The CloudFront has an insecure protocol version

ID

aws_cloudfront_minimum_protocol

Severity

high

Vendor

AWS

Resource

Network

Tags

asvs50-v13.1.1, reachable

Description

The CloudFront distribution is configured with an insecure minimum viewer protocol version. The minimum protocol version considered secure is TLS 1.2.

To fix it, set viewer_certificate.minimum_protocol_version to a security policy that enforces TLS 1.2 or newer.

Learn more about this topic at AWS CloudFront secure connections.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create distribution
      community.aws.cloudfront_distribution:
        state: present
        default_origin_domain_name: www.my-cloudfront-origin.com
        tags:
          Name: example distribution
          Project: example project
          Priority: '1'
        viewer_certificate:
          # TLS 1.1 as the minimum lets viewers negotiate a deprecated protocol;
          # TLSv1.1_2016 is the CloudFront policy name for that minimum
          minimum_protocol_version: TLSv1.1_2016

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create distribution
      community.aws.cloudfront_distribution:
        state: present
        default_origin_domain_name: www.my-cloudfront-origin.com
        tags:
          Name: example distribution
          Project: example project
          Priority: '1'
        viewer_certificate:
          # a custom certificate is required: with the default CloudFront certificate
          # AWS resets the security policy to TLSv1 regardless of the value set here
          acm_certificate_arn: arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-CERT-ID
          ssl_support_method: sni-only
          # the TLSv1.2_2021 policy rejects every viewer connection below TLS 1.2
          minimum_protocol_version: TLSv1.2_2021
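A detection check for this rule, added here as an example that is not part of the original page or of the Ansible module: it walks a parsed playbook and reports cloudfront_distribution tasks whose minimum_protocol_version is below TLS 1.2 or not set at all. The sample playbook is constructed from the two tasks above, and check_playbook_text assumes PyYAML is installed.

```python
import re

# Ansible module names (FQCN and short form) that manage CloudFront distributions.
CLOUDFRONT_MODULES = {"community.aws.cloudfront_distribution", "cloudfront_distribution"}
# Matches AWS MinimumProtocolVersion policy names (TLSv1, TLSv1_2016, TLSv1.1_2016,
# TLSv1.2_2021, ...); SSLv3 deliberately does not match and so counts as insecure.
_TLS_POLICY_RE = re.compile(r"^TLSv(\d+)(?:\.(\d+))?(?:_\d{4})?$")
MINIMUM_SECURE_TLS = (1, 2)


def tls_version_tuple(policy):
    """Return (major, minor) for a TLS policy name, or None for SSLv3 / unknown values."""
    match = _TLS_POLICY_RE.match(str(policy))
    return (int(match.group(1)), int(match.group(2) or 0)) if match else None


def is_secure_minimum_protocol(policy):
    """True when the policy enforces TLS 1.2 or newer as the minimum viewer protocol."""
    version = tls_version_tuple(policy)
    return version is not None and version >= MINIMUM_SECURE_TLS


def find_insecure_cloudfront_tasks(playbook):
    """Return (task name, policy, reason) for every distribution task failing the rule."""
    findings = []
    for play in playbook:
        for task in play.get("tasks") or []:
            module = next((m for m in CLOUDFRONT_MODULES if m in task), None)
            if module is None:
                continue
            cert = (task[module] or {}).get("viewer_certificate") or {}
            policy = cert.get("minimum_protocol_version")
            if policy is None:
                # No explicit policy: with the default CloudFront certificate AWS applies TLSv1.
                findings.append((task.get("name"), None, "minimum_protocol_version not set"))
            elif not is_secure_minimum_protocol(policy):
                findings.append((task.get("name"), policy, "minimum protocol below TLS 1.2"))
    return findings


def check_playbook_text(text):
    """Parse playbook YAML (needs PyYAML) and run the rule over it."""
    import yaml  # local import so the dict-based functions work without PyYAML
    return find_insecure_cloudfront_tasks(yaml.safe_load(text))


# Constructed sample: the page's insecure and fixed tasks plus one with no policy at all.
SAMPLE_PLAYBOOK = [{"name": "Example playbook", "hosts": "localhost", "tasks": [
    {"name": "insecure", "community.aws.cloudfront_distribution": {
        "viewer_certificate": {"minimum_protocol_version": "TLSv1.1_2016"}}},
    {"name": "fixed", "community.aws.cloudfront_distribution": {
        "viewer_certificate": {"minimum_protocol_version": "TLSv1.2_2021"}}},
    {"name": "unset", "cloudfront_distribution": {"state": "present"}},
]}]
```

Running check_playbook_text on the contents of a playbook file returns the same findings as find_insecure_cloudfront_tasks(SAMPLE_PLAYBOOK) does for the embedded sample: the "insecure" and "unset" tasks, but not the fixed one.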