CloudFront Without Minimum Protocol TLS 1.2

Query id: dc17ee4b-ddf2-4e23-96e8-7a36abad1303
Query name: CloudFront Without Minimum Protocol TLS 1.2
Platform: CloudFormation
Severity: Medium
Category: Insecure Configurations
CWE: 311
URL: Github

Description¶

CloudFront Minimum Protocol version should be at least TLS 1.2
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Positive test num. 1 - yaml file

< Re

Positive test num. 2 - json file

/span>

AWSTemplateFormatVersion: 2010-09-09 sources: cloudfrontdistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Enabled: true CacheBehaviors: - LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value DefaultCacheBehavior: LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value IPV6Enabled: boolean-value Origins: - CustomOriginConfig: OriginKeepaliveTimeout: integer-value OriginReadTimeout: integer-value ViewerCertificate: AcmCertificateArn: String CloudFrontDefaultCertificate: true IamCertificateId: String class="w">            MinimumProtocolVersion: "TLSv1.1_2016" SslSupportMethod: String Tags: - Key: string-value Value: string-value cloudfrontdistribution2: Type: AWS::CloudFront::Distribution Properties: class="w">      DistributionConfig: Enabled: true CacheBehaviors: - LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value DefaultCacheBehavior: LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value IPV6Enabled: boolean-value Origins: - CustomOriginConfig: OriginKeepaliveTimeout: integer-value OriginReadTimeout: integer-value Tags: - Key: string-value Value: string-value /span>{ "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z", "Resources": { "cloudfrontdistribution": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "Enabled": true, "ViewerCertificate": { "IamCertificateId": "String", class="w">            "MinimumProtocolVersion": "TLSv1.1_2016", "SslSupportMethod": "String", "AcmCertificateArn": "String", "CloudFrontDefaultCertificate": true }, "CacheBehaviors": [ { "LambdaFunctionAssociations": [ { "EventType": "string-value", "LambdaFunctionARN": "string-value" } ] } ], "DefaultCacheBehavior": { "LambdaFunctionAssociations": [ { "EventType": "string-value", "LambdaFunctionARN": "string-value" } ] }, "IPV6Enabled": "boolean-value", "Origins": [ { "CustomOriginConfig": { "OriginKeepaliveTimeout": "integer-value", "OriginReadTimeout": "integer-value" } } ] }, "Tags": [ { "Key": "string-value", "Value": "string-value" } ] } }, "cloudfrontdistribution2": { "Type": "AWS::CloudFront::Distribution", "Properties": { class="w">        "DistributionConfig": { "Enabled": true, "Origins": [ { "CustomOriginConfig": { "OriginKeepaliveTimeout": "integer-value", "OriginReadTimeout": "integer-value" } } ], "CacheBehaviors": [ { "LambdaFunctionAssociations": [ { "EventType": "string-value", "LambdaFunctionARN": "string-value" } ] } ], "DefaultCacheBehavior": { "LambdaFunctionAssociations": [ { "LambdaFunctionARN": "string-value", "EventType": "string-value" } ] }, "IPV6Enabled": "boolean-value" }, "Tags": [ { "Key": "string-value", "Value": "string-value" } ] } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml fileAWSTemplateFormatVersion: 2010-09-09
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: string-value
                LambdaFunctionARN: string-value
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: string-value
              LambdaFunctionARN: string-value
        IPV6Enabled: boolean-value
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: integer-value
              OriginReadTimeout: integer-value
        ViewerCertificate:
            AcmCertificateArn: String
            CloudFrontDefaultCertificate: true
            IamCertificateId: String
            MinimumProtocolVersion: "TLSv1.2_2018"
            SslSupportMethod: String
      Tags:
        - Key: string-value
          Value: string-value

Negative test num. 2 - json file{
  "AWSTemplateFormatVersion": "2010-09-09T00:00:00Z",
  "Resources": {
    "cloudfrontdistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "CacheBehaviors": [
            {
              "LambdaFunctionAssociations": [
                {
                  "EventType": "string-value",
                  "LambdaFunctionARN": "string-value"
                }
              ]
            }
          ],
          "DefaultCacheBehavior": {
            "LambdaFunctionAssociations": [
              {
                "EventType": "string-value",
                "LambdaFunctionARN": "string-value"
              }
            ]
          },
          "IPV6Enabled": "boolean-value",
          "Origins": [
            {
              "CustomOriginConfig": {
                "OriginKeepaliveTimeout": "integer-value",
                "OriginReadTimeout": "integer-value"
              }
            }
          ],
          "ViewerCertificate": {
            "IamCertificateId": "String",
            "MinimumProtocolVersion": "TLSv1.2_2018",
            "SslSupportMethod": "String",
            "AcmCertificateArn": "String",
            "CloudFrontDefaultCertificate": true
          }
        },
        "Tags": [
          {
            "Key": "string-value",
            "Value": "string-value"
          }
        ]
      }
    }
  }
}