> ## Documentation Index
> Fetch the complete documentation index at: https://cloudanix.com/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# CloudFront Distributions Should Not Use Insecure SSL Protocols

### More Info:

Your AWS Cloudfront Content Delivery Network distributions should not be using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and your custom origins.

### Risk Level

Medium

### Address

Security

### Compliance Standards

AWSWAF

### Triage and Remediation

<Tabs>
  <Tab title="Remediation">
    ### Remediation

    <AccordionGroup>
      <Accordion title="Using Console" defaultOpen="true">
        To remediate the misconfiguration "CloudFront Distributions Should Not Use Insecure SSL Protocols" in AWS using AWS console, follow the below steps:

        1. Login to your AWS console.
        2. Go to the CloudFront service.
        3. Select the distribution which is using insecure SSL protocols.
        4. Click on the "Edit" button.
        5. Scroll down to the "SSL Certificate" section.
        6. In the "Minimum SSL Protocol Version" dropdown, select "TLSv1.2\_2018".
        7. Click on the "Yes, Edit" button to save the changes.

        By doing this, you have successfully remediated the misconfiguration "CloudFront Distributions Should Not Use Insecure SSL Protocols" in AWS using AWS console.

        #
      </Accordion>

      <Accordion title="Using CLI">
        To remediate the CloudFront Distributions Should Not Use Insecure SSL Protocols misconfiguration in AWS using AWS CLI, you can follow the below steps:

        1. Open your terminal and install AWS CLI if it is not installed already.

        2. Run the following command to update the CloudFront distribution to use only secure SSL protocols:

        ```
        aws cloudfront update-distribution --id <distribution-id> --viewer-protocol-policy https-only
        ```

        Note: Replace `<distribution-id>` with the ID of the CloudFront distribution that you want to update.

        3. After running the above command, the CloudFront distribution will be updated to use only secure SSL protocols.

        4. Verify the changes by checking the SSL protocols used by the CloudFront distribution using the following command:

        ```
        aws cloudfront get-distribution-config --id <distribution-id> --query "DistributionConfig.ViewerCertificate.MinimumProtocolVersion"
        ```

        Note: Replace `<distribution-id>` with the ID of the CloudFront distribution that you updated.

        5. The output of the above command should show that the minimum SSL protocol version is TLSv1.1 or higher.

        By following these steps, you can remediate the CloudFront Distributions Should Not Use Insecure SSL Protocols misconfiguration in AWS using AWS CLI.
      </Accordion>

      <Accordion title="Using Python">
        To remediate the misconfiguration of CloudFront distributions using insecure SSL protocols in AWS using Python, you can follow the below steps:

        1. Import the required AWS modules and libraries in your Python script:

        ```
        import boto3
        from botocore.exceptions import ClientError
        ```

        2. Create an AWS client for CloudFront using the boto3 library:

        ```
        cloudfront_client = boto3.client('cloudfront')
        ```

        3. Get a list of all the CloudFront distributions using the `list_distributions` method:

        ```
        response = cloudfront_client.list_distributions()
        ```

        4. Loop through the list of CloudFront distributions and check if they are using insecure SSL protocols. You can do this by checking the value of the `MinimumProtocolVersion` parameter. If it is set to `SSLv3` or `TLSv1`, then it is using an insecure SSL protocol.

        ```
        for distribution in response['DistributionList']['Items']:
            if distribution['ViewerCertificate']['MinimumProtocolVersion'] in ['SSLv3', 'TLSv1']:
                # Remediation steps go here
        ```

        5. To remediate the misconfiguration, you need to update the CloudFront distribution with a secure SSL protocol. You can do this by updating the `ViewerCertificate` parameter with a new value for `MinimumProtocolVersion`. For example, to set it to `TLSv1.2_2018`, you can use the `update_distribution` method:

        ```
        distribution_id = distribution['Id']
        etag = distribution['ETag']
        viewer_certificate = {
            'CloudFrontDefaultCertificate': False,
            'MinimumProtocolVersion': 'TLSv1.2_2018'
        }
        try:
            cloudfront_client.update_distribution(
                DistributionConfig={
                    'ViewerCertificate': viewer_certificate
                },
                Id=distribution_id,
                IfMatch=etag
            )
            print(f"Successfully updated CloudFront distribution {distribution_id}")
        except ClientError as e:
            print(f"Error updating CloudFront distribution {distribution_id}: {e}")
        ```

        6. Finally, run the Python script to remediate the misconfiguration for all the CloudFront distributions using insecure SSL protocols.
      </Accordion>
    </AccordionGroup>
  </Tab>
</Tabs>

### Additional Reading:

* [https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html)
