CloudFront Without Minimum Protocol TLS 1.2

• Query id: d0c13053-d2c8-44a6-95da-d592996e9e67
• Query name: CloudFront Without Minimum Protocol TLS 1.2
• Platform: Ansible
• Severity: Medium
• Category: Insecure Configurations
• URL: Github

Description

CloudFront Minimum Protocol version should be at least TLS 1.2
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file

- name: create a distribution with an origin and logging
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    logging:
      enabled: true
      include_cookies: false
      bucket: mylogbucket.s3.amazonaws.com
      prefix: myprefix/
    viewer_certificate:
      minimum_protocol_version: TLSv1
    comment: this is a CloudFront distribution with logging
- name: create another distribution with an origin and logging
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    logging:
      enabled: true
      include_cookies: false
      bucket: mylogbucket.s3.amazonaws.com
      prefix: myprefix/
    viewer_certificate:
      minimum_protocol_version: TLSv1.1_2016
    comment: this is a CloudFront distribution with logging
- name: create a third distribution
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    logging:
      enabled: true
      include_cookies: false
      bucket: mylogbucket.s3.amazonaws.com
      prefix: myprefix/
    comment: this is a CloudFront distribution with logging

Code samples without security vulnerabilities

Negative test num. 1 - yaml file

- name: create a distribution with an origin and logging
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    logging:
      enabled: true
      include_cookies: false
      bucket: mylogbucket.s3.amazonaws.com
      prefix: myprefix/
    viewer_certificate:
      minimum_protocol_version: TLSv1.2_2018
    comment: this is a CloudFront distribution with logging