Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that your Amazon CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections. An AWS CloudFront security policy determines two settings: the SSL/TLS protocol that CloudFront uses to communicate with the users and the cipher that CloudFront uses to encrypt the content that it returns to users. Cloud Conformity recommends that you use TLSv1.1 as minimum protocol version for your CloudFront distribution security policies, unless your users are using browsers or devices that do not support TLSv1.1 or later.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using a predefined security policy that enforces TLS version 1.1 or 1.2 as the minimum protocol version for CloudFront distributions can improve further the security of the web applications that utilize these distributions. For example, if you select a security policy that enforces TLS version 1.1, weak ciphers such as RC4 and 3DES will be automatically excluded.
NOTE: You have the ability to implement improved security policies (with TLSv1.1 and TLSv1.2) only for CloudFront distributions that use custom SSL certificates to serve HTTPS requests using SNI.
To determine if your Cloudfront web distributions are using improved security policies, perform the following:
01 Sign in to AWS Management Console.
02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.
03 On the Distributions page, select the web distribution that you want to examine.
04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.
05 On the General tab, verify the Security Policy attribute value. If Security Policy is currently set to TLSv1 or TLSv1_2016 protocol, the selected Amazon Cloudfront distribution is not using an improved security policy that enforces TLS version 1.1 or 1.2 as the minimum protocol version, therefore the current configuration is vulnerable to exploits.
06 Repeat steps no. 3 – 5 to check the type of the security policy used by other Cloudfront distributions available in your AWS account.
01 Run list-distributions command (OSX/Linux/UNIX) using custom query filters to list the IDs of all Cloudfront distributions available in your AWS account:
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id'
02 The command output should return a table with the requested distribution IDs:
-------------------- |ListDistributions | +------------------+ | E3RX0DT0Y3MUMZ | | G41A16G5KZMUBD | | UXE6G5KZMPDT8M | +------------------+
03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as identifier and custom query filters to describe the minimum version of the TLS protocol used by the selected distribution security policy for HTTPS connections between viewers and AWS CloudFront:
aws cloudfront get-distribution --id E3RX0DT0Y3MUMZ --query 'Distribution.DistributionConfig.ViewerCertificate.MinimumProtocolVersion'
04 The command output should return the requested TLS protocol version:
"TLSv1"
05 Repeat step no. 3 and 4 to check the TLS protocol version of the security policy used by other Cloudfront distributions created within your AWS account.
To enable security policies that enforce TLS version 1.1 or 1.2 as the minimum protocol version for your Amazon CloudFront distributions, perform the following:
01 Sign in to AWS Management Console.
02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.
03 On the Distributions page, select the web distribution that you want to reconfigure (see Audit section part I to identify the right Cloudfront resource).
04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.
05 On the General tab, click Edit to update the settings for the selected AWS CloudFront distribution.
06 On the Edit Distribution page, select TLSv1.1_2016 (recommended) from the list of TLS protocols available within the Security Policy section. Based on your requirements, you can also choose TLSv1.2_2018 as the minimum protocol version.
07 Click Yes, Edit to apply the security policy changes and enable TLS version 1.1 (or 1.2) as the minimum protocol version for the selected CloudFront distribution.
08 Repeat steps no. 3 – 7 to change the security policy used by other Cloudfront distributions available in your AWS account.
01 Run get-distribution-config command (OSX/Linux/UNIX) using the ID of the web distribution that you want to reconfigure (see Audit section part II to identify the right resource) to get the configuration information necessary for distribution update:
aws cloudfront get-distribution-config --id E3RX0DT0Y3MUMZ
02 The command output should return the configuration information available for the selected Cloudfront distribution:
|
{
"ETag": "DX2YDEJ94HDYGD",
"DistributionConfig": {
"Comment": "",
"CacheBehaviors": {
"Quantity": 0
},
"IsIPV6Enabled": true,
"Logging": {
"Bucket": "",
"Prefix": "",
"Enabled": false,
"IncludeCookies": false
},
...
"ViewerCertificate": {
"SSLSupportMethod": "sni-only",
"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1fd6-4f13-ac04-aaabbbcccddd",
"MinimumProtocolVersion": "TLSv1",
"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1ec4-4f23-a32e-aaabbbcccddd",
"CertificateSource": "acm"
},
"HttpVersion": "http2",
"Restrictions": {
"GeoRestriction": {
"RestrictionType": "none",
"Quantity": 0
}
},
"Aliases": {
"Quantity": 0
}
}
}
03 Modify the configuration information returned at the previous step to implement TLSv1.1 as the minimum protocol version for the selected distribution. Replace "MinimumProtocolVersion" attribute current value with "TLSv1.1_2016" (recommended) or "TLSv1.2_2018" and save the new configuration in a JSON document named distconfig-improved-security-policy.json:
{
"ETag": "DX2YDEJ94HDYGD",
"DistributionConfig": {
"Comment": "",
"CacheBehaviors": {
"Quantity": 0
},
"IsIPV6Enabled": true,
"Logging": {
"Bucket": "",
"Prefix": "",
"Enabled": false,
"IncludeCookies": false
},
...
"ViewerCertificate": {
"SSLSupportMethod": "sni-only",
"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1fd6-4f13-ac04-aaabbbcccddd",
"MinimumProtocolVersion": "TLSv1.1_2016",
"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1ec4-4f23-a32e-aaabbbcccddd",
"CertificateSource": "acm"
},
"HttpVersion": "http2",
"Restrictions": {
"GeoRestriction": {
"RestrictionType": "none",
"Quantity": 0
}
},
"Aliases": {
"Quantity": 0
}
}
}
04 Run update-distribution command (OSX/Linux/UNIX) to update the selected Cloudfront distribution configuration to utilize TLSv1.1 as the minimum protocol version. The following command example updates an AWS CloudFront web distribution identified by the ID E3RX0DT0Y3MUMZ and the ETag DX2YDEJ94HDYGD (an ETag is a header ID exposed when a CDN distribution configuration is retrieved), using a configuration document (JSON format) with the file name distconfig-improved-security-policy.json:
aws cloudfront update-distribution --id E3RX0DT0Y3MUMZ --distribution-config file://distconfig-improved-security-policy.json --if-match DX2YDEJ94HDYGD
05 The command output should return the metadata for the updated CloudFront distribution:
aws cloudfront update-distribution
{
"Distribution": {
"Status": "InProgress",
"DomainName": "aaabbbcccdddeee.cloudfront.net",
...
"ViewerCertificate": {
"SSLSupportMethod": "sni-only",
"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1fd6-4f13-ac04-aaabbbcccddd",
"MinimumProtocolVersion": "TLSv1.1_2016",
"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/aaaabbbb-1ec4-4f23-a32e-aaabbbcccddd",
"CertificateSource": "acm"
},
...
"LastModifiedTime": "2017-09-10T14:54:39.561Z",
"Id": "E3RX0DT0Y3MUMZ"
},
"ETag": "DX2YDEJ94HDYGD"
}
06 Repeat steps no. 1 – 5 to change the security policy used by other Cloudfront distributions available in your AWS account.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial.
Let’s ChatUnlock the Remediation Steps
Gain free unlimited access to our full Knowledge Base
Over rules & best practices for 
and 
Get started for FREE
Thank you!
Please click the link in the confirmation email sent to
You are auditing:
CloudFront Security Policy
Risk level: Medium