Ensure CloudFront distributions do not use deprecated SSL protocols

Error: CloudFront distributions use deprecated SSL protocols

Bridgecrew Policy ID: BC_AWS_NETWORKING_33
Severity: MEDIUM

CloudFront distributions use deprecated SSL protocols

Description

Using insecure and deprecated SSL protocols could leave your site and origin server vulnerable to exploits. We recommend detecting the use of older SSL protocols that are no longer considered secure. Use TLSv1.2 where possible and do not use anything older than TLSv1.

You can review AWS guidance on SSL protocol here.

Fix - Runtime

AWS CloudFront Console

  1. Log in to the AWS Management Console at https://console.aws.amazon.com/.
  2. Open the CloudFront console.
  3. Select CloudFront distribution, then click Distribution Settings.
  4. Navigate to the General section, click Edit.
  5. Set a security policy. It is currently recommended to use policy TLSv1.2_2018.
  6. To save the changes, click Yes.

CLI Command

To get a list of all CloudFront distributions and check the origin SSL protocols of each one, use the following commands:

aws cloudfront list-distributions --query 'DistributionList.Items[*].Id'

aws cloudfront get-distribution --id <Distribution Id> \
    --query 'Distribution.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items'

If the distribution's origin SSL protocols include SSLv2 or SSLv3, update the distribution using the following steps and commands:

aws cloudfront get-distribution-config --id <Distribution Id> > /tmp/cloudfront-config.json

Get the ETag for your config

ETAG=$(jq -r '.ETag' /tmp/cloudfront-config.json)
echo $ETAG

Get the DistributionConfig

jq '.DistributionConfig' /tmp/cloudfront-config.json > /tmp/cloudfront-dc.json

Edit the OriginSslProtocols block at Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items so that it lists only TLSv1.2:

vi /tmp/cloudfront-dc.json

For example (Quantity must equal the number of entries in Items, otherwise the update is rejected):

"OriginSslProtocols": {
    "Quantity": 1,
    "Items": [
        "TLSv1.2"
    ]
},

Then push the edited config back, passing the ETag so the update is rejected if the distribution was modified in the meantime:

aws cloudfront update-distribution \
    --id <Distribution Id> \
    --if-match $ETAG \
    --distribution-config file:///tmp/cloudfront-dc.json
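The check and remediation above, as an added Python example (not part of this page or of Checkov's own check code): it takes the DistributionConfig object saved by get-distribution-config, reports custom origins that still allow a deprecated protocol, and rewrites them to TLSv1.2 only while keeping Quantity in sync with Items. The sample config, the origin Ids and the choice to also flag TLSv1 and TLSv1.1 are assumptions.

```python
import json
from typing import Dict, List, Tuple

# Protocols treated as deprecated on the CloudFront-to-origin connection. SSLv3 is
# the case this page calls out; TLSv1 and TLSv1.1 are added because the remediation
# target is TLSv1.2 only (assumption; narrow the set if an origin needs TLSv1.1).
DEPRECATED_ORIGIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
RECOMMENDED_ORIGIN_PROTOCOLS = ["TLSv1.2"]

def find_deprecated_origins(config: Dict) -> List[Tuple[str, List[str]]]:
    """Return (origin Id, offending protocols) for each custom origin that still
    allows a deprecated protocol; S3 origins have no CustomOriginConfig and are skipped."""
    findings = []
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue
        allowed = custom.get("OriginSslProtocols", {}).get("Items", [])
        bad = [p for p in allowed if p in DEPRECATED_ORIGIN_PROTOCOLS]
        if bad:
            findings.append((origin["Id"], bad))
    return findings

def remediate(config: Dict) -> Dict:
    """Return a deep copy with every custom origin restricted to TLSv1.2.
    Quantity must equal len(Items) or update-distribution rejects the config."""
    fixed = json.loads(json.dumps(config))
    for origin in fixed.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom:
            custom["OriginSslProtocols"] = {
                "Quantity": len(RECOMMENDED_ORIGIN_PROTOCOLS),
                "Items": list(RECOMMENDED_ORIGIN_PROTOCOLS),
            }
    return fixed

# Constructed sample: the .DistributionConfig object from get-distribution-config,
# trimmed to what the check reads. "assets" is an S3 origin and must be left alone.
SAMPLE_CONFIG = {"Origins": {"Quantity": 2, "Items": [
    {"Id": "legacy-api", "DomainName": "api.example.com", "CustomOriginConfig": {
        "OriginProtocolPolicy": "https-only",
        "OriginSslProtocols": {"Quantity": 3, "Items": ["SSLv3", "TLSv1", "TLSv1.2"]}}},
    {"Id": "assets", "DomainName": "assets.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}},
]}}

if __name__ == "__main__":
    for origin_id, protocols in find_deprecated_origins(SAMPLE_CONFIG):
        print(f"{origin_id}: deprecated OriginSslProtocols {protocols}")
    print(json.dumps(remediate(SAMPLE_CONFIG), indent=2))  # feed to update-distribution
```

Run it against the real file with `remediate(json.load(open("/tmp/cloudfront-dc.json")))` and write the result back before calling update-distribution with the saved ETag.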