AWS CloudFront Using Insecure Origin SSL Protocols

Description:

AWS CloudFront is a content delivery network (CDN) that integrates with other Amazon Web Services to give developers and businesses a simple way to distribute content with low latency and high data transfer speeds. The SSL/TLS protocols that CloudFront negotiates with the origin determine how well data in transit between them is protected. Insecure protocols, such as SSLv2, SSLv3, or early versions of TLS, have known vulnerabilities and therefore should not be used.


Remediation:

1. Update CloudFront Origin to Use Secure SSL Protocols:

AWS Management Console:
  • Navigate to the CloudFront service.
  • In the list of distributions, click the ID of the distribution that you want to update.
  • Choose the Origins and Origin Groups tab.
  • Select the origin, and then choose Edit.
  • In the Origin SSL Protocols section, uncheck insecure protocols such as SSLv2 and SSLv3.
  • Check secure versions such as TLSv1.1, TLSv1.2, and TLSv1.3.
  • Choose Yes, Edit.

Terraform:

To configure a CloudFront distribution to use secure SSL protocols for origin fetches, you can use the following Terraform code:

resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    # ... other configuration ...

    custom_origin_config {
      # ... other configuration ...

      # Only TLSv1.2 is allowed for CloudFront-to-origin connections.
      # SSLv3, TLSv1 and TLSv1.1 are deliberately left out of this list.
      # Note: this list governs HTTPS connections only; it has no effect
      # when origin_protocol_policy allows plaintext HTTP to the origin.
      origin_ssl_protocols = ["TLSv1.2"]
    }
  }

  # ... other configuration ...
}

In this Terraform configuration, the origin_ssl_protocols setting restricts the TLS versions CloudFront may use when connecting to the origin, so that only a secure version is allowed.


Recommendation:

Regularly review and update the SSL/TLS configurations for your AWS services. Ensure that only the latest and most secure versions of SSL/TLS protocols are allowed. Monitor AWS advisories and the broader cybersecurity community for updates about vulnerabilities and best practices. Consider integrating automated checks into your CI/CD pipeline to detect insecure configurations before they go into production.
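The following is an added example of such an automated check; it is not part of the original page. It audits the DistributionConfig structure that the CloudFront API returns (for instance from boto3's get_distribution_config) and flags custom origins that still allow insecure SSL/TLS protocols or that do not force HTTPS to the origin, where the protocol list would not protect the connection. The sample configuration is constructed for the example.

```python
"""Audit CloudFront DistributionConfig objects for weak origin TLS settings.

Added example (not from the original page). It works on the DistributionConfig
dict that boto3's cloudfront.get_distribution_config() returns, so it can run
offline in a unit test or CI/CD job without AWS credentials.
"""
# Protocol values CloudFront accepts for custom origins that are treated as
# insecure here; TLSv1.1 is deprecated by RFC 8996.
INSECURE_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def audit_origins(config: dict) -> list:
    """Return (origin_id, finding) tuples for every weak custom origin."""
    findings = []
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            # S3 origins have no configurable origin SSL protocols; skip them.
            continue
        origin_id = origin["Id"]
        policy = custom.get("OriginProtocolPolicy", "")
        if policy != "https-only":
            # With http-only or match-viewer the origin connection may be
            # plaintext, so the SSL protocol list does not protect the data.
            findings.append((origin_id, f"OriginProtocolPolicy is {policy}, not https-only"))
        enabled = set(custom.get("OriginSslProtocols", {}).get("Items", []))
        weak = sorted(enabled & INSECURE_PROTOCOLS)
        if weak:
            findings.append((origin_id, "insecure origin SSL protocols enabled: " + ", ".join(weak)))
    return findings


# Constructed sample config (not real AWS data): one weak origin, one hardened
# origin and one S3 origin that has no origin SSL protocol setting.
SAMPLE_CONFIG = {"Origins": {"Quantity": 3, "Items": [
    {"Id": "legacy-api", "DomainName": "api.example.internal",
     "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
                            "OriginSslProtocols": {"Quantity": 3, "Items": ["SSLv3", "TLSv1", "TLSv1.2"]}}},
    {"Id": "hardened-api", "DomainName": "api2.example.internal",
     "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                            "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
    {"Id": "static-bucket", "DomainName": "bucket.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}},
]}}

if __name__ == "__main__":
    # For a live distribution, pass
    # boto3.client("cloudfront").get_distribution_config(Id=...)["DistributionConfig"]
    for origin_id, finding in audit_origins(SAMPLE_CONFIG):
        print(f"{origin_id}: {finding}")
```

Run it against every distribution returned by list_distributions and fail the pipeline stage when the findings list is non-empty.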