CloudFront Security Policy

Risk level: Medium (should be achieved)

Rule ID: CF-006

Ensure that your Amazon CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections. An AWS CloudFront security policy determines two settings: the SSL/TLS protocol that CloudFront uses to communicate with the users and the cipher that CloudFront uses to encrypt the content that it returns to users. Cloud Conformity recommends that you use TLSv1.1 as minimum protocol version for your CloudFront distribution security policies, unless your users are using browsers or devices that do not support TLSv1.1 or later.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using a predefined security policy that enforces TLS version 1.1 or 1.2 as the minimum protocol version for CloudFront distributions can improve further the security of the web applications that utilize these distributions. For example, if you select a security policy that enforces TLS version 1.1, weak ciphers such as RC4 and 3DES will be automatically excluded.

NOTE: You have the ability to implement improved security policies (with TLSv1.1 and TLSv1.2) only for CloudFront distributions that use custom SSL certificates to serve HTTPS requests using SNI.

Audit

To determine if your Cloudfront web distributions are using improved security policies, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the web distribution that you want to examine.

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 On the General tab, verify the Security Policy attribute value. If Security Policy is currently set to TLSv1 or TLSv1_2016 protocol, the selected Amazon Cloudfront distribution is not using an improved security policy that enforces TLS version 1.1 or 1.2 as the minimum protocol version, therefore the current configuration is vulnerable to exploits.

06 Repeat steps no. 3 – 5 to check the type of the security policy used by other Cloudfront distributions available in your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) using custom query filters to list the IDs of all Cloudfront distributions available in your AWS account:

aws cloudfront list-distributions
	--output table
	--query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested distribution IDs:

--------------------
|ListDistributions |
+------------------+
|  E3RX0DT0Y3MUMZ  |
|  G41A16G5KZMUBD  |
|  UXE6G5KZMPDT8M  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as identifier and custom query filters to describe the minimum version of the TLS protocol used by the selected distribution security policy for HTTPS connections between viewers and AWS CloudFront:

aws cloudfront get-distribution
	--id E3RX0DT0Y3MUMZ
	--query 'Distribution.DistributionConfig.ViewerCertificate.MinimumProtocolVersion'

04 The command output should return the requested TLS protocol version:

"TLSv1"

If get-distribution command output returns either "TLSv1" or "TLSv1_2016" as protocol, the selected AWS Cloudfront distribution is not currently using an improved security policy that enforces TLSv1.1 or TLSv1.1 as minimum protocol version, therefore the current distribution configuration is vulnerable to exploits.

05 Repeat step no. 3 and 4 to check the TLS protocol version of the security policy used by other Cloudfront distributions created within your AWS account.

Remediation / Resolution

To enable security policies that enforce TLS version 1.1 or 1.2 as the minimum protocol version for your Amazon CloudFront distributions, perform the following:

Using AWS Console

01 Sign in to AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the web distribution that you want to reconfigure (see Audit section part I to identify the right Cloudfront resource).

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 On the General tab, click Edit to update the settings for the selected AWS CloudFront distribution.

06 On the Edit Distribution page, select TLSv1.1_2016 (recommended) from the list of TLS protocols available within the Security Policy section. Based on your requirements, you can also choose TLSv1.2_2018 as the minimum protocol version.

07 Click Yes, Edit to apply the security policy changes and enable TLS version 1.1 (or 1.2) as the minimum protocol version for the selected CloudFront distribution.

08 Repeat steps no. 3 – 7 to change the security policy used by other Cloudfront distributions available in your AWS account.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) using the ID of the web distribution that you want to reconfigure (see Audit section part II to identify the right resource) to get the configuration information necessary for distribution update:

aws cloudfront get-distribution-config
	--id E3RX0DT0Y3MUMZ

02 The command output should return the configuration information available for the selected Cloudfront distribution:

{
    "ETag": "DX2YDEJ94HDYGD",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "IsIPV6Enabled": true,
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },

        ...

        "ViewerCertificate": {
            "SSLSupportMethod": "sni-only",
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1fd6-4f13-ac04-aaabbbcccddd",
            "MinimumProtocolVersion": "TLSv1",
            "Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1ec4-4f23-a32e-aaabbbcccddd",
            "CertificateSource": "acm"
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Quantity": 0
        }
    }
}

03 Modify the configuration information returned at the previous step to implement TLSv1.1 as the minimum protocol version for the selected distribution. Replace "MinimumProtocolVersion" attribute current value with "TLSv1.1_2016" (recommended) or "TLSv1.2_2018" and save the new configuration in a JSON document named distconfig-improved-security-policy.json:

{
    "ETag": "DX2YDEJ94HDYGD",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "IsIPV6Enabled": true,
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },

        ...

        "ViewerCertificate": {
            "SSLSupportMethod": "sni-only",
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1fd6-4f13-ac04-aaabbbcccddd",
            "MinimumProtocolVersion": "TLSv1.1_2016",
            "Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1ec4-4f23-a32e-aaabbbcccddd",
            "CertificateSource": "acm"
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Quantity": 0
        }
    }
}

04 Run update-distribution command (OSX/Linux/UNIX) to update the selected Cloudfront distribution configuration to utilize TLSv1.1 as the minimum protocol version. The following command example updates an AWS CloudFront web distribution identified by the ID E3RX0DT0Y3MUMZ and the ETag DX2YDEJ94HDYGD (an ETag is a header ID exposed when a CDN distribution configuration is retrieved), using a configuration document (JSON format) with the file name distconfig-improved-security-policy.json:

aws cloudfront update-distribution
	--id E3RX0DT0Y3MUMZ
	--distribution-config file://distconfig-improved-security-policy.json
	--if-match DX2YDEJ94HDYGD

05 The command output should return the metadata for the updated CloudFront distribution:

aws cloudfront update-distribution
{
    "Distribution": {
        "Status": "InProgress",
        "DomainName": "aaabbbcccdddeee.cloudfront.net",

        ...

        "ViewerCertificate": {
            "SSLSupportMethod": "sni-only",
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1fd6-4f13-ac04-aaabbbcccddd",
            "MinimumProtocolVersion": "TLSv1.1_2016",
            "Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1ec4-4f23-a32e-aaabbbcccddd",
            "CertificateSource": "acm"
        },

        ...

        "LastModifiedTime": "2017-09-10T14:54:39.561Z",
        "Id": "E3RX0DT0Y3MUMZ"
    },
    "ETag": "DX2YDEJ94HDYGD"
}

06 Repeat steps no. 1 – 5 to change the security policy used by other Cloudfront distributions available in your AWS account.

References

AWS Command Line Interface (CLI) Documentation
cloudfront
list-distributions
get-distribution
get-distribution-config
update-distribution

Publication date Oct 14, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

CloudFront Security Policy

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules