Ensure that your Amazon CloudFront distributions use a security policy with a minimum protocol version of TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections. An AWS CloudFront security policy determines two settings: the SSL/TLS protocol that CloudFront uses to communicate with viewers and the ciphers that CloudFront uses to encrypt the content it returns to them. Cloud Conformity recommends that you use TLSv1.1 as the minimum protocol version for your CloudFront distribution security policies, unless your users rely on browsers or devices that do not support TLSv1.1 or later.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- MAS
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS.
Using a predefined security policy that enforces TLS version 1.1 or 1.2 as the minimum protocol version for CloudFront distributions further improves the security of the web applications served through those distributions. For example, if you select a security policy that enforces TLS version 1.1, weak ciphers such as RC4 and 3DES are automatically excluded.
NOTE: You can select the improved security policies (TLSv1.1 and TLSv1.2 minimums) only for CloudFront distributions that serve HTTPS requests with a custom SSL certificate using SNI.
Audit
To determine if your CloudFront web distributions are using improved security policies, perform the following:
Remediation / Resolution
To enable security policies that enforce TLS version 1.1 or 1.2 as the minimum protocol version for your Amazon CloudFront distributions, perform the following:
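The audit and remediation steps themselves are not reproduced on this page. As an added example (not Cloud Conformity's or AWS's own code), the script below shows what both amount to with boto3: the audit classifies each distribution from the MinimumProtocolVersion in its ViewerCertificate block, treating the default CloudFront certificate and non-SNI custom certificates as not applicable per the note above; the remediation follows the get-distribution-config / update-distribution pattern from the CLI references, passing the ETag as IfMatch. The distribution IDs, certificate ARN and account number in the sample inventory are constructed, and the TLSv1.2_2018 target policy is an assumption of this example.

```python
"""Audit and remediate Amazon CloudFront viewer security policies.

Added example (not Cloud Conformity's or AWS's code). The evaluation and
hardening logic is pure Python; only audit_account() and remediate() call
AWS through boto3 and need credentials with CloudFront permissions.
"""
import copy
from typing import Dict, List, Tuple

# A security policy is compliant when its minimum protocol is TLSv1.1 or
# TLSv1.2: CloudFront names such policies TLSv1.1_2016, TLSv1.2_2018, ...
# SSLv3, TLSv1 and TLSv1_2016 therefore fail the check.
COMPLIANT_PREFIXES = ("TLSv1.1", "TLSv1.2")
# Policy applied by remediate(); an assumption of this example, chosen
# because TLSv1.2_2018 is a published CloudFront policy name.
TARGET_POLICY = "TLSv1.2_2018"


def evaluate_distribution(dist_id: str, dist: Dict) -> Tuple[str, str]:
    """Classify one distribution from its ViewerCertificate block.

    Works on both a DistributionSummary (list-distributions) and a
    DistributionConfig (get-distribution-config), since both carry
    ViewerCertificate at the top level.
    """
    cert = dist.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        # A security policy cannot be chosen with the default certificate.
        return "NOT_APPLICABLE", f"{dist_id}: uses the default CloudFront certificate"
    if cert.get("SSLSupportMethod") != "sni-only":
        # Per the rule text, policies are selectable only for custom SNI certs.
        return "NOT_APPLICABLE", f"{dist_id}: custom certificate is not served via SNI"
    policy = cert.get("MinimumProtocolVersion", "")
    if policy.startswith(COMPLIANT_PREFIXES):
        return "COMPLIANT", f"{dist_id}: minimum protocol version {policy}"
    return "NON_COMPLIANT", f"{dist_id}: minimum protocol version {policy or 'unset'}"


def harden_config(config: Dict, target: str = TARGET_POLICY) -> Dict:
    """Return a copy of a DistributionConfig with the security policy raised.

    Raises ValueError when the distribution cannot take a security policy,
    so the caller never sends an update that CloudFront would reject.
    """
    status, detail = evaluate_distribution("config", config)
    if status == "NOT_APPLICABLE":
        raise ValueError(detail)
    hardened = copy.deepcopy(config)
    hardened["ViewerCertificate"]["MinimumProtocolVersion"] = target
    return hardened


# Constructed sample inventory (IDs, ARN and account number are made up).
SAMPLE_DISTRIBUTIONS: Dict[str, Dict] = {
    "E1EXAMPLE000001": {"ViewerCertificate": {
        "CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"}},
    "E2EXAMPLE000002": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1_2016"}},
    "E3EXAMPLE000003": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/example",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2018"}},
    "E4EXAMPLE000004": {"ViewerCertificate": {
        "IAMCertificateId": "ASCAEXAMPLE", "SSLSupportMethod": "vip",
        "MinimumProtocolVersion": "TLSv1"}},
}


def audit_inventory(inventory: Dict[str, Dict]) -> Dict[str, str]:
    """Map each distribution ID to its status; runs offline on the samples."""
    return {dist_id: evaluate_distribution(dist_id, d)[0]
            for dist_id, d in inventory.items()}


def audit_account(client=None) -> List[Tuple[str, str]]:
    """Audit every distribution in the account (the list-distributions step)."""
    import boto3  # imported here so the offline helpers work without boto3
    client = client or boto3.client("cloudfront")
    findings = []
    for page in client.get_paginator("list_distributions").paginate():
        for item in page.get("DistributionList", {}).get("Items", []):
            findings.append(evaluate_distribution(item["Id"], item))
    return findings


def remediate(dist_id: str, client=None, target: str = TARGET_POLICY) -> str:
    """get-distribution-config, raise the policy, update-distribution with the ETag."""
    import boto3
    client = client or boto3.client("cloudfront")
    current = client.get_distribution_config(Id=dist_id)
    hardened = harden_config(current["DistributionConfig"], target)
    resp = client.update_distribution(
        Id=dist_id, DistributionConfig=hardened, IfMatch=current["ETag"])
    return resp["ETag"]


if __name__ == "__main__":
    for dist_id, status in audit_inventory(SAMPLE_DISTRIBUTIONS).items():
        print(dist_id, status)
```

Running the module prints the status of the four constructed distributions: only the SNI distribution still on TLSv1_2016 is reported NON_COMPLIANT, the TLSv1.2_2018 one is COMPLIANT, and the default-certificate and dedicated-IP distributions are NOT_APPLICABLE because no security policy can be selected for them. Passing the ETag as IfMatch to update_distribution makes the change conditional, so a concurrent edit of the distribution causes the update to fail rather than silently overwrite it.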
References
- AWS Documentation
  - Using HTTPS with CloudFront
  - Amazon CloudFront Now Lets You Select a Security Policy with Minimum TLS V1.1, V1.2, and Security Ciphers for Viewer Connections
  - Supported Protocols and Ciphers
  - Values That You Specify When You Create or Update a Web Distribution
- AWS Command Line Interface (CLI) Documentation
  - cloudfront
    - list-distributions
    - get-distribution
    - get-distribution-config
    - update-distribution
Rule: CloudFront Security Policy
Risk level: Medium