CloudFront distribution custom origin does not use secure TLS protocol version (1.2 and above) Affecting CloudFront service in AWS

Snyk CCSS

Data/ Encryption Protocols

Is your environment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Frameworks

AWS-Well-ArchitectedCSA-CCMISO-27001NIST-800-53PCI-DSSSOC-2

Snyk IDSNYK-CC-00203
creditSnyk Research Team

Report a new misconfiguration Found a mistake?

Description

Encryption should be set with the latest version of TLS where possible. Versions prior to TLS 1.2 are deprecated and usage may pose security risks.

How to fix?

Set the origin.custom_origin_config.origin_ssl_protocols attribute to include only TLSv1.2 or later.

Invalid values:

SSLv2
SSLv3
TLSv1
TLSv1.1

Example Configuration

resource "aws_cloudfront_distribution" "distro" {
  origin {
    domain_name = "example.com"
    origin_id   = "${local.origin_id}"

    custom_origin_config {
      http_port = "80"
      https_port = "443"
      origin_ssl_protocols = ["TLSv1.2"]
      origin_protocol_policy = "https-only"
    }
  }

  enabled = true
  
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${local.origin_id}"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }
}

Terraform

Resource: aws_cloudfront_distribution

References

Values that you specify when you create or update a distribution