Profile Applicability: 

Level 2

Description

Amazon CloudFront is a web service that speeds up the distribution of your static and dynamic web content. Using insecure and deprecated SSL protocols could leave your site and origin server vulnerable to exploits. Ensuring that CloudFront distributions use up-to-date SSL protocols is crucial for maintaining the security and integrity of your web applications.

Rationale

  • Enhanced Security: Prevents vulnerabilities and exploits associated with deprecated SSL protocols.

  • Compliance: Ensures adherence to security best practices and regulatory requirements.

  • Improved Performance: Modern SSL protocols offer better performance and security features.

Impact

Pros:

  • Enhances security by using up-to-date SSL protocols.

  • Reduces the risk of exploits and vulnerabilities.

  • Ensures compliance with security standards.

Cons:

  • May require updating configurations and testing compatibility.

  • Potential temporary disruption during the update process.

Default Value

By default, no origin SSL protocol is explicitly selected for HTTPS connections to the origin; the distribution must be explicitly configured to use modern SSL protocols.

Pre-Requisite

IAM Permissions:

  • cloudfront:GetDistribution

  • cloudfront:UpdateDistribution

Tooling:

  • AWS CLI installed and configured.

Remediation

Test Plan:

 Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distributions you want to audit.

  5. Click on the Origins tab in the top menu.

  6. Select the Origin to examine.

  7. Click on the Edit tab from the top right.

  8. In the Protocol section, with HTTPS only selected, identify which minimum origin SSL protocol is configured.

  9. Verify that the selected distribution origin is not using an insecure SSL protocol.

Using AWS CLI:

Check SSL Protocol Status:

aws cloudfront get-distribution --id <id-value> --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig'

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distributions you want to change.

  5. Click on the Origins tab in the top menu.

  6. Select the origin you want to change and click edit.

  7. In the Protocol section, with HTTPS only selected, choose TLSv1 as the minimum origin SSL protocol.

  8. Click on Save changes to save the changes.

Using AWS CLI:

  1. Run the get-distribution command from the Test Plan above, note the ETag value in its output, and save the Distribution.DistributionConfig element, with the deprecated origin SSL protocols removed from each origin's OriginSslProtocols list, to a JSON file named distconfig-secure-origin.json.

  2. Update the distribution, passing the saved configuration file and the ETag (the update is rejected if the ETag is missing or stale):

aws cloudfront update-distribution --id <id-value> --distribution-config file://distconfig-secure-origin.json --if-match <etag-value>
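As an added example (not part of this benchmark or of the AWS CLI), the following Python script audits a DistributionConfig object, such as the one returned by aws cloudfront get-distribution-config, for custom origins that still offer a deprecated protocol, and builds the remediated copy that can be serialised to distconfig-secure-origin.json. The sample configuration, its origin ids and domains, and the TLSv1.2 fallback for an origin that offered nothing but deprecated protocols are constructed assumptions.

```python
import copy

# Protocol the page calls out as deprecated; widen (e.g. add "TLSv1") if stricter.
DEPRECATED_PROTOCOLS = {"SSLv3"}
# Assumed fallback when an origin offered only deprecated protocols
# (OriginSslProtocols must keep at least one entry).
FALLBACK_PROTOCOLS = ["TLSv1.2"]


def find_deprecated_origins(dist_config):
    """[(origin_id, [deprecated protocols])] for each offending custom origin."""
    findings = []
    for origin in dist_config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")  # S3 origins have none: skip
        if not custom:
            continue
        offered = custom.get("OriginSslProtocols", {}).get("Items", [])
        bad = [p for p in offered if p in DEPRECATED_PROTOCOLS]
        if bad:
            findings.append((origin["Id"], bad))
    return findings


def remediate(dist_config):
    """Deep copy of the DistributionConfig with deprecated protocols removed;
    serialise it to distconfig-secure-origin.json for update-distribution."""
    fixed = copy.deepcopy(dist_config)
    for origin in fixed["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if not custom or "OriginSslProtocols" not in custom:
            continue
        keep = [p for p in custom["OriginSslProtocols"]["Items"]
                if p not in DEPRECATED_PROTOCOLS] or list(FALLBACK_PROTOCOLS)
        custom["OriginSslProtocols"] = {"Quantity": len(keep), "Items": keep}
    return fixed


# Constructed sample shaped like the DistributionConfig element returned by
# `aws cloudfront get-distribution-config` (ids and domains are invented).
SAMPLE_CONFIG = {"Origins": {"Quantity": 3, "Items": [
    {"Id": "static-s3", "DomainName": "example-bucket.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}},
    {"Id": "api-origin", "DomainName": "api.example.com", "CustomOriginConfig": {
        "OriginSslProtocols": {"Quantity": 3, "Items": ["SSLv3", "TLSv1", "TLSv1.2"]}}},
    {"Id": "legacy-origin", "DomainName": "legacy.example.com", "CustomOriginConfig": {
        "OriginSslProtocols": {"Quantity": 1, "Items": ["SSLv3"]}}},
]}}
```

Feed the script the DistributionConfig element of a real get-distribution-config response and write json.dumps(remediate(...)) to distconfig-secure-origin.json before running the update-distribution command above.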


Backout Plan

If updating SSL protocols causes issues:

Using AWS Console:

  1. Navigate to the CloudFront Dashboard.

  2. Select the Distribution.

  3. Click Edit Attributes.

  4. In the Protocol section, with HTTPS only selected, choose SSLv3 as the minimum origin SSL protocol.

  5. Click Save changes to save the changes.

Using AWS CLI:

Re-apply the distribution configuration saved before the change, passing the current ETag:

aws cloudfront update-distribution --id <id-value> --distribution-config file://<previous-config-file>.json --if-match <etag-value>



CIS Controls

Version  Control ID  Control Description                                                                                   IG1  IG2  IG3
v8       5.3         Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.
v8       13.2        Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.
v7       9.1         Limit Exposure to External Networks – Use techniques like connection draining to ensure reliable connections.