Configuring TLS settings in domain configurations
Note: This feature is not available in China.
Amazon IoT Core provides predefined security policies for you to customize your Transport Layer Security (TLS) settings for TLS 1.2
The following table describes the security policies, their TLS versions, and supported regions:
| Security policy name | Supported Amazon Web Services Regions |
|---|---|
| IoTSecurityPolicy_TLS13_1_3_2022_10 | All Amazon Web Services Regions |
| IoTSecurityPolicy_TLS13_1_2_2022_10 | All Amazon Web Services Regions |
| IoTSecurityPolicy_TLS12_1_2_2022_10 | All Amazon Web Services Regions |
| IoTSecurityPolicy_TLS12_1_0_2016_01 | ap-east-1, ap-northeast-2, ap-south-1, ap-southeast-2, ca-central-1, cn-north-1, cn-northwest-1, eu-north-1, eu-west-2, eu-west-3, me-south-1, sa-east-1, us-east-2, us-west-1 |
| IoTSecurityPolicy_TLS12_1_0_2015_01 | ap-northeast-1, ap-southeast-1, eu-central-1, eu-west-1, us-east-1, us-west-2 |
The names of the security policies in Amazon IoT Core include version information based on the year and month that they were released. If you create a new domain configuration, the security policy defaults to IoTSecurityPolicy_TLS13_1_2_2022_10. For a complete table of security policies with details of protocols, TCP ports, and ciphers, see Security policies. Amazon IoT Core doesn't support custom security policies. For more information, see Transport security in Amazon IoT Core.
To configure TLS settings in domain configurations, you can use the Amazon IoT console or the Amazon CLI.
Configure TLS settings in domain configurations (console)
To configure TLS settings using the Amazon IoT console
- Sign in to the Amazon Web Services Management Console and open the Amazon IoT console.
- To configure TLS settings when you create a new domain configuration, follow these steps.
  - In the left navigation pane, choose Settings, and then, from the Domain configurations section, choose Create domain configuration.
  - In the Create domain configuration page, in the Custom domain settings - optional section, choose a security policy from Select security policy.
  - Follow the widget and complete the rest of the steps. Choose Create domain configuration.
- To update TLS settings in an existing domain configuration, follow these steps.
  - In the left navigation pane, choose Settings, and then, under Domain configurations, choose a domain configuration.
  - In the Domain configuration details page, choose Edit. Then, in the Custom domain settings - optional section, under Select security policy, choose a security policy.
  - Choose Update domain configuration.
For more information, see Create a domain configuration and Manage domain configurations.
Configure TLS settings in domain configurations (CLI)
You can use the create-domain-configuration and update-domain-configuration CLI commands to configure your TLS settings in domain configurations.
- To specify TLS settings using the create-domain-configuration CLI command:

      aws iot create-domain-configuration \
          --domain-configuration-name domainConfigurationName \
          --tls-config securityPolicy=IoTSecurityPolicy_TLS13_1_2_2022_10

  The output of this command can look like the following:

      {
          "domainConfigurationName": "test",
          "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"
      }

  If you create a new domain configuration without specifying the security policy, the value will default to IoTSecurityPolicy_TLS13_1_2_2022_10.
- To describe TLS settings using the describe-domain-configuration CLI command:

      aws iot describe-domain-configuration \
          --domain-configuration-name domainConfigurationName

  This command can return the domain configuration details that include the TLS settings, like the following:

      {
          "tlsConfig": {
              "securityPolicy": "IoTSecurityPolicy_TLS13_1_2_2022_10"
          },
          "domainConfigurationStatus": "ENABLED",
          "serviceType": "DATA",
          "domainType": "AWS_MANAGED",
          "domainName": "d1234567890abcdefghij-ats.iot.us-west-2.amazonaws.com",
          "serverCertificates": [],
          "lastStatusChangeDate": 1678750928.997,
          "domainConfigurationName": "test",
          "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"
      }

- To update TLS settings using the update-domain-configuration CLI command:

      aws iot update-domain-configuration \
          --domain-configuration-name domainConfigurationName \
          --tls-config securityPolicy=IoTSecurityPolicy_TLS13_1_2_2022_10

  The output of this command can look like the following:

      {
          "domainConfigurationName": "test",
          "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"
      }

- To update the TLS settings for your ATS endpoint, run the update-domain-configuration CLI command. The domain configuration name for your ATS endpoint is iot:Data-ATS.

      aws iot update-domain-configuration \
          --domain-configuration-name "iot:Data-ATS" \
          --tls-config securityPolicy=IoTSecurityPolicy_TLS13_1_2_2022_10

  The output of the command can look like the following:

      {
          "domainConfigurationName": "iot:Data-ATS",
          "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/iot:Data-ATS"
      }
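The describe-domain-configuration output above is what you would feed an audit of your own domain configurations. The following script is an added example, not Amazon code: it checks the configured security policy against the region table on this page (parsing the Region from the ARN) and flags policies that accept TLS 1.0 or do not offer TLS 1.3. The sample input is constructed to mirror the page's describe output, and the script assumes that in a policy name the digits after "TLS" are the highest protocol version offered and the following "_x_y" pair is the lowest version accepted.

```python
"""Audit one Amazon IoT Core domain configuration's TLS security policy.
Added example, not Amazon's code; input below is constructed."""
import json
import re

# Region availability transcribed from this page's table. "*" = all Regions.
POLICY_REGIONS = {
    "IoTSecurityPolicy_TLS13_1_3_2022_10": "*",
    "IoTSecurityPolicy_TLS13_1_2_2022_10": "*",
    "IoTSecurityPolicy_TLS12_1_2_2022_10": "*",
    "IoTSecurityPolicy_TLS12_1_0_2016_01": {
        "ap-east-1", "ap-northeast-2", "ap-south-1", "ap-southeast-2",
        "ca-central-1", "cn-north-1", "cn-northwest-1", "eu-north-1",
        "eu-west-2", "eu-west-3", "me-south-1", "sa-east-1", "us-east-2",
        "us-west-1"},
    "IoTSecurityPolicy_TLS12_1_0_2015_01": {
        "ap-northeast-1", "ap-southeast-1", "eu-central-1", "eu-west-1",
        "us-east-1", "us-west-2"},
}
DEFAULT_POLICY = "IoTSecurityPolicy_TLS13_1_2_2022_10"
# Assumption: "TLS<hi>_<lo>_<year>_<month>", hi = highest version offered,
# lo = lowest version accepted. Single-digit versions compare fine as strings.
NAME_RE = re.compile(r"^IoTSecurityPolicy_TLS(\d)(\d)_(\d)_(\d)_\d{4}_\d{2}$")

def audit(describe_output: dict) -> list:
    """Return finding strings for one describe-domain-configuration result."""
    findings = []
    policy = describe_output.get("tlsConfig", {}).get("securityPolicy")
    region = describe_output["domainConfigurationArn"].split(":")[3]  # arn:aws:iot:<region>:...
    if policy not in POLICY_REGIONS:
        return [f"unknown security policy {policy!r}"]
    m = NAME_RE.match(policy)
    hi, lo = f"{m.group(1)}.{m.group(2)}", f"{m.group(3)}.{m.group(4)}"
    allowed = POLICY_REGIONS[policy]
    if allowed != "*" and region not in allowed:
        findings.append(f"{policy} is not supported in {region}")
    if lo < "1.2":
        findings.append(f"{policy} accepts TLS {lo}; migrate to {DEFAULT_POLICY}")
    if hi < "1.3":
        findings.append(f"{policy} does not offer TLS 1.3 ({DEFAULT_POLICY} does)")
    return findings

# Constructed sample: the page's describe output with a legacy policy substituted.
SAMPLE = json.loads('''{"tlsConfig": {"securityPolicy": "IoTSecurityPolicy_TLS12_1_0_2016_01"},
 "domainConfigurationStatus": "ENABLED", "serviceType": "DATA", "domainType": "AWS_MANAGED",
 "domainName": "d1234567890abcdefghij-ats.iot.us-west-2.amazonaws.com",
 "domainConfigurationName": "test",
 "domainConfigurationArn": "arn:aws:iot:us-west-2:123456789012:domainconfiguration/test/34ga9"}''')

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

In practice, pipe the real output of `aws iot describe-domain-configuration` into `json.loads` in place of SAMPLE.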
For more information, see CreateDomainConfiguration and UpdateDomainConfiguration in the Amazon API Reference.