CloudFront Insecure Origin SSL Protocols

Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!

Start a Free Trial Product features

Knowledge Base Amazon Web Services Amazon CloudFront CloudFront Insecure Origin SSL Protocols

Risk level: Medium (should be achieved)

Rule ID: CF-002

Ensure that your AWS Cloudfront Content Delivery Network distributions are not using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and your custom origins. Cloud Conformity strongly recommends using TLSv1.0 or later (ideally use only TLSv1.2 if you origins support it) and avoid using the SSLv3 protocol.

This rule can help you with the following compliance standards:

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using insecure and deprecated SSL protocols for your Cloudfront distributions could make the connection between the Cloudfront CDN and the origin server vulnerable to exploits such as POODLE (Padding Oracle on Downgraded Legacy Encryption) which allows an attacker to eavesdrop your Cloudfront traffic over a secure channel (encrypted with the SSLv3 protocol) by implementing a man-in-the-middle tactic.

Audit

To determine if your Cloudfront CDN distributions are using insecure SSL protocols (SSLv3) for their origins, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that you want to examine.

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 Select the Origins tab and choose the distribution origin that you want to verify from the Origins list.

06 Click the Edit button to access the selected origin configuration page.

07 On the Origin Settings page, verify the protocols enabled within the Origin SSL Protocols category. If the SSLv3 protocol is currently enabled:

If the SSLv3 protocol is currently enabled

the selected distribution origin is using an insecure SSL protocol for HTTPS traffic, therefore the Cloudfront CDN current configuration is vulnerable to exploits.

08 Repeat steps no. 5 – 7 for each origin created for the selected distribution.

09 Repeat steps no. 3 – 8 for each Cloudfront CDN distribution available in your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) with appropriate filters to list the IDs of all Cloudfront distributions available in your account:

aws cloudfront list-distributions
    --output table
    --query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested metadata:

--------------------
|ListDistributions |
+------------------+
|  E2RX3E6TS8SFB9  |
|  G41A16G5KZMUBD  |
|  UXE6G5KZMPDT8M  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using necessary filters and the ID of the distribution that you want to examine as parameters to expose the Cloudfront distribution custom origin HTTPS configuration:

aws cloudfront get-distribution
    --id E2RX3E6TS8SFB9
    --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig'

04 The command output should return the requested HTTPS configuration metadata:

[
    {
        "OriginProtocolPolicy": "https-only",
        "HTTPPort": 80,
        "OriginSslProtocols": {
            "Items": [
                "SSLv3",
                "TLSv1",
                "TLSv1.1",
                "TLSv1.2"
            ],
            "Quantity": 4
        },
        "HTTPSPort": 443
    }
]

If the OriginSslProtocols array includes SSLv3 protocol as value (as shown in the example above), the selected distribution origin is using an insecure/deprecated SSL protocol for the HTTPS traffic, therefore the Cloudfront CDN configuration is vulnerable to exploits.

05 Repeat step no. 3 and 4 to examine other CDN distributions available within your AWS account.

Remediation / Resolution

To remove the deprecated SSLv3 protocol from your Cloudfront distributions origin, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that is using insecure protocols for its origin(s).

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 Select the Origins tab and choose the distribution origin that you want to update from the Origins list.

06 Click the Edit button to access the selected origin configuration page.

07 On the Origin Settings page, uncheck the SSLv3 checkbox within the Origin SSL Protocols section to remove the insecure SSL protocol from the current configuration.

08 Click Yes, Edit to save the changes. On the Distributions page, the selected distribution status will change from In Progress to Deployed once the configuration change is deployed through the CDN network (it should take less than 15 minutes).

09 Repeat steps no. 5 – 8 to update other custom origins (if any) created for the current distribution.

10 Repeat steps no. 3 – 9 to update other Cloudfront distributions available in your AWS account in order to disable the deprecated SSLv3 protocol.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from the Cloudfront distribution(s) marked as insecure (see Audit section, part II). The following command returns the configuration of an insecure distribution identified by the ID E2RX3E6TS8SFB9:

aws cloudfront get-distribution-config
    --id E2RX3E6TS8SFB9

02The command output should return the selected distribution configuration information:

{
    "ETag": "E5TUH6VDXMQ72",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },

        ...

        "Origins": {
            "Items": [
                {
                    "OriginPath": "/static/images",
                    "CustomOriginConfig": {
                        "OriginProtocolPolicy": "https-only",
                        "HTTPPort": 80,
                        "OriginSslProtocols": {
                            "Items": [
                                "SSLv3",
                                "TLSv1",
                                "TLSv1.1",
                                "TLSv1.2"
                            ],
                            "Quantity": 4
                        },
                        "HTTPSPort": 443
                    },
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "custom-cloudconformity.com-images",
                    "DomainName": "cloudconformity.com"
                }
            ],
            "Quantity": 1
        },

        ...

        "Aliases": {
            "Items": [
                "media.cloudconformity.com"
            ],
            "Quantity": 1
        }
    }
}

03 Modify the configuration information returned at the previous step to disable the origin SSLv3 protocol by editing the OriginSslProtocols config object (highlighted) and save the new configuration in a JSON document named distconfig-secure-origin.json:

{
    "ETag": "E5TUH6VDXMQ72",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "Logging": {
            "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
            "Prefix": "cloudconformity",
            "Enabled": true,
            "IncludeCookies": false
        },
        "WebACLId": "",
        "Origins": {
            "Items": [
                {
                    "OriginPath": "/static/images",
                    "CustomOriginConfig": {
                        "OriginProtocolPolicy": "https-only",
                        "HTTPPort": 80,
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1",
                                "TLSv1.1",
                                "TLSv1.2"
                            ],
                            "Quantity": 3
                        },
                        "HTTPSPort": 443
                    },
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "custom-cloudconformity.com-images",
                    "DomainName": "cloudconformity.com"
                }
            ],
            "Quantity": 1
        },
        "DefaultRootObject": "index.html",
        "PriceClass": "PriceClass_All",
        "Enabled": true,
        "DefaultCacheBehavior": {
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "TargetOriginId": "custom-cloudconformity.com-images",
            "ViewerProtocolPolicy": "https-only",
            "ForwardedValues": {
                "Headers": {
                    "Quantity": 0
                },
                "Cookies": {
                    "Forward": "none"
                },
                "QueryString": false
            },
            "MaxTTL": 31536000,
            "SmoothStreaming": false,
            "DefaultTTL": 86400,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "DELETE",
                    "POST",
                    "GET",
                    "OPTIONS",
                    "PUT",
                    "PATCH"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET",
                        "OPTIONS"
                    ],
                    "Quantity": 3
                },
                "Quantity": 7
            },
            "MinTTL": 0,
            "Compress": false
        },
        "CallerReference": "my-cf-web-distribution-2016-08-05",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "SSLv3",
            "CertificateSource": "cloudfront"
        },
        "CustomErrorResponses": {
            "Quantity": 0
        },
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Items": [
                "media.cloudconformity.com"
            ],
            "Quantity": 1
        }
    }
}

04Run update-distribution command (OSX/Linux/UNIX) to update the required AWS Cloudfront distribution. The following command example updates a CloudFront CDN web distribution with the ID E2RX3E6TS8SFB9 and the ETag E5TUH6VDXMQ72 (an ETag is a header ID exposed when a CDN distribution configuration is retrieved, e.g. "ETag": " E5TUH6VDXMQ72"), using a JSON configuration document with the file name distconfig-secure-origin.json:

aws cloudfront update-distribution
--id E2RX3E6TS8SFB9
--distribution-config file://distconfig-secure-origin.json
--if-match E5TUH6VDXMQ72

05The command output should return the metadata for the updated distribution:

{
    "Distribution": {
        "Status": "InProgress",
        "DomainName": "d1ams0mx9tn8g.cloudfront.net",

        ...

            "Origins": {
                "Items": [
                    {
                        "OriginPath": "/static/images",
                        "CustomOriginConfig": {
                            "OriginProtocolPolicy": "https-only",
                            "HTTPPort": 80,
                            "OriginSslProtocols": {
                                "Items": [
                                    "TLSv1",
                                    "TLSv1.1",
                                    "TLSv1.2"
                                ],
                                "Quantity": 3
                            },
                            "HTTPSPort": 443
                        },
                        "CustomHeaders": {
                            "Quantity": 0
                        },
                        "Id": "custom-cloudconformity.com-images",
                        "DomainName": "cloudconformity.com"
                    }
                ],
                "Quantity": 1
            },

        ...

        "LastModifiedTime": "2016-08-27T10:32:39.561Z",
        "Id": "E2RX3E6TS8SFB9"
    },
    "ETag": "E5TUH6VDXMQ72"
}

References

AWS Documentation
Using an HTTPS Connection to Access Your Objects
Amazon CloudFront Adds New Origin Security Features

AWS Command Line Interface (CLI) Documentation
cloudfront
list-distributions
get-distribution
get-distribution-config
update-distribution

Publication date Aug 27, 2016

CloudFront Insecure Origin SSL Protocols

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules