Risk Level: High
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.CRY.16
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

CloudFront should have ( ( distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.1%') or ( distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.2%') )

REMEDIATION

From Portal
Use following steps to configure HTTPS between CloudFront and your custom origin

Sign in to the AWS Management Console and open the CloudFront console.
In the top pane of the CloudFront console, choose the ID for the distribution that you want to update.
On the Origins tab, choose the origin that you want to update, and then choose Edit.
Update the following settings:
Origin SSL Protocols - Choose the Minimum origin SSL protocol for the applicable origins in your distribution. The SSLv3 protocol is less secure, so we recommend that you choose SSLv3 only if your origin does not support TLSv1 or later. The TLSv1 handshake is both backwards and forwards compatible with SSLv3, but TLSv1.1 and TLSv1.2 are not. When you choose SSLv3, CloudFront only sends SSLv3 handshake requests.
Click Save changes.

From TF

resource "aws_cloudfront_distribution" "test" {
	viewer_certificate {
		cloudfront_default_certificate = false
		minimum_protocol_version = "TLSv1.2_2021"
	}
}

From Command Line

Run following command to extract the configuration for selected Amazon CloudFront distribution.

aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query DISTRIBUTION_CONFIG

Run following command to describe the current version for selected Amazon CloudFront distribution

aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query DISTRIBUTION_CONFIG

Change the configuration document extracted from above command to change the security policy for selected CloudFront distribution. Use MinimumProtocolVersion as TLSv1.2_2021 and save the document to a JSON file.
Run following command using json file saved in step 3 to upgrade the security group for Amazon CloudFront distribution

Note --if-match parameter is used to check the current version of the configuration.

aws cloudfront update-distribution --id DISTRIBUTION_ID --if-match PUT_VALUE --distribution-config JSON_FILE_PATH

References

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html#using-https-cloudfront-to-origin-certificate
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
https://docs.aws.amazon.com/cli/latest/reference/cloudfront/update-distribution.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset