CloudFront Distributions Should Use Security Policies With Appropriate Version And Ciphers
More Info:
Your Amazon CloudFront distributions should use a security policy with minimum TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.Risk Level
MediumAddress
SecurityCompliance Standards
NISTCSFTriage and Remediation
Remediation
Using Console
Using Console
To remediate the CloudFront Distribution Security Policy misconfiguration in AWS, you can follow the below steps:
- Log in to your AWS Management Console.
- Navigate to the Amazon CloudFront service.
- Click on the “Distributions” tab from the left-hand menu.
- Select the CloudFront distribution that needs to be remediated.
- Click on the “Edit” button.
- Scroll down to the “Security Policy” section.
- Select the appropriate security policy version from the dropdown list. The recommended version is TLSv1.2_2018.
- Select the appropriate ciphers from the “Cipher Suites” dropdown list. The recommended ciphers are AES128-SHA256 and AES256-SHA256.
- Click on the “Yes, Edit” button to save the changes.
Using CLI
Using CLI
To remediate this misconfiguration in AWS, you can follow the below steps using AWS CLI:Here, Here, Here,
- First, you need to create a security policy with appropriate version and ciphers that you want to use for your CloudFront distribution. You can use the following command to create a security policy:
<policy-name> is the name you want to give to your security policy, <unique-id> is a unique identifier for the policy, <public-key> is the actual public key that you want to use, and <comment> is an optional comment that you can add.- Once you have created your security policy, you need to update your CloudFront distribution to use this policy. You can use the following command to update your distribution:
<distribution-id> is the ID of your CloudFront distribution, <minimum-protocol-version> is the minimum TLS version that you want to use, <ssl-support-method> is the SSL support method that you want to use, <certificate-arn> is the ARN of the SSL certificate that you want to use, <certificate-source> is the source of the SSL certificate (either iam or acm), and <policy-name> is the name of the security policy that you created in step 1.- Finally, you should verify that your CloudFront distribution is now using the correct security policy. You can use the following command to get the details of your distribution:
<distribution-id> is the ID of your CloudFront distribution. This command will return the details of your distribution, including the security policy that it is currently using.That’s it! By following these steps, you can remediate the misconfiguration of using inappropriate security policies with appropriate version and ciphers for your AWS CloudFront distributions using AWS CLI.Using Python
Using Python
To remediate the misconfiguration “CloudFront Distributions Should Use Security Policies With Appropriate Version And Ciphers” for AWS using python, follow the below steps:Replace Replace
- Create a new security policy with appropriate version and ciphers using the AWS CLI command:
<policy-name> with the name you want to give to the new security policy and <policy-config-file> with the path to the JSON file containing the policy configuration.- Update the CloudFront distribution to use the new security policy using the AWS CLI command:
<distribution-id> with the ID of the CloudFront distribution you want to update and <distribution-config-file> with the path to the JSON file containing the distribution configuration.- Verify that the updated distribution is now using the new security policy with appropriate version and ciphers.