Ensure CloudFront origins don't use insecure SSL protocols

Verify that none of your CloudFront origins accept the insecure SSLv3 protocol for connections from CloudFront. Allowing only current TLS versions on the origin side removes the known weaknesses of SSLv3 and protects the data exchanged between CloudFront edge locations and your origins.

Risk Level: High
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.NET.1002
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

CloudFront should not have distributionConfig.origins.items with [ customOriginConfig.originSslProtocols.items contain [ 'SSLv3' ] ]

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console.

  2. Go to the Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/home#/distributions.

  3. Click on the name of the CloudFront distribution you want to modify.

  4. Choose the 'Origins' tab.

  5. Select the origin you want to reconfigure and click 'Edit' in the top left corner of the section.

  6. On the 'Edit origin' page, pick 'TLSv1.2' from the 'Minimum origin SSL protocol' list inside the 'Settings' tab to eliminate insecure SSLv3 and apply the latest supported TLS protocol. Click 'Save changes' at the bottom of the page.

  7. Update each origin in the selected CloudFront distribution to the latest supported TLS protocol.

  8. Repeat these steps for all CloudFront distributions in your AWS account.

From TF

To set the origins to the latest TLS version (and not the insecure SSLv3 protocol), use a template like the one shown below:

resource "aws_cloudfront_distribution" "example_name_distribution" {
	...
	origin {
		domain_name = "origin.example.com"   # placeholder origin host name
		origin_id   = "example-origin"       # placeholder origin identifier
		custom_origin_config {
			http_port              = 80
			https_port             = 443
			origin_protocol_policy = "https-only"
			# List only the latest TLS version currently supported (TLSv1.2); never include "SSLv3"
			origin_ssl_protocols   = ["TLSv1.2"]
		}
	}
}

From Command Line

  1. Run the following command to extract the configuration of the Amazon CloudFront distribution that you want to reconfigure:

     aws cloudfront get-distribution-config --id EXAMPLE_ID --query 'DistributionConfig'

  2. Modify the returned configuration document by removing the deprecated SSLv3 protocol from each origin's 'OriginSslProtocols' object, and set the TLS protocol to the latest one available that you can use.

     MAKE SURE: when you remove any protocol from 'OriginSslProtocols', change its 'Quantity' field accordingly. If you only remove SSLv3, decrease the quantity by 1; if you remove everything except the latest TLS version, set the quantity to 1; and so on.

  3. Save the document with the modified distribution configuration to a JSON file named configure-protocols.json.

  4. Run the following command to get the current version (ETag) of the configuration for the selected distribution:

     aws cloudfront get-distribution-config --id EXAMPLE_ID --query 'ETag'

  5. Run the following command, using the modified configuration document (configure-protocols.json) as the distribution configuration. The --if-match parameter carries the current version of the configuration, i.e. the ETag returned in the previous step:

     aws cloudfront update-distribution --id EXAMPLE_ID --if-match ETAG_VALUE_RETURNED --distribution-config file://configure-protocols.json --query 'Distribution.Status'

     The command output should return the status of the modified CloudFront distribution: 'InProgress'.

  6. Repeat these steps for each origin that you want to reconfigure, and for each CloudFront distribution deployed in your AWS cloud account.
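The following script is an added example, not CloudGuard's, AWS's or this page's own code. It applies the GSL condition from the rule (flag custom origins whose 'OriginSslProtocols' contain 'SSLv3') to a 'DistributionConfig' document and produces the remediated document for step 3 of the command-line procedure, recomputing 'Quantity' from the remaining 'Items' so the two never disagree. The sample distribution config, the origin Ids and domain names, and the script name fix_origin_protocols.py are constructed assumptions.

```python
"""Added example: detect SSLv3 in CloudFront origin SSL protocols and emit a
remediated DistributionConfig with a consistent OriginSslProtocols.Quantity."""
import copy
import json
import sys

# Protocols the rule flags (mirrors the GSL check for 'SSLv3').
INSECURE_PROTOCOLS = {"SSLv3"}
# Latest supported origin TLS protocol named in the remediation steps.
TARGET_PROTOCOL = "TLSv1.2"

# Constructed sample, shaped like the output of
#   aws cloudfront get-distribution-config --id EXAMPLE_ID --query 'DistributionConfig'
# Only the fields this example touches are included.
SAMPLE_DISTRIBUTION_CONFIG = {
    "CallerReference": "example-caller-reference",
    "Origins": {
        "Quantity": 2,
        "Items": [
            {
                "Id": "legacy-api",
                "DomainName": "api.example.internal",
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "https-only",
                    "OriginSslProtocols": {
                        "Quantity": 3,
                        "Items": ["SSLv3", "TLSv1", "TLSv1.2"],
                    },
                },
            },
            {
                "Id": "static-bucket",
                "DomainName": "static-example.s3.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": ""},
            },
        ],
    },
}


def insecure_origins(config):
    """Return the Ids of custom origins whose OriginSslProtocols include SSLv3.
    This is the same condition the rule's GSL logic evaluates."""
    flagged = []
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins carry no OriginSslProtocols
        items = custom.get("OriginSslProtocols", {}).get("Items", [])
        if INSECURE_PROTOCOLS.intersection(items):
            flagged.append(origin["Id"])
    return flagged


def quantity_consistent(config):
    """True when every OriginSslProtocols.Quantity equals len(Items);
    this is the check the 'MAKE SURE' note in the CLI steps is about."""
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        ssl = custom.get("OriginSslProtocols", {})
        if ssl.get("Quantity") != len(ssl.get("Items", [])):
            return False
    return True


def remediate(config, only_latest=False):
    """Return a deep copy of config with SSLv3 removed from every custom origin.
    With only_latest=True the list is replaced by [TARGET_PROTOCOL], matching the
    console step that selects TLSv1.2. Quantity is always recomputed from Items."""
    fixed = copy.deepcopy(config)
    for origin in fixed.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        ssl = custom.setdefault("OriginSslProtocols", {"Quantity": 0, "Items": []})
        if only_latest:
            items = [TARGET_PROTOCOL]
        else:
            items = [p for p in ssl.get("Items", []) if p not in INSECURE_PROTOCOLS]
            if not items:  # never submit an empty protocol list
                items = [TARGET_PROTOCOL]
        ssl["Items"] = items
        ssl["Quantity"] = len(items)  # keep Quantity in step with Items
    return fixed


if __name__ == "__main__":
    # Usage in the CLI workflow (stdin is the get-distribution-config output):
    #   aws cloudfront get-distribution-config --id EXAMPLE_ID --query 'DistributionConfig' \
    #     | python3 fix_origin_protocols.py > configure-protocols.json
    # Without piped input the constructed sample is used instead.
    source = SAMPLE_DISTRIBUTION_CONFIG if sys.stdin.isatty() else json.load(sys.stdin)
    print("flagged origins:", insecure_origins(source), file=sys.stderr)
    json.dump(remediate(source, only_latest="--only-latest" in sys.argv), sys.stdout, indent=2)
```

The output file is then passed to update-distribution with the ETag exactly as in step 5. Run `quantity_consistent` on any hand-edited document before submitting it; a mismatched 'Quantity' is the most common reason the update call is rejected.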

References

  1. https://aws.amazon.com/about-aws/whats-new/2016/01/amazon-cloudfront-adds-new-origin-security-features/
  2. https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin_ssl_protocols

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

  • CloudGuard AWS All Rules Ruleset