Table of contents
Topics on this page

Configure TLS inspection for AWS

Use the following steps to configure TLS using the AWS platform.

  1. Configure the appropriate IAM role for the policy. Refer to Create an IAM policy and role.

  2. Optionally configure an AWS Certificate Manager (ACM). Learn more at Getting Started with AWS Certificate Manager.

  3. Connect to a hardware security module (HSM). Use the region selector to ensure that your HSM IP address resides in the same geographical region of your virtual appliance. Learn more.

  4. Go to Policy > TLS Inspection and click Configure TLS Inspection to enter the configuration wizard.

From the Configure TLS Inspection wizard:

  1. Select a managed virtual appliances on which you want to enable decryption and inbound TLS traffic inspection. Click Provide Server.


    You can enable TLS inspection on up to four managed virtual appliances, but only one at a time. If you require more than four appliances with this functionality, open a support report. If the version of the appliance you select does not support multiple-appliance TLS configuration, the wizard will notify you and prevent you from moving forward with that selection.

  2. You can configure multiple server proxies, but only one at a time. If you require more than 100 proxies, open a support report. In the Server IP field, enter the IP address of the server to be protected. To retrieve this IP address, click EC2 from the AWS navigation, and click Instances (running) under Resources. The IP address that is accessible only by AWS is listed under Private IP addresses. Click Provide Public Certificate.

  3. In the Certificate ARN field, enter your server’s public certificate S3 ARN or ACM. Click Choose Key Access Method.


    If you get an Unable to retrieve certificate error, go to AWS Services and click IAM > Roles to confirm that your Network Security role has the correct permissions. Click your configured Network Security role from the list, edit the policy that is listed, click Add additional permissions, and add Certificate Manager from the available services. Specify List and Read access level permissions. After you specify a Resource, click Review policy and the Save changes.

  4. Specify whether you will use AWS CloudHSM to provide your server's private key or whether you will manually upload it. Click Provide Resource.

    • If you elected to use AWS CloudHSM, a dialog prompts you to provide a secret ARN using AWS Secrets Manager. The secret ARN contains connection information that enables the HSM to retrieve private key information for the public certificate, which is then stored on your appliance. In order to generate the secret, you must complete the following items in the dialog:

      • Provide a username for the crypto user (CU) account. The username cannot be more than 31 characters, and the underscore (_) is the only special character permitted.
      • Provide a password for the crypto user (CU) account. The password cannot be less than 7 characters or more than 32 characters.
      • Paste the issuing certificate (begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----). The certificate size cannot exceed 65 KB.
      • Provide the IP of the AWS CloudHSM.
      • Click Generate Secret. After the secret is generated, click Copy to Clipboard. In AWS Secrets Manager, go to Secrets and click Store a new secret. Click Other type of secret, select Plain Text, and paste the secret that you generated in the field. Make sure you select the DefaultEncryptionKey option, and then click Next. Learn more at Tutorial: Creating and retrieving a secret. Then paste the resulting secret ARN in the wizard's Secret ARN field and click Provide Keystore Key.
    • If you elect to upload the private key directly, a dialog is displayed where you can paste your server certificate’s private key in the Private Key field. Be sure that what you paste begins with -----BEGIN RSA PRIVATE KEY----- and ends with -----END RSA PRIVATE KEY-----. If your private key is encrypted, enter a passphrase to enable decryption. The passphrase can be one to 255 characters. Click Provide Keystore Key.


    If you get an error stating that the certificate you entered does not match, there is an issue with your certificate or key. Reload your certificate and key to make sure you have the correct ones.

  5. Use AWS Key Management Service to create a symmetric customer master key (CMK) and add your Network Security role as a key user so that your private key can be stored encrypted on your appliance. Limit the IAM role so that only your appliance's specific KMS resources can be accessed. Paste the resulting ARN in the wizard's Key Management ARN field and click Confirm and Deploy.


    If you get an error, go to AWS Services and click Key Management Service > Customer managed keys to confirm that your Network Security role has the correct permissions. Click your configured Customer master key from the list, scroll to Key users, and, click Add. Select your Network Security role, and click Add. Learn more about configuring key policies.

  6. Review your configuration and click Deploy and Close to start inspecting encrypted traffic.

  7. Go to Policy > TLS Inspection and confirm that the TLS Inspection field displays Inspecting. For more information on the inspection status, click anywhere on the row to expand it and trace the source of any issues:

    • Issue found – Indicates that encrypted and nonencrypted traffic continue to be inspected despite one or more configuration issues, such as an expired certificate. As a best practice, ensure all your cryptographic assets are present, valid, and current.
    • Not inspecting – Indicates that encrypted and nonencrypted traffic are not being inspected because your virtual appliance might be in fallback mode (either user-initiated or automatic), or your proxy server might be missing or disabled (because of missing cryptographic assets, for example).
    • Unknown – Indicates that your virtual appliance is not communicating with your proxy server for an unknown reason. Before a complete status of inspection can be provided, you must resolve this communication issue. Verify that your proxy server is not missing or disabled, and that the virtual appliance is not in fallback mode.

Note: After a TLS inspection policy has been configured on a virtual appliance, you cannot edit the TLS policy. Your TLS settings remain in effect until you completely delete the policy. If you want to change your TLS inspection strategy, delete the existing policy by clicking the delete icon and create a new one.

Optionally, you can verify that your TLS configuration is working by enabling the sslInspection log in your CloudWatch log settings. Learn more.