
πŸ›‘οΈ AWS CloudFront Web Distribution uses legacy Security Policy🟒

  • Contextual name: 🛡️ Web Distribution uses legacy Security Policy 🟢
  • ID: /ce/ca/aws/cloudfront/distribution-security-policy
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY

Logic

Similar Policies

Description


This policy identifies AWS CloudFront distributions that are not configured with a security policy enforcing a minimum TLS version of TLSv1.2_2021 and appropriate cipher suites for HTTPS viewer connections. An AWS CloudFront security policy defines two key parameters: the SSL/TLS protocol version CloudFront uses to communicate with viewers and the cipher suites used to encrypt content delivered to users.

It is recommended to configure CloudFront distributions to use TLS 1.2 (preferably TLS 1.3) as the minimum supported protocol version, unless compatibility requirements mandate support for legacy browsers or devices that do not support TLS 1.2 or later.

Rationale

Using a predefined security policy that enforces TLS 1.2 or TLS 1.3 as the minimum protocol version enhances the security posture of websites and web applications delivered through CloudFront by reducing exposure to known cryptographic vulnerabilities.

Audit

This policy flags an AWS CloudFront Distribution as INCOMPLIANT if Viewer Certificate Min Protocol Version is:


Remediation


Update the Security Policy

From Console
  1. Log in to the AWS Management Console.
  2. Navigate to the Amazon CloudFront console.
  3. In the left navigation pane, choose Distributions.
  4. Select the CloudFront distribution to reconfigure.
  5. Open the General tab and choose Edit.
  6. Under Security policy, select TLSv1.2_2025 (recommended).
  7. Choose Save changes.
  8. Repeat these steps for each CloudFront distribution, if applicable.
From Command Line
  1. Retrieve the current distribution configuration

    aws cloudfront get-distribution-config \
      --id {{distribution-id}} \
      --query 'DistributionConfig'
  2. Identify the non-compliant setting

    In the output, locate the ViewerCertificate.MinimumProtocolVersion field. For example:

    {
      "ViewerCertificate": {
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1",
        "CertificateSource": "acm"
      }
    }
  3. Retrieve the configuration ETag

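As an added example (not part of this policy page or the Cloudaware product), the audit and remediation steps above applied to the JSON that `aws cloudfront get-distribution-config` returns: it flags a legacy security policy and, for a distribution with a custom certificate, produces the corrected DistributionConfig plus the ETag to pass as `--if-match` to `aws cloudfront update-distribution`. The sample output (taken without `--query`, so the ETag is included), the accepted-policy set and the handling of the default CloudFront certificate are assumptions.

```python
"""Audit CloudFront viewer security policies and build the remediation payload."""
import copy
import json

# TLSv1.2_2021 is the minimum the policy text requires; TLSv1.2_2025 is the
# value the remediation recommends. Assumption: every other
# MinimumProtocolVersion value is treated as a legacy security policy.
COMPLIANT_POLICIES = {"TLSv1.2_2021", "TLSv1.2_2025"}
RECOMMENDED_POLICY = "TLSv1.2_2025"

# Constructed sample of `aws cloudfront get-distribution-config` output
# (fields the check does not need are omitted; the ETag is made up).
SAMPLE_GET_CONFIG_OUTPUT = json.dumps({
    "ETag": "EXAMPLEETAG",
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Enabled": True,
        "ViewerCertificate": {
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1",
            "CertificateSource": "acm",
        },
    },
})


def is_compliant(dist_config: dict) -> bool:
    """True when ViewerCertificate.MinimumProtocolVersion is an accepted policy."""
    version = dist_config.get("ViewerCertificate", {}).get("MinimumProtocolVersion")
    return version in COMPLIANT_POLICIES


def remediate(get_config_output: str) -> dict:
    """Classify one distribution from its get-distribution-config output.

    Returns {"status": "compliant"}, {"status": "manual", "reason": ...}, or
    {"status": "update", "etag": ..., "config": ...}: etag is the value to pass
    as --if-match, config the corrected body, to `aws cloudfront update-distribution`.
    """
    data = json.loads(get_config_output)
    config = data["DistributionConfig"]
    if is_compliant(config):
        return {"status": "compliant"}
    # Assumption: with the default *.cloudfront.net certificate the security
    # policy cannot be raised, so a custom certificate must be attached first.
    if config.get("ViewerCertificate", {}).get("CloudFrontDefaultCertificate"):
        return {"status": "manual", "reason": "default CloudFront certificate in use"}
    fixed = copy.deepcopy(config)  # never mutate the caller's parsed input
    fixed.setdefault("ViewerCertificate", {})["MinimumProtocolVersion"] = RECOMMENDED_POLICY
    return {"status": "update", "etag": data["ETag"], "config": fixed}
```

Write the returned `config` to a file and pass it as `--distribution-config file://...` together with `--if-match <etag>`; CloudFront rejects the update if the ETag no longer matches the current configuration.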

policy.yaml


Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.15] CloudFront distributions should use the recommended TLS security policy | 1 | no data
💼 AWS Well-Architected → 💼 SEC09-BP01 Implement secure key and certificate management | 5 | no data
💼 Cloudaware Framework → 💼 Data Encryption | 66 | no data