AWS CloudFront Insecure Security Policy
Description:
AWS CloudFront is a content delivery network (CDN) service that distributes content securely and with low latency. A CloudFront security policy, also known as an SSL/TLS policy, determines the SSL/TLS protocol versions and cipher suites that CloudFront accepts when communicating with viewers. An insecure security policy allows connections over deprecated protocol versions and weak cipher suites, exposing the traffic to man-in-the-middle attacks and compromising the integrity and confidentiality of data in transit.
Remediation:
1. Update CloudFront to Use a Secure SSL/TLS Policy:
AWS Management Console:
- Navigate to the CloudFront service.
- In the list of distributions, click the ID of the distribution you wish to update.
- Choose the Behaviors tab.
- Select the behavior you want to update, and then choose Edit.
- In the SSL/TLS Policy dropdown, select a secure policy like TLSv1.2_2018 or a more recent version, avoiding older, deprecated policies.
- Click Yes, Edit to save the changes.
Terraform:
To configure a CloudFront distribution to use a secure SSL/TLS policy, you can leverage the following Terraform snippet:
resource "aws_cloudfront_distribution" "s3_distribution" {
  # ... other configuration ...
  default_cache_behavior {
    # ... other configuration ...
    viewer_protocol_policy = "https-only"
  }
  viewer_certificate {
    # A custom (ACM or IAM) certificate is required; with the default
    # *.cloudfront.net certificate only TLSv1 can be set as the minimum.
    acm_certificate_arn      = "<your-acm-certificate-arn>"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2018"
  }
  # ... other configuration ...
}
In this Terraform configuration, minimum_protocol_version in the viewer_certificate block sets the lowest SSL/TLS protocol version CloudFront accepts for viewer connections, and viewer_protocol_policy = "https-only" rejects plain HTTP requests for the default behavior. Note that minimum_protocol_version only takes effect with a custom certificate (ssl_support_method set to sni-only or vip); if cloudfront_default_certificate is used, CloudFront treats the minimum as TLSv1 regardless.
Recommendation:
Always choose the most recent and secure SSL/TLS policy for your CloudFront distributions to protect the integrity and confidentiality of your data in transit. Regularly review AWS documentation and advisories to be informed about any new SSL/TLS policy recommendations. Implement infrastructure as code (IaC) best practices to ensure your configurations are consistently applied across environments, and consider performing regular audits to detect and rectify insecure configurations.
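To support the regular audits the recommendation calls for, the following added example (not part of the original page or of any AWS tooling) evaluates each distribution's viewer certificate and default cache behavior against the policy described above. It assumes boto3 and AWS credentials only for audit_account(); the check itself is pure, and SAMPLE_ITEMS are constructed inputs in the ListDistributions response shape with placeholder IDs.

```python
from typing import Dict, List

# Security policies that still accept TLS 1.0/1.1 handshakes from viewers.
WEAK_POLICIES = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}

def check_distribution(dist: Dict) -> List[str]:
    """Return findings for one item of a ListDistributions API response;
    an empty list means the distribution passes the checks."""
    findings = []
    cert = dist.get("ViewerCertificate", {})
    policy = cert.get("MinimumProtocolVersion", "TLSv1")
    if cert.get("CloudFrontDefaultCertificate"):
        # With the default *.cloudfront.net certificate CloudFront cannot
        # enforce TLS 1.2; the effective minimum protocol is TLSv1.
        findings.append("default CloudFront certificate: minimum protocol is TLSv1")
    elif policy in WEAK_POLICIES:
        findings.append(f"weak security policy {policy}")
    if dist.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy") == "allow-all":
        findings.append("default behavior allows plain HTTP (allow-all)")
    return findings


def audit_account() -> Dict[str, List[str]]:
    """Check every distribution in the caller's account. boto3 is imported
    here so that check_distribution() runs offline without credentials."""
    import boto3  # assumed installed and configured when run for real
    client = boto3.client("cloudfront")
    results = {}
    for page in client.get_paginator("list_distributions").paginate():
        for dist in page.get("DistributionList", {}).get("Items", []):
            findings = check_distribution(dist)
            if findings:
                results[dist["Id"]] = findings
    return results


# Constructed sample items in the ListDistributions shape (IDs are placeholders).
SAMPLE_ITEMS = [
    {"Id": "EXAMPLE1",
     "ViewerCertificate": {"CloudFrontDefaultCertificate": False,
                           "SSLSupportMethod": "sni-only",
                           "MinimumProtocolVersion": "TLSv1.2_2021"},
     "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"}},
    {"Id": "EXAMPLE2",
     "ViewerCertificate": {"CloudFrontDefaultCertificate": False,
                           "SSLSupportMethod": "sni-only",
                           "MinimumProtocolVersion": "TLSv1"},
     "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"}},
]
```

Running audit_account() against a real account returns a mapping of distribution ID to findings, which can be wired into a scheduled job or CI check alongside the Terraform configuration.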