Ensure that your Amazon CloudFront distributions use a security policy with TLSv1.1 or TLSv1.2 as the minimum protocol version and appropriate ciphers for HTTPS viewer connections. A CloudFront security policy determines two settings: the minimum SSL/TLS protocol version that CloudFront accepts from viewers and the ciphers that CloudFront uses to encrypt the content it returns to them. Cloud Conformity recommends that you use TLSv1.1 as the minimum protocol version for your CloudFront distribution security policies, unless your users rely on browsers or devices that do not support TLSv1.1 or later.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using a predefined security policy that enforces TLS version 1.1 or 1.2 as the minimum protocol version for CloudFront distributions can further improve the security of the web applications that are served through these distributions. For example, if you select a security policy that enforces TLS version 1.1, weak ciphers such as RC4 and 3DES are automatically excluded.
NOTE: Improved security policies (with TLSv1.1 or TLSv1.2 as the minimum) can be applied only to CloudFront distributions that use a custom SSL certificate and serve HTTPS requests using SNI (Server Name Indication). Distributions that use the default CloudFront certificate, or a custom certificate on dedicated IP addresses, cannot select these policies.
To determine whether your CloudFront web distributions are using improved security policies, perform the following:
To enable security policies that enforce TLS version 1.1 or 1.2 as the minimum protocol version for your Amazon CloudFront distributions, perform the following:
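The audit step and the remediation step above both come down to inspecting and raising the `MinimumProtocolVersion` under `ViewerCertificate` in each distribution's `DistributionConfig`. The following is an added example, not Cloud Conformity's own check or the CloudFront API: it runs offline against constructed sample configs shaped like the `DistributionConfig` object that `aws cloudfront get-distribution-config` returns, reports each distribution as compliant, non-compliant, or not applicable (default certificate or non-SNI, per the NOTE above), and produces the corrected config for the non-compliant ones. The distribution IDs and certificate ARNs are constructed placeholders; the choice of `TLSv1.2_2021` as the remediation target is an assumption, since the rule only requires TLSv1.1 or later.

```python
"""Audit CloudFront viewer TLS security policies and build remediated configs.

Added example (not Cloud Conformity's or AWS's code). Works on dicts shaped
like the DistributionConfig returned by `aws cloudfront get-distribution-config`.
"""
import copy

# Security policy names, weakest to strongest. These are the values CloudFront
# accepts for ViewerCertificate.MinimumProtocolVersion.
POLICY_RANK = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
               "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
MINIMUM_ACCEPTED = "TLSv1.1_2016"    # rule threshold: TLSv1.1 or later
REMEDIATION_TARGET = "TLSv1.2_2021"  # assumption: strongest current policy


def _rank(policy):
    """Position of a policy in POLICY_RANK; unknown or missing policies rank lowest."""
    return POLICY_RANK.index(policy) if policy in POLICY_RANK else -1


def evaluate_viewer_tls(config):
    """Return (status, reason) for one DistributionConfig dict."""
    cert = config.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        return "NOT_APPLICABLE", "default *.cloudfront.net certificate; no selectable security policy"
    method = cert.get("SSLSupportMethod")
    if method != "sni-only":
        return "NOT_APPLICABLE", f"SSLSupportMethod={method}; improved policies require SNI"
    policy = cert.get("MinimumProtocolVersion", "")
    if _rank(policy) >= _rank(MINIMUM_ACCEPTED):
        return "COMPLIANT", f"MinimumProtocolVersion={policy}"
    return "NON_COMPLIANT", f"MinimumProtocolVersion={policy or '<unset>'} still allows TLSv1.0 or SSLv3"


def remediate(config, target=REMEDIATION_TARGET):
    """Return a deep copy of config with the policy raised to `target`,
    or None when the distribution is compliant or not applicable.
    The copy is what you would submit back with update-distribution."""
    status, _ = evaluate_viewer_tls(config)
    if status != "NON_COMPLIANT":
        return None
    fixed = copy.deepcopy(config)
    fixed["ViewerCertificate"]["MinimumProtocolVersion"] = target
    return fixed


def audit(distributions):
    """Map distribution ID -> (status, reason) for a dict of DistributionConfigs."""
    return {dist_id: evaluate_viewer_tls(cfg) for dist_id, cfg in distributions.items()}


# Constructed sample data: IDs and ARNs are placeholders, not real resources.
SAMPLE_DISTRIBUTIONS = {
    "E1EXAMPLEWEAK": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-1",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1"}},
    "E2EXAMPLEOK": {"ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE-2",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"}},
    "E3EXAMPLEDEFAULT": {"ViewerCertificate": {
        "CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"}},
    "E4EXAMPLEVIP": {"ViewerCertificate": {
        "IAMCertificateId": "EXAMPLEIAMCERTID",
        "SSLSupportMethod": "vip", "MinimumProtocolVersion": "TLSv1"}},
}

if __name__ == "__main__":
    for dist_id, (status, reason) in audit(SAMPLE_DISTRIBUTIONS).items():
        print(f"{dist_id}: {status} ({reason})")
        fixed = remediate(SAMPLE_DISTRIBUTIONS[dist_id])
        if fixed:
            print(f"  -> set MinimumProtocolVersion to "
                  f"{fixed['ViewerCertificate']['MinimumProtocolVersion']}")
```

To apply a remediated config to a real distribution, fetch it with `aws cloudfront get-distribution-config --id <ID>`, pass the modified `DistributionConfig` to `aws cloudfront update-distribution --id <ID> --if-match <ETag>`, and expect the update to be rejected for distributions that use the default certificate or dedicated-IP SSL, which is why the check reports those as not applicable rather than attempting to change them.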