2015/01/07 8:30 AM PST - Update -

Amazon CloudFront:

We have disabled SSLv3 for all customers who use SSL with the default CloudFront domain name (*.cloudfront.net).

----------------------------------------------------------------------------------------

2014/10/24 7:30 PM PDT - Update -

Amazon CloudFront:

Today, we launched the feature that allows customers to disable or enable SSLv3 for Dedicated IP Custom SSL Certificates. Existing distributions created before the launch of this feature will continue to allow SSLv3 by default; customers who want to disable SSLv3 on existing distributions that use Dedicated IP custom SSL can do so using the CloudFront API or AWS Management Console. We recommend that customers disable SSLv3 if their use case allows it. You can read more about how to do this in our documentation.



As a reminder, on November 3rd, 2014, we will begin disabling SSLv3 for ALL customers who use SSL with the default CloudFront domain name (*.cloudfront.net).



----------------------------------------------------------------------------------------

2014/10/17 5:00 PM PDT - Update

Amazon CloudFront:

We'd like to provide three updates regarding our plans for support of SSLv3 in Amazon CloudFront.

Next week, we will add the ability for customers who use Dedicated IP Custom SSL Certificates to choose whether SSLv3 connections are accepted



• Customers can disable or enable SSLv3 for Dedicated IP Custom SSL Certificates via configuration parameters in the Amazon CloudFront API and AWS Management Console.



• Existing distributions created before the launch of this feature will continue to allow SSLv3 by default; customers who want to disable SSLv3 on existing distributions that use Dedicated IP custom SSL can do so using the CloudFront API or AWS Management Console.

Next week, we will also complete deployment of TLS_FALLBACK_SCSV to all the servers in our CloudFront edge locations. With this update, clients that also support TLS_FALLBACK_SCSV cannot have their connections externally downgraded to SSLv3.

Starting on November 3rd, 2014, we will begin disabling SSLv3 for ALL customers who utilize SSL using the default CloudFront (*.cloudfront.net)



• After this point, it will be Amazon CloudFront policy to only allow SSLv3 on Dedicated IP Custom SSL certificates







As indicated in our previous update, customers who use Dedicated IP Custom SSL Certificates can immediately disallow SSLv3 by switching to SNI-Only Custom SSL. SNI-Only Custom SSL distributions deny all SSLv3 connections.

2014/10/15 3:10PM PDT - Update -

We have reviewed all of our services with respect to the recently announced POODLE issue with SSL (CVE-2014-3566). As a security precaution, we recommend that our customers disable SSLv3 where it is possible for them to do so. This includes disabling SSLv3 on both server and client implementations.





AWS API endpoints are not affected by the attack described in the POODLE paper. Instead of using cookies to authenticate users, a unique signature is computed for every request. No action is required from customers that use the AWS SDK or other SDKs to access our API endpoints.





Amazon Linux AMI:

The Amazon Linux AMI repositories now include patches for POODLE (CVE-2014-3566) as well as for the additional OpenSSL issues (CVE-2014-3513, CVE-2014-3568, CVE-2014-3567) that were released on 2014-10-15. Please see https://alas.aws.amazon.com/ALAS-2014-426.html and https://alas.aws.amazon.com/ALAS-2014-427.html for additional information.



Amazon Elastic Load Balancing:

All load balancers created after 10/14/2014 5:00 PM PDT will use a new SSL Negotiation Policy that will by default no longer enable SSLv3.

Customers that require SSLv3 can reenable it by selecting the 2014-01 SSL Negotiation Policy or manually configuring the SSL ciphers and protocols used by the load balancer. For existing load balancers, please follow the steps below to disable SSLv3 via the ELB Management

Console:

1. Select your load balancer (EC2 > Load Balancers).

2. In the Listeners tab, click "Change" in the Cipher column.

3. Ensure that the radio button for "Predefined Security Policy" is selected

4. In the dropdown, select the "ELBSecurityPolicy-2014-10" policy.

5. Click "Save" to apply the settings to the listener.

6. Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.



For more information, please see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-ssl-security-policy.html.



Amazon CloudFront:

Customers who are using Custom SSL certificates with Amazon CloudFront can disable SSLv3 by following the steps below in the CloudFront Management Console:

1. Select your distribution, click "Distribution Settings."

2. Click the "Edit" button on the "General" tab.

3. In the "Custom SSL Client Support" section, select the option that says: "Only Clients that Support Server Name Indication (SNI)"

4. Click "Yes, Edit" to save these revised settings.



For more information, please see http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#cnames-https-dedicated-ip-or-sni



-----------------------------------------------------------------

2014/10/14 7:05PM PDT - Update -

We are reviewing all of our services with respect to the recently announced POODLE issue with SSL (CVE-2014-3566). As a security precaution, we recommend that our customers disable SSLv3 where it is possible for them to do so. This includes disabling SSLv3 on both server and client implementations.

AWS API endpoints are not affected by this issue, and no action is required from customers that use the AWS SDK or other SDKs to access our API endpoints.

We are examining all AWS owned websites for exposure, and we will update this bulletin.

Amazon Linux AMI:

We are evaluating the issue and when patches are available, we will place them in our repository and issue a security bulletin at https://alas.aws.amazon.com/

Amazon Elastic Load Balancing:

All load balancers created after 10/14/2014 5:00 PM PDT will use a new SSL Negotiation Policy that will by default no longer enable SSLv3.

Customers that require SSLv3 can reenable it by selecting the 2014-01 SSL Negotiation Policy or manually configuring the SSL ciphers and protocols used by the load balancer. For existing load balancers, please follow the steps below to disable SSLv3 via the ELB Management

Console:

1. Select your load balancer (EC2 > Load Balancers).

2. In the Listeners tab, click "Change" in the Cipher column.

3. Ensure that the radio button for "Predefined Security Policy" is selected

4. In the dropdown, select the "ELBSecurityPolicy-2014-10" policy.

5. Click "Save" to apply the settings to the listener.

6. Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.

For more information, please see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-ssl-security-policy.html.

Amazon CloudFront:

Customers who are using Custom SSL certificates with Amazon CloudFront can disable SSLv3 by following the steps below in the CloudFront Management Console:

1. Select your distribution, click "Distribution Settings."

2. Click the "Edit" button on the "General" tab.

3. In the "Custom SSL Client Support" section, select the option that says: "Only Clients that Support Server Name Indication (SNI)"

4. Click "Yes, Edit" to save these revised settings.

For more information, please see http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#cnames-https-dedicated-ip-or-sni

-----------------------------------------------------------------



2014/10/14 5:00PM PDT - Update -



We are reviewing all of our services with respect to the recently announced POODLE issue with SSL (CVE-2014-3566). As a security precaution, we recommend that our customers disable SSLv3 where it is possible for them to do so. This includes disabling SSLv3 on both server and client implementations.

AWS API endpoints are not affected by this issue, and no action is required from customers that use the AWS SDK or other SDKs to access our API endpoints.

We are examining all AWS owned websites for exposure, and we will update this bulletin by 7:00 PM Pacific Time October 14, 2014.

Amazon Elastic Load Balancing:

All load balancers created after 10/14/2014 5:00 PM PDT will use a new SSL Negotiation Policy that will by default no longer enable SSLv3.

Customers that require SSLv3 can reenable it by selecting the 2014-01 SSL Negotiation Policy or manually configuring the SSL ciphers and protocols used by the load balancer. For existing load balancers, please follow the steps below to disable SSLv3 via the ELB Management

Console:

1. Select your load balancer (EC2 > Load Balancers).

2. In the Listeners tab, click "Change" in the Cipher column.

3. Ensure that the radio button for "Predefined Security Policy" is selected

4. In the dropdown, select the "ELBSecurityPolicy-2014-10" policy.

5. Click "Save" to apply the settings to the listener.

6. Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.



For more information, please see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-ssl-security-policy.html.



Amazon CloudFront:

Customers who are using Custom SSL certificates with Amazon CloudFront can disable SSLv3 by following the steps below in the CloudFront Management Console:

1. Select your distribution, click "Distribution Settings."

2. Click the "Edit" button on the "General" tab.

3. In the "Custom SSL Client Support" section, select the option that says: "Only Clients that Support Server Name Indication (SNI)"

4. Click "Yes, Edit" to save these revised settings.



For more information, please see http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#cnames-https-dedicated-ip-or-sni



-----------------------------------------------------------------

2014/10/14 3:30PM PDT



We are reviewing all of our services with respect to the recently announced POODLE issue with SSL (CVE-2014-3566). We will update this bulletin by 5:00 PM Pacific Time October 14, 2014

As a security recommendation, we recommend that our customers disable SSLv3 where it is possible for them to do so. This includes disabling SSLv3 on both server and client implementations.



Customers of Elastic Load Balancing can disable SSLv3 for their ELBs by following the steps below to disable SSLv3 via the ELB Management Console:

1. Select your load balancer (EC2 > Load Balancers).

2. In the Listeners tab, click “Change” in the Cipher column.

3. Ensure that the radio button for “Custom Security Policy” is selected.

4. In the “SSL Protocols” section uncheck “Protocol-SSLv3”.

5. Click "Save" to apply the settings to the listener.

6. Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.

For more information, please see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-ssl-security-policy.html

