This repository has been archived by the owner on Jun 28, 2023. It is now read-only.

Add docs for new security policy, TLSv1.2_2019
joshbean committed Jul 8, 2020
1 parent 8132dae commit e218f35
Showing 8 changed files with 78 additions and 80 deletions.
2 changes: 1 addition & 1 deletion doc_source/ChargesForHTTPSConnections.md
@@ -1,3 +1,3 @@
# Charges for HTTPS Connections<a name="ChargesForHTTPSConnections"></a>
# Charges for HTTPS connections<a name="ChargesForHTTPSConnections"></a>

You always incur a surcharge for HTTPS requests\. For more information, see [Amazon CloudFront Pricing](http://aws.amazon.com/cloudfront/pricing)\.
2 changes: 1 addition & 1 deletion doc_source/RequestAndResponseBehaviorCustomOrigin.md
@@ -107,7 +107,7 @@ If the origin is an Amazon S3 bucket, CloudFront always uses TLSv1\.2\.
**Important**
Other versions of SSL and TLS are not supported\.

For more information about using HTTPS with CloudFront, see [Using HTTPS with CloudFront](using-https.md)\. For lists of the ciphers that CloudFront supports for HTTPS communication between viewers and CloudFront, and between CloudFront and your origin, see [Supported SSL/TLS Protocols and Ciphers for Communication Between Viewers and CloudFront](secure-connections-supported-viewer-protocols-ciphers.md#secure-connections-supported-ciphers)\.
For more information about using HTTPS with CloudFront, see [Using HTTPS with CloudFront](using-https.md)\. For lists of the ciphers that CloudFront supports for HTTPS communication between viewers and CloudFront, and between CloudFront and your origin, see [Supported SSL/TLS protocols and ciphers for communication between viewers and CloudFront](secure-connections-supported-viewer-protocols-ciphers.md#secure-connections-supported-ciphers)\.

### GET Requests That Include a Body<a name="RequestCustom-get-body"></a>

1 change: 1 addition & 0 deletions doc_source/WhatsNew.md
@@ -7,6 +7,7 @@ The following entries describe important changes made to the CloudFront document

| Change | Description | Date Changed |
| --- | --- | --- |
| New security policy | CloudFront now supports a new security policy, **TLSv1\.2\_2019**, with a smaller set of supported ciphers\. For more information, see [Supported SSL/TLS protocols and ciphers for communication between viewers and CloudFront](secure-connections-supported-viewer-protocols-ciphers.md#secure-connections-supported-ciphers)\. | July 8, 2020 |
| New settings to control origin timeouts and attempts | CloudFront added new settings that control origin timeouts and attempts\. For more information, see [Controlling Origin Timeouts and Attempts](high_availability_origin_failover.md#controlling-attempts-and-timeouts)\. | June 5, 2020 |
| New documentation for getting started with CloudFront by creating a secure static website | Get started with CloudFront by creating a secure static website using Amazon S3, CloudFront, Lambda@Edge, and more, all deployed with AWS CloudFormation\. For more information, see [Getting Started with a Secure Static Website](getting-started-secure-static-website-cloudformation-template.md)\. | June 2, 2020 |
| Lambda@Edge supports newer runtime versions | Lambda@Edge now supports Lambda functions with the Node\.js 12 and Python 3\.8 runtimes\. For more information, see [Lambda Function Supported Runtimes and Configuration](lambda-requirements-limits.md#lambda-requirements-lambda-function-configuration)\. | February 27, 2020 |
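Review bot: The new WhatsNew row describes TLSv1.2_2019 only as having "a smaller set of supported ciphers", which does not tell a reader what changes for their viewers. The Security Policy section in distribution-web-values-specify.md (also touched in this commit) defines a security policy as a minimum SSL/TLS protocol plus a cipher list, so suggest stating the minimum protocol in this entry as well, and noting that viewers relying on a cipher dropped by the new policy will no longer be able to connect, before the link to the cipher table.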
17 changes: 8 additions & 9 deletions doc_source/distribution-web-values-specify.md
@@ -653,7 +653,7 @@ For more information, see [Choosing How CloudFront Serves HTTPS Requests](cnames

### Security Policy<a name="DownloadDistValues-security-policy"></a>

Specify the security policy that you want CloudFront to use for HTTPS connections with viewers \(clients\)\. A security policy determines two settings:
Specify the security policy that you want CloudFront to use for HTTPS connections with viewers \(clients\)\. A security policy determines two settings:
+ The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers\.
+ The ciphers that CloudFront can use to encrypt the content that it returns to viewers\.

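Review bot: The removed and added line 653 read identically, so this hunk appears to be a whitespace-only change (trailing space or line ending). It is harmless, but it adds noise to a docs diff; either mention it in the commit message or drop it if it was unintended.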
@@ -662,22 +662,21 @@ For more information about the security policies, including the protocols and ci
The security policies that are available depend on the values that you specify for **SSL Certificate** and **Custom SSL Client Support** \(known as `CloudFrontDefaultCertificate` and `SSLSupportMethod` in the CloudFront API\):
+ When **SSL Certificate** is **Default CloudFront Certificate \(\*\.cloudfront\.net\)** \(when `CloudFrontDefaultCertificate` is `true` in the API\), CloudFront automatically sets the security policy to TLSv1\.
+ When **SSL Certificate** is **Custom SSL Certificate \(example\.com\)** *and* **Custom SSL Client Support** is **Clients that Support Server Name Indication \(SNI\) \- \(Recommended\)** \(when `CloudFrontDefaultCertificate` is `false` *and* `SSLSupportMethod` is `sni-only` in the API\), you can choose from the following security policies:
+ TLSv1
+ TLSv1\_2016
+ TLSv1\.1\_2016
+ TLSv1\.2\_2019
+ TLSv1\.2\_2018

We recommend that you choose TLSv1\.2\_2018 unless your viewers are using browsers or devices that don’t support TLSv1\.2\.
+ TLSv1\.1\_2016
+ TLSv1\_2016
+ TLSv1
+ When **SSL Certificate** is **Custom SSL Certificate \(example\.com\)** *and* **Custom SSL Client Support** is **Legacy Clients Support** \(when `CloudFrontDefaultCertificate` is `false` *and* `SSLSupportMethod` is `vip` in the API\), you can choose from the following security policies:
+ TLSv1
+ SSLv3

We recommend that you choose TLSv1\. In this configuration, the TLSv1\_2016, TLSv1\.1\_2016, and TLSv1\.2\_2018 security policies aren’t available in the CloudFront console or API\. If you want to use one of these security policies, you have the following options:
In this configuration, the TLSv1\.2\_2019, TLSv1\.2\_2018, TLSv1\.1\_2016, and TLSv1\_2016 security policies aren’t available in the CloudFront console or API\. If you want to use one of these security policies, you have the following options:
+ Evaluate whether your distribution needs Legacy Clients Support with dedicated IP addresses\. If your viewers support [server name indication \(SNI\)](https://en.wikipedia.org/wiki/Server_Name_Indication), we recommend that you update your distribution’s **Custom SSL Client Support** setting to **Clients that Support Server Name Indication \(SNI\)** \(set `SSLSupportMethod` to `sni-only` in the API\)\. This enables you to use any of the available TLS security policies, and it can also reduce your CloudFront charges\.
+ If you must keep Legacy Clients Support with dedicated IP addresses, you can request one of the other TLS security policies \(TLSv1\_2016, TLSv1\.1\_2016, or TLSv1\.2\_2018\) by creating a case in the [AWS Support Center](https://console.aws.amazon.com/support/home)\.
+ If you must keep Legacy Clients Support with dedicated IP addresses, you can request one of the other TLS security policies \(TLSv1\.2\_2019, TLSv1\.2\_2018, TLSv1\.1\_2016, or TLSv1\_2016\) by creating a case in the [AWS Support Center](https://console.aws.amazon.com/support/home)\.
**Note**
Before you contact AWS Support to request this change, consider the following:
When you add one of these security policies \(TLSv1\_2016, TLSv1\.1\_2016, or TLSv1\.2\_2018\) to a Legacy Clients Support distribution, the security policy is applied to *all* non\-SNI viewer requests for *all* Legacy Clients Support distributions in your AWS account\. However, when viewers send SNI requests to a distribution with Legacy Clients Support, the security policy of that distribution applies\. To make sure that your desired security policy is applied to *all* viewer requests sent to *all* Legacy Clients Support distributions in your AWS account, add the desired security policy to each distribution individually\.
When you add one of these security policies \(TLSv1\.2\_2019, TLSv1\.2\_2018, TLSv1\.1\_2016, or TLSv1\_2016\) to a Legacy Clients Support distribution, the security policy is applied to *all* non\-SNI viewer requests for *all* Legacy Clients Support distributions in your AWS account\. However, when viewers send SNI requests to a distribution with Legacy Clients Support, the security policy of that distribution applies\. To make sure that your desired security policy is applied to *all* viewer requests sent to *all* Legacy Clients Support distributions in your AWS account, add the desired security policy to each distribution individually\.
By definition, the new security policy doesn’t support the same ciphers and protocols as the old one\. For example, if you chose to upgrade a distribution’s security policy from TLSv1 to TLSv1\.1\_2016, that distribution will no longer support the DES\-CBC3\-SHA cipher\. For more information about the ciphers and protocols that each security policy supports, see [Supported Protocols and Ciphers Between Viewers and CloudFront](secure-connections-supported-viewer-protocols-ciphers.md#secure-connections-supported-ciphers)\.

### Supported HTTP Versions<a name="DownloadDistValuesSupportedHTTPVersions"></a>
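Review bot: Deleting both recommendation sentences ("We recommend that you choose TLSv1\.2\_2018 unless your viewers are using browsers or devices that don't support TLSv1\.2\." and "We recommend that you choose TLSv1\.") leaves the Security Policy section with no guidance at all, even though the list is reordered to put TLSv1\.2\_2019 first. Suggest restoring a recommendation that names TLSv1\.2\_2019 and keeps the qualifier about viewers that do not support TLSv1\.2, since the Note below explains that a stricter policy drops ciphers (the DES\-CBC3\-SHA example) and readers need that trade-off stated where they choose the policy. Separately, the link text "Supported Protocols and Ciphers Between Viewers and CloudFront" in the Note's last paragraph is not updated to the sentence-case "Supported SSL/TLS protocols and ciphers for communication between viewers and CloudFront" that this commit uses for the same anchor in RequestAndResponseBehaviorCustomOrigin.md and WhatsNew.md.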
4 changes: 2 additions & 2 deletions doc_source/index.md
@@ -55,8 +55,8 @@ Amazon's trademarks and trade dress may not be used in
+ [Requiring HTTPS for Communication Between Viewers and CloudFront](using-https-viewers-to-cloudfront.md)
+ [Requiring HTTPS for Communication Between CloudFront and Your Custom Origin](using-https-cloudfront-to-custom-origin.md)
+ [Requiring HTTPS for Communication Between CloudFront and Your Amazon S3 Origin](using-https-cloudfront-to-s3-origin.md)
+ [Supported Protocols and Ciphers](secure-connections-supported-viewer-protocols-ciphers.md)
+ [Charges for HTTPS Connections](ChargesForHTTPSConnections.md)
+ [Supported protocols and ciphers](secure-connections-supported-viewer-protocols-ciphers.md)
+ [Charges for HTTPS connections](ChargesForHTTPSConnections.md)
+ [Using Alternate Domain Names and HTTPS](using-https-alternate-domain-names.md)
+ [Choosing How CloudFront Serves HTTPS Requests](cnames-https-dedicated-ip-or-sni.md)
+ [Requirements for Using SSL/TLS Certificates with CloudFront](cnames-and-https-requirements.md)
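Review bot: Only two of the index entries are changed to sentence case ("Supported protocols and ciphers", "Charges for HTTPS connections") while the neighbouring entries ("Requiring HTTPS for Communication Between Viewers and CloudFront", "Using Alternate Domain Names and HTTPS", "Choosing How CloudFront Serves HTTPS Requests") stay in title case, so the table of contents now mixes the two styles. If this is the start of a deliberate migration to sentence case, say so in the commit message; otherwise keep these two entries in title case until the rest of the index is converted in one pass.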