Replace compromised credentials for your Site-to-Site VPN connection - AWS Site-to-Site VPN

If you believe that the tunnel credentials for your Site-to-Site VPN connection have been compromised, you can change the IKE pre-shared key or change the ACM certificate. The method you use depends on the authentication option you used for your VPN tunnels. For more information, see Site-to-Site VPN tunnel authentication options.

To change the IKE pre-shared key

You can modify the tunnel options for the VPN connection and specify a new IKE pre-shared key for each tunnel. For more information, see Modify Site-to-Site VPN tunnel options.

Alternatively, you can delete the VPN connection and then create a new one using the same virtual private gateway; you don't need to delete the VPC or the virtual private gateway. For more information, see Delete a VPN connection and Create a VPN connection. You can specify your own pre-shared keys for the tunnels or let AWS generate new pre-shared keys for you, and you must configure the new keys on your customer gateway device. Note that the tunnels' inside and outside addresses might change when you recreate the VPN connection.
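As an added example (not code from the AWS documentation), the following script carries out the first method above with the AWS CLI: it lists the outside IP address of each tunnel on a connection, generates a pre-shared key that satisfies the documented key constraints, and applies it with modify-vpn-tunnel-options, one tunnel at a time. It assumes the AWS CLI is installed and configured with ec2:DescribeVpnConnections and ec2:ModifyVpnTunnelOptions permissions; the KEY_OUT path and the DRY_RUN switch are conventions of this script, not of the CLI.

```shell
#!/bin/sh
# Added example, not code from the AWS documentation: rotate the IKE pre-shared
# key on every tunnel of one Site-to-Site VPN connection with the AWS CLI.
# Assumes the AWS CLI is configured with ec2:DescribeVpnConnections and
# ec2:ModifyVpnTunnelOptions permissions. New keys are appended to KEY_OUT
# (default ./new-psks.txt, created mode 0600) so they can be configured on the
# customer gateway device; a tunnel stays down until that side has the new key.
set -eu
KEY_OUT=${KEY_OUT:-./new-psks.txt}

# AWS accepts pre-shared keys of 8 to 64 characters from [A-Za-z0-9._] that do
# not start with "0"; gen_psk draws a 32-character key from /dev/urandom.
gen_psk() {
  first=$(LC_ALL=C tr -dc 'A-Za-z1-9' </dev/urandom | head -c 1)
  rest=$(LC_ALL=C tr -dc 'A-Za-z0-9._' </dev/urandom | head -c 31)
  printf '%s%s' "$first" "$rest"
}

# Returns 0 when $1 meets the constraints above (checked before any API call).
psk_is_valid() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$'
}

# $1 = VPN connection ID, $2 = tunnel outside IP address, $3 = new key.
# With DRY_RUN=1 the command is printed (key redacted) instead of executed.
rotate_tunnel_psk() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'aws ec2 modify-vpn-tunnel-options --vpn-connection-id %s --vpn-tunnel-outside-ip-address %s --tunnel-options PreSharedKey=<redacted>\n' "$1" "$2"
    return 0
  fi
  aws ec2 modify-vpn-tunnel-options --vpn-connection-id "$1" \
    --vpn-tunnel-outside-ip-address "$2" --tunnel-options "PreSharedKey=$3" >/dev/null
}

# Re-keys the tunnels of connection $1 one after the other, so the other
# tunnel can keep carrying traffic while one is being modified.
rotate_connection_psks() {
  umask 077
  for ip in $(aws ec2 describe-vpn-connections --vpn-connection-ids "$1" \
      --query 'VpnConnections[0].Options.TunnelOptions[].OutsideIpAddress' --output text); do
    key=$(gen_psk)
    psk_is_valid "$key" || { echo "generated key rejected" >&2; return 1; }
    rotate_tunnel_psk "$1" "$ip" "$key"
    printf '%s %s\n' "$ip" "$key" >>"$KEY_OUT"
    echo "rotated pre-shared key for tunnel $ip of $1; key written to $KEY_OUT"
  done
}

if [ "$#" -gt 0 ]; then rotate_connection_psks "$1"; fi
```

Run it as `sh rotate-psk.sh vpn-xxxxxxxxxxxxxxxxx`, then load the keys from KEY_OUT into the customer gateway device and delete the file.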

To change the certificate for the AWS side of the tunnel endpoint

Rotate the certificate. For more information, see Rotate VPN tunnel endpoint certificates.

To change the certificate on the customer gateway device

  1. Create a new certificate. For more information, see Issuing and managing certificates in the AWS Certificate Manager User Guide.

  2. Add the certificate to the customer gateway device.