
An AWS CloudFront distribution uses a deprecated version of SSL/TLS

  • GG_ID: GG_IAC_0026
  • Severity: HIGH
  • Complexity: HIGH
  • Categories: NETWORK
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: True
  • Privileges required: False

Description

Outdated TLS policies (TLS 1.0 and 1.1) rely on insecure cipher suites built on weak hash functions (SHA-1 and MD5) and are subject to a range of well-known attacks. Note that TLS 1.0 and 1.1 were deprecated on March 25, 2021.

Allowing such policies lets an attacker break the encryption, decrypt the traffic, and perform man-in-the-middle attacks.

Impact

Known vulnerabilities could be exploited with man-in-the-middle attacks and lead to data and credential leakage.

Remediation guidelines

The CloudFront minimum protocol version should be set to TLS v1.2 or above.

Note that this implies that the clients connecting to your endpoint must support TLS version 1.2 or above. Also, if the SSL certificate is the default CloudFront certificate, i.e. the domain used is cloudfront.net (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy), it is not possible to set the minimum protocol version to TLS v1.2 or above. In that case, this policy should be ignored.
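As an added example (written for this page, not taken from the GitGuardian policy or any GitGuardian code), the following Terraform shows an `aws_cloudfront_distribution` with the deprecated setting this policy flags beside the remediated one, and the default-certificate case in which the setting cannot be raised. The resource names, origin domain and certificate ARN are placeholders.

```hcl
# Added example for GG_IAC_0026, not part of the original page.
# Resource names, origin domain and the ACM certificate ARN are placeholders.

# BEFORE: a deprecated security policy. "TLSv1" tells CloudFront to accept
# TLS 1.0 and 1.1 handshakes from viewers, which is what this policy reports.
resource "aws_cloudfront_distribution" "weak" {
  enabled = true

  origin {
    domain_name = "example-bucket.s3.amazonaws.com" # placeholder origin
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1" # deprecated: permits TLS 1.0 / 1.1
  }
}

# AFTER: same distribution with a TLS 1.2 security policy. Viewers that cannot
# negotiate TLS 1.2 or newer will fail the handshake, which is the trade-off
# the remediation note describes.
resource "aws_cloudfront_distribution" "hardened" {
  enabled = true

  origin {
    domain_name = "example-bucket.s3.amazonaws.com" # placeholder origin
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn      = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021" # TLS 1.2 minimum
  }
}

# Exception noted above: with the default *.cloudfront.net certificate there is
# no custom domain, CloudFront fixes the security policy itself, and
# minimum_protocol_version cannot be raised, so this finding does not apply.
#
#   viewer_certificate {
#     cloudfront_default_certificate = true
#   }
```

The only difference between the two resources is the `minimum_protocol_version` value in `viewer_certificate`; `TLSv1.2_2021` is the newest TLS 1.2 policy offered by CloudFront at the time of writing, and any `TLSv1.2_*` value satisfies this check. Because the policy applies to the viewer-facing side, the origin's own TLS settings are not affected by this change.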

External documentation