Description:
Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content. Using insecure and deprecated SSL protocols could leave your site and origin server vulnerable to exploits.
Rationale:
SSLv3 is a deprecated protocol with known weaknesses and should never be offered on the connection between CloudFront and your origin. Setting the minimum origin SSL protocol for the distribution's custom origins to TLSv1.1 (TLSv1.2 where the origin supports it, since TLSv1 and TLSv1.1 are themselves deprecated by RFC 8996) removes SSLv3 from negotiation and improves the security of the web applications served through these distributions.
Impact:
Allowing a deprecated SSL protocol on the origin connection leaves traffic between CloudFront and the origin server exposed to protocol-level attacks, even when viewers connect to CloudFront over modern TLS.
Default Value:
By default, SSLv3 is not among the origin SSL protocols of a newly created custom origin; it only appears in the configuration if someone selects it.
Pre-requisite:
A distribution with at least one custom origin (an origin with an Origin domain and a CustomOriginConfig) must already exist. The origin SSL protocol setting applies only to custom origins; S3 bucket origins (S3OriginConfig) have no such setting and are out of scope for this check.
Remediation:
Test Plan:
Sign in to the AWS Management Console.
Navigate to the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/v3/home.
Click Distributions in the left navigation menu.
Select the distribution you want to audit.
Click the Origins tab.
Select the origin to examine.
Click Edit.
In the Protocol section, with HTTPS only (or Match viewer) selected, check the Minimum origin SSL protocol value.
If SSLv3 is the minimum (or is otherwise listed among the allowed origin SSL protocols), the selected origin accepts an insecure protocol for HTTPS traffic to the origin, and the distribution is non-compliant.
Follow the implementation steps to change it.
Using AWS CLI:
aws cloudfront get-distribution --id <id-value> --query 'Distribution.DistributionConfig.Origins.Items[*].{Id:Id,OriginSslProtocols:CustomOriginConfig.OriginSslProtocols.Items}'
Any origin whose OriginSslProtocols list contains SSLv3 fails the check; S3 origins return null for this field and can be ignored.
Implementation:
Sign in to the AWS Management Console.
Navigate to the CloudFront Dashboard https://console.aws.amazon.com/cloudfront/v3/home.
Click Distributions in the left navigation menu.
Select the distribution you want to change.
Click the Origins tab.
Select the origin you want to change and click Edit.
In the Protocol section, with HTTPS only selected, set Minimum origin SSL protocol to TLSv1.1, or to TLSv1.2 if the origin server supports it (confirm this first, otherwise CloudFront will fail to connect to the origin).
Click Save changes to save the changes.
Using AWS CLI:
aws cloudfront get-distribution-config --id <id-value> > distconfig.json
Note the ETag value in the output; update-distribution requires it. Edit the DistributionConfig object so that every CustomOriginConfig.OriginSslProtocols lists only TLSv1.1 and TLSv1.2 (Quantity must equal the number of Items), save the DistributionConfig object alone (without the surrounding ETag wrapper) as distconfig-secure-origin.json, then apply it:
aws cloudfront update-distribution --id <id-value> --if-match <etag-value> --distribution-config file://distconfig-secure-origin.json
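The test plan and the implementation above are the same walk over the distribution configuration: list each custom origin's OriginSslProtocols, then rewrite them and push the result back with the ETag. The following script is an added example, not code from the page or from AWS, that does both. The audit and rewrite functions are pure and run offline on a constructed sample config that mimics the shape of get-distribution-config output; the remediate_distribution function assumes the boto3 CloudFront client methods get_distribution_config and update_distribution and only runs when you call it against a real distribution id.

```python
"""Audit and remediate CloudFront origin SSL protocols.

Added example, not part of the original page. The distribution id,
origin ids and sample config are constructed for illustration; the live
path assumes the boto3 CloudFront API (get_distribution_config /
update_distribution).
"""
import copy

# CloudFront's origin SSL protocol names, ordered weakest to strongest.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def weak_origins(distribution_config, minimum="TLSv1.1"):
    """Audit step. Return [(origin_id, [protocols older than `minimum`])]
    for every custom origin that still allows a protocol below the floor.
    S3 origins (S3OriginConfig) have no origin SSL protocol setting and
    are skipped."""
    floor = PROTOCOL_ORDER.index(minimum)
    findings = []
    for origin in distribution_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue
        protocols = custom.get("OriginSslProtocols", {}).get("Items", [])
        weak = [p for p in protocols if PROTOCOL_ORDER.index(p) < floor]
        if weak:
            findings.append((origin["Id"], weak))
    return findings


def harden(distribution_config, minimum="TLSv1.1"):
    """Remediation step. Return a deep copy in which every custom origin's
    OriginSslProtocols is restricted to `minimum` and newer; Quantity is
    kept in sync with Items as the API requires. The input is not mutated
    and OriginProtocolPolicy is left unchanged."""
    allowed = PROTOCOL_ORDER[PROTOCOL_ORDER.index(minimum):]
    hardened = copy.deepcopy(distribution_config)
    for origin in hardened.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue
        custom["OriginSslProtocols"] = {"Quantity": len(allowed),
                                        "Items": list(allowed)}
    return hardened


def remediate_distribution(distribution_id, minimum="TLSv1.1"):
    """Live path: read the config and its ETag, rewrite, and write it back
    with IfMatch so a concurrent edit is rejected instead of overwritten.
    Returns the new ETag, or None if the distribution was already compliant."""
    import boto3  # imported here so the pure functions above run offline
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    new_config = harden(current["DistributionConfig"], minimum)
    if new_config == current["DistributionConfig"]:
        return None
    resp = cf.update_distribution(Id=distribution_id,
                                  IfMatch=current["ETag"],
                                  DistributionConfig=new_config)
    return resp["ETag"]


# Constructed sample shaped like the DistributionConfig object returned by
# get-distribution-config: one weak custom origin and one S3 origin.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "legacy-origin", "DomainName": "origin.example.com",
         "CustomOriginConfig": {
             "HTTPPort": 80, "HTTPSPort": 443,
             "OriginProtocolPolicy": "https-only",
             "OriginSslProtocols": {"Quantity": 3,
                                    "Items": ["SSLv3", "TLSv1", "TLSv1.2"]}}},
        {"Id": "assets-s3", "DomainName": "assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
}

if __name__ == "__main__":
    print("non-compliant origins:", weak_origins(SAMPLE_CONFIG))
    fixed = harden(SAMPLE_CONFIG)
    print("after hardening:", weak_origins(fixed))
```

Run the file directly to see the audit against the sample; call remediate_distribution("<id-value>") with real credentials to apply the change. Pass minimum="TLSv1.2" to both functions once you have confirmed the origin server negotiates TLS 1.2, since the rewrite removes every older protocol from the list.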
Back out Plan:
Follow the first six implementation steps (through clicking Edit on the origin), then
In the Protocol section, with HTTPS only selected, set Minimum origin SSL protocol back to SSLv3.
Click Save changes to save the changes. This re-enables a deprecated protocol on the origin connection and should only be a temporary measure while the origin server is being upgraded to support TLS.
References:
Working with distributions - Amazon CloudFront
get-distribution-config — AWS CLI 1.22.80 Command Reference