CloudFront distribution viewer certificate does not enforce latest TLS/SSL policy
Affecting CloudFront service in AWS
Severity framework: Snyk CCSS
Rule category: Keys and Secrets / Access
Frameworks
AWS-Well-Architected
CIS-Controls
CSA-CCM
ISO-27001
NIST-800-53
PCI-DSS
SOC-2
Snyk ID: SNYK-CC-00209
Credit: Snyk Research Team
Description
Viewer connections should be encrypted with the latest version of TLS where possible. Versions prior to TLS 1.2 are deprecated and their use may pose security risks.
How to fix?
Set the viewer_certificate.minimum_protocol_version attribute to TLSv1.2_2018 or later.
Invalid values:
- SSLv3
- TLSv1
- TLSv1_2016
- TLSv1.1_2016
Example Configuration
resource "aws_cloudfront_distribution" "distro" {
  origin {
    domain_name = "example.com"
    origin_id   = local.origin_id
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_ssl_protocols   = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
      origin_protocol_policy = "https-only" # valid due to https-only
    }
  }
  enabled = true
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }
  viewer_certificate {
    acm_certificate_arn      = "arn:aws:acm:us-east-1:123456789012:certificate/cecbde21-a7ed-0000-abcd-abcd1234abcd"
    minimum_protocol_version = "TLSv1.2_2018" # TLSv1.2_2018 or later satisfies this rule
    ssl_support_method       = "sni-only"
  }
  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.origin_id
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }
}
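The Terraform fix above covers new deployments; to find distributions that are already live with a deprecated policy, the same check can be run over the output of `aws cloudfront get-distribution-config`. This is an added example, not Snyk's rule implementation: it assumes the DistributionConfig.ViewerCertificate shape of that CLI output, treats TLSv1.2_2019 and TLSv1.2_2021 as the "later" policies the rule accepts, and uses constructed distribution ids and a placeholder certificate ARN.

```python
import json

# Policies the rule rejects (listed on the page) and the TLSv1.2 policies that satisfy
# "TLSv1.2_2018 or later" (TLSv1.2_2019 and TLSv1.2_2021 are the later CloudFront policies).
REJECTED_POLICIES = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}
ACCEPTED_POLICIES = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}


def check_viewer_certificate(distribution_config: dict) -> list[str]:
    """Return findings for one DistributionConfig dict; an empty list means compliant."""
    cert = distribution_config.get("ViewerCertificate", {})
    version = cert.get("MinimumProtocolVersion")
    if cert.get("CloudFrontDefaultCertificate"):
        # With the default *.cloudfront.net certificate the floor is TLSv1 and cannot be
        # raised; a custom (ACM/IAM) certificate is needed before minimum_protocol_version applies.
        return ["default CloudFront certificate in use: minimum protocol fixed at TLSv1; "
                "attach an ACM certificate and set TLSv1.2_2018 or later"]
    if version is None:
        return ["MinimumProtocolVersion missing from ViewerCertificate"]
    if version in REJECTED_POLICIES:
        return [f"MinimumProtocolVersion {version} is deprecated; set TLSv1.2_2018 or later"]
    if version not in ACCEPTED_POLICIES:
        return [f"MinimumProtocolVersion {version} is not a recognised TLSv1.2 policy; review it"]
    return []


def scan_json(json_text: str) -> dict[str, list[str]]:
    """Parse {distribution id: DistributionConfig} JSON and keep only non-compliant entries."""
    return {dist_id: findings
            for dist_id, cfg in json.loads(json_text).items()
            if (findings := check_viewer_certificate(cfg))}


# Constructed sample (not real distributions): the DistributionConfig subtree returned by
# `aws cloudfront get-distribution-config`, keyed by a made-up distribution id.
SAMPLE_JSON = json.dumps({
    "E1EXAMPLEOK": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/placeholder",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"}},
    "E2EXAMPLEOLD": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/placeholder",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.1_2016"}},
    "E3EXAMPLEDEFAULT": {"ViewerCertificate": {
        "CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"}},
})

if __name__ == "__main__":
    for dist_id, findings in scan_json(SAMPLE_JSON).items():
        print(dist_id, "->", "; ".join(findings))
```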