Your AWS account has been identified as having a client (browser or application) that accessed an Amazon DynamoDB or Amazon DynamoDB Streams API in the last 30 days. The purpose of this upgrade notice is to communicate a change and actions you may need to take to continue to access these endpoints.
We will update the certificate authority(CA) for the certificates used by Amazon DynamoDB domains on May 14, 2018. At that time, the SSL/TLS certificates used by DynamoDB will be issued by Amazon Trust Services.
If your client machines already support the following CAs, no action is required:
- Amazon Root CA 1
- Starfield Services Root Certificate Authority - G2
- Starfield Class 2 Certification Authority
This upgrade notice covers the following endpoints:
Amazon DynamoDB Streams
If your clients already trust at least one of the above three CAs then they will trust our certificates and no action is required. However, if you do not already trust any of the above CAs and do not add them to your trusted CA list by May 14, 2018 at 9:00 AM PDT, HTTPS connections to the DynamoDB or DynamoDB Streams APIs will not be established. For more information about this AWS update, please visit this blog post: https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/
For information on the Amazon root CA see: https://www.amazontrust.com/repository/
* Testing Your Programmatic Access to DynamoDB In December 2017, we launched the EU (Paris) Region(EU-WEST-3) with secure certificates issued by Amazon Trust Services. If you access DynamoDB or DynamoDB Streams programmatically, you can call the DynamoDB API or DynamoDB Streams API in the EU (Paris) Region(EU-WEST-3) to validate that the TLS handshake succeeds. If your API calls succeed in the EU (Paris) Region(EU-WEST-3), then they will continue to work as we deploy the CA changes to other AWS Regions. The specific endpoints you need to access in such a test are:
- DynamoDB: https://dynamodb.eu-west-3.amazonaws.com
- DynamoDB Streams: https://streams.dynamodb.eu-west-3.amazonaws.com
* Operating systems with Amazon Trust Services CA support
- Microsoft Windows versions that have January 2005 or later updates installed, Windows Vista, Windows 7, Windows Server 2008, and newer versions
- Mac OS X 10.4 with Java for Mac OS X 10.4 Release 5, Mac OS X 10.5 and newer versions
- Red Hat Enterprise Linux 5 (March 2007), Linux 6, and Linux 7 and CentOS 5, CentOS 6, and CentOS 7
- Ubuntu 8.10
- Debian 5.0
- Amazon Linux (all versions)
- Java 1.4.2_12, Java 5 update 2, and all newer versions, including Java 6, Java 7, and Java 8
* What to do if the Amazon Trust Services CAs are not in your trust store?
If you cannot access the DynamoDB API at https://dynamodb.eu-west-3.amazonaws.com or the DynamoDB Streams API at https://streams.dynamodb.eu-west-3.amazonaws.com and you need to upgrade your certificate bundle, you can upgrade your certificate bundle by importing at least one of the required CAs. You can find the required CAs at https://www.amazontrust.com/repository/ . Instructions for importing a root CA certificate into your certificate bundle vary, so see the documentation that came with your software if you have questions about importing a root CA certificate.
Thank you for using Amazon DynamoDB or Amazon DynamoDB Streams, and please contact AWS Support if you have any questions: https://aws.amazon.com/support
Amazon Web Services
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210