CloudFront Distributions Should Not Use Insecure SSL Protocols

More Info:

Your AWS Cloudfront Content Delivery Network distributions should not be using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and your custom origins.

Risk Level

Medium

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the CloudFront Distributions Should Not Use Insecure SSL Protocols misconfiguration in AWS using AWS CLI, you can follow the below steps:

Open your terminal and install AWS CLI if it is not installed already.
Run the following command to update the CloudFront distribution to use only secure SSL protocols:

aws cloudfront update-distribution --id <distribution-id> --viewer-protocol-policy https-only

Note: Replace <distribution-id> with the ID of the CloudFront distribution that you want to update.

After running the above command, the CloudFront distribution will be updated to use only secure SSL protocols.
Verify the changes by checking the SSL protocols used by the CloudFront distribution using the following command:

aws cloudfront get-distribution-config --id <distribution-id> --query "DistributionConfig.ViewerCertificate.MinimumProtocolVersion"

Note: Replace <distribution-id> with the ID of the CloudFront distribution that you updated.

The output of the above command should show that the minimum SSL protocol version is TLSv1.1 or higher.

By following these steps, you can remediate the CloudFront Distributions Should Not Use Insecure SSL Protocols misconfiguration in AWS using AWS CLI.

Using Python

To remediate the misconfiguration of CloudFront distributions using insecure SSL protocols in AWS using Python, you can follow the below steps:

Import the required AWS modules and libraries in your Python script:

import boto3
from botocore.exceptions import ClientError

Create an AWS client for CloudFront using the boto3 library:

cloudfront_client = boto3.client('cloudfront')

Get a list of all the CloudFront distributions using the list_distributions method:

response = cloudfront_client.list_distributions()

Loop through the list of CloudFront distributions and check if they are using insecure SSL protocols. You can do this by checking the value of the MinimumProtocolVersion parameter. If it is set to SSLv3 or TLSv1, then it is using an insecure SSL protocol.

for distribution in response['DistributionList']['Items']:
    if distribution['ViewerCertificate']['MinimumProtocolVersion'] in ['SSLv3', 'TLSv1']:
        # Remediation steps go here

To remediate the misconfiguration, you need to update the CloudFront distribution with a secure SSL protocol. You can do this by updating the ViewerCertificate parameter with a new value for MinimumProtocolVersion. For example, to set it to TLSv1.2_2018, you can use the update_distribution method:

distribution_id = distribution['Id']
etag = distribution['ETag']
viewer_certificate = {
    'CloudFrontDefaultCertificate': False,
    'MinimumProtocolVersion': 'TLSv1.2_2018'
}
try:
    cloudfront_client.update_distribution(
        DistributionConfig={
            'ViewerCertificate': viewer_certificate
        },
        Id=distribution_id,
        IfMatch=etag
    )
    print(f"Successfully updated CloudFront distribution {distribution_id}")
except ClientError as e:
    print(f"Error updating CloudFront distribution {distribution_id}: {e}")

Finally, run the Python script to remediate the misconfiguration for all the CloudFront distributions using insecure SSL protocols.

Additional Reading:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

CloudFront Distributions Should Not Use Insecure SSL Protocols

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: