2014/10/14 7:05PM PDT - Update -
We are reviewing all of our services with respect to the recently announced POODLE issue with SSL (CVE-2014-3566). As a security precaution, we recommend that our customers disable SSLv3 where it is possible for them to do so. This includes disabling SSLv3 on both server and client implementations.
AWS API endpoints are not affected by this issue, and no action is required from customers that use the AWS SDK or other SDKs to access our API endpoints.
We are examining all AWS owned websites for exposure, and we will update this bulletin.
Amazon Linux AMI:
We are evaluating the issue and when patches are available, we will place them in our repository and issue a security bulletin at https://alas.aws.amazon.com/
Amazon Elastic Load Balancing:
All load balancers created after 10/14/2014 5:00 PM PDT will use a new SSL Negotiation Policy that will by default no longer enable SSLv3.
Customers that require SSLv3 can re-enable it by selecting the 2014-01 SSL Negotiation Policy or manually configuring the SSL ciphers and protocols used by the load balancer. For existing load balancers, please follow the steps below to disable SSLv3 via the ELB Management Console:
1. Select your load balancer (EC2 > Load Balancers).
2. In the Listeners tab, click "Change" in the Cipher column.
3. Ensure that the radio button for "Predefined Security Policy" is selected.
4. In the dropdown, select the "ELBSecurityPolicy-2014-10" policy.
5. Click "Save" to apply the settings to the listener.
6. Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.
For more information, please see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-ssl-security-policy.html.
Amazon CloudFront:
Customers who are using Custom SSL certificates with Amazon CloudFront can disable SSLv3 by following the steps below in the CloudFront Management Console:
1. Select your distribution, click "Distribution Settings."
2. Click the "Edit" button on the "General" tab.
3. In the "Custom SSL Client Support" section, select the option that says: "Only Clients that Support Server Name Indication (SNI)"
4. Click "Yes, Edit" to save these revised settings.
For more information, please see http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#cnames-https-dedicated-ip-or-sni
-----------------------------------------------------------------
2014/10/14 5:00PM PDT - Update -
We are reviewing all of our services with respect to the recently announced POODLE issue with SSL (CVE-2014-3566). As a security precaution, we recommend that our customers disable SSLv3 where it is possible for them to do so. This includes disabling SSLv3 on both server and client implementations.
AWS API endpoints are not affected by this issue, and no action is required from customers that use the AWS SDK or other SDKs to access our API endpoints.
We are examining all AWS owned websites for exposure, and we will update this bulletin by 7:00 PM Pacific Time October 14, 2014.
Amazon Elastic Load Balancing:
All load balancers created after 10/14/2014 5:00 PM PDT will use a new SSL Negotiation Policy that will by default no longer enable SSLv3.
Customers that require SSLv3 can re-enable it by selecting the 2014-01 SSL Negotiation Policy or manually configuring the SSL ciphers and protocols used by the load balancer. For existing load balancers, please follow the steps below to disable SSLv3 via the ELB Management Console:
1. Select your load balancer (EC2 > Load Balancers).
2. In the Listeners tab, click "Change" in the Cipher column.
3. Ensure that the radio button for "Predefined Security Policy" is selected.
4. In the dropdown, select the "ELBSecurityPolicy-2014-10" policy.
5. Click "Save" to apply the settings to the listener.
6. Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.
For more information, please see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-ssl-security-policy.html.
Amazon CloudFront:
Customers who are using Custom SSL certificates with Amazon CloudFront can disable SSLv3 by following the steps below in the CloudFront Management Console:
1. Select your distribution, click "Distribution Settings."
2. Click the "Edit" button on the "General" tab.
3. In the "Custom SSL Client Support" section, select the option that says: "Only Clients that Support Server Name Indication (SNI)"
4. Click "Yes, Edit" to save these revised settings.
For more information, please see http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html#cnames-https-dedicated-ip-or-sni
-----------------------------------------------------------------
2014/10/14 3:30PM PDT
We are reviewing all of our services with respect to the recently announced POODLE issue with SSL (CVE-2014-3566). We will update this bulletin by 5:00 PM Pacific Time October 14, 2014.
As a security precaution, we recommend that our customers disable SSLv3 where it is possible for them to do so. This includes disabling SSLv3 on both server and client implementations.
Customers of Elastic Load Balancing can disable SSLv3 for their ELBs by following the steps below to disable SSLv3 via the ELB Management Console:
1. Select your load balancer (EC2 > Load Balancers).
2. In the Listeners tab, click "Change" in the Cipher column.
3. Ensure that the radio button for "Custom Security Policy" is selected.
4. In the "SSL Protocols" section uncheck "Protocol-SSLv3".
5. Click "Save" to apply the settings to the listener.
6. Repeat these steps for each listener that is using HTTPS or SSL for each load balancer.
For more information, please see http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-ssl-security-policy.html
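The console steps above (and the equivalent ones in the 5:00 PM and 7:05 PM updates) have to be repeated per listener and per load balancer, so an account with many ELBs needs a way to find the listeners that still negotiate SSLv3. The following audit is an added example, not code from the AWS bulletin: it works over records shaped like the output of `aws elb describe-load-balancers` and `aws elb describe-load-balancer-policies` for classic load balancers, and reports every HTTPS/SSL listener whose attached SSL negotiation policy still has `Protocol-SSLv3` set to true. The sample data embedded below is constructed to exercise the cases a reviewer meets (reference policy 2014-10, reference policy 2014-01, a hand-built custom policy, and a listener with no SSL policy attached at all); the load balancer and policy names in it are made up, and the field names are assumed to follow the classic ELB API.

```python
import json

# Constructed sample shaped like `aws elb describe-load-balancers` output for
# classic load balancers (only the fields the audit reads are included).
SAMPLE_LOAD_BALANCERS = json.loads("""
{
  "LoadBalancerDescriptions": [
    {"LoadBalancerName": "web-prod",
     "ListenerDescriptions": [
       {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
        "PolicyNames": ["web-prod-ssl-2014-10"]},
       {"Listener": {"Protocol": "HTTP", "LoadBalancerPort": 80},
        "PolicyNames": []}]},
    {"LoadBalancerName": "legacy-api",
     "ListenerDescriptions": [
       {"Listener": {"Protocol": "SSL", "LoadBalancerPort": 8443},
        "PolicyNames": ["legacy-api-ssl-2014-01"]}]},
    {"LoadBalancerName": "custom-ciphers",
     "ListenerDescriptions": [
       {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
        "PolicyNames": ["hand-built-policy"]}]},
    {"LoadBalancerName": "no-policy",
     "ListenerDescriptions": [
       {"Listener": {"Protocol": "HTTPS", "LoadBalancerPort": 443},
        "PolicyNames": []}]}
  ]
}
""")

# Constructed sample shaped like `aws elb describe-load-balancer-policies`
# output (one call per load balancer), keyed here by load balancer name.
SAMPLE_POLICIES = {
    "web-prod": [{"PolicyName": "web-prod-ssl-2014-10",
                  "PolicyTypeName": "SSLNegotiationPolicyType",
                  "PolicyAttributeDescriptions": [
                      {"AttributeName": "Reference-Security-Policy",
                       "AttributeValue": "ELBSecurityPolicy-2014-10"},
                      {"AttributeName": "Protocol-SSLv3", "AttributeValue": "false"},
                      {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]}],
    "legacy-api": [{"PolicyName": "legacy-api-ssl-2014-01",
                    "PolicyTypeName": "SSLNegotiationPolicyType",
                    "PolicyAttributeDescriptions": [
                        {"AttributeName": "Reference-Security-Policy",
                         "AttributeValue": "ELBSecurityPolicy-2014-01"},
                        {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
                        {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]}],
    "custom-ciphers": [{"PolicyName": "hand-built-policy",
                        "PolicyTypeName": "SSLNegotiationPolicyType",
                        "PolicyAttributeDescriptions": [
                            {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
                            {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"}]}],
    "no-policy": [],
}

TLS_LISTENER_PROTOCOLS = ("HTTPS", "SSL")


def sslv3_exposure(load_balancers, policies_by_lb):
    """Return one finding per HTTPS/SSL listener that may still accept SSLv3.

    A listener is reported when its SSL negotiation policy sets
    Protocol-SSLv3 to true, or when it has no SSL negotiation policy at all:
    in the latter case the effective default depends on when the load
    balancer was created (the bulletin changed the default on 10/14/2014),
    so it needs a manual check rather than a silent pass.
    """
    findings = []
    for lb in load_balancers["LoadBalancerDescriptions"]:
        name = lb["LoadBalancerName"]
        policies = {p["PolicyName"]: p for p in policies_by_lb.get(name, [])}
        for desc in lb["ListenerDescriptions"]:
            listener = desc["Listener"]
            if listener["Protocol"] not in TLS_LISTENER_PROTOCOLS:
                continue  # plaintext listeners never negotiate SSL/TLS
            ssl_policies = [policies[n] for n in desc["PolicyNames"]
                            if n in policies
                            and policies[n]["PolicyTypeName"] == "SSLNegotiationPolicyType"]
            if not ssl_policies:
                findings.append({"load_balancer": name, "port": listener["LoadBalancerPort"],
                                 "policy": None,
                                 "reason": "no SSL negotiation policy attached; default depends on creation date"})
                continue
            for pol in ssl_policies:
                attrs = {a["AttributeName"]: a["AttributeValue"]
                         for a in pol["PolicyAttributeDescriptions"]}
                if attrs.get("Protocol-SSLv3", "false").lower() == "true":
                    findings.append({"load_balancer": name, "port": listener["LoadBalancerPort"],
                                     "policy": pol["PolicyName"],
                                     "reason": "Protocol-SSLv3 enabled"})
    return findings


if __name__ == "__main__":
    for f in sslv3_exposure(SAMPLE_LOAD_BALANCERS, SAMPLE_POLICIES):
        print(f"{f['load_balancer']}:{f['port']} policy={f['policy']} -> {f['reason']}")
```

To run it against a real account, replace the two constructed samples with the parsed JSON from the two `aws elb` describe calls; each listener the report lists is one to fix with the console steps in this bulletin (or by switching it to the `ELBSecurityPolicy-2014-10` predefined policy), and the "no policy attached" entries are the ones to confirm by hand.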