CloudFront distribution custom origin does not use secure TLS protocol version (1.2 and above) Affecting CloudFront service in AWS
Severity Framework
Snyk CCSS
Rule category
Data / Encryption Protocols
Is your enviroment affected by this misconfiguration?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsFrameworks
AWS-Well-Architected
CSA-CCM
ISO-27001
NIST-800-53
PCI-DSS
SOC-2
- Snyk ID SNYK-CC-00203
- credit Snyk Research Team
Description
Encryption should be set with the latest version of TLS where possible. Versions prior to TLS 1.2 are deprecated and usage may pose security risks.
How to fix?
Set the origin.custom_origin_config.origin_ssl_protocols attribute to include only TLSv1.2 or later.
Invalid values:
SSLv2SSLv3TLSv1TLSv1.1
Example Configuration
resource "aws_cloudfront_distribution" "distro" {
origin {
domain_name = "example.com"
origin_id = "${local.origin_id}"
custom_origin_config {
http_port = "80"
https_port = "443"
origin_ssl_protocols = ["TLSv1.2"]
origin_protocol_policy = "https-only"
}
}
enabled = true
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}
viewer_certificate {
cloudfront_default_certificate = true
}
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "${local.origin_id}"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "redirect-to-https"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
}