AWS Security ChangesHomeSearch

AWS AmazonS3 documentation change

Service: AmazonS3 · 2025-05-25 · Documentation low

File: AmazonS3/latest/userguide/network-isolation.md

Summary

Added clarification note about TLS 1.3 support limitations in AWS PrivateLink and Multi-Region Access Points

Security assessment

The change documents TLS version support limitations but does not address a specific vulnerability. It adds security-related documentation about TLS implementation details.

Diff

diff --git a/AmazonS3/latest/userguide/network-isolation.md b/AmazonS3/latest/userguide/network-isolation.md
index 3545b7178..5c170ecc8 100644
--- a//AmazonS3/latest/userguide/network-isolation.md
+++ b//AmazonS3/latest/userguide/network-isolation.md
@@ -9 +9,7 @@ As a managed service, Amazon S3 is protected by the AWS global network security
-Access to Amazon S3 via the network is through AWS published APIs. Clients must support Transport Layer Security (TLS) 1.2. We recommend also supporting TLS 1.3. (For more information about this recommendation, see [Faster AWS cloud connections with TLS 1.3](https://aws.amazon.com/blogs/security/faster-aws-cloud-connections-with-tls-1-3/) on the _AWS Security Blog_.) Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Additionally, requests must be signed using AWS Signature V4 or AWS Signature V2, requiring valid credentials to be provided.
+Access to Amazon S3 via the network is through AWS published APIs. Clients must support Transport Layer Security (TLS) 1.2. We recommend also supporting TLS 1.3. (For more information about this recommendation, see [Faster AWS cloud connections with TLS 1.3](https://aws.amazon.com/blogs/security/faster-aws-cloud-connections-with-tls-1-3/) on the _AWS Security Blog_.)
+
+###### Note
+
+TLS 1.3 is supported in all S3 endpoints, except for AWS PrivateLink for Amazon S3 and Multi-Region Access Points.
+
+Clients must also support cipher suites with Perfect Forward Secrecy (PFS) such as Ephemeral Diffie-Hellman (DHE) or Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). Additionally, requests must be signed using AWS Signature V4 or AWS Signature V2, requiring valid credentials to be provided.