Skip to main content

πŸ“ AWS CloudFront Web Distribution uses outdated SSL protocols with Custom Origins 🟒

  • Contextual name: πŸ“ Web Distribution uses outdated SSL protocols with Custom Origins 🟒
  • ID: /ce/ca/aws/cloudfront/distribution-uses-outdated-ssl-protocols
  • Located in: πŸ“ AWS CloudFront

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-4002ecfe1

Logic​

Description​

Open File

Description​

This policy checks that AWS CloudFront Web Distributions are configured to use secure, up‑to‑date SSL/TLS protocols for client connections. It identifies distributions that allow outdated protocols such as SSLv3, TLS 1.0, and TLS 1.1, which are susceptible to known cryptographic weaknesses.

Rationale​

Allowing outdated SSL/TLS protocols exposes traffic to a range of security risks, including eavesdropping and man-in-the-middle attacks. Modern protocols like TLS 1.2 and newer offer stronger cipher suites and are required by many regulatory and compliance standards (e.g., PCI DSS).

Audit​

This policy flags an AWS CloudFront Web Distribution as INCOMPLIANT if at least one custom AWS CloudFront Origin associated with the distribution (excluding S3 static websites as origin) is configured with Custom Origin Config Origin SSL Protocol to allow the following protocols: SSLv3, TLSv1, TLSv1.1.

If a Web Distribution has no Origins in the CMDB, the Distribution is marked as UNDETERMINED.

Remediation​

Open File

Remediation​

From Command Line​

  1. Retrieve the current distribution configuration and capture its ETag:

    aws cloudfront get-distribution-config \
        --id {{distribution-id}} \
        --query 'DistributionConfig' \
        > {{distribution-config}}.json

    ETAG=$(aws cloudfront get-distribution-config \
        --id {{distribution-id}} \
        --query 'ETag' \
        --output text)

  2. In the downloaded {{distribution-config}}.json, modify the origins (items in the Origins array) and update the Items list in OriginSslProtocols to include only TLSv1.2.

  3. Apply the updated configuration to your distribution using the saved ETag:

    aws cloudfront update-distribution \
        --id {{distribution-id}} \
        --if-match $ETAG \
        --distribution-config file://{{distribution-config}}.json

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).2122
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins11
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption42
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23675
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2526
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)17
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό CM-7(1) Periodic Review (M)(H)1212
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)18
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)25
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)1817
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)816
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1624
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-17 Public Key Infrastructure Certificates (M)(H)22
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)713
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)8
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)117
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)160
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)17
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό CM-7(1) Periodic Review (M)(H)12
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)8
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)25
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)117
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-17 Public Key Infrastructure Certificates (M)(H)2
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)13
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1819
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4766
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)426
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2130
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained45
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage66
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό CM-7 LEAST FUNCTIONALITY567
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement326885
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains3032
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption1217
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό IA-5(1) Authenticator Management _ Password-based Authentication8
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services25
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity5816
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection815
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling7
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection413
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-23 Session Authenticity57
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection12
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 1.1.6 Documentation of business justification and approval for use of all services, protocols, and ports allowed, including documentation of security features implemented for those protocols considered to be insecure.127
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 2.2.4 Configure system security parameters to prevent misuse.16
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.1821
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.27
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.16
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.221
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.5 All services, protocols, and ports allowed are identified, approved, and have a defined business need.1527
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 1.2.6 Security features are defined and implemented for all services, protocols, and ports that are in use and considered to be insecure, such that the risk is mitigated.627
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 2.2.6 System security parameters are configured to prevent misuse.1216
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.2921
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.7-2 Uses Encryption Technologies or Secure Communication Channels to Protect Data68