Verify CloudFront Distribution Viewer Certificate is using TLS v1.2

Error: CloudFront web distribution that allows TLS versions 1.0 or lower
Bridgecrew Policy ID: BC_AWS_NETWORKING_63
Checkov Check ID: CKV_AWS_174
Severity: MEDIUM

CloudFront web distribution that allows TLS versions 1.0 or lower

Description

This policy identifies AWS CloudFront web distributions whose security policy allows TLS 1.0 or lower for HTTPS communication between viewers and CloudFront. As a best practice, use TLSv1.1_2016 or later as the minimum protocol version in your CloudFront distribution security policies.

Fix - Runtime

AWS Console

  1. Sign in to the AWS console
  2. Navigate to CloudFront Distributions Dashboard
  3. Click on the reported distribution
  4. On the 'General' tab, click the 'Edit' button
  5. On the 'Edit Distribution' page, set 'Security Policy' to TLSv1.1_2016 or later, as your requirements dictate.
  6. Click on 'Yes, Edit'

Fix - Buildtime

Terraform

  • Resource: aws_cloudfront_distribution
  • Argument: minimum_protocol_version

resource "aws_cloudfront_distribution" "pass" {
...

  viewer_certificate {
    # A custom (ACM or IAM) certificate is required: with the default
    # *.cloudfront.net certificate CloudFront pins the security policy to TLSv1.
    cloudfront_default_certificate = false
    # Viewers must negotiate TLS 1.2 or later.
    minimum_protocol_version       = "TLSv1.2_2018"
  }
}
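As an added example, not Checkov's own implementation, the following Python check applies the rule above to viewer_certificate blocks given as plain dicts (the shape a Terraform parser such as python-hcl2 would yield; the sample resources are constructed here). The required floor defaults to TLSv1.2_2018, the value used in the fix; pass "TLSv1.1_2016" to apply the description's looser floor. Treating a missing minimum_protocol_version as TLSv1 reflects the provider default and is an assumption of this example.

```python
"""Buildtime check for the CloudFront viewer TLS floor (CKV_AWS_174 style)."""

# CloudFront security policies, weakest to strongest, named as in the Terraform
# argument minimum_protocol_version and the CloudFront API.
SECURITY_POLICIES = [
    "SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
    "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021",
]


def check_viewer_certificate(viewer_certificate, minimum_required="TLSv1.2_2018"):
    """Return (passed, reason) for one viewer_certificate block (a dict)."""
    if not viewer_certificate:
        return False, "no viewer_certificate block found"
    if viewer_certificate.get("cloudfront_default_certificate") is True:
        # The default *.cloudfront.net certificate pins the policy to TLSv1.
        return False, "cloudfront_default_certificate = true forces TLSv1"
    # Assumption: an omitted minimum_protocol_version behaves like TLSv1.
    policy = viewer_certificate.get("minimum_protocol_version", "TLSv1")
    if policy not in SECURITY_POLICIES:
        return False, f"unknown minimum_protocol_version {policy!r}"
    if SECURITY_POLICIES.index(policy) < SECURITY_POLICIES.index(minimum_required):
        return False, f"{policy} is weaker than required {minimum_required}"
    return True, f"{policy} meets {minimum_required}"


def scan_distributions(resources, minimum_required="TLSv1.2_2018"):
    """Map {resource_name: body} to {resource_name: (passed, reason)}."""
    return {
        name: check_viewer_certificate(body.get("viewer_certificate"), minimum_required)
        for name, body in resources.items()
    }


# Constructed sample resources; the ACM ARN is a placeholder, not a real certificate.
PLACEHOLDER_ARN = "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER"
SAMPLE = {
    "pass": {"viewer_certificate": {"cloudfront_default_certificate": False,
                                    "minimum_protocol_version": "TLSv1.2_2018"}},
    "fail_old": {"viewer_certificate": {"acm_certificate_arn": PLACEHOLDER_ARN,
                                        "ssl_support_method": "sni-only",
                                        "minimum_protocol_version": "TLSv1_2016"}},
    "fail_default": {"viewer_certificate": {"cloudfront_default_certificate": True}},
    "fail_missing": {"viewer_certificate": {"acm_certificate_arn": PLACEHOLDER_ARN,
                                            "ssl_support_method": "sni-only"}},
}

if __name__ == "__main__":
    for name, (ok, why) in scan_distributions(SAMPLE).items():
        print(f"{'PASSED' if ok else 'FAILED'} aws_cloudfront_distribution.{name}: {why}")
```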