CloudFront Without Minimum Protocol TLS 1.2
- Query id: dc17ee4b-ddf2-4e23-96e8-7a36abad1303
- Query name: CloudFront Without Minimum Protocol TLS 1.2
- Platform: CloudFormation
- Severity: Medium
- Category: Insecure Configurations
- CWE: 311
- URL: Github
Description
A CloudFront distribution's `ViewerCertificate.MinimumProtocolVersion` should be TLS 1.2 or later, so that viewers cannot negotiate TLS 1.0/1.1 with the distribution. In the samples below, both a distribution whose `ViewerCertificate` sets `TLSv1.1_2016` and a distribution that omits the `ViewerCertificate` block altogether are reported; the compliant samples set `TLSv1.2_2018`.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# Positive sample: two CloudFront distributions that are both reported by this query.
# Values such as string-value / boolean-value / integer-value are placeholders from the
# test fixture, not valid CloudFormation values; only the ViewerCertificate block matters here.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  # Reported: ViewerCertificate declares a minimum protocol below TLS 1.2.
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: string-value
                LambdaFunctionARN: string-value
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: string-value
              LambdaFunctionARN: string-value
        IPV6Enabled: boolean-value
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: integer-value
              OriginReadTimeout: integer-value
        ViewerCertificate:
          AcmCertificateArn: String
          # NOTE(review): CloudFrontDefaultCertificate is true alongside a custom certificate;
          # with the default CloudFront certificate the security policy is not governed by
          # MinimumProtocolVersion — confirm which certificate is actually intended.
          CloudFrontDefaultCertificate: true
          IamCertificateId: String
          # TLSv1.1_2016 still permits TLS 1.0/1.1 handshakes; this is the reported setting.
          MinimumProtocolVersion: "TLSv1.1_2016"
          SslSupportMethod: String
      Tags:
        - Key: string-value
          Value: string-value
  # Reported: no ViewerCertificate block at all, so no minimum protocol version is declared.
  cloudfrontdistribution2:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: string-value
                LambdaFunctionARN: string-value
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: string-value
              LambdaFunctionARN: string-value
        IPV6Enabled: boolean-value
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: integer-value
              OriginReadTimeout: integer-value
      Tags:
        - Key: string-value
          Value: string-value
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"cloudfrontdistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"Enabled": true,
"ViewerCertificate": {
"IamCertificateId": "String",
"MinimumProtocolVersion": "TLSv1.1_2016",
"SslSupportMethod": "String",
"AcmCertificateArn": "String",
"CloudFrontDefaultCertificate": true
},
"CacheBehaviors": [
{
"LambdaFunctionAssociations": [
{
"EventType": "string-value",
"LambdaFunctionARN": "string-value"
}
]
}
],
"DefaultCacheBehavior": {
"LambdaFunctionAssociations": [
{
"EventType": "string-value",
"LambdaFunctionARN": "string-value"
}
]
},
"IPV6Enabled": "boolean-value",
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": "integer-value",
"OriginReadTimeout": "integer-value"
}
}
]
},
"Tags": [
{
"Key": "string-value",
"Value": "string-value"
}
]
}
},
"cloudfrontdistribution2": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"Enabled": true,
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": "integer-value",
"OriginReadTimeout": "integer-value"
}
}
],
"CacheBehaviors": [
{
"LambdaFunctionAssociations": [
{
"EventType": "string-value",
"LambdaFunctionARN": "string-value"
}
]
}
],
"DefaultCacheBehavior": {
"LambdaFunctionAssociations": [
{
"LambdaFunctionARN": "string-value",
"EventType": "string-value"
}
]
},
"IPV6Enabled": "boolean-value"
},
"Tags": [
{
"Key": "string-value",
"Value": "string-value"
}
]
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# Negative sample: not reported, because ViewerCertificate sets a TLS 1.2 security policy.
# Values such as string-value / boolean-value / integer-value are fixture placeholders,
# not valid CloudFormation values.
AWSTemplateFormatVersion: 2010-09-09
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: string-value
                LambdaFunctionARN: string-value
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: string-value
              LambdaFunctionARN: string-value
        IPV6Enabled: boolean-value
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: integer-value
              OriginReadTimeout: integer-value
        ViewerCertificate:
          AcmCertificateArn: String
          # NOTE(review): CloudFrontDefaultCertificate is true alongside a custom certificate;
          # the MinimumProtocolVersion below only takes effect with a custom certificate —
          # confirm the intended certificate source.
          CloudFrontDefaultCertificate: true
          IamCertificateId: String
          # TLSv1.2_2018 meets the TLS 1.2 minimum this query requires.
          MinimumProtocolVersion: "TLSv1.2_2018"
          SslSupportMethod: String
      Tags:
        - Key: string-value
          Value: string-value
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
"Resources": {
"cloudfrontdistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"CacheBehaviors": [
{
"LambdaFunctionAssociations": [
{
"EventType": "string-value",
"LambdaFunctionARN": "string-value"
}
]
}
],
"DefaultCacheBehavior": {
"LambdaFunctionAssociations": [
{
"EventType": "string-value",
"LambdaFunctionARN": "string-value"
}
]
},
"IPV6Enabled": "boolean-value",
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": "integer-value",
"OriginReadTimeout": "integer-value"
}
}
],
"ViewerCertificate": {
"IamCertificateId": "String",
"MinimumProtocolVersion": "TLSv1.2_2018",
"SslSupportMethod": "String",
"AcmCertificateArn": "String",
"CloudFrontDefaultCertificate": true
}
},
"Tags": [
{
"Key": "string-value",
"Value": "string-value"
}
]
}
}
}
}