CloudFront distribution viewer certificate does not enforce latest TLS/SSL policy Affecting CloudFront service in AWS


Severity

0.0
medium
0
10
    Severity Framework
    Snyk CCSS
    Rule category
    Keys and Secrets / Access

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    AWS-Well-Architected CIS-Controls CSA-CCM ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00209
  • credit Snyk Research Team

Description

Encryption should be set with the latest version of TLS where possible. Versions prior to TLS 1.2 are deprecated and usage may pose security risks.

How to fix?

Set viewer_certificate.minimum_protocol_version attribute to TLSv1.2_2018 or later.

Invalid values:

  • SSLv3
  • TLSv1
  • TLSv1_2016
  • TLSv1.1_2016

Example Configuration

resource "aws_cloudfront_distribution" "distro" {
  origin {
    domain_name = "example.com"
    origin_id   = "${local.origin_id}"

    custom_origin_config {
      http_port = "80"
      https_port = "443"
      origin_ssl_protocols = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
      origin_protocol_policy = "https-only" # valid due to https-only
    }
  }

  enabled = true
  
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    acm_certificate_arn = "arn:aws:acm:us-east-1:123456789012:certificate/cecbde21-a7ed-0000-abcd-abcd1234abcd"
    minimum_protocol_version = "TLSv1.2_2018"
    ssl_support_method = "sni-only"
  }

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${local.origin_id}"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }
}