CloudFront Without Minimum Protocol TLS 1.2

  • Query id: 255b0fcc-9f82-41fe-9229-01b163e3376b
  • Query name: CloudFront Without Minimum Protocol TLS 1.2
  • Platform: Crossplane
  • Severity: High
  • Category: Insecure Configurations
  • URL: Github

Description

The CloudFront distribution's viewerCertificate.minimumProtocolVersion should be at least TLS 1.2 (for example TLSv1.2_2018), so that viewers cannot negotiate older protocol versions such as TLSv1.1_2016.
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
  name: sample-distribution
spec:
  forProvider:
    region: us-east-1
    distributionConfig:
      enabled: true
      comment: Crossplane - auto provisioning
      viewerCertificate:
        sslSupportMethod: sni-only
        cloudFrontDefaultCertificate: false
        minimumProtocolVersion: TLSv1.1_2016
      origins:
        items:
          - domainName: sample.s3.amazonaws.com
            id: s3Origin
            s3OriginConfig:
              originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
  - name: metadata
    patches:
    - fromFieldPath: metadata.labels
  resources:
    - name: sample-cloudfront
      base:
        apiVersion: cloudfront.aws.crossplane.io/v1alpha1
        kind: Distribution
        metadata:
          name: sample-distribution
        spec:
          forProvider:
            region: us-east-1
            distributionConfig:
              enabled: true
              comment: Crossplane - auto provisioning
              viewerCertificate:
                sslSupportMethod: sni-only
                cloudFrontDefaultCertificate: false
                minimumProtocolVersion: TLSv1.1_2016
              origins:
                items:
                  - domainName: sample.s3.amazonaws.com
                    id: s3Origin
                    s3OriginConfig:
                      originAccessIDentity: ""

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
  name: sample-distribution
spec:
  forProvider:
    region: us-east-1
    distributionConfig:
      enabled: true
      comment: Crossplane - auto provisioning
      viewerCertificate:
        sslSupportMethod: sni-only
        cloudFrontDefaultCertificate: false
        minimumProtocolVersion: TLSv1.2_2018
      origins:
        items:
          - domainName: sample.s3.amazonaws.com
            id: s3Origin
            s3OriginConfig:
              originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
  - name: metadata
    patches:
    - fromFieldPath: metadata.labels
  resources:
    - name: sample-cloudfront
      base:
        apiVersion: cloudfront.aws.crossplane.io/v1alpha1
        kind: Distribution
        metadata:
          name: sample-distribution
        spec:
          forProvider:
            region: us-east-1
            distributionConfig:
              enabled: true
              comment: Crossplane - auto provisioning
              viewerCertificate:
                sslSupportMethod: sni-only
                cloudFrontDefaultCertificate: false
                minimumProtocolVersion: TLSv1.2_2018
              origins:
                items:
                  - domainName: sample.s3.amazonaws.com
                    id: s3Origin
                    s3OriginConfig:
                      originAccessIDentity: ""
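As an added example (not part of the KICS query or the Crossplane project), the following Python check applies the rule above to manifests shaped like the two samples: it walks each document, finds every Distribution, including one embedded under a Composition's resources[].base, and reports a minimumProtocolVersion that is missing or older than TLS 1.2. The manifests are constructed inline as dicts mirroring the YAML above, and the function names are the example's own.

```python
import re
from typing import Any, Iterator

# Constructed samples mirroring the page's YAML as Python dicts (in a real
# pipeline these would come from yaml.safe_load_all() on the manifest file).
def distribution(min_version: str) -> dict:
    """Crossplane Distribution whose viewerCertificate sets the given TLS floor."""
    return {"apiVersion": "cloudfront.aws.crossplane.io/v1alpha1", "kind": "Distribution",
            "spec": {"forProvider": {"region": "us-east-1", "distributionConfig": {
                "viewerCertificate": {"sslSupportMethod": "sni-only",
                                      "cloudFrontDefaultCertificate": False,
                                      "minimumProtocolVersion": min_version}}}}}

def composition(base: dict) -> dict:
    """Composition embedding a manifest under resources[].base, like the page's second document."""
    return {"apiVersion": "apiextensions.crossplane.io/v1", "kind": "Composition",
            "spec": {"resources": [{"name": "sample-cloudfront", "base": base}]}}

_TLS = re.compile(r"^TLSv(\d+)(?:\.(\d+))?")

def tls_version_ok(value: str) -> bool:
    """True only for TLS 1.2 or newer (TLSv1.2_2018 passes; TLSv1.1_2016, TLSv1_2016, SSLv3 fail)."""
    m = _TLS.match(value)
    if not m:
        return False          # SSLv3 or an unrecognised value is never acceptable
    return (int(m.group(1)), int(m.group(2) or 0)) >= (1, 2)

def find_distributions(doc: Any, path: str) -> Iterator[tuple[str, dict]]:
    """Yield (path, manifest) for every Distribution, including ones nested in a Composition base."""
    if isinstance(doc, dict):
        if doc.get("kind") == "Distribution":
            yield path, doc
        for key, value in doc.items():
            yield from find_distributions(value, f"{path}.{key}")
    elif isinstance(doc, list):
        for i, value in enumerate(doc):
            yield from find_distributions(value, f"{path}[{i}]")

def check(docs: list) -> list[str]:
    """One finding per Distribution whose minimumProtocolVersion is missing or below TLS 1.2."""
    findings = []
    for n, doc in enumerate(docs):
        for path, dist in find_distributions(doc, f"doc{n}"):
            cfg = dist.get("spec", {}).get("forProvider", {}).get("distributionConfig", {})
            version = cfg.get("viewerCertificate", {}).get("minimumProtocolVersion")
            if version is None:
                findings.append(f"{path}: minimumProtocolVersion not set")
            elif not tls_version_ok(version):
                findings.append(f"{path}: minimumProtocolVersion {version} is below TLSv1.2")
    return findings
```

Running check() over the positive samples yields one finding for the top-level Distribution and one for the copy inside the Composition; the negative samples yield none.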