Use secure ciphers in CloudFront distribution

Enforce the use of secure ciphers by requiring TLS v1.1 or TLS v1.2 as the minimum protocol version in the viewer certificate configuration of a CloudFront distribution. This is a security best practice. This signature scans for any deviations from this practice and returns the results.

Risk Level: High
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.CRY.16
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

CloudFront should have ( ( distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.1%') or ( distributionConfig.viewerCertificate.minimumProtocolVersion like 'TLSv1.2%') )

REMEDIATION

From Portal
Use the following steps to configure HTTPS between CloudFront and your custom origin:

  1. Sign in to the AWS Management Console and open the CloudFront console.
  2. In the top pane of the CloudFront console, choose the ID for the distribution that you want to update.
  3. On the Origins tab, choose the origin that you want to update, and then choose Edit.
  4. Update the following settings:
    Origin SSL Protocols - Choose the Minimum origin SSL protocol for the applicable origins in your distribution. The SSLv3 protocol is less secure, so we recommend that you choose SSLv3 only if your origin does not support TLSv1 or later. The TLSv1 handshake is both backwards and forwards compatible with SSLv3, but TLSv1.1 and TLSv1.2 are not. When you choose SSLv3, CloudFront only sends SSLv3 handshake requests.
  5. Click Save changes.

From TF

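resource "aws_cloudfront_distribution" "test" {
	# Other required arguments (origin, default_cache_behavior, restrictions, enabled) are omitted here.
	viewer_certificate {
		# minimum_protocol_version can only be set with a custom certificate
		# (acm_certificate_arn or iam_certificate_id), not the default CloudFront certificate.
		cloudfront_default_certificate = false
		minimum_protocol_version = "TLSv1.2_2021"
	}
}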

From Command Line

  1. Run the following command to extract the configuration of the selected Amazon CloudFront distribution.
aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query DistributionConfig
  2. Run the following command to get the current version (ETag) of the configuration of the selected Amazon CloudFront distribution.
aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query ETag
  3. Edit the configuration document extracted in step 1 to change the security policy of the selected CloudFront distribution. Set MinimumProtocolVersion to TLSv1.2_2021 and save the document to a JSON file.
  4. Run the following command, using the JSON file saved in step 3, to upgrade the security policy of the Amazon CloudFront distribution.

Note: the --if-match parameter is used to check the current version of the configuration; replace PUT_VALUE with the ETag value returned in step 2.

aws cloudfront update-distribution --id DISTRIBUTION_ID --if-match PUT_VALUE --distribution-config file://JSON_FILE_PATH
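
As an added example (not part of the original CloudGuard page), the Python helper below prepares the inputs for the update-distribution command from the full, unfiltered output of aws cloudfront get-distribution-config (run without --query). It applies the same prefix check as the GSL rule and refuses to edit a distribution that still uses the default CloudFront certificate. The function names and the sample JSON are constructed for illustration.

```python
import json

# Prefixes accepted by the GSL rule on this page ("like 'TLSv1.1%'" / "like 'TLSv1.2%'").
COMPLIANT_PREFIXES = ("TLSv1.1", "TLSv1.2")
TARGET_POLICY = "TLSv1.2_2021"  # value used in the remediation steps on this page


def is_compliant(distribution_config):
    """Mirror the GSL condition on ViewerCertificate.MinimumProtocolVersion."""
    cert = distribution_config.get("ViewerCertificate") or {}
    return str(cert.get("MinimumProtocolVersion", "")).startswith(COMPLIANT_PREFIXES)


def prepare_update(cli_output):
    """Parse the full get-distribution-config JSON and return (etag, config, changed).
    etag is the --if-match value; config is the document for --distribution-config."""
    response = json.loads(cli_output)
    etag = response["ETag"]
    config = response["DistributionConfig"]
    if is_compliant(config):
        return etag, config, False
    if (config.get("ViewerCertificate") or {}).get("CloudFrontDefaultCertificate"):
        # With the default *.cloudfront.net certificate CloudFront fixes the
        # policy at TLSv1, so editing the field alone cannot remediate.
        raise ValueError("default CloudFront certificate in use; attach a custom certificate first")
    updated = json.loads(json.dumps(config))  # deep copy, leave the input untouched
    updated.setdefault("ViewerCertificate", {})["MinimumProtocolVersion"] = TARGET_POLICY
    return etag, updated, True


# Constructed sample, trimmed to the fields this example reads.
SAMPLE = json.dumps({
    "ETag": "E2EXAMPLEETAG",
    "DistributionConfig": {
        "CallerReference": "constructed-example",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": False,
            "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1",
        },
    },
})

if __name__ == "__main__":
    etag, updated, changed = prepare_update(SAMPLE)
    print("if-match:", etag, "changed:", changed)
    print(json.dumps(updated["ViewerCertificate"], indent=2))
```

Write the returned configuration to the JSON file from step 3 and pass the returned ETag to --if-match.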

References

  1. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
  2. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html#using-https-cloudfront-to-origin-certificate
  3. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
  4. https://docs.aws.amazon.com/cli/latest/reference/cloudfront/update-distribution.html
  5. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HIPAA
  • AWS HITRUST
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset