CloudFront Without Minimum Protocol TLS 1.2

  • Query id: dc17ee4b-ddf2-4e23-96e8-7a36abad1303
  • Query name: CloudFront Without Minimum Protocol TLS 1.2
  • Platform: CloudFormation
  • Severity: Medium
  • Category: Insecure Configurations
  • CWE: 311
  • URL: Github

Description

CloudFront Minimum Protocol version should be at least TLS 1.2
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: string-value
                LambdaFunctionARN: string-value
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: string-value
              LambdaFunctionARN: string-value
        IPV6Enabled: boolean-value
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: integer-value
              OriginReadTimeout: integer-value
        ViewerCertificate:
            AcmCertificateArn: String
            CloudFrontDefaultCertificate: true
            IamCertificateId: String
            MinimumProtocolVersion: "TLSv1.1_2016"
            SslSupportMethod: String
      Tags:
        - Key: string-value
          Value: string-value
  cloudfrontdistribution2:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: string-value
                LambdaFunctionARN: string-value
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: string-value
              LambdaFunctionARN: string-value
        IPV6Enabled: boolean-value
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: integer-value
              OriginReadTimeout: integer-value
      Tags:
        - Key: string-value
          Value: string-value
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "cloudfrontdistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "ViewerCertificate": {
            "IamCertificateId": "String",
            "MinimumProtocolVersion": "TLSv1.1_2016",
            "SslSupportMethod": "String",
            "AcmCertificateArn": "String",
            "CloudFrontDefaultCertificate": true
          },
          "CacheBehaviors": [
            {
              "LambdaFunctionAssociations": [
                {
                  "EventType": "string-value",
                  "LambdaFunctionARN": "string-value"
                }
              ]
            }
          ],
          "DefaultCacheBehavior": {
            "LambdaFunctionAssociations": [
              {
                "EventType": "string-value",
                "LambdaFunctionARN": "string-value"
              }
            ]
          },
          "IPV6Enabled": "boolean-value",
          "Origins": [
            {
              "CustomOriginConfig": {
                "OriginKeepaliveTimeout": "integer-value",
                "OriginReadTimeout": "integer-value"
              }
            }
          ]
        },
        "Tags": [
          {
            "Key": "string-value",
            "Value": "string-value"
          }
        ]
      }
    },
    "cloudfrontdistribution2": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "Origins": [
            {
              "CustomOriginConfig": {
                "OriginKeepaliveTimeout": "integer-value",
                "OriginReadTimeout": "integer-value"
              }
            }
          ],
          "CacheBehaviors": [
            {
              "LambdaFunctionAssociations": [
                {
                  "EventType": "string-value",
                  "LambdaFunctionARN": "string-value"
                }
              ]
            }
          ],
          "DefaultCacheBehavior": {
            "LambdaFunctionAssociations": [
              {
                "LambdaFunctionARN": "string-value",
                "EventType": "string-value"
              }
            ]
          },
          "IPV6Enabled": "boolean-value"
        },
        "Tags": [
          {
            "Key": "string-value",
            "Value": "string-value"
          }
        ]
      }
    }
  }
}

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
AWSTemplateFormatVersion: 2010-09-09
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: string-value
                LambdaFunctionARN: string-value
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: string-value
              LambdaFunctionARN: string-value
        IPV6Enabled: boolean-value
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: integer-value
              OriginReadTimeout: integer-value
        ViewerCertificate:
            AcmCertificateArn: String
            CloudFrontDefaultCertificate: true
            IamCertificateId: String
            MinimumProtocolVersion: "TLSv1.2_2018"
            SslSupportMethod: String
      Tags:
        - Key: string-value
          Value: string-value
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "cloudfrontdistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "CacheBehaviors": [
            {
              "LambdaFunctionAssociations": [
                {
                  "EventType": "string-value",
                  "LambdaFunctionARN": "string-value"
                }
              ]
            }
          ],
          "DefaultCacheBehavior": {
            "LambdaFunctionAssociations": [
              {
                "EventType": "string-value",
                "LambdaFunctionARN": "string-value"
              }
            ]
          },
          "IPV6Enabled": "boolean-value",
          "Origins": [
            {
              "CustomOriginConfig": {
                "OriginKeepaliveTimeout": "integer-value",
                "OriginReadTimeout": "integer-value"
              }
            }
          ],
          "ViewerCertificate": {
            "IamCertificateId": "String",
            "MinimumProtocolVersion": "TLSv1.2_2018",
            "SslSupportMethod": "String",
            "AcmCertificateArn": "String",
            "CloudFrontDefaultCertificate": true
          }
        },
        "Tags": [
          {
            "Key": "string-value",
            "Value": "string-value"
          }
        ]
      }
    }
  }
}