AWS ses documentation change
Summary
Added documentation for mTLS ingress endpoints including configuration requirements, service names, and updated TLS policy details to include mTLS on private networks. Removed restriction that mTLS is only for public endpoints.
Security assessment
This change adds documentation for mTLS (mutual TLS) authentication feature for ingress endpoints, which is a security enhancement that requires client certificate authentication. The update expands mTLS support to private networks (VPC endpoints) where it was previously documented as unavailable. This improves security documentation but doesn't indicate a specific security issue was fixed.
Diff
diff --git a/ses/latest/dg/eb-ingress.md b/ses/latest/dg/eb-ingress.md index a92d4db8f..7a946a996 100644 --- a//ses/latest/dg/eb-ingress.md +++ b//ses/latest/dg/eb-ingress.md @@ -170,0 +171,10 @@ Configuration requirements: + * mTLS ingress endpoint – Mail sent to your domain must come from clients that present a TLS client certificate signed by one of the CAs in the ingress endpoint's trust store. See Mutual TLS (mTLS) authentication for ingress endpoints. + +Configuration requirements: + + * Create a private mTLS ingress endpoint by associating it with a VPC endpoint ID you own. + + * Supported ports: 25, 587 + + * Supports STARTTLS: Yes + @@ -187,0 +198,2 @@ To use a VPC endpoint with an SES ingress endpoint, the following requirements m + * mTLS ingress endpoint – `com.amazonaws.`region`.mail-manager-smtp.mtls` + @@ -191,0 +204,2 @@ To use a VPC endpoint with an SES ingress endpoint, the following requirements m + * FIPS mTLS ingress endpoint – `com.amazonaws.`region`.mail-manager-smtp.mtls.fips` + @@ -244 +258 @@ Not all TLS policy values are valid for every combination of ingress endpoint ty - * FIPS – Can be used with all ingress endpoint types (open, authenticated, and mTLS) on public networks, and with open and authenticated ingress endpoints on private networks, but only in US and Canada regions. Once set, `FIPS` cannot be changed to another value through an update. If you need a different TLS policy, you must create a new ingress endpoint. + * FIPS – Can be used with all ingress endpoint types (open, authenticated, and mTLS) on both public and private networks, but only in US and Canada regions. Once set, `FIPS` cannot be changed to another value through an update. If you need a different TLS policy, you must create a new ingress endpoint. @@ -246 +260 @@ Not all TLS policy values are valid for every combination of ingress endpoint ty - * REQUIRED – Can be used with all ingress endpoint types in all regions. However, for authenticated and mTLS ingress endpoints on public networks, `REQUIRED` can only be set at creation time—it cannot be changed through an update. For open ingress endpoints (public or private) and authenticated ingress endpoints on private networks, `REQUIRED` can be set at creation time and changed through an update. Note that `REQUIRED` is not available for authenticated or mTLS ingress endpoints on public networks in US and Canada regions, where `FIPS` is used instead. + * REQUIRED – Can be used with all ingress endpoint types in all regions. However, for authenticated and mTLS ingress endpoints on public networks, `REQUIRED` can only be set at creation time—it cannot be changed through an update. For open ingress endpoints (public or private) and authenticated or mTLS ingress endpoints on private networks, `REQUIRED` can be set at creation time and changed through an update. Note that `REQUIRED` is not available for authenticated or mTLS ingress endpoints on public networks in US and Canada regions, where `FIPS` is used instead. @@ -270,4 +283,0 @@ Mutual TLS (mTLS) authentication requires connecting SMTP clients to present a T -###### Important - -mTLS authentication is only available for public ingress endpoints. Amazon VPC endpoints do not support mTLS authentication. -