This rule requires that CloudFront distributions avoid deprecated SSL protocols between edge locations and custom origins.
Rule: CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
Framework: AWS Foundational Security Best Practices
Severity: Medium
Rule Description:
Under AWS Foundational Security Best Practices, CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins. This rule keeps the connection between CloudFront edge locations and custom origins secure by disallowing deprecated SSL protocols; for a custom origin, the setting that governs this is the per-origin Origin SSL Protocols list (OriginSslProtocols in the distribution config), which should not include SSLv3.
Troubleshooting Steps:
If you encounter any issues related to deprecated SSL protocols, you can follow these troubleshooting steps:
Check SSL/TLS configuration: Review the SSL/TLS configuration of your CloudFront distribution and ensure that you have configured it to use up-to-date and secure protocols. Verify that deprecated SSL protocols, such as SSLv3 or TLS 1.0, are not being used.
Verify custom origin SSL/TLS settings: Ensure that your custom origin server or load balancer is set up to support the recommended SSL/TLS protocols, such as TLS 1.2 or higher. Update the custom origin configuration if necessary.
Enable CloudFront access logs: Enable CloudFront access logs for your distribution to gain insights into any potential SSL-related issues. Analyze the access logs for any errors or warnings related to SSL protocols and take necessary actions to address them.
Test connectivity to the custom origin: Use tools such as cURL or OpenSSL to establish a connection to your custom origin server and verify the SSL/TLS handshake. Check the negotiated protocol version to confirm that deprecated protocols are not being used.
Review error messages: In case of any SSL-related errors, refer to the error messages displayed in the CloudFront logs or error responses. Analyze the error messages to identify the specific SSL protocol-related issue and take appropriate remedial measures.
Necessary Code:
In most cases, code changes are not required for this rule as it mainly involves configuration settings. Note that aws cloudfront update-distribution needs the full distribution config plus its current ETag (--distribution-config and --if-match), so changes are usually easier to make in the console; reading the current setting with the AWS Command Line Interface (CLI) is straightforward, for example:

# Read the minimum TLS version the distribution enforces for viewers and record it.
aws cloudfront get-distribution \
  --id <distribution_id> \
  --query 'Distribution.DistributionConfig.ViewerCertificate.MinimumProtocolVersion' \
  --output text \
  >> minimum_protocol_version.txt

This command retrieves the minimum protocol version currently set for the CloudFront distribution and stores it in a text file named minimum_protocol_version.txt. This is the viewer-facing setting; the protocols CloudFront offers to a custom origin are listed separately for each origin under Origin SSL Protocols (OriginSslProtocols) and are what this rule checks.

Step-by-Step Guide for Remediation:
Follow these steps to remediate and ensure that your CloudFront distributions do not use deprecated SSL protocols:
Access AWS Management Console: Log in to the AWS Management Console and navigate to the CloudFront service.
Select the distribution: Select the desired CloudFront distribution from the list of available distributions.
Configure SSL/TLS settings: Click on the "Behaviors" tab and then click on the "Edit" button corresponding to the default behavior.
Update Viewer Protocol Policy: In the "Viewer Protocol Policy" section, select the option "HTTPS Only". This ensures that connections to the CloudFront distribution are only allowed using secure HTTPS.
Update Origin Protocol Policy: In the "Origin Protocol Policy" section, select the option "Match Viewer". This ensures that the protocol used between CloudFront and the custom origin server will be the same as the protocol used by the viewer/client.
Save changes: Click on the "Yes, Edit" button to save the changes made to the SSL/TLS settings.
Verify minimum protocol version: Optionally, you can verify the minimum protocol version currently set for the distribution by running the AWS CLI command mentioned in the previous section or by viewing the distribution settings in the AWS Management Console.
Monitor and test: Monitor the CloudFront distribution for any SSL-related errors or warnings in the access logs. Additionally, perform connectivity tests to the custom origin server to ensure secure communication using the updated SSL/TLS settings.
By following these steps, you can ensure that your CloudFront distributions adhere to the AWS Foundational Security Best Practice of not using deprecated SSL protocols between edge locations and custom origins.
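The verification steps above can be automated against the JSON that aws cloudfront get-distribution-config returns. The following checker is an added example, not part of the original page or of AWS tooling; it assumes the documented DistributionConfig field names (Origins.Items[].CustomOriginConfig.OriginSslProtocols, ViewerCertificate.MinimumProtocolVersion) and uses a constructed sample distribution in which one custom origin still offers SSLv3 and TLS 1.0.

```python
import json
import sys

# CloudFront API values for CustomOriginConfig.OriginSslProtocols; SSLv3 is what the rule
# flags and TLSv1 is added because the page also treats TLS 1.0 as deprecated.
DEPRECATED_ORIGIN_PROTOCOLS = {"SSLv3", "TLSv1"}
# ViewerCertificate.MinimumProtocolVersion values that still admit pre-TLS 1.2 viewers.
WEAK_MINIMUM_VERSIONS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}


def find_deprecated_ssl(output):
    """Return findings for parsed `get-distribution-config` JSON; [] means it passes."""
    config = output["DistributionConfig"]
    findings = []
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins carry no OriginSslProtocols; nothing to check
        if custom.get("OriginProtocolPolicy") == "http-only":
            findings.append(f"origin {origin['Id']}: http-only, no TLS to origin at all")
            continue
        offered = set(custom.get("OriginSslProtocols", {}).get("Items", []))
        bad = sorted(DEPRECATED_ORIGIN_PROTOCOLS & offered)
        if bad:
            findings.append(f"origin {origin['Id']}: deprecated origin SSL protocols {bad}")
    minimum = config.get("ViewerCertificate", {}).get("MinimumProtocolVersion")
    if minimum in WEAK_MINIMUM_VERSIONS:  # fixed at TLSv1 when using the default CloudFront cert
        findings.append(f"viewer: MinimumProtocolVersion {minimum} permits pre-TLS 1.2 clients")
    return findings


# Constructed sample in the shape returned by `aws cloudfront get-distribution-config`;
# "legacy-origin" still offers SSLv3 and TLS 1.0 to the custom origin.
SAMPLE_CONFIG = {"DistributionConfig": {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "legacy-origin", "DomainName": "origin.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
                                "OriginSslProtocols": {"Quantity": 3, "Items": ["SSLv3", "TLSv1", "TLSv1.2"]}}},
        {"Id": "s3-origin", "DomainName": "bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": False, "MinimumProtocolVersion": "TLSv1.2_2021"},
}}

if __name__ == "__main__":
    # Usage: aws cloudfront get-distribution-config --id <id> | python check.py
    data = SAMPLE_CONFIG if sys.stdin.isatty() else json.load(sys.stdin)
    for line in find_deprecated_ssl(data) or ["no deprecated SSL protocols found"]:
        print(line)
```

Run without piped input it checks the built-in sample; piped the CLI output for a real distribution it reports each origin that still offers a deprecated protocol, which is the condition the remediation steps fix.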