Ensure AWS CloudFront distribution is using secure SSL protocols for HTTPS communication

Error: AWS CloudFront distribution is using insecure SSL protocols for HTTPS communication

Bridgecrew Policy ID: BC_AWS_GENERAL_5
Checkov Check ID: CKV_AWS_34
Severity: LOW

AWS CloudFront distribution is using insecure SSL protocols for HTTPS communication


DynamoDB point-in-time recovery (PITR) is an automatic backup service for DynamoDB table data that helps protect your DynamoDB tables from accidental write or delete operations. It must use HTTPS. Once enabled, PITR provides continuous backups that can be controlled using various programmatic parameters. PITR can also be used to restore table data from any point in time during the last 35 days, as well as any incremental backups of DynamoDB tables.

We recommend you ensure Cloudfront distribution ViewerProtocolPolicy is set to HTTPS.

Fix - Runtime

AWS Console

To change the policy using the AWS Console, follow these steps:

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the Amazon DynamoDB console.
  3. Navigate to your DynamoDB table, then select the Backups tab.
  4. To turn the feature on, click Enable.
    The Earliest restore date and Latest restore date are visible within a few seconds.

CLI Command

To update a CloudFront distribution:

aws cloudfront update-distribution \
    --if-match E2QWRUHEXAMPLE \
    --distribution-config file://dist-config-disable.json
    --ViewerProtocolPolicy https-only

Fix - Buildtime


  • Resource: aws_cloudfront_distribution
  • Argument: viewer_protocol_policy (Required) - Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https.
resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = aws_s3_bucket.b.bucket_regional_domain_name
    origin_id   = local.s3_origin_id
+ viewer_protocol_policy = "https-only"