[ACTION REQUIRED] - Update your S3 object access to maintain connectivity #216
themightymo asked this question in Q&A (Unanswered)
Replies: 1 comment
This isn't because of Media Cloud, it's because viewers or users or bots (probably bots) are hitting your buckets using outdated browsers.
Media Cloud uses whatever TLS is configured at your server level via whatever curl/openssl package you have installed, so if that's out of date then that might be a problem; you may want to contact whoever admins or does devops for your server. But most likely you are getting this because the public is accessing your bucket with an old broken browser.
We get these emails all the time to support.
Thanks,
Jon.
On Aug 21, 2023, at 10:21 PM, Toby Cryns wrote:
I received the email below from Amazon. They don't make it clear what the offending code is, however, it's possible that Media Cloud is the issue. Do you know if the Media Cloud plugin supports the TLS 1.2 setting out of the box (as described below)?
Thanks,
Toby
Hello,
We have identified TLS 1.0 or TLS 1.1 connections to Amazon Simple Storage Service (Amazon S3) objects hosted in your account, which must be immediately updated for these connections to maintain their access to your S3 objects. Please update your client software as soon as possible to use TLS 1.2 or higher to avoid an availability impact. We recommend considering the time needed to verify your changes in a staging environment before introducing them into production.
As of June 28, 2023, we have begun deploying updates to the TLS configuration for all AWS API endpoints to a minimum of version TLS 1.2 even if you still have connections using these versions. These deployments will complete by no later than December 31, 2023. This update removes the ability to use TLS versions 1.0 and 1.1 with all AWS APIs in all AWS Regions [1].
What actions can I take to maintain access?
To avoid potential interruption, you must update all client software accessing your Amazon S3 objects using TLS 1.0 or 1.1 to use TLS 1.2 or higher. If you are unable or would prefer not to update all impacted clients, we recommend replacing direct client access to the S3 objects with use of a proxy, such as an Amazon CloudFront distribution. This will allow clients to access your S3 objects via Amazon CloudFront using any TLS version you choose to allow. Amazon CloudFront will forward the calls to your S3 objects using TLS 1.2 or higher. For more guidance on how to set up your CloudFront distribution to front your S3 object access, please review this Knowledge Center article [2].
How can I determine the client(s) I need to update?
We have provided the affected S3 bucket(s) in your account following this messaging. In order to gather additional information about the affected objects and user agents performing these calls, we recommend enabling Amazon CloudTrail data events on the affected S3 bucket(s) [3] [4]. The information contained in the S3 data events will help you pinpoint your client software that is responsible for using TLS 1.0 or TLS 1.1, so you may update it accordingly. Additionally, our related AWS Security blog post [1] provides information on how you may use TLS information in the CloudTrail tlsDetails field. Please note there is an associated cost for enabling CloudTrail data events, please see the CloudTrail pricing page for more detail [5]. Another alternative is to use Amazon S3 server-access logs, see the S3 Logging options page for more details and pricing information [6].
How can I enforce connections to my bucket(s) be over TLSv1.2 and above?
As a best practice, and to prepare for our enforcement of TLS 1.2 or higher, we recommend you proactively enforce a minimum of TLS 1.2 directly on all of your shared S3 bucket(s). You may do this by applying a bucket policy with the s3:TlsVersion condition key, as documented in this Knowledge Center article [7].
If you need further guidance or assistance, please contact AWS Support [8] or your Technical Account Manager.
[1] https://aws.amazon.com/blogs/security/tls-1-2-required-for-aws-endpoints
[2] https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-old-tls/
[3] https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging-s3-info.html#cloudtrail-object-level-tracking
[4] https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-cloudtrail-logging-for-s3.html#enable-cloudtrail-events
[5] https://aws.amazon.com/cloudtrail/pricing/
[6] https://docs.aws.amazon.com/AmazonS3/latest/userguide/logging-with-S3.html
[7] https://aws.amazon.com/premiumsupport/knowledge-center/s3-enforce-modern-tls/
[8] https://aws.amazon.com/support
Please see the following for S3 buckets in which object-level calls were made over TLS 1.0 or TLS 1.1 connections between July 30, 2023 and August 14, 2023 (the UserAgent may be truncated due to a limit in the number of characters that can be displayed):
Connections details will be in the following format:
Region | Bucket name(s) | APIAction | TLSVersion | NumCalls | UserAgent
us-east-1 | lavendermagazine-site | REST.GET.BUCKET | TLSv1 | 1 | []
Sincerely,
Amazon Web Services
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
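One way to act on the two recommendations in the quoted AWS notice, finding the TLS 1.0/1.1 clients from CloudTrail S3 data events (the tlsDetails field it mentions) and then enforcing TLS 1.2 with an s3:TlsVersion bucket policy. This is an added example, not Media Cloud code and not anything posted in the thread. The field names follow the CloudTrail S3 data-event schema; the records, bucket name, user agents and IP addresses are constructed for illustration (the bucket name is the one listed in the notice), and the policy shape is the documented NumericLessThan / s3:TlsVersion pattern plus a plaintext-HTTP deny.

```python
"""Triage CloudTrail S3 data events for TLS 1.0/1.1 clients and build the
s3:TlsVersion bucket policy the AWS notice recommends.
Added example, not Media Cloud or AWS code. Field names follow the CloudTrail
S3 data-event schema; every record, bucket, user agent and IP is constructed."""
import json
from collections import Counter, defaultdict

MIN_TLS = (1, 2)
BUCKET = "lavendermagazine-site"  # the bucket named in the notice


def _ev(action, ua, ip, bucket, tls=None):
    """Build a minimal constructed CloudTrail S3 data-event record."""
    ev = {"eventName": action, "userAgent": ua, "sourceIPAddress": ip,
          "requestParameters": {"bucketName": bucket}}
    if tls:  # some records carry no tlsDetails at all
        ev["tlsDetails"] = {"tlsVersion": tls}
    return ev


FIREFOX_XP = "Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0"
SAMPLE_EVENTS = [
    _ev("GetObject", "WordPress/6.3; https://example.org", "203.0.113.10", BUCKET, "TLSv1.2"),
    _ev("ListObjects", "", "198.51.100.7", BUCKET, "TLSv1"),  # empty UA, like "[]" in the notice
    _ev("GetObject", FIREFOX_XP, "192.0.2.44", BUCKET, "TLSv1.1"),
    _ev("GetObject", FIREFOX_XP, "192.0.2.44", BUCKET, "TLSv1.1"),
    _ev("PutObject", "aws-sdk-php/3.281.0 OS/Linux lang/php/8.1", "203.0.113.10", BUCKET, "TLSv1.3"),
    _ev("GetObject", "curl/7.29.0", "203.0.113.99", "other-bucket"),  # no tlsDetails: unclassifiable
]
# A delivered CloudTrail log file is a JSON object with a top-level "Records" list.
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_EVENTS})


def events_from_cloudtrail_json(text):
    """Accept a CloudTrail log file body ({"Records": [...]}) or a bare list."""
    data = json.loads(text)
    return data["Records"] if isinstance(data, dict) else data


def parse_tls_version(label):
    """'TLSv1' -> (1, 0); 'TLSv1.2' -> (1, 2); missing or non-TLS label -> None."""
    if not label or not label.startswith("TLSv"):
        return None
    parts = label[4:].split(".")
    try:
        return (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)
    except ValueError:
        return None


def find_legacy_clients(events, minimum=MIN_TLS):
    """Map bucket -> Counter of (tlsVersion, eventName, userAgent, sourceIP) -> calls
    for every event negotiated below `minimum`; records without tlsDetails are skipped."""
    legacy = defaultdict(Counter)
    for ev in events:
        label = ev.get("tlsDetails", {}).get("tlsVersion")
        ver = parse_tls_version(label)
        if ver is None or ver >= minimum:
            continue
        bucket = ev.get("requestParameters", {}).get("bucketName", "<unknown>")
        key = (label, ev.get("eventName", "?"), ev.get("userAgent") or "[]",
               ev.get("sourceIPAddress", "?"))
        legacy[bucket][key] += 1
    return legacy


def format_report(legacy):
    """Rows in the notice's column order, plus the source IP CloudTrail adds."""
    rows = ["Bucket | APIAction | TLSVersion | NumCalls | UserAgent | SourceIP"]
    for bucket, counter in sorted(legacy.items()):
        for (tls, action, ua, ip), n in counter.most_common():
            rows.append(f"{bucket} | {action} | {tls} | {n} | {ua} | {ip}")
    return rows


def enforce_tls_policy(bucket, minimum="1.2"):
    """Bucket policy denying requests below `minimum`. s3:TlsVersion is absent on
    plaintext HTTP and a missing key makes NumericLessThan false, so a second
    statement denies non-TLS requests through aws:SecureTransport."""
    res = [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "DenyLegacyTLS", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": res, "Condition": {"NumericLessThan": {"s3:TlsVersion": minimum}}},
        {"Sid": "DenyPlaintext", "Effect": "Deny", "Principal": "*", "Action": "s3:*",
         "Resource": res, "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ]}


if __name__ == "__main__":
    found = find_legacy_clients(events_from_cloudtrail_json(SAMPLE_LOG_TEXT))
    print("\n".join(format_report(found)))
    for b in found:
        print(json.dumps(enforce_tls_policy(b), indent=2))
```

Run it against real CloudTrail data by feeding `events_from_cloudtrail_json` the body of a delivered log file instead of `SAMPLE_LOG_TEXT`; the source IP column is what separates a legacy browser in the wild from your own web server hitting the bucket. For the server-side case Jon describes, `curl -sv https://<bucket>.s3.amazonaws.com/ 2>&1 | grep -i 'SSL connection'` shows the TLS version the installed curl/OpenSSL negotiates, and `php -r 'print_r(curl_version());'` shows the OpenSSL build PHP's curl extension is linked against. Applying the policy turns observation into enforcement: the legacy clients it finds start receiving 403s, so stage it as the notice suggests.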
I received the email below from Amazon. They don't make it clear what the offending code is, however, it's possible that Media Cloud is the issue. Do you know if the Media Cloud plugin supports the TLS 1.2 setting out of the box (as described below)?
Thanks,
Toby