Free Assessment

Amazon_Cloudfront_2

Ensure CloudFront to Origin connection is configured using TLS1.1 and above as the SSL/TLS protocol

Description

CloudFront can connect to your origin using only HTTP, only HTTPS, or to connect by matching the protocol used by the viewer. Our recommendation is to use HTTPS only. In this case you can choose which SSLTLS protocols CloudFront is allowed to use when establishing an HTTPS connection to your origin. Ensure that you are using only TLS1.1+ as the SSL/TLS protocol.

Remediation

Using the Amazon unified command line interface:

  • For configuring Origin SSL protocols first save locally the current distribution config:
    aws cloudfront get-distribution-config –id <application_cfn_distribution_id> –query “DistributionConfig” > /tmp/cf-distribution.json
  • Edit and replace “OriginSslProtocols” element in /tmp/cf-distribution.json with the below section:
    “OriginSslProtocols”: {
    “Items”: [
    “TLSv1.1”,
    “TLSv1.2”
    ],
    “Quantity”: 2
    },
  • Retrieve the current ETag of your CloudFront distribution:
    aws cloudfront get-distribution-config –id <application_cfn_distribution_id> –query “ETag”
  • Update the CloudFront distribution using the edited config and the above Etag:
    aws cloudfront update-distribution –id <application_cfn_distribution_id> –distribution-config file:///tmp/cf-distribution.json –if-match <application_cfn_distribution_etag>


References:

  1. https://aws.amazon.com/about-aws/whats-new/2016/01/amazon-cloudfront-adds-new-origin-security-features/
  2. http://docs.aws.amazon.com/cli/latest/reference/cloudfront/get-distribution.html
  3. http://docs.aws.amazon.com/cli/latest/reference/cloudfront/update-distribution.html

Service

Cloudfront

Severity

High

Compliance

Mapping

Start Free Trial
Login

CLOSE

We are now live on AWS Marketplace.
The integrated view of your cloud infrastructure is now easier than ever!

Learn More