Ensure that your AWS CloudFront Content Delivery Network distributions are not using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and your custom origins. Cloud Conformity strongly recommends using TLSv1.0 or later (ideally only TLSv1.2, if your origins support it) and avoiding the SSLv3 protocol.
Using insecure and deprecated SSL protocols for your CloudFront distributions could make the connection between the CloudFront CDN and the origin server vulnerable to exploits such as POODLE (Padding Oracle on Downgraded Legacy Encryption), which allows an attacker in a man-in-the-middle position to eavesdrop on CloudFront traffic sent over a secure channel encrypted with the SSLv3 protocol.
To determine if your CloudFront CDN distributions are using insecure SSL protocols (SSLv3) for their origins, perform the following:
To remove the deprecated SSLv3 protocol from your CloudFront distribution origins, perform the following:
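The check and the fix described above, as an added example that is not part of the original page: it reads a distribution configuration in the JSON shape returned by `aws cloudfront get-distribution-config`, reports custom origins that still list SSLv3, and produces a corrected copy. The sample configuration, the function names and the TLSv1.2 fallback are assumptions made for illustration.

```python
import copy
import json

# Constructed sample: the "DistributionConfig" part of
# `aws cloudfront get-distribution-config` output, trimmed to the origins.
SAMPLE_CONFIG = json.loads("""
{"Origins": {"Quantity": 3, "Items": [
  {"Id": "legacy-api", "DomainName": "api.example.com",
   "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
    "OriginSslProtocols": {"Quantity": 3, "Items": ["SSLv3", "TLSv1", "TLSv1.2"]}}},
  {"Id": "old-cms", "DomainName": "cms.example.com",
   "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
    "OriginSslProtocols": {"Quantity": 1, "Items": ["SSLv3"]}}},
  {"Id": "assets", "DomainName": "example-bucket.s3.amazonaws.com",
   "S3OriginConfig": {"OriginAccessIdentity": ""}}
]}}
""")

INSECURE = {"SSLv3"}
FALLBACK = "TLSv1.2"  # assumption: the origin supports TLSv1.2


def insecure_origins(dist_config):
    """Return {origin Id: [insecure protocols]} for custom origins only."""
    findings = {}
    for origin in dist_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:  # S3 origins carry no OriginSslProtocols
            continue
        protocols = custom.get("OriginSslProtocols", {}).get("Items", [])
        bad = [p for p in protocols if p in INSECURE]
        if bad:
            findings[origin["Id"]] = bad
    return findings


def without_sslv3(dist_config):
    """Return a copy with SSLv3 removed and Quantity kept in sync."""
    fixed = copy.deepcopy(dist_config)
    for origin in fixed.get("Origins", {}).get("Items", []):
        ssl = origin.get("CustomOriginConfig", {}).get("OriginSslProtocols")
        if ssl is None:
            continue
        kept = [p for p in ssl.get("Items", []) if p not in INSECURE]
        ssl["Items"] = kept or [FALLBACK]  # assumption: never leave it empty
        ssl["Quantity"] = len(ssl["Items"])
    return fixed
```

`without_sslv3` only rewrites the document; applying it means sending the result back with `aws cloudfront update-distribution`, passing the `ETag` from the read as `--if-match`. Confirm the origin server negotiates the remaining protocols first, since an origin that only speaks SSLv3 will fail once it is removed.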