSv1.2 protocol
-VPC Lattice uses the TLSv1.2 protocol and the following SSL/TLS ciphers in this order of preference:
+VPC Lattice uses the following TLS 1.2 SSL/TLS ciphers in this order of preference:
@@ -54,0 +55,11 @@ VPC Lattice uses the TLSv1.2 protocol and the following SSL/TLS ciphers in this
+VPC Lattice also uses the following TLS 1.3 SSL/TLS ciphers in this order of preference:
+
+  * `TLS_AES_128_GCM_SHA256`
+
+  * `TLS_AES_256_GCM_SHA384`
+
+  * `TLS_CHACHA20_POLY1305_SHA256`
+
+
+
+