Configure AWS Network Firewall TLS Inspection

The aws:networkfirewall/tlsInspectionConfiguration:TlsInspectionConfiguration resource, part of the Pulumi AWS provider, defines TLS inspection configurations that decrypt and inspect encrypted traffic passing through Network Firewall. This guide focuses on four capabilities: inbound inspection with server certificates, outbound inspection with certificate authorities, customer-managed encryption, and bidirectional inspection.

TLS inspection configurations require ACM certificates for inbound traffic, an ACM Private CA for outbound traffic, and optionally KMS keys for encryption. The examples are intentionally small: the `example1` they reference stands for the ACM certificate or ACM Private CA resource you define yourself. Combine them with your own certificates, firewall policies, and network infrastructure.

Inspect inbound TLS traffic with server certificates

Network Firewall can decrypt and inspect inbound TLS connections to protect internal services from encrypted threats.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Traffic selector for the inspection configuration: TCP (protocol 6) to
// destination port 443 from any source port. Both address definitions are
// 0.0.0.0/0, so every HTTPS flow the firewall sees is decrypted; narrow the
// sources and destinations before using this outside a demo.
const inspectionScope = {
    protocols: [6],
    destinationPorts: [{ fromPort: 443, toPort: 443 }],
    destinations: [{ addressDefinition: "0.0.0.0/0" }],
    sourcePorts: [{ fromPort: 0, toPort: 65535 }],
    sources: [{ addressDefinition: "0.0.0.0/0" }],
};

// Inbound inspection: the firewall terminates TLS with the ACM certificate
// referenced by example1 (a resource declared elsewhere in the program). The
// configuration itself is stored under the default AWS-owned KMS key.
const example = new aws.networkfirewall.TlsInspectionConfiguration("example", {
    name: "example",
    description: "example",
    encryptionConfigurations: [{ keyId: "AWS_OWNED_KMS_KEY", type: "AWS_OWNED_KMS_KEY" }],
    tlsInspectionConfiguration: {
        serverCertificateConfiguration: {
            serverCertificates: [{ resourceArn: example1.arn }],
            scopes: [inspectionScope],
        },
    },
});
import pulumi
import pulumi_aws as aws

# Traffic selector for the inspection configuration: TCP (protocol 6) to
# destination port 443 from any source port. Both address definitions are
# 0.0.0.0/0, so every HTTPS flow the firewall sees is decrypted; narrow the
# sources and destinations before using this outside a demo.
inspection_scope = {
    "protocols": [6],
    "destination_ports": [{"from_port": 443, "to_port": 443}],
    "destinations": [{"address_definition": "0.0.0.0/0"}],
    "source_ports": [{"from_port": 0, "to_port": 65535}],
    "sources": [{"address_definition": "0.0.0.0/0"}],
}

# Inbound inspection: the firewall terminates TLS with the ACM certificate
# referenced by example1 (a resource declared elsewhere in the program). The
# configuration itself is stored under the default AWS-owned KMS key.
example = aws.networkfirewall.TlsInspectionConfiguration(
    "example",
    name="example",
    description="example",
    encryption_configurations=[{"key_id": "AWS_OWNED_KMS_KEY", "type": "AWS_OWNED_KMS_KEY"}],
    tls_inspection_configuration={
        "server_certificate_configuration": {
            "server_certificates": [{"resource_arn": example1["arn"]}],
            "scopes": [inspection_scope],
        },
    },
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// inboundInspectionScope selects the traffic to decrypt: TCP (protocol 6) to
// destination port 443 from any source port. Both address definitions are
// 0.0.0.0/0, so every HTTPS flow the firewall sees is in scope; narrow the
// sources and destinations before using this outside a demo.
func inboundInspectionScope() *networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs {
	anyAddress := pulumi.String("0.0.0.0/0")
	return &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs{
		Protocols: pulumi.IntArray{pulumi.Int(6)},
		DestinationPorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs{
				FromPort: pulumi.Int(443),
				ToPort:   pulumi.Int(443),
			},
		},
		Destinations: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs{
				AddressDefinition: anyAddress,
			},
		},
		SourcePorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs{
				FromPort: pulumi.Int(0),
				ToPort:   pulumi.Int(65535),
			},
		},
		Sources: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs{
				AddressDefinition: anyAddress,
			},
		},
	}
}

// main registers an inbound TLS inspection configuration. The firewall
// terminates TLS with the ACM certificate referenced by example1 (a resource
// declared elsewhere in this program); the configuration itself is stored
// under the default AWS-owned KMS key.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		args := &networkfirewall.TlsInspectionConfigurationArgs{
			Name:        pulumi.String("example"),
			Description: pulumi.String("example"),
			// AWS_OWNED_KMS_KEY is the default; a customer-managed key uses
			// Type CUSTOMER_KMS with the key ARN as KeyId.
			EncryptionConfigurations: networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArray{
				&networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArgs{
					KeyId: pulumi.String("AWS_OWNED_KMS_KEY"),
					Type:  pulumi.String("AWS_OWNED_KMS_KEY"),
				},
			},
			TlsInspectionConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationArgs{
				ServerCertificateConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs{
					ServerCertificates: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArray{
						&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs{
							// example1 is the ACM certificate resource this program must define.
							ResourceArn: pulumi.Any(example1.Arn),
						},
					},
					Scopes: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArray{
						inboundInspectionScope(),
					},
				},
			},
		}
		_, err := networkfirewall.NewTlsInspectionConfiguration(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Traffic selector for the inspection configuration: TCP (protocol 6) to
    // destination port 443 from any source port. Both address definitions are
    // 0.0.0.0/0, so every HTTPS flow the firewall sees is decrypted; narrow the
    // sources and destinations before using this outside a demo.
    var inspectionScope = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs
    {
        Protocols = new[] { 6 },
        DestinationPorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs
            {
                FromPort = 443,
                ToPort = 443,
            },
        },
        Destinations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs
            {
                AddressDefinition = "0.0.0.0/0",
            },
        },
        SourcePorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs
            {
                FromPort = 0,
                ToPort = 65535,
            },
        },
        Sources = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs
            {
                AddressDefinition = "0.0.0.0/0",
            },
        },
    };

    // Inbound inspection: the firewall terminates TLS with the ACM certificate
    // referenced by example1 (a resource declared elsewhere in the program). The
    // configuration itself is stored under the default AWS-owned KMS key.
    var example = new Aws.NetworkFirewall.TlsInspectionConfiguration("example", new()
    {
        Name = "example",
        Description = "example",
        EncryptionConfigurations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationEncryptionConfigurationArgs
            {
                KeyId = "AWS_OWNED_KMS_KEY",
                Type = "AWS_OWNED_KMS_KEY",
            },
        },
        TlsInspectionConfig = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs
        {
            ServerCertificateConfiguration = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs
            {
                ServerCertificates = new[]
                {
                    new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs
                    {
                        ResourceArn = example1.Arn,
                    },
                },
                Scopes = new[] { inspectionScope },
            },
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.TlsInspectionConfiguration;
import com.pulumi.aws.networkfirewall.TlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationEncryptionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs;

import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Traffic selector for the inspection configuration: TCP (protocol 6) to
     * destination port 443 from any source port. Both address definitions are
     * 0.0.0.0/0, so every HTTPS flow the firewall sees is decrypted; narrow the
     * sources and destinations before using this outside a demo.
     */
    private static TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs inspectionScope() {
        return TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs.builder()
            .protocols(6)
            .destinationPorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs.builder()
                .fromPort(443)
                .toPort(443)
                .build())
            .destinations(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .sourcePorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs.builder()
                .fromPort(0)
                .toPort(65535)
                .build())
            .sources(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .build();
    }

    /**
     * Registers an inbound TLS inspection configuration. The firewall terminates
     * TLS with the ACM certificate referenced by example1 (a resource declared
     * elsewhere in the program); the configuration itself is stored under the
     * default AWS-owned KMS key.
     */
    public static void stack(Context ctx) {
        var encryption = TlsInspectionConfigurationEncryptionConfigurationArgs.builder()
            .keyId("AWS_OWNED_KMS_KEY")
            .type("AWS_OWNED_KMS_KEY")
            .build();
        var serverCertificate = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs.builder()
            .resourceArn(example1.arn())
            .build();
        var serverCertificateConfiguration = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs.builder()
            .serverCertificates(serverCertificate)
            .scopes(inspectionScope())
            .build();

        var example = new TlsInspectionConfiguration("example", TlsInspectionConfigurationArgs.builder()
            .name("example")
            .description("example")
            .encryptionConfigurations(encryption)
            .tlsInspectionConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationArgs.builder()
                .serverCertificateConfiguration(serverCertificateConfiguration)
                .build())
            .build());
    }
}
resources:
  # Inbound TLS inspection: the firewall terminates TLS with the ACM certificate
  # referenced as example1 (a resource declared elsewhere in the program).
  example:
    type: aws:networkfirewall:TlsInspectionConfiguration
    properties:
      name: example
      description: example
      # Default encryption for the stored configuration: the AWS-owned KMS key.
      encryptionConfigurations:
        - keyId: AWS_OWNED_KMS_KEY
          type: AWS_OWNED_KMS_KEY
      tlsInspectionConfiguration:
        serverCertificateConfiguration:
          serverCertificates:
            - resourceArn: ${example1.arn}
          # Traffic selector: TCP (protocol 6) to port 443 from any source port.
          # 0.0.0.0/0 on both sides decrypts every HTTPS flow; narrow it outside a demo.
          scopes:
            - protocols:
                - 6
              destinationPorts:
                - fromPort: 443
                  toPort: 443
              destinations:
                - addressDefinition: 0.0.0.0/0
              sourcePorts:
                - fromPort: 0
                  toPort: 65535
              sources:
                - addressDefinition: 0.0.0.0/0

For inbound inspection, Network Firewall terminates TLS connections using certificates you provide. The serverCertificateConfiguration block references ACM certificates via resourceArn. The scopes block defines which traffic to inspect: protocol 6 (TCP), destination port 443 (HTTPS), and address ranges (0.0.0.0/0 here, which matches every address). Network Firewall decrypts matching traffic, inspects it against your firewall rules, then re-encrypts it before forwarding.

Inspect outbound TLS traffic with certificate authority

For outbound inspection, Network Firewall acts as a man-in-the-middle: it terminates the client's TLS session and generates a certificate for each destination on the fly, signed by the CA you provide.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Traffic selector for the inspection configuration: TCP (protocol 6) to
// destination port 443 from any source port. Both address definitions are
// 0.0.0.0/0, so every outbound HTTPS flow is decrypted; narrow the sources
// and destinations before using this outside a demo.
const inspectionScope = {
    protocols: [6],
    destinationPorts: [{ fromPort: 443, toPort: 443 }],
    destinations: [{ addressDefinition: "0.0.0.0/0" }],
    sourcePorts: [{ fromPort: 0, toPort: 65535 }],
    sources: [{ addressDefinition: "0.0.0.0/0" }],
};

// Outbound inspection: certificates are issued per destination from the ACM
// Private CA referenced by example1 (a resource declared elsewhere in the
// program). Revoked server certificates are rejected; a certificate whose
// revocation status cannot be determined is passed (fail-open).
const example = new aws.networkfirewall.TlsInspectionConfiguration("example", {
    name: "example",
    description: "example",
    encryptionConfigurations: [{ keyId: "AWS_OWNED_KMS_KEY", type: "AWS_OWNED_KMS_KEY" }],
    tlsInspectionConfiguration: {
        serverCertificateConfiguration: {
            certificateAuthorityArn: example1.arn,
            checkCertificateRevocationStatus: {
                revokedStatusAction: "REJECT",
                unknownStatusAction: "PASS",
            },
            scopes: [inspectionScope],
        },
    },
});
import pulumi
import pulumi_aws as aws

# Traffic selector for the inspection configuration: TCP (protocol 6) to
# destination port 443 from any source port. Both address definitions are
# 0.0.0.0/0, so every outbound HTTPS flow is decrypted; narrow the sources
# and destinations before using this outside a demo.
inspection_scope = {
    "protocols": [6],
    "destination_ports": [{"from_port": 443, "to_port": 443}],
    "destinations": [{"address_definition": "0.0.0.0/0"}],
    "source_ports": [{"from_port": 0, "to_port": 65535}],
    "sources": [{"address_definition": "0.0.0.0/0"}],
}

# Outbound inspection: certificates are issued per destination from the ACM
# Private CA referenced by example1 (a resource declared elsewhere in the
# program). Revoked server certificates are rejected; a certificate whose
# revocation status cannot be determined is passed (fail-open).
example = aws.networkfirewall.TlsInspectionConfiguration(
    "example",
    name="example",
    description="example",
    encryption_configurations=[{"key_id": "AWS_OWNED_KMS_KEY", "type": "AWS_OWNED_KMS_KEY"}],
    tls_inspection_configuration={
        "server_certificate_configuration": {
            "certificate_authority_arn": example1["arn"],
            "check_certificate_revocation_status": {
                "revoked_status_action": "REJECT",
                "unknown_status_action": "PASS",
            },
            "scopes": [inspection_scope],
        },
    },
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// outboundInspectionScope selects the traffic to decrypt: TCP (protocol 6) to
// destination port 443 from any source port. Both address definitions are
// 0.0.0.0/0, so every outbound HTTPS flow is in scope; narrow the sources and
// destinations before using this outside a demo.
func outboundInspectionScope() *networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs {
	anyAddress := pulumi.String("0.0.0.0/0")
	return &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs{
		Protocols: pulumi.IntArray{pulumi.Int(6)},
		DestinationPorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs{
				FromPort: pulumi.Int(443),
				ToPort:   pulumi.Int(443),
			},
		},
		Destinations: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs{
				AddressDefinition: anyAddress,
			},
		},
		SourcePorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs{
				FromPort: pulumi.Int(0),
				ToPort:   pulumi.Int(65535),
			},
		},
		Sources: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs{
				AddressDefinition: anyAddress,
			},
		},
	}
}

// main registers an outbound TLS inspection configuration. Certificates are
// issued per destination from the ACM Private CA referenced by example1 (a
// resource declared elsewhere in this program); the configuration itself is
// stored under the default AWS-owned KMS key.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Revoked server certificates are rejected. A certificate whose revocation
		// status cannot be determined is passed, i.e. this example fails open on
		// unknown status; set it to REJECT as well if policy requires fail-closed.
		revocation := &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs{
			RevokedStatusAction: pulumi.String("REJECT"),
			UnknownStatusAction: pulumi.String("PASS"),
		}
		args := &networkfirewall.TlsInspectionConfigurationArgs{
			Name:        pulumi.String("example"),
			Description: pulumi.String("example"),
			EncryptionConfigurations: networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArray{
				&networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArgs{
					KeyId: pulumi.String("AWS_OWNED_KMS_KEY"),
					Type:  pulumi.String("AWS_OWNED_KMS_KEY"),
				},
			},
			TlsInspectionConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationArgs{
				ServerCertificateConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs{
					// example1 is the ACM Private CA resource this program must define.
					CertificateAuthorityArn:          pulumi.Any(example1.Arn),
					CheckCertificateRevocationStatus: revocation,
					Scopes: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArray{
						outboundInspectionScope(),
					},
				},
			},
		}
		_, err := networkfirewall.NewTlsInspectionConfiguration(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() =>
{
    // Traffic selector for the inspection configuration: TCP (protocol 6) to
    // destination port 443 from any source port. Both address definitions are
    // 0.0.0.0/0, so every outbound HTTPS flow is decrypted; narrow the sources
    // and destinations before using this outside a demo.
    var inspectionScope = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs
    {
        Protocols = new[] { 6 },
        DestinationPorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs
            {
                FromPort = 443,
                ToPort = 443,
            },
        },
        Destinations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs
            {
                AddressDefinition = "0.0.0.0/0",
            },
        },
        SourcePorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs
            {
                FromPort = 0,
                ToPort = 65535,
            },
        },
        Sources = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs
            {
                AddressDefinition = "0.0.0.0/0",
            },
        },
    };

    // Revoked server certificates are rejected; a certificate whose revocation
    // status cannot be determined is passed, so this example fails open on
    // unknown status.
    var revocation = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs
    {
        RevokedStatusAction = "REJECT",
        UnknownStatusAction = "PASS",
    };

    // Outbound inspection: certificates are issued per destination from the ACM
    // Private CA referenced by example1 (a resource declared elsewhere in the
    // program). The configuration itself is stored under the default AWS-owned KMS key.
    var example = new Aws.NetworkFirewall.TlsInspectionConfiguration("example", new()
    {
        Name = "example",
        Description = "example",
        EncryptionConfigurations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationEncryptionConfigurationArgs
            {
                KeyId = "AWS_OWNED_KMS_KEY",
                Type = "AWS_OWNED_KMS_KEY",
            },
        },
        TlsInspectionConfig = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs
        {
            ServerCertificateConfiguration = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs
            {
                CertificateAuthorityArn = example1.Arn,
                CheckCertificateRevocationStatus = revocation,
                Scopes = new[] { inspectionScope },
            },
        },
    });
});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.TlsInspectionConfiguration;
import com.pulumi.aws.networkfirewall.TlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationEncryptionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs;

import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Traffic selector for the inspection configuration: TCP (protocol 6) to
     * destination port 443 from any source port. Both address definitions are
     * 0.0.0.0/0, so every outbound HTTPS flow is decrypted; narrow the sources
     * and destinations before using this outside a demo.
     */
    private static TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs inspectionScope() {
        return TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs.builder()
            .protocols(6)
            .destinationPorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs.builder()
                .fromPort(443)
                .toPort(443)
                .build())
            .destinations(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .sourcePorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs.builder()
                .fromPort(0)
                .toPort(65535)
                .build())
            .sources(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .build();
    }

    /**
     * Registers an outbound TLS inspection configuration. Certificates are issued
     * per destination from the ACM Private CA referenced by example1 (a resource
     * declared elsewhere in the program). Revoked server certificates are
     * rejected; a certificate whose revocation status cannot be determined is
     * passed, so this example fails open on unknown status.
     */
    public static void stack(Context ctx) {
        var encryption = TlsInspectionConfigurationEncryptionConfigurationArgs.builder()
            .keyId("AWS_OWNED_KMS_KEY")
            .type("AWS_OWNED_KMS_KEY")
            .build();
        var revocation = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs.builder()
            .revokedStatusAction("REJECT")
            .unknownStatusAction("PASS")
            .build();
        var serverCertificateConfiguration = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs.builder()
            .certificateAuthorityArn(example1.arn())
            .checkCertificateRevocationStatus(revocation)
            .scopes(inspectionScope())
            .build();

        var example = new TlsInspectionConfiguration("example", TlsInspectionConfigurationArgs.builder()
            .name("example")
            .description("example")
            .encryptionConfigurations(encryption)
            .tlsInspectionConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationArgs.builder()
                .serverCertificateConfiguration(serverCertificateConfiguration)
                .build())
            .build());
    }
}
resources:
  # Outbound TLS inspection: certificates are issued per destination from the
  # ACM Private CA referenced as example1 (a resource declared elsewhere).
  example:
    type: aws:networkfirewall:TlsInspectionConfiguration
    properties:
      name: example
      description: example
      # Default encryption for the stored configuration: the AWS-owned KMS key.
      encryptionConfigurations:
        - keyId: AWS_OWNED_KMS_KEY
          type: AWS_OWNED_KMS_KEY
      tlsInspectionConfiguration:
        serverCertificateConfiguration:
          certificateAuthorityArn: ${example1.arn}
          # Revoked server certificates are rejected; a certificate whose revocation
          # status cannot be determined is passed (fail-open on unknown status).
          checkCertificateRevocationStatus:
            revokedStatusAction: REJECT
            unknownStatusAction: PASS
          # Traffic selector: TCP (protocol 6) to port 443 from any source port.
          # 0.0.0.0/0 on both sides decrypts every HTTPS flow; narrow it outside a demo.
          scopes:
            - protocols:
                - 6
              destinationPorts:
                - fromPort: 443
                  toPort: 443
              destinations:
                - addressDefinition: 0.0.0.0/0
              sourcePorts:
                - fromPort: 0
                  toPort: 65535
              sources:
                - addressDefinition: 0.0.0.0/0

Outbound inspection uses a certificate authority instead of specific certificates. The certificateAuthorityArn points to an ACM Private CA that Network Firewall uses to generate certificates for each destination domain. The checkCertificateRevocationStatus block controls how Network Firewall handles revoked or unknown certificate status: REJECT blocks connections whose certificate is revoked, and PASS allows connections whose revocation status cannot be determined, so this example fails open in that case.

Encrypt inspection data with customer-managed KMS keys

By default, Network Firewall uses AWS-owned keys to encrypt inspection configuration data. For compliance requirements, you can specify your own KMS key.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Traffic selector for the inspection configuration: TCP (protocol 6) to
// destination port 443 from any source port. Both address definitions are
// 0.0.0.0/0, so every HTTPS flow the firewall sees is decrypted; narrow the
// sources and destinations before using this outside a demo.
const inspectionScope = {
    protocols: [6],
    destinationPorts: [{ fromPort: 443, toPort: 443 }],
    destinations: [{ addressDefinition: "0.0.0.0/0" }],
    sourcePorts: [{ fromPort: 0, toPort: 65535 }],
    sources: [{ addressDefinition: "0.0.0.0/0" }],
};

// Customer-managed KMS key under which the inspection configuration is stored.
// deletionWindowInDays is the waiting period before a scheduled deletion of
// the key takes effect.
const example = new aws.kms.Key("example", {
    description: "example",
    deletionWindowInDays: 7,
});

// Same inbound inspection as before, but the configuration is encrypted with
// the key above (CUSTOMER_KMS) instead of the AWS-owned default. The server
// certificate is the ACM certificate referenced by example1 (declared elsewhere).
const exampleTlsInspectionConfiguration = new aws.networkfirewall.TlsInspectionConfiguration("example", {
    name: "example",
    description: "example",
    encryptionConfigurations: [{ keyId: example.arn, type: "CUSTOMER_KMS" }],
    tlsInspectionConfiguration: {
        serverCertificateConfiguration: {
            serverCertificates: [{ resourceArn: example1.arn }],
            scopes: [inspectionScope],
        },
    },
});
import pulumi
import pulumi_aws as aws

# Traffic selector for the inspection configuration: TCP (protocol 6) to
# destination port 443 from any source port. Both address definitions are
# 0.0.0.0/0, so every HTTPS flow the firewall sees is decrypted; narrow the
# sources and destinations before using this outside a demo.
inspection_scope = {
    "protocols": [6],
    "destination_ports": [{"from_port": 443, "to_port": 443}],
    "destinations": [{"address_definition": "0.0.0.0/0"}],
    "source_ports": [{"from_port": 0, "to_port": 65535}],
    "sources": [{"address_definition": "0.0.0.0/0"}],
}

# Customer-managed KMS key under which the inspection configuration is stored.
# deletion_window_in_days is the waiting period before a scheduled deletion of
# the key takes effect.
example = aws.kms.Key(
    "example",
    description="example",
    deletion_window_in_days=7,
)

# Same inbound inspection as before, but the configuration is encrypted with
# the key above (CUSTOMER_KMS) instead of the AWS-owned default. The server
# certificate is the ACM certificate referenced by example1 (declared elsewhere).
example_tls_inspection_configuration = aws.networkfirewall.TlsInspectionConfiguration(
    "example",
    name="example",
    description="example",
    encryption_configurations=[{"key_id": example.arn, "type": "CUSTOMER_KMS"}],
    tls_inspection_configuration={
        "server_certificate_configuration": {
            "server_certificates": [{"resource_arn": example1["arn"]}],
            "scopes": [inspection_scope],
        },
    },
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/kms"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

// customerKeyInspectionScope selects the traffic to decrypt: TCP (protocol 6)
// to destination port 443 from any source port. Both address definitions are
// 0.0.0.0/0, so every HTTPS flow the firewall sees is in scope; narrow the
// sources and destinations before using this outside a demo.
func customerKeyInspectionScope() *networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs {
	anyAddress := pulumi.String("0.0.0.0/0")
	return &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs{
		Protocols: pulumi.IntArray{pulumi.Int(6)},
		DestinationPorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs{
				FromPort: pulumi.Int(443),
				ToPort:   pulumi.Int(443),
			},
		},
		Destinations: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs{
				AddressDefinition: anyAddress,
			},
		},
		SourcePorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs{
				FromPort: pulumi.Int(0),
				ToPort:   pulumi.Int(65535),
			},
		},
		Sources: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArray{
			&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs{
				AddressDefinition: anyAddress,
			},
		},
	}
}

// main creates a customer-managed KMS key and registers an inbound TLS
// inspection configuration stored under it (Type CUSTOMER_KMS) instead of the
// AWS-owned default. The firewall terminates TLS with the ACM certificate
// referenced by example1, a resource declared elsewhere in this program.
func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// DeletionWindowInDays is the waiting period before a scheduled
		// deletion of the key takes effect.
		key, err := kms.NewKey(ctx, "example", &kms.KeyArgs{
			Description:          pulumi.String("example"),
			DeletionWindowInDays: pulumi.Int(7),
		})
		if err != nil {
			return err
		}
		args := &networkfirewall.TlsInspectionConfigurationArgs{
			Name:        pulumi.String("example"),
			Description: pulumi.String("example"),
			EncryptionConfigurations: networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArray{
				&networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArgs{
					// The key ARN is an output of the key created above, so Pulumi
					// orders the key before the inspection configuration.
					KeyId: key.Arn,
					Type:  pulumi.String("CUSTOMER_KMS"),
				},
			},
			TlsInspectionConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationArgs{
				ServerCertificateConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs{
					ServerCertificates: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArray{
						&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs{
							// example1 is the ACM certificate resource this program must define.
							ResourceArn: pulumi.Any(example1.Arn),
						},
					},
					Scopes: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArray{
						customerKeyInspectionScope(),
					},
				},
			},
		}
		_, err = networkfirewall.NewTlsInspectionConfiguration(ctx, "example", args)
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

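return await Deployment.RunAsync(() => 
{
    // Customer-managed KMS key referenced below as CUSTOMER_KMS. Rotation is
    // enabled so the key material rotates automatically; the key is created
    // without an explicit policy, so scope access to it yourself.
    var example = new Aws.Kms.Key("example", new()
    {
        Description = "example",
        DeletionWindowInDays = 7,
        EnableKeyRotation = true,
    });

    // Inbound-only inspection: ServerCertificates carries the ACM certificate
    // presented for ingress connections (example1 is defined outside this
    // snippet). No CertificateAuthorityArn is set, so outbound traffic is not
    // inspected.
    var exampleTlsInspectionConfiguration = new Aws.NetworkFirewall.TlsInspectionConfiguration("example", new()
    {
        Name = "example",
        Description = "example",
        EncryptionConfigurations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationEncryptionConfigurationArgs
            {
                KeyId = example.Arn,
                Type = "CUSTOMER_KMS",
            },
        },
        TlsInspectionConfig = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs
        {
            ServerCertificateConfiguration = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs
            {
                ServerCertificates = new[]
                {
                    new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs
                    {
                        ResourceArn = example1.Arn,
                    },
                },
                // TCP (6) to port 443 from any source port and any source
                // address to any destination address: every TLS connection on
                // 443 that crosses the firewall is decrypted. Narrow the
                // address definitions for real deployments.
                Scopes = new[]
                {
                    new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs
                    {
                        Protocols = new[]
                        {
                            6,
                        },
                        DestinationPorts = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs
                            {
                                FromPort = 443,
                                ToPort = 443,
                            },
                        },
                        Destinations = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs
                            {
                                AddressDefinition = "0.0.0.0/0",
                            },
                        },
                        SourcePorts = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs
                            {
                                FromPort = 0,
                                ToPort = 65535,
                            },
                        },
                        Sources = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs
                            {
                                AddressDefinition = "0.0.0.0/0",
                            },
                        },
                    },
                },
            },
        },
    });

});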
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.kms.Key;
import com.pulumi.aws.kms.KeyArgs;
import com.pulumi.aws.networkfirewall.TlsInspectionConfiguration;
import com.pulumi.aws.networkfirewall.TlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationEncryptionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

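public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares a customer-managed KMS key and an inbound-only TLS inspection
     * configuration encrypted with it (type CUSTOMER_KMS). serverCertificates
     * carries the ACM certificate presented for ingress connections (example1,
     * defined outside this snippet); no certificateAuthorityArn is set, so
     * outbound traffic is not inspected.
     */
    public static void stack(Context ctx) {
        // Rotation is enabled so the key material rotates automatically. The
        // key is created without an explicit policy; scope access yourself.
        var example = new Key("example", KeyArgs.builder()
            .description("example")
            .deletionWindowInDays(7)
            .enableKeyRotation(true)
            .build());

        // TCP (6) to port 443 from any source port and any source address to
        // any destination address: every TLS connection on 443 that crosses
        // the firewall is decrypted. Narrow the address definitions for real
        // deployments.
        var scope = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs.builder()
            .protocols(6)
            .destinationPorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs.builder()
                .fromPort(443)
                .toPort(443)
                .build())
            .destinations(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .sourcePorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs.builder()
                .fromPort(0)
                .toPort(65535)
                .build())
            .sources(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs.builder()
                .addressDefinition("0.0.0.0/0")
                .build())
            .build();

        var exampleTlsInspectionConfiguration = new TlsInspectionConfiguration("exampleTlsInspectionConfiguration", TlsInspectionConfigurationArgs.builder()
            .name("example")
            .description("example")
            .encryptionConfigurations(TlsInspectionConfigurationEncryptionConfigurationArgs.builder()
                .keyId(example.arn())
                .type("CUSTOMER_KMS")
                .build())
            .tlsInspectionConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationArgs.builder()
                .serverCertificateConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs.builder()
                    .serverCertificates(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs.builder()
                        .resourceArn(example1.arn())
                        .build())
                    .scopes(scope)
                    .build())
                .build())
            .build());
    }
}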
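resources:
  # Customer-managed KMS key referenced below as CUSTOMER_KMS. Rotation is
  # enabled so the key material rotates automatically; the key is created
  # without an explicit policy, so scope access to it yourself.
  example:
    type: aws:kms:Key
    properties:
      description: example
      deletionWindowInDays: 7
      enableKeyRotation: true
  exampleTlsInspectionConfiguration:
    type: aws:networkfirewall:TlsInspectionConfiguration
    name: example
    properties:
      name: example
      description: example
      encryptionConfigurations:
        - keyId: ${example.arn}
          type: CUSTOMER_KMS
      tlsInspectionConfiguration:
        serverCertificateConfiguration:
          # Inbound only: the ACM certificate presented for ingress connections
          # (example1 is defined outside this snippet). No certificateAuthorityArn
          # is set, so outbound traffic is not inspected.
          serverCertificates:
            - resourceArn: ${example1.arn}
          # TCP (6) to port 443 from any source to any destination: every TLS
          # connection on 443 that crosses the firewall is decrypted. Narrow
          # the address definitions for real deployments.
          scopes:
            - protocols:
                - 6
              destinationPorts:
                - fromPort: 443
                  toPort: 443
              destinations:
                - addressDefinition: 0.0.0.0/0
              sourcePorts:
                - fromPort: 0
                  toPort: 65535
              sources:
                - addressDefinition: 0.0.0.0/0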

The encryptionConfigurations block switches from AWS_OWNED_KMS_KEY to CUSTOMER_KMS, referencing your KMS key ARN. This gives you control over key rotation, access policies, and audit trails for the encryption keys protecting your inspection configuration. Note that the example creates the key with only a description and a seven-day deletion window: enable automatic rotation and set an explicit key policy before using it in production, otherwise that control is left at the defaults.

Inspect both inbound and outbound TLS traffic

Most deployments need to inspect traffic in both directions.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// TCP (6) to port 443 from any source port and any source address to any
// destination address: every TLS connection on 443 that crosses the firewall
// is decrypted. Narrow the address definitions for real deployments.
const inspectionScope = {
    protocols: [6],
    destinationPorts: [{ fromPort: 443, toPort: 443 }],
    destinations: [{ addressDefinition: "0.0.0.0/0" }],
    sourcePorts: [{ fromPort: 0, toPort: 65535 }],
    sources: [{ addressDefinition: "0.0.0.0/0" }],
};

// Revoked certificates are rejected; a certificate whose status cannot be
// determined is passed through (fail-open). Use "REJECT" for
// unknownStatusAction to fail closed.
const revocationCheck = {
    revokedStatusAction: "REJECT",
    unknownStatusAction: "PASS",
};

// Bidirectional inspection: certificateAuthorityArn (example1) issues
// certificates for outbound connections; serverCertificates (example2) is the
// ACM certificate presented for inbound ones. Both are defined elsewhere.
const example = new aws.networkfirewall.TlsInspectionConfiguration("example", {
    name: "example",
    description: "example",
    // AWS-owned key; use CUSTOMER_KMS with your own key ARN to control rotation and audit.
    encryptionConfigurations: [{ keyId: "AWS_OWNED_KMS_KEY", type: "AWS_OWNED_KMS_KEY" }],
    tlsInspectionConfiguration: {
        serverCertificateConfiguration: {
            certificateAuthorityArn: example1.arn,
            checkCertificateRevocationStatus: revocationCheck,
            serverCertificates: [{ resourceArn: example2.arn }],
            scopes: [inspectionScope],
        },
    },
});
import pulumi
import pulumi_aws as aws

# TCP (6) to port 443 from any source port and any source address to any
# destination address: every TLS connection on 443 that crosses the firewall
# is decrypted. Narrow the address definitions for real deployments.
inspection_scope = {
    "protocols": [6],
    "destination_ports": [{"from_port": 443, "to_port": 443}],
    "destinations": [{"address_definition": "0.0.0.0/0"}],
    "source_ports": [{"from_port": 0, "to_port": 65535}],
    "sources": [{"address_definition": "0.0.0.0/0"}],
}

# Revoked certificates are rejected; a certificate whose status cannot be
# determined is passed through (fail-open). Use "REJECT" for
# unknown_status_action to fail closed.
revocation_check = {
    "revoked_status_action": "REJECT",
    "unknown_status_action": "PASS",
}

# Bidirectional inspection: certificate_authority_arn (example1) issues
# certificates for outbound connections; server_certificates (example2) is the
# ACM certificate presented for inbound ones. Both are defined elsewhere.
example = aws.networkfirewall.TlsInspectionConfiguration(
    "example",
    name="example",
    description="example",
    # AWS-owned key; use CUSTOMER_KMS with your own key ARN to control rotation and audit.
    encryption_configurations=[{"key_id": "AWS_OWNED_KMS_KEY", "type": "AWS_OWNED_KMS_KEY"}],
    tls_inspection_configuration={
        "server_certificate_configuration": {
            "certificate_authority_arn": example1["arn"],
            "check_certificate_revocation_status": revocation_check,
            "server_certificates": [{"resource_arn": example2["arn"]}],
            "scopes": [inspection_scope],
        },
    },
)
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// Match TCP (protocol 6) to port 443 from any source port and any
		// source address to any destination address. Both address definitions
		// are 0.0.0.0/0, so every TLS connection on 443 that crosses the
		// firewall is decrypted; narrow them for real deployments.
		scope := &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs{
			Protocols: pulumi.IntArray{pulumi.Int(6)},
			DestinationPorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs{
					FromPort: pulumi.Int(443),
					ToPort:   pulumi.Int(443),
				},
			},
			Destinations: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs{
					AddressDefinition: pulumi.String("0.0.0.0/0"),
				},
			},
			SourcePorts: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs{
					FromPort: pulumi.Int(0),
					ToPort:   pulumi.Int(65535),
				},
			},
			Sources: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs{
					AddressDefinition: pulumi.String("0.0.0.0/0"),
				},
			},
		}

		// Revocation policy for outbound inspection: revoked certificates are
		// rejected, but a certificate whose status cannot be determined is
		// passed through (fail-open). Set UnknownStatusAction to "REJECT" to
		// fail closed instead.
		revocation := &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs{
			RevokedStatusAction: pulumi.String("REJECT"),
			UnknownStatusAction: pulumi.String("PASS"),
		}

		// Bidirectional: CertificateAuthorityArn (example1) issues certificates
		// for outbound connections, ServerCertificates (example2) is the ACM
		// certificate presented for inbound ones. Both are defined elsewhere.
		serverCerts := &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs{
			CertificateAuthorityArn:          pulumi.Any(example1.Arn),
			CheckCertificateRevocationStatus: revocation,
			ServerCertificates: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArray{
				&networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs{
					ResourceArn: pulumi.Any(example2.Arn),
				},
			},
			Scopes: networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArray{scope},
		}

		// The configuration is protected with an AWS-owned key; use
		// CUSTOMER_KMS with your own key ARN to control rotation and audit.
		_, err := networkfirewall.NewTlsInspectionConfiguration(ctx, "example", &networkfirewall.TlsInspectionConfigurationArgs{
			Name:        pulumi.String("example"),
			Description: pulumi.String("example"),
			EncryptionConfigurations: networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArray{
				&networkfirewall.TlsInspectionConfigurationEncryptionConfigurationArgs{
					KeyId: pulumi.String("AWS_OWNED_KMS_KEY"),
					Type:  pulumi.String("AWS_OWNED_KMS_KEY"),
				},
			},
			TlsInspectionConfiguration: &networkfirewall.TlsInspectionConfigurationTlsInspectionConfigurationArgs{
				ServerCertificateConfiguration: serverCerts,
			},
		})
		return err
	})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    // TCP (6) to port 443 from any source port and any source address to any
    // destination address: every TLS connection on 443 that crosses the
    // firewall is decrypted. Narrow the address definitions for real
    // deployments.
    var inspectionScope = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs
    {
        Protocols = new[] { 6 },
        DestinationPorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs { FromPort = 443, ToPort = 443 },
        },
        Destinations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs { AddressDefinition = "0.0.0.0/0" },
        },
        SourcePorts = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs { FromPort = 0, ToPort = 65535 },
        },
        Sources = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs { AddressDefinition = "0.0.0.0/0" },
        },
    };

    // Revoked certificates are rejected; a certificate whose status cannot be
    // determined is passed through (fail-open). Use "REJECT" for
    // UnknownStatusAction to fail closed.
    var revocationCheck = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs
    {
        RevokedStatusAction = "REJECT",
        UnknownStatusAction = "PASS",
    };

    // Bidirectional inspection: CertificateAuthorityArn (example1) issues
    // certificates for outbound connections; ServerCertificates (example2) is
    // the ACM certificate presented for inbound ones. Both are defined
    // outside this snippet.
    var example = new Aws.NetworkFirewall.TlsInspectionConfiguration("example", new()
    {
        Name = "example",
        Description = "example",
        // AWS-owned key; use CUSTOMER_KMS with your own key ARN to control rotation and audit.
        EncryptionConfigurations = new[]
        {
            new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationEncryptionConfigurationArgs
            {
                KeyId = "AWS_OWNED_KMS_KEY",
                Type = "AWS_OWNED_KMS_KEY",
            },
        },
        TlsInspectionConfig = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs
        {
            ServerCertificateConfiguration = new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs
            {
                CertificateAuthorityArn = example1.Arn,
                CheckCertificateRevocationStatus = revocationCheck,
                ServerCertificates = new[]
                {
                    new Aws.NetworkFirewall.Inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs { ResourceArn = example2.Arn },
                },
                Scopes = new[] { inspectionScope },
            },
        },
    });

});
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.TlsInspectionConfiguration;
import com.pulumi.aws.networkfirewall.TlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationEncryptionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs;
import com.pulumi.aws.networkfirewall.inputs.TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares one TLS inspection configuration that inspects both
     * directions: certificateAuthorityArn (example1) for outbound
     * connections and serverCertificates (example2) for inbound ones.
     * Both referenced resources are defined outside this snippet.
     *
     * NOTE(review): the *ServerCertificateArgs and *Scope*Args input
     * classes used below are not in this file's import list; add the
     * matching com.pulumi.aws.networkfirewall.inputs imports before
     * compiling.
     */
    public static void stack(Context ctx) {
        // Revoked certificates are rejected; a certificate whose status
        // cannot be determined is passed through (fail-open). Use "REJECT"
        // for unknownStatusAction to fail closed.
        var revocationCheck = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationCheckCertificateRevocationStatusArgs.builder()
            .revokedStatusAction("REJECT")
            .unknownStatusAction("PASS")
            .build();

        // TCP (6) to port 443 from any source port and any source address to
        // any destination address: every TLS connection on 443 that crosses
        // the firewall is decrypted. Narrow the address definitions for real
        // deployments.
        var scope = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeArgs.builder()
            .protocols(6)
            .destinationPorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationPortArgs.builder()
                .fromPort(443).toPort(443).build())
            .destinations(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeDestinationArgs.builder()
                .addressDefinition("0.0.0.0/0").build())
            .sourcePorts(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourcePortArgs.builder()
                .fromPort(0).toPort(65535).build())
            .sources(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationScopeSourceArgs.builder()
                .addressDefinition("0.0.0.0/0").build())
            .build();

        var serverCertificateConfiguration = TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationArgs.builder()
            .certificateAuthorityArn(example1.arn())
            .checkCertificateRevocationStatus(revocationCheck)
            .serverCertificates(TlsInspectionConfigurationTlsInspectionConfigurationServerCertificateConfigurationServerCertificateArgs.builder()
                .resourceArn(example2.arn()).build())
            .scopes(scope)
            .build();

        // AWS-owned key; use CUSTOMER_KMS with your own key ARN to control
        // rotation and audit.
        var example = new TlsInspectionConfiguration("example", TlsInspectionConfigurationArgs.builder()
            .name("example")
            .description("example")
            .encryptionConfigurations(TlsInspectionConfigurationEncryptionConfigurationArgs.builder()
                .keyId("AWS_OWNED_KMS_KEY")
                .type("AWS_OWNED_KMS_KEY")
                .build())
            .tlsInspectionConfiguration(TlsInspectionConfigurationTlsInspectionConfigurationArgs.builder()
                .serverCertificateConfiguration(serverCertificateConfiguration)
                .build())
            .build());
    }
}
resources:
  example:
    type: aws:networkfirewall:TlsInspectionConfiguration
    properties:
      name: example
      description: example
      # AWS-owned key; use CUSTOMER_KMS with your own key ARN to control
      # rotation and audit.
      encryptionConfigurations:
        - type: AWS_OWNED_KMS_KEY
          keyId: AWS_OWNED_KMS_KEY
      tlsInspectionConfiguration:
        serverCertificateConfiguration:
          # Outbound: certificates are issued from this CA (example1, defined
          # outside this snippet).
          certificateAuthorityArn: ${example1.arn}
          # Revoked certificates are rejected; a certificate whose status
          # cannot be determined is passed through (fail-open). Use REJECT
          # for unknownStatusAction to fail closed.
          checkCertificateRevocationStatus:
            unknownStatusAction: PASS
            revokedStatusAction: REJECT
          # Inbound: the ACM certificate presented for ingress connections
          # (example2, defined outside this snippet).
          serverCertificates:
            - resourceArn: ${example2.arn}
          # TCP (6) to port 443 from any source to any destination: every TLS
          # connection on 443 that crosses the firewall is decrypted. Narrow
          # the address definitions for real deployments.
          scopes:
            - protocols: [6]
              sources:
                - addressDefinition: 0.0.0.0/0
              sourcePorts:
                - fromPort: 0
                  toPort: 65535
              destinations:
                - addressDefinition: 0.0.0.0/0
              destinationPorts:
                - fromPort: 443
                  toPort: 443

A single inspection configuration can include both serverCertificates for inbound traffic and certificateAuthorityArn for outbound traffic. Network Firewall applies the appropriate inspection mode based on traffic direction: it uses your server certificates for connections arriving at your services and generates certificates from your CA for connections leaving your network. Because those outbound certificates are issued from your CA on the fly, clients behind the firewall must trust that CA. Note also that the example's checkCertificateRevocationStatus rejects revoked certificates but passes ones whose status cannot be determined (unknownStatusAction: PASS); change that to REJECT if your policy requires failing closed.

Beyond these examples

These snippets focus on specific TLS inspection features: inbound and outbound TLS inspection, certificate and certificate authority configuration, and customer-managed encryption keys. They’re intentionally minimal rather than full network security deployments.

The examples reference pre-existing infrastructure such as ACM certificates for inbound inspection, ACM Private CA for outbound inspection, and KMS keys for customer-managed encryption. They focus on configuring TLS inspection rather than provisioning certificates or network infrastructure.

To keep things focused, common inspection patterns are omitted, including:

  • Scope refinement (specific IP ranges, ports, protocols beyond HTTPS) — the examples use 0.0.0.0/0 for both sources and destinations, so every TLS connection on port 443 that crosses the firewall is decrypted
  • Certificate revocation handling variations
  • Integration with firewall policies and rule groups
  • Multi-region or cross-account certificate references

These omissions are intentional: the goal is to illustrate how TLS inspection is wired, not provide drop-in security modules. See the TLS Inspection Configuration resource reference for all available configuration options.


Frequently Asked Questions

Configuration Requirements
Do I need to configure both inbound and outbound inspection?
No. A configuration needs at least one direction — serverCertificates for inbound, certificateAuthorityArn for outbound — and may include both.
Can I inspect both inbound and outbound traffic in the same configuration?
Yes, configure both serverCertificates (for inbound) and certificateAuthorityArn (for outbound) in the same serverCertificateConfiguration block.
Inspection Directions
What's the difference between inbound and outbound inspection?
Inbound (ingress) inspection uses serverCertificates to inspect traffic coming into your resources. Outbound (egress) inspection uses certificateAuthorityArn to inspect traffic leaving your resources.
Certificates & Certificate Authorities
What certificate do I need for inbound inspection?
Configure serverCertificates with a resourceArn pointing to an AWS Certificate Manager (ACM) certificate.
What certificate do I need for outbound inspection?
Configure certificateAuthorityArn with the ARN of your ACM Private CA. Network Firewall uses that CA to generate the certificates it presents on the outbound connections it inspects, so clients behind the firewall must trust it.
Encryption & KMS
What encryption options are available?
You can use AWS_OWNED_KMS_KEY (AWS-managed) or CUSTOMER_KMS (your own KMS key). Set the type and keyId in encryptionConfigurations.
How do I use my own KMS key for encryption?
Set encryptionConfigurations with type: "CUSTOMER_KMS" and keyId pointing to your KMS key ARN.
Certificate Revocation
How do I configure certificate revocation checking?
Use checkCertificateRevocationStatus with revokedStatusAction (e.g., REJECT) and unknownStatusAction (e.g., PASS) in your outbound inspection configuration.
What happens when a certificate's revocation status is unknown?
The unknownStatusAction determines the behavior. The examples use PASS, which allows traffic when the revocation status cannot be determined — a fail-open choice. Use REJECT if your policy requires failing closed when revocation cannot be verified.
