CloudFront distributions use deprecated SSL protocols
Description
Using insecure and deprecated SSL protocols could leave your site and origin server vulnerable to exploits. We recommend detecting the use of older SSL protocols that are no longer considered secure. Use TLSv1.2 where possible and do not use anything older than TLSv1.
You can review AWS guidance on SSL protocols here.
Fix - Runtime
AWS CloudFront Console
- Log in to the AWS Management Console at https://console.aws.amazon.com/.
- Open the CloudFront console.
- Select the CloudFront distribution, then click Distribution Settings.
- Navigate to the General section and click Edit.
- Set a security policy. It is currently recommended to use policy TLSv1.2_2018.
- To save the changes, click Yes.
CLI Command
To get a list of all CloudFront distributions and check the origin SSL protocols of each one, use the following commands:
aws cloudfront list-distributions --query 'DistributionList.Items[*].Id'
aws cloudfront get-distribution --id <Distribution Id> \
  --query 'Distribution.DistributionConfig.Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items'
If the origin SSL protocols of the distribution include SSLv2 or SSLv3, update the distribution using the following steps and commands:
aws cloudfront get-distribution-config --id <Distribution Id> > /tmp/cloudfront-config.json
Get the ETag for your config:
ETAG=$(jq -r '.ETag' /tmp/cloudfront-config.json)
echo "$ETAG"
Get the DistributionConfig:
jq '.DistributionConfig' /tmp/cloudfront-config.json > /tmp/cloudfront-dc.json
Edit the OriginSslProtocols config for TLSv1.2 at Origins.Items[].CustomOriginConfig.OriginSslProtocols.Items:
vi /tmp/cloudfront-dc.json
For example:
  "OriginSslProtocols": {
    "Quantity": 1,
    "Items": [
      "TLSv1.2"
    ]
  },
aws cloudfront update-distribution \
--id <Distribution Id> \
--if-match $ETAG \
--distribution-config file:///tmp/cloudfront-dc.json
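The manual vi edit above is easy to get wrong when a distribution has several origins, or when Quantity is left out of sync with Items. As an added example that is not part of the original page, this script audits the saved DistributionConfig for deprecated origin protocols and writes a hardened copy restricted to TLSv1.2, ready for the update-distribution command; the sample config is constructed, and S3 origins are skipped because they carry no CustomOriginConfig. Note that the console "security policy" (ViewerCertificate.MinimumProtocolVersion) governs the viewer side and is a separate setting from the origin protocols handled here.

```python
import json

WEAK_ORIGIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
TARGET_ORIGIN_PROTOCOLS = ["TLSv1.2"]


def audit_origins(dist_config):
    """Return [(origin_id, [weak protocols])] for custom origins that still allow deprecated versions."""
    findings = []
    for origin in dist_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins have no origin-side TLS setting to audit
        allowed = custom.get("OriginSslProtocols", {}).get("Items", [])
        weak = [p for p in allowed if p in WEAK_ORIGIN_PROTOCOLS]
        if weak:
            findings.append((origin["Id"], weak))
    return findings


def harden_origins(dist_config):
    """Return a deep copy of the DistributionConfig with every custom origin restricted to TLSv1.2.
    Quantity is kept equal to len(Items); CloudFront rejects a config where the two disagree."""
    hardened = json.loads(json.dumps(dist_config))  # deep copy so the input is left untouched
    for origin in hardened.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is not None:
            custom["OriginSslProtocols"] = {
                "Quantity": len(TARGET_ORIGIN_PROTOCOLS),
                "Items": list(TARGET_ORIGIN_PROTOCOLS),
            }
    return hardened


# Constructed sample in the shape of `aws cloudfront get-distribution-config` output (not a real distribution)
SAMPLE = json.loads("""{
  "ETag": "EXAMPLEETAG",
  "DistributionConfig": {
    "Origins": {"Quantity": 2, "Items": [
      {"Id": "web-origin", "DomainName": "www.example.com",
       "CustomOriginConfig": {"OriginSslProtocols": {"Quantity": 3, "Items": ["SSLv3", "TLSv1", "TLSv1.2"]}}},
      {"Id": "assets-s3", "DomainName": "assets.s3.amazonaws.com",
       "S3OriginConfig": {"OriginAccessIdentity": ""}}
    ]}
  }
}""")

if __name__ == "__main__":
    for origin_id, weak in audit_origins(SAMPLE["DistributionConfig"]):
        print(f"{origin_id}: allows deprecated origin protocols {weak}")
    with open("/tmp/cloudfront-dc.json", "w") as f:  # same path the update-distribution step reads
        json.dump(harden_origins(SAMPLE["DistributionConfig"]), f, indent=2)
```

Replace SAMPLE with `json.load(open("/tmp/cloudfront-config.json"))` to run it against a real saved config, then pass the written file and the saved ETag to update-distribution as shown above.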