CloudFront Without Minimum Protocol TLS 1.2
- Query id: 00e5e55e-c2ff-46b3-a757-a7a1cd802456
- Query name: CloudFront Without Minimum Protocol TLS 1.2
- Platform: Terraform
- Severity: High
- Category: Insecure Configurations
- URL: Github
Description¶
CloudFront Minimum Protocol version should be at least TLS 1.2
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - tf file
resource "aws_cloudfront_distribution" "positive1" {
origin {
domain_name = aws_s3_bucket.b.bucket_regional_domain_name
origin_id = local.s3_origin_id
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
enabled = true
comment = "Some comment"
default_root_object = "index.html"
default_cache_behavior {
#settings
}
restrictions {
#restrictions
}
}
Positive test num. 2 - tf file
resource "aws_cloudfront_distribution" "positive2" {
origin {
domain_name = aws_s3_bucket.b.bucket_regional_domain_name
origin_id = local.s3_origin_id
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
enabled = true
comment = "Some comment"
default_root_object = "index.html"
default_cache_behavior {
#settings
}
restrictions {
#restrictions
}
viewer_certificate {
cloudfront_default_certificate = false
minimum_protocol_version = "TLSv1_2016"
}
}
Positive test num. 3 - tf file
resource "aws_cloudfront_distribution" "positive3" {
origin {
domain_name = aws_s3_bucket.b.bucket_regional_domain_name
origin_id = local.s3_origin_id
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
enabled = true
comment = "Some comment"
default_root_object = "index.html"
default_cache_behavior {
#settings
}
restrictions {
#restrictions
}
viewer_certificate {
cloudfront_default_certificate = true
}
}
Positive test num. 4 - tf file
resource "aws_cloudfront_distribution" "positive4" {
origin {
domain_name = aws_s3_bucket.b.bucket_regional_domain_name
origin_id = local.s3_origin_id
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
enabled = true
comment = "Some comment"
default_root_object = "index.html"
default_cache_behavior {
#settings
}
restrictions {
#restrictions
}
viewer_certificate {
cloudfront_default_certificate = false
}
}
Code samples without security vulnerabilities¶
Negative test num. 1 - tf file
resource "aws_cloudfront_distribution" "negative1" {
origin {
domain_name = aws_s3_bucket.b.bucket_regional_domain_name
origin_id = local.s3_origin_id
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
enabled = true
comment = "Some comment"
default_root_object = "index.html"
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "allow-all"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}
viewer_certificate {
cloudfront_default_certificate = false
minimum_protocol_version = "TLSv1.2_2018"
}
}
resource "aws_cloudfront_distribution" "negative2" {
origin {
domain_name = aws_s3_bucket.b.bucket_regional_domain_name
origin_id = local.s3_origin_id
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
enabled = true
comment = "Some comment"
default_root_object = "index.html"
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = local.s3_origin_id
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "allow-all"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}
viewer_certificate {
cloudfront_default_certificate = false
minimum_protocol_version = "TLSv1.2_2019"
}
}