AWS Security ChangesHomeSearch

AWS AmazonRDS high security documentation change

Service: AmazonRDS · 2025-08-01 · Security-related high

File: AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md

Summary

Updated TLS version support (deprecated TLS 1.0/1.1), added new ciphers, and removed DHE-RSA ciphers

Security assessment

The changes enforce modern encryption standards by deprecating insecure TLS versions and ciphers, directly addressing potential cryptographic vulnerabilities. The removal of DHE-RSA ciphers and emphasis on TLS 1.2+ improves security posture.

Diff

diff --git a/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md b/AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md
index f2075a184..8d1e2bca9 100644
--- a//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md
+++ b//AmazonRDS/latest/AuroraUserGuide/AuroraMySQL.Security.md
@@ -115,2 +115,2 @@ Aurora MySQL version | TLS 1.0 | TLS 1.1 | TLS 1.2 | TLS 1.3 | Default
-Aurora MySQL version 2 | Supported | Supported |  Supported | Not supported | All supported TLS versions  
-Aurora MySQL version 3 (lower than 3.04.0) | Supported  | Supported  | Supported | Not supported | All supported TLS versions  
+Aurora MySQL version 2 | Deprecated | Deprecated |  Supported | Not supported | All supported TLS versions  
+Aurora MySQL version 3 (lower than 3.04.0) | Deprecated | Deprecated | Supported | Not supported | All supported TLS versions  
@@ -142 +142 @@ Set the `tls_version` DB cluster parameter to one of the following values:
-You can also set the `tls_version` parameter as a string of comma-separated list. If you want to use both TLS 1.2 and TLS 1.0 protocols, the `tls_version` parameter must include all protocols from the lowest to the highest protocol. In this case, `tls_version` is set as:
+You can also set the `tls_version` parameter as a string of comma-separated list. If you want to use both TLS 1.2 and TLS 1.3 protocols, the `tls_version` parameter must include all protocols from the lowest to the highest protocol. In this case, `tls_version` is set as:
@@ -145 +145 @@ You can also set the `tls_version` parameter as a string of comma-separated list
-    tls_version=TLSv1,TLSv1.1,TLSv1.2
+    tls_version=TLSv1.2,TLSv1.3
@@ -167,0 +168,3 @@ Cipher | Encryption protocol | Supported Aurora MySQL versions
+`ECDHE-RSA-CHACHA20-POLY1305` | TLS 1.2 | 3.04.0 and higher, 2.11.0 and higher  
+`ECDHE-ECDSA-AES128-SHA` | TLS 1.0 | 3.04.0 and higher, 2.11.0 and higher  
+`ECDHE-ECDSA-AES256-SHA` | TLS 1.0 | 3.04.0 and higher, 2.11.0 and higher  
@@ -175,4 +177,0 @@ Cipher | Encryption protocol | Supported Aurora MySQL versions
-###### Important
-
-`DHE-RSA` ciphers are not supported by Aurora MySQL versions starting from 2.11.0. in Aurora MySQL 2, and starting from 3.04.0 in Aurora MySQL 3.
-
@@ -189 +188 @@ You can also use the [describe-engine-default-cluster-parameters](https://docs.a
-    		"ParameterValue": "DHE-RSA-AES128-SHA,DHE-RSA-AES128-SHA256,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA,DHE-RSA-AES256-SHA256,DHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES256-GCM-SHA384",
+            "ParameterValue": "ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA",
@@ -194 +193 @@ You can also use the [describe-engine-default-cluster-parameters](https://docs.a
-    		"AllowedValues": "DHE-RSA-AES128-SHA,DHE-RSA-AES128-SHA256,DHE-RSA-AES128-GCM-SHA256,DHE-RSA-AES256-SHA,DHE-RSA-AES256-SHA256,DHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES256-GCM-SHA384",
+            "AllowedValues": "ECDHE-RSA-AES128-SHA,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-GCM-SHA256,ECDHE-RSA-AES256-SHA,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-SHA,ECDHE-ECDSA-CHACHA20-POLY1305,ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-ECDSA-AES128-GCM-SHA256,ECDHE-ECDSA-AES128-SHA",