TLS inspection configuration settings - Amazon Network Firewall
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

TLS inspection configuration settings

A TLS inspection configuration has the following settings.

  • Name – The identifier for the TLS inspection configuration. You assign a unique name to every TLS inspection configuration. You can't change the name of a TLS inspection configuration after you create it.

  • Description – Optional additional information about the TLS inspection configuration. Fill in information that might help you to remember the purpose of the TLS inspection configuration and how you want to use it. The description is included in TLS inspection configuration lists in the console and the APIs.

  • Associate SSL/TLS certificates – The certificates to associate with the TLS inspection configuration for inbound and outbound inspection. Network Firewall uses certificates to decrypt and re-encrypt the SSL/TLS traffic that's going to your firewall.

  • Define scope – Defines the scope of the traffic to decrypt based on source and destination addresses and port ranges in a scope configuration. For each scope configuration that you add, Network Firewall adds a mirrored scope configuration with reverse sources and destinations when it creates the TLS inspection configuration. This allows Network Firewall to decrypt—and subsequently inspect—traffic in both directions, which is required for TLS termination.

  • Customer managed key (Optional) – Network Firewall encrypts and decrypts the TLS inspection configuration, to protect against unauthorized access. By default, Network Firewall uses Amazon owned keys for this. If you want to use your own keys, you can configure customer managed keys from Amazon Key Management Service and provide them to Network Firewall. For information about this option, see Encryption at rest with Amazon Key Management Service.

  • Certificate revocation status (Optional) – Network Firewall checks if the certificate that's presented by the server in the TLS session is revoked or has an unknown status. If this is turned on, Network Firewall handles the outbound traffic based on the actions that you configure in the certificate revocation check.

  • Tags – A tag is an optional label that you assign to an Amazon resource. You can use tags to search and filter your resources and to track your Amazon costs. For more information about tags, see Tagging Amazon Network Firewall resources.