AWS AmazonRDS high security documentation change
Summary
Updated TLS version support (deprecated TLS 1.0/1.1), added new ciphers, and removed DHE-RSA ciphers
Security assessment
The changes enforce modern encryption standards by deprecating insecure TLS versions and ciphers, directly addressing potential cryptographic vulnerabilities. The removal of DHE-RSA ciphers and emphasis on TLS 1.2+ improves security posture.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md b/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md index f2075a184..8d1e2bca9 100644 --- a//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md +++ b//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md @@ -115,2 +115,2 @@ Aurora MySQL version | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | Default -Aurora MySQL version 2 | Supported | Supported | Supported | Not supported | All supported TLS versions -Aurora MySQL version 3 (lower than 3.04.0) | Supported | Supported | Supported | Not supported | All supported TLS versions +Aurora MySQL version 2 | Deprecated | Deprecated | Supported | Not supported | All supported TLS versions +Aurora MySQL version 3 (lower than 3.04.0) | Deprecated | Deprecated | Supported | Not supported | All supported TLS versions @@ -142 +142 @@ Set the `tls_version` DB cluster parameter to one of the following values: -You can also set the `tls_version` parameter as a string of comma-separated list. If you want to use both TLS 1.2 and TLS 1.0 protocols, the `tls_version` parameter must include all protocols from the lowest to the highest protocol. In this case, `tls_version` is set as: +You can also set the `tls_version` parameter as a string of comma-separated list. If you want to use both TLS 1.2 and TLS 1.3 protocols, the `tls_version` parameter must include all protocols from the lowest to the highest protocol. In this case, `tls_version` is set as: @@ -145 +145 @@ You can also set the `tls_version` parameter as a string of comma-separated list - tls_version=TLSv1,TLSv1.1,TLSv1.2 + tls_version=TLSv1.2,TLSv1.3 @@ -167,0 +168,3 @@ Cipher | Encryption protocol | Supported Aurora MySQL versions +`ECDHE-RSA-CHACHA20-POLY1305` | TLS 1.2 | 3.04.0 and higher, 2.11.0 and higher +`ECDHE-ECDSA-AES128-SHA` | TLS 1.0 | 3.04.0 and higher, 2.11.0 and higher +`ECDHE-ECDSA-AES256-SHA` | TLS 1.0 | 3.04.0 and higher, 2.11.0 and higher @@ -175,4 +177,0 @@ Cipher | Encryption protocol | Supported Aurora MySQL versions -###### Important - -`DHE-RSA` ciphers are not supported by Aurora MySQL versions starting from 2.11.0. in Aurora MySQL 2, and starting from 3.04.0 in Aurora MySQL 3. - @@ -189 +188 @@ You can also use the [describe-engine-default-cluster-parameters](https://docs.a - "ParameterValue": "DHE-RSA-AES128-SHA,DHE-RSA-AES128-SHA256,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA,DHE-RSA-AES256-SHA256,DHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES256-GCM-SHA384", + "ParameterValue": "ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA", @@ -194 +193 @@ You can also use the [describe-engine-default-cluster-parameters](https://docs.a - "AllowedValues": "DHE-RSA-AES128-SHA,DHE-RSA-AES128-SHA256,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA,DHE-RSA-AES256-SHA256,DHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES256-GCM-SHA384", + "AllowedValues": "ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA",