Replace compromised credentials for an AWS Site-to-Site VPN connection

If you believe that the tunnel credentials for your Site-to-Site VPN connection have been compromised, you can change the IKE pre-shared key or change the ACM certificate. The method you use depends on the authentication option you used for your VPN tunnels. For more information, see AWS Site-to-Site VPN tunnel authentication options.

To change the IKE pre-shared key

You can modify the tunnel options for the VPN connection and specify a new IKE pre-shared key for each tunnel. For more information, see Modify AWS Site-to-Site VPN tunnel options.

Alternatively, you can delete the VPN connection. For more information, see Delete a VPN connection and gateway. You don't need to delete the VPC or the virtual private gateway. Then, create a new VPN connection using the same virtual private gateway, and configure the new keys on your customer gateway device. You can specify your own pre-shared keys for the tunnels or let AWS generate new pre-shared keys for you. For more information, see Create a VPN connection. The tunnel's inside and outside addresses might change when you recreate the VPN connection.
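The following script is an added example, not part of the AWS documentation, showing the first option above (modifying the tunnel options in place) with the AWS CLI's `aws ec2 modify-vpn-tunnel-options` command. It generates a replacement pre-shared key that meets the constraints AWS documents for IKE pre-shared keys (8 to 64 characters, only letters, digits, periods and underscores, and not starting with a zero), validates it, and applies it to each tunnel identified by its outside IP address. The VPN connection ID `vpn-EXAMPLE` and the outside addresses `203.0.113.10` and `203.0.113.11` are constructed placeholders; `DRY_RUN` and the helper function names are this example's own, and the script assumes the AWS CLI is installed and credentialed with the permission to modify VPN tunnel options.

```shell
#!/bin/sh
# Added example (not AWS's code): rotate the IKE pre-shared key on each tunnel
# of a Site-to-Site VPN connection after a suspected compromise.
# Assumes: AWS CLI present and authorized; IDs/IPs below are placeholders.

# Generate a pre-shared key satisfying AWS's documented constraints:
# 8-64 characters, only [A-Za-z0-9._], must not start with "0".
# $1 = desired length (default 32).
gen_psk() {
  len=${1:-32}
  # First character is a letter so the key can never begin with a zero;
  # the remainder is drawn from /dev/urandom restricted to alphanumerics.
  first=$(LC_ALL=C tr -dc 'A-Za-z' </dev/urandom | head -c 1)
  rest=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$((len - 1))")
  printf '%s%s\n' "$first" "$rest"
}

# Return 0 if the key is acceptable to AWS, 1 otherwise. Use this when an
# operator supplies their own key instead of calling gen_psk.
validate_psk() {
  key=$1
  n=${#key}
  [ "$n" -ge 8 ] && [ "$n" -le 64 ] || return 1
  case $key in
    0*) return 1 ;;                  # must not start with zero
    *[!A-Za-z0-9._]*) return 1 ;;    # only letters, digits, period, underscore
  esac
  return 0
}

# Build the CLI command for one tunnel as a string, so it can be reviewed
# or logged before anything is changed. Does not execute it.
build_modify_cmd() {
  vpn_id=$1; outside_ip=$2; psk=$3
  printf 'aws ec2 modify-vpn-tunnel-options --vpn-connection-id %s --vpn-tunnel-outside-ip-address %s --tunnel-options PreSharedKey=%s\n' \
    "$vpn_id" "$outside_ip" "$psk"
}

# Rotate every tunnel listed after the VPN connection ID.
# $1 = VPN connection ID, $2.. = tunnel outside IP addresses.
# With DRY_RUN=1 (the default) the command is only printed; set DRY_RUN=0
# to apply. Each new key is printed so it can be configured on the
# customer gateway device, which must use the same key.
rotate_vpn_psks() {
  vpn_id=$1; shift
  for ip in "$@"; do
    psk=$(gen_psk 32)
    validate_psk "$psk" || { echo "generated key failed validation" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "DRY RUN: $(build_modify_cmd "$vpn_id" "$ip" "$psk")"
    else
      aws ec2 modify-vpn-tunnel-options \
        --vpn-connection-id "$vpn_id" \
        --vpn-tunnel-outside-ip-address "$ip" \
        --tunnel-options "PreSharedKey=$psk" >/dev/null || return 1
    fi
    echo "tunnel $ip new PSK: $psk"
  done
}

# Usage (placeholders): DRY_RUN=0 rotate_vpn_psks vpn-EXAMPLE 203.0.113.10 203.0.113.11
```

Run it once per tunnel outside address, then immediately configure the printed key on the customer gateway device; the old key stops working as soon as the modification takes effect, and the tunnel stays down until both sides agree. Handle the printed keys as secrets (do not leave them in shell history or logs), and keep the dry-run default until the command string has been reviewed.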

To change the certificate for the AWS side of the tunnel endpoint

Rotate the certificate. For more information, see Rotate VPN tunnel endpoint certificates.

To change the certificate on the customer gateway device
  1. Create a new certificate. For more information, see Issuing and managing certificates in the AWS Certificate Manager User Guide.

  2. Add the certificate to the customer gateway device.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.