Verify CloudFront Distribution Viewer Certificate is using TLS v1.2
ID | cloudfront_tls_version |
Severity | high |
Vendor | AWS |
Resource | CloudFront |
Tags | reachable |
Description
AWS CloudFront is a web service that speeds up distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you’re serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.
AWS CloudFront web distributions should set ViewerCertificate/MinimumProtocolVersion to a secure security policy (TLSv1.2_2018 or later) so that HTTPS connections between viewers and CloudFront cannot negotiate older TLS versions.
Examples
CloudFormation
{
  "Resources": {
    "cloudfrontdistribution": { (1)
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true
        }
      }
    }
  }
}
1 | Missing ViewerCertificate/MinimumProtocolVersion property means that an insecure TLS version is used. |
Resources:
  cloudfrontdistribution: (1)
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
1 | Missing ViewerCertificate/MinimumProtocolVersion property means that an insecure TLS version is used. |
Mitigation / Fix
Buildtime
CloudFormation
{
  "Resources": {
    "cloudfrontdistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "ViewerCertificate": {
            "AcmCertificateArn": "cert-test",
            "MinimumProtocolVersion": "TLSv1.2_2018", (1)
            "SslSupportMethod": "sni-only"
          }
        }
      }
    }
  }
}
1 | MinimumProtocolVersion is set to a secure TLS version. |
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        ViewerCertificate:
          AcmCertificateArn: "cert-test"
          MinimumProtocolVersion: TLSv1.2_2018 (1)
          SslSupportMethod: sni-only
1 | MinimumProtocolVersion is set to a secure TLS version. |
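The following is an added example, not part of this rule page or of the scanner that publishes it: a small template check that applies the rule above to every AWS::CloudFront::Distribution in a parsed CloudFormation template. It flags the cases the examples show (no ViewerCertificate, or a MinimumProtocolVersion below TLSv1.2_2018) and one further case the fix relies on: when CloudFrontDefaultCertificate is true, CloudFront applies the TLSv1 policy regardless of MinimumProtocolVersion, which is why the fix uses an ACM certificate. The set of accepted policy names, the sample template and the "cert-test" ARN are constructed for the example; YAML templates with !Ref-style tags would need a CloudFormation-aware loader, which is not shown.

```python
"""Check parsed CloudFormation templates for CloudFront distributions whose
viewer TLS policy is below TLSv1.2_2018 (added example, not the rule page's code)."""
import json
from typing import Dict, List, Tuple

# CloudFront viewer security policies that satisfy the rule (TLSv1.2_2018 or later).
SECURE_MIN_PROTOCOL_VERSIONS = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}

Finding = Tuple[str, bool, str]  # (logical id, compliant?, reason)


def check_distribution(logical_id: str, resource: Dict) -> Finding:
    """Return a finding for one AWS::CloudFront::Distribution resource."""
    props = resource.get("Properties") or {}
    config = props.get("DistributionConfig") or {}
    cert = config.get("ViewerCertificate")
    if not isinstance(cert, dict):
        return (logical_id, False,
                "ViewerCertificate is missing, so no MinimumProtocolVersion is enforced")
    # With the default *.cloudfront.net certificate CloudFront pins the security
    # policy to TLSv1 whatever MinimumProtocolVersion says, so this can never pass.
    if cert.get("CloudFrontDefaultCertificate") is True:
        return (logical_id, False,
                "CloudFrontDefaultCertificate: true forces the TLSv1 policy; "
                "use an ACM or IAM certificate with MinimumProtocolVersion >= TLSv1.2_2018")
    version = cert.get("MinimumProtocolVersion")
    if version is None:
        return (logical_id, False, "MinimumProtocolVersion is missing")
    if version in SECURE_MIN_PROTOCOL_VERSIONS:
        return (logical_id, True, f"MinimumProtocolVersion={version}")
    return (logical_id, False,
            f"MinimumProtocolVersion={version} is below TLSv1.2_2018")


def scan_template(template: Dict) -> List[Finding]:
    """Check every CloudFront distribution in an already-parsed template dict."""
    return [
        check_distribution(logical_id, resource)
        for logical_id, resource in (template.get("Resources") or {}).items()
        if isinstance(resource, dict)
        and resource.get("Type") == "AWS::CloudFront::Distribution"
    ]


def noncompliant_ids(template: Dict) -> List[str]:
    """Logical ids of distributions that fail the rule, in template order."""
    return [lid for lid, ok, _ in scan_template(template) if not ok]


# Constructed sample template: one distribution per case the rule cares about,
# plus an unrelated resource that must be ignored.
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "NoViewerCert": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {"DistributionConfig": {"Enabled": true}}
    },
    "DefaultCert": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {"DistributionConfig": {"Enabled": true,
        "ViewerCertificate": {"CloudFrontDefaultCertificate": true,
                              "MinimumProtocolVersion": "TLSv1.2_2021"}}}
    },
    "LegacyPolicy": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {"DistributionConfig": {"Enabled": true,
        "ViewerCertificate": {"AcmCertificateArn": "cert-test",
                              "MinimumProtocolVersion": "TLSv1_2016",
                              "SslSupportMethod": "sni-only"}}}
    },
    "Fixed": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {"DistributionConfig": {"Enabled": true,
        "ViewerCertificate": {"AcmCertificateArn": "cert-test",
                              "MinimumProtocolVersion": "TLSv1.2_2018",
                              "SslSupportMethod": "sni-only"}}}
    },
    "Bucket": {"Type": "AWS::S3::Bucket"}
  }
}
""")


if __name__ == "__main__":
    for logical_id, ok, reason in scan_template(SAMPLE_TEMPLATE):
        print(f"{'PASS' if ok else 'FAIL'}  {logical_id}: {reason}")
```

Running the script reports three failing distributions (NoViewerCert, DefaultCert, LegacyPolicy) and one passing one (Fixed). The CloudFrontDefaultCertificate branch is deliberately checked before MinimumProtocolVersion: a template can state TLSv1.2_2021 there and still serve TLSv1 in practice, so a check that only reads the version string would miss it.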