AWS – AWS Site-to-Site VPN introduces three new capabilities for enhanced security
AWS Site-to-Site VPN, a fully managed service that allows you to create a secure connection between your data center or branch office and your AWS resources using IP Security (IPSec) tunnels, is adding three new capabilities for enhanced security and ease of configuration.
- AWS Secrets Manager Integration: When customers store their pre-shared keys (PSKs) in AWS Secrets Manager, VPN connection API responses redact the PSK and display the Secrets Manager ARN (Amazon Resource Name) instead, so the key itself is no longer exposed in API output.
- New API to track VPN algorithms: You can now easily track the currently negotiated internet key exchange (IKE) version, Diffie-Hellman (DH) groups, encryption algorithms, and integrity algorithms using the “GetActiveVpnTunnelStatus” API. This new API eliminates the need for you to enable Site-to-Site VPN logs to get this information, saving time and reducing operational overhead.
- Recommended Configuration: The “GetVpnConnectionDeviceSampleConfiguration” API now includes a “recommended” parameter that generates the best-practice security configuration – IKE version 2, DH group 20, SHA-384 integrity algorithm, and AES-GCM-256 encryption algorithm – for your customer gateway devices, reducing configuration time and potential errors.
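The two capabilities above pair naturally: the negotiated parameters reported for a tunnel can be checked against the recommended baseline to catch customer gateway devices that are still negotiating legacy IKE settings. The following is an added example written for this page, not AWS code or output. The response field names (`ActiveVpnTunnelStatus`, `IkeVersion`, `Phase1DHGroup`, `Phase1EncryptionAlgorithm`, and so on) and the value spellings (`ikev2`, `AES256-GCM-16` for AES-GCM-256, `SHA2-384` for SHA-384) are assumptions modelled on the vocabulary of the existing tunnel-options APIs and should be confirmed against the current API reference; the sample responses are constructed.

```python
"""Audit a Site-to-Site VPN tunnel's negotiated IKE parameters against the
recommended baseline named in the announcement: IKEv2, DH group 20,
SHA-384 integrity, AES-GCM-256 encryption.

Added example, not AWS code. Field names and value spellings are assumptions
(see the lead-in); adjust them to match the real GetActiveVpnTunnelStatus
response shape before relying on the result.
"""
import json
import sys

# Recommended baseline from the announcement. Assumption: values use the same
# spellings as the tunnel-options APIs ("AES256-GCM-16" == AES-GCM-256,
# "SHA2-384" == SHA-384, "ikev2" == IKE version 2).
RECOMMENDED = {
    "IkeVersion": "ikev2",
    "Phase1DHGroup": 20,
    "Phase2DHGroup": 20,
    "Phase1EncryptionAlgorithm": "AES256-GCM-16",
    "Phase2EncryptionAlgorithm": "AES256-GCM-16",
    "Phase1IntegrityAlgorithm": "SHA2-384",
    "Phase2IntegrityAlgorithm": "SHA2-384",
}


def _norm(value):
    """Normalise a reported value so 'IKEv2' == 'ikev2' and '20' == 20."""
    if isinstance(value, str):
        s = value.strip()
        return int(s) if s.isdigit() else s.lower()
    return value


def audit_tunnel(status: dict) -> list:
    """Return one finding per parameter that deviates from RECOMMENDED.

    An empty list means the negotiated tunnel matches the baseline. A field
    that is absent is reported too: a down tunnel has nothing negotiated, and
    a response shape that differs from the assumed one must not pass silently.
    """
    findings = []
    for key, want in RECOMMENDED.items():
        if key not in status:
            findings.append(f"{key}: not reported (tunnel down or unexpected response shape)")
            continue
        got = status[key]
        if _norm(got) != _norm(want):
            findings.append(f"{key}: negotiated {got!r}, recommended {want!r}")
    return findings


def audit_response(response: dict) -> dict:
    """Audit a whole GetActiveVpnTunnelStatus-style response.

    Assumed shape: {"ActiveVpnTunnelStatus": {...}}. A bare status dict is
    accepted as well. Returns {"compliant": bool, "findings": [...]}.
    """
    status = response.get("ActiveVpnTunnelStatus", response)
    findings = audit_tunnel(status)
    return {"compliant": not findings, "findings": findings}


# Constructed sample responses (not real API output).
SAMPLE_RECOMMENDED = {
    "ActiveVpnTunnelStatus": {
        "IkeVersion": "IKEv2",            # case differs; must still match
        "Phase1DHGroup": "20",            # string instead of int; must still match
        "Phase2DHGroup": 20,
        "Phase1EncryptionAlgorithm": "AES256-GCM-16",
        "Phase2EncryptionAlgorithm": "AES256-GCM-16",
        "Phase1IntegrityAlgorithm": "SHA2-384",
        "Phase2IntegrityAlgorithm": "SHA2-384",
    }
}

SAMPLE_LEGACY = {
    "ActiveVpnTunnelStatus": {
        "IkeVersion": "ikev1",
        "Phase1DHGroup": 2,
        "Phase2DHGroup": 2,
        "Phase1EncryptionAlgorithm": "AES128",
        "Phase2EncryptionAlgorithm": "AES128",
        "Phase1IntegrityAlgorithm": "SHA1",
        "Phase2IntegrityAlgorithm": "SHA1",
    }
}


if __name__ == "__main__":
    # Pipe real JSON in (e.g. from the AWS CLI) or run with no input to see
    # the constructed legacy sample flagged.
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE_LEGACY
    result = audit_response(data)
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["compliant"] else 1)
```

Run against live data by piping the API response into the script, for example `aws ec2 get-active-vpn-tunnel-status --vpn-connection-id <vpn-id> --vpn-tunnel-outside-ip-address <tunnel-ip> | python audit_vpn.py` (the CLI subcommand and parameter names are inferred from the API name and should be checked in the CLI reference). A non-zero exit code makes the check usable as a scheduled compliance job, and a missing field is deliberately treated as a finding rather than a pass so that a tunnel that is down or a response in an unexpected shape is noticed.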
There is no additional charge for using these capabilities. These capabilities are available in all AWS commercial Regions where AWS Site-to-Site VPN is available, except Europe (Milan) Region. To learn more and get started, visit the AWS Site-to-Site VPN documentation.