
TLS configuration plugin for AWS CLI

Project description

awscli-plugin-tls

A plugin for configuring TLS parameters advertised by awscli

This awscli plugin allows users to configure TLS versions and cipher suites used when connecting to AWS services via the CLI. It can additionally be used by boto3 applications to enable those configurations through their ~/.aws/config.

Most users will not need this plugin, as urllib3 uses secure defaults for these settings.

Disclaimer

You are responsible for properly configuring this plugin to ensure secure cipher suites are used when negotiating the TLS connection. Using this plugin, it is possible for clients to configure less secure cipher suites than what is provided by default. Please only use this plugin if you have a requirement to enforce specific cipher suites or TLS versions in your applications, and are familiar with how to use OpenSSL's cipherlist format to select cipher suites. Be sure to test and ensure you are not advertising insecure cipher suites before using it in a production setting.

Installation

pip install .

Configuration

Edit your ~/.aws/config to include the following plugin definition:

If you are using the v1 AWS CLI, you can just add the plugin:

[plugins]
tls = awscli_plugin_tls

If you are using the v2 AWS CLI, you also need to specify cli_legacy_plugin_path, which should point at the site-packages directory where your pip packages are installed.

[plugins]
cli_legacy_plugin_path = <path to your python3.7/site-packages>
tls = awscli_plugin_tls

Additionally, under any profile (either a named profile or [default]), configure the appropriate settings:

[default]
tls_ciphers = ECDHE+AES256+AESGCM
tls_version = 1.2
...other settings
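The disclaimer above asks you to verify what you actually advertise. As an added check (example code written here, not part of the plugin), the following builds an SSLContext from the profile values the way a client would, lists the suites OpenSSL will really offer for that cipher string, and flags weak names and any TLS 1.2 suite without forward secrecy. The config text is constructed inline, and the mapping from tls_version to ssl.TLSVersion is an assumption about how the plugin behaves.

```python
import ssl
from configparser import ConfigParser

# Constructed sample mirroring the profile section shown above (not read from disk).
SAMPLE_CONFIG = """
[default]
tls_ciphers = ECDHE+AES256+AESGCM
tls_version = 1.2
"""

# Assumption: the plugin maps tls_version to a minimum ssl.TLSVersion like this.
TLS_VERSIONS = {"1.2": ssl.TLSVersion.TLSv1_2, "1.3": ssl.TLSVersion.TLSv1_3}

# Substrings of OpenSSL suite names that a defender does not want advertised.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def build_context(tls_ciphers, tls_version):
    """Build an SSLContext from the profile settings as a client would."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = TLS_VERSIONS[tls_version]
    ctx.set_ciphers(tls_ciphers)  # raises ssl.SSLError if nothing matches
    return ctx


def advertised_ciphers(tls_ciphers, tls_version):
    """Return the suite names OpenSSL would actually offer for this context."""
    ctx = build_context(tls_ciphers, tls_version)
    return [c["name"] for c in ctx.get_ciphers()]


def audit_profile(config_text, profile="default"):
    """Parse one profile and report weak suites and missing forward secrecy."""
    cp = ConfigParser()
    cp.read_string(config_text)
    section = cp[profile]
    names = advertised_ciphers(section["tls_ciphers"], section["tls_version"])
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    # TLS 1.2 suites without an (EC)DHE key exchange lack forward secrecy;
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always have it.
    no_pfs = [n for n in names if not n.startswith(("ECDHE", "DHE", "TLS_"))]
    return {"ciphers": names, "weak": weak, "no_forward_secrecy": no_pfs}


if __name__ == "__main__":
    report = audit_profile(SAMPLE_CONFIG)
    for name in report["ciphers"]:
        print(name)
    print("weak:", report["weak"], "no PFS:", report["no_forward_secrecy"])
```

Note that set_ciphers only governs the TLS 1.2 list, so the TLS 1.3 suites built into OpenSSL still appear in the output; that is expected, not a misconfiguration.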

Usage

AWS CLI

Once configured, you can use your AWS CLI as normal:

aws s3 ls

Boto3

You can also patch boto3 applications by calling the patch_botocore function directly:

import boto3
from awscli_plugin_tls import patch_botocore
patch_botocore()

s3 = boto3.client('s3')
print(s3.list_buckets())

If your boto3 application needs to use a named profile, you can pass in your own session object using that profile name:

import boto3
import botocore.session  # needed for botocore.session.Session below
from awscli_plugin_tls import patch_botocore

# Build a botocore session bound to the named profile and patch it
session = botocore.session.Session(profile="your-named-profile")
patch_botocore(session)

# Create the client from that same session so the named profile is used
s3 = boto3.Session(botocore_session=session).client('s3')
print(s3.list_buckets())

Security

See CONTRIBUTING for more information.

License

This project is licensed under the Apache-2.0 License.

Project details



This version

0.1

Download files


Source Distribution

awscli-plugin-tls-0.1.tar.gz (3.2 kB)

