CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of a rule.
Each rule is associated with a high-level category. For example IAM, Container, Monitoring, Logging, Network, etc.
Encryption should be set with the latest version of TLS where possible. Versions prior to TLS 1.2 are deprecated, and their use may pose security risks.
Set the viewer_certificate.minimum_protocol_version attribute to TLSv1.2_2018 or later.
Invalid values:
SSLv3
TLSv1
TLSv1_2016
TLSv1.1_2016
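# Example distribution that satisfies this rule: viewers must negotiate
# TLSv1.2_2018 or later (viewer_certificate.minimum_protocol_version).
resource "aws_cloudfront_distribution" "distro" {
  origin {
    domain_name = "example.com"
    origin_id   = "${local.origin_id}"

    custom_origin_config {
      http_port  = "80"
      https_port = "443"
      # Protocols CloudFront may use towards the origin. SSLv3, TLSv1 and
      # TLSv1.1 are deprecated (see the rule text above), so only TLSv1.2 is
      # offered here; this is separate from the viewer-side setting the rule checks.
      origin_ssl_protocols   = ["TLSv1.2"]
      origin_protocol_policy = "https-only" # origin traffic is always HTTPS
    }
  }

  enabled = true

  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  # The block this rule inspects: any minimum_protocol_version below
  # TLSv1.2_2018 (SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016) fails the rule.
  viewer_certificate {
    acm_certificate_arn      = "arn:aws:acm:us-east-1:123456789012:certificate/cecbde21-a7ed-0000-abcd-abcd1234abcd"
    minimum_protocol_version = "TLSv1.2_2018"
    ssl_support_method       = "sni-only"
  }

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${local.origin_id}"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    # Viewers arriving over plain HTTP are redirected to HTTPS, so the
    # minimum_protocol_version above applies to every viewer connection.
    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }
}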
Set the Properties.DistributionConfig.ViewerCertificate.MinimumProtocolVersion attribute to TLSv1.2_2019.