CloudFront Without Minimum Protocol TLS 1.2
- Query id: 255b0fcc-9f82-41fe-9229-01b163e3376b
- Query name: CloudFront Without Minimum Protocol TLS 1.2
- Platform: Crossplane
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description
The CloudFront distribution's minimum viewer protocol version (minimumProtocolVersion) should be at least TLS 1.2.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
```yaml
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
  name: sample-distribution
spec:
  forProvider:
    region: us-east-1
    distributionConfig:
      enabled: true
      comment: Crossplane - auto provisioning
      viewerCertificate:
        sslSupportMethod: sni-only
        cloudFrontDefaultCertificate: false
        minimumProtocolVersion: TLSv1.1_2016
      origins:
        items:
          - domainName: sample.s3.amazonaws.com
            id: s3Origin
            s3OriginConfig:
              originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-cloudfront
      base:
        apiVersion: cloudfront.aws.crossplane.io/v1alpha1
        kind: Distribution
        metadata:
          name: sample-distribution
        spec:
          forProvider:
            region: us-east-1
            distributionConfig:
              enabled: true
              comment: Crossplane - auto provisioning
              viewerCertificate:
                sslSupportMethod: sni-only
                cloudFrontDefaultCertificate: false
                minimumProtocolVersion: TLSv1.1_2016
              origins:
                items:
                  - domainName: sample.s3.amazonaws.com
                    id: s3Origin
                    s3OriginConfig:
                      originAccessIDentity: ""
```
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
```yaml
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
  name: sample-distribution
spec:
  forProvider:
    region: us-east-1
    distributionConfig:
      enabled: true
      comment: Crossplane - auto provisioning
      viewerCertificate:
        sslSupportMethod: sni-only
        cloudFrontDefaultCertificate: false
        minimumProtocolVersion: TLSv1.2_2018
      origins:
        items:
          - domainName: sample.s3.amazonaws.com
            id: s3Origin
            s3OriginConfig:
              originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
    - name: metadata
      patches:
        - fromFieldPath: metadata.labels
  resources:
    - name: sample-cloudfront
      base:
        apiVersion: cloudfront.aws.crossplane.io/v1alpha1
        kind: Distribution
        metadata:
          name: sample-distribution
        spec:
          forProvider:
            region: us-east-1
            distributionConfig:
              enabled: true
              comment: Crossplane - auto provisioning
              viewerCertificate:
                sslSupportMethod: sni-only
                cloudFrontDefaultCertificate: false
                minimumProtocolVersion: TLSv1.2_2018
              origins:
                items:
                  - domainName: sample.s3.amazonaws.com
                    id: s3Origin
                    s3OriginConfig:
                      originAccessIDentity: ""
```
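As an added example (not KICS's own Rego query and not part of this page), the Ruby check below scans a Crossplane YAML stream for Distributions, including ones embedded as a Composition `base` as in the samples above, and reports any whose `minimumProtocolVersion` is below TLS 1.2. It assumes CloudFront policy names of the form `TLSv<major>.<minor>_<year>` (with `TLSv1_2016` and `SSLv3` as the older names) and treats a missing value as a finding.

```ruby
require 'yaml'
MIN_TLS = [1, 2].freeze # lowest acceptable viewer TLS version, [major, minor]

# "TLSv1.1_2016" -> [1, 1], "TLSv1_2016" -> [1, 0], nil for SSLv3 or unknown names.
def tls_floor(policy_name)
  m = policy_name.to_s.match(/\ATLSv(\d+)(?:\.(\d+))?(?:_\d{4})?\z/)
  m && [m[1].to_i, m[2].to_i]
end

# Distribution manifests in one parsed document: the document itself, or each
# Composition resource `base` that is a Distribution.
def distributions(doc)
  return [] unless doc.is_a?(Hash)
  return [doc] if doc['kind'] == 'Distribution'
  return [] unless doc['kind'] == 'Composition'
  Array(doc.dig('spec', 'resources')).map { |r| r.is_a?(Hash) ? r['base'] : nil }
                                     .select { |b| b.is_a?(Hash) && b['kind'] == 'Distribution' }
end

# {distribution name => offending value}; a missing minimumProtocolVersion
# is reported too, so the check fails closed.
def weak_tls_findings(yaml_text)
  findings = {}
  YAML.load_stream(yaml_text).each_with_index do |doc, idx|
    distributions(doc).each do |dist|
      policy = dist.dig('spec', 'forProvider', 'distributionConfig',
                        'viewerCertificate', 'minimumProtocolVersion')
      floor = tls_floor(policy)
      next if floor && (floor <=> MIN_TLS) >= 0
      findings[dist.dig('metadata', 'name') || "document #{idx}"] = policy
    end
  end
  findings
end
# Constructed sample: a weak stand-alone Distribution and a clean one embedded
# in a Composition (flow-style YAML keeps it short).
SAMPLE = <<~YAML
  kind: Distribution
  metadata: {name: weak-distribution}
  spec: {forProvider: {distributionConfig: {viewerCertificate: {minimumProtocolVersion: TLSv1.1_2016}}}}
  ---
  kind: Composition
  spec:
    resources:
      - base:
          kind: Distribution
          metadata: {name: composed-distribution}
          spec: {forProvider: {distributionConfig: {viewerCertificate: {minimumProtocolVersion: TLSv1.2_2021}}}}
YAML
weak_tls_findings(SAMPLE).each { |n, v| puts "#{n}: minimumProtocolVersion=#{v.inspect}, want TLSv1.2_* or newer" }
```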