- Knowledge Base
- Amazon Web Services
- Amazon CloudFront
- CloudFront Insecure Origin SSL Protocols
Ensure that your Amazon CloudFront Content Delivery Network (CDN) distributions are not using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and custom origins. Trend Cloud One™ – Conformity recommends using TLSv1.0 or later (ideally use only TLSv1.2 if your origins support it) and avoid using the SSLv3 protocol.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using insecure and deprecated SSL protocols for your Amazon CloudFront distributions could make the connection between the Content Delivery Network and the origin server vulnerable to exploits such as POODLE (Padding Oracle on Downgraded Legacy Encryption) which allows an attacker to eavesdrop on your application traffic over a secure channel (encrypted with the SSLv3 protocol) by implementing a Man-In-The-Middle (MITM) tactic.
Audit
To determine if your Amazon CloudFront distribution origins are using insecure SSL protocols (i.e. SSLv3) for their origins, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.
03 In the left navigation panel, under CloudFront, choose Distributions.
04 Click on the name (link) of the CloudFront distribution that you want to examine.
05 Select the Origins tab to access the origins created for the selected distribution.
06 Select the distribution origin that you want to examine and choose Edit.
07 On the Edit origin page, check the Minimum origin SSL protocol configuration setting to determine the minimum SSL protocol that CloudFront uses with the selected origin. If the Minimum origin SSL protocol is set to SSLv3, the selected distribution origin is configured to use an insecure SSL protocol for HTTPS traffic, therefore the selected Amazon CloudFront distribution is vulnerable to exploits.
08 Repeat steps no. 6 and 7 for each origin created for the selected Amazon CloudFront distribution.
09 Repeat steps no. 4 – 8 for each CloudFront distribution available within your AWS cloud account.
Using AWS CLI
01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon CloudFront distribution created in your AWS account:
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id'
02 The command output should return a table with the requested distribution ID(s):
-------------------- |ListDistributions | +------------------+ | ABCDABCDABCDAB | | AABBCCDDAABBCC | +------------------+
03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the Amazon CloudFront distribution that you want to examine as the identifier parameter and custom filtering to describe the minimum SSL/TLS protocols used by the distribution origins:
aws aws cloudfront get-distribution --id ABCDABCDABCDAB --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig.OriginSslProtocols.Items | []'
04 The command output should return the SSL/TLS protocols used by the custom origins:
[ "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" ]
If the list of the SSL/TLS protocols returned by the get-distribution command output includes the SSLv3 protocol, as shown in the example above, the origins defined for the selected distribution are configured to use an insecure SSL protocol for HTTPS traffic, therefore the selected Amazon CloudFront distribution is vulnerable to exploits.
05 Repeat steps no. 3 and 4 for each CloudFront distribution deployed in your AWS cloud account.
Remediation / Resolution
To remove the deprecated SSLv3 protocol from your Amazon Cloudfront distributions origins, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "CloudFrontDistribution": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "Enabled": true, "Comment": "CloudFront CDN Web Distribution", "Origins": [ { "Id": "cc-cdn-origin", "DomainName": "domain.com" } ], "DefaultRootObject": "index.html", "DefaultCacheBehavior": { "Compress": true, "AllowedMethods": [ "HEAD", "GET" ], "DefaultTTL": 0, "ForwardedValues": { "Cookies": { "Forward": "none" }, "QueryString": false }, "ViewerProtocolPolicy": "redirect-to-https" }, "HttpVersion": "http2", "PriceClass": "PriceClass_All", "ViewerCertificate": { "CloudFrontDefaultCertificate": false, "MinimumProtocolVersion": "TLSv1.2_2019", "AcmCertificateArn": "arn:aws:acm:us-east-1:123412341234:certificate/abcd1234-abcd-1234-abcd-1234abcd1234", "SslSupportMethod": "sni-only" } } } } } }
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09' Resources: CloudFrontDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Enabled: true Comment: CloudFront CDN Web Distribution Origins: - Id: cc-cdn-origin DomainName: domain.com DefaultRootObject: index.html DefaultCacheBehavior: Compress: true AllowedMethods: - HEAD - GET DefaultTTL: 0 ForwardedValues: Cookies: Forward: none QueryString: false ViewerProtocolPolicy: redirect-to-https HttpVersion: http2 PriceClass: PriceClass_All ViewerCertificate: CloudFrontDefaultCertificate: false MinimumProtocolVersion: TLSv1.2_2019 AcmCertificateArn: arn:aws:acm:us-east-1:123412341234:certificate/abcd1234-abcd-1234-abcd-1234abcd1234 SslSupportMethod: sni-only
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 4.0" } } required_version = ">= 0.14.9" } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_cloudfront_distribution" "cloudfront-distribution" { enabled = true default_root_object = "index.html" comment = "CloudFront CDN Web Distribution" origin { domain_name = "domain.com" origin_id = "cc-cdn-origin" } default_cache_behavior { compress = true target_origin_id = "cc-domain-origin" allowed_methods = ["GET", "HEAD"] cached_methods = ["GET", "HEAD"] forwarded_values { query_string = false cookies { forward = "none" } } min_ttl = 0 default_ttl = 3600 max_ttl = 86400 viewer_protocol_policy = "redirect-to-https" } price_class = "PriceClass_All" viewer_certificate { cloudfront_default_certificate = false minimum_protocol_version = "TLSv1.2_2019" acm_certificate_arn = "arn:aws:acm:us-east-1:123412341234:certificate/abcd1234-abcd-1234-abcd-1234abcd1234" ssl_support_method = "sni-only" } }
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.
03 In the left navigation panel, under CloudFront, choose Distributions.
04 Click on the name of the CloudFront distribution that you want to reconfigure.
05 Select the Origins tab to access the origins created for the selected distribution.
06 Select the distribution origin that you want to reconfigure and choose Edit.
07 On the Edit origin page, select TLSv1.2 from the Minimum origin SSL protocol list to remove the insecure SSLv3 protocol from the current configuration and apply the latest TLS protocol that your origin supports (in this case, the TLSv1.2 protocol). Choose Save changes to apply the configuration changes.
08 Repeat steps no. 6 and 7 for each origin that you want to reconfigure, defined for the selected Amazon CloudFront distribution.
09 Repeat steps no. 4 – 8 for each CloudFront distribution available within your AWS cloud account.
Using AWS CLI
01 Run get-distribution-config command (OSX/Linux/UNIX) to extract all the configuration information from the Amazon CloudFront distribution that you want to reconfigure:
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'DistributionConfig'
02 The command output should return the requested configuration information:
{ "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234", "Aliases": { "Quantity": 0 }, "DefaultRootObject": "", "Origins": { "Quantity": 1, "Items": [ { "Id": "cloudconformity.com", "DomainName": "cloudconformity.com", "OriginPath": "", "CustomHeaders": { "Quantity": 0 }, "CustomOriginConfig": { "HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only", "OriginSslProtocols": { "Quantity": 4, "Items": [ "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" ] }, "OriginReadTimeout": 30, "OriginKeepaliveTimeout": 5 }, "ConnectionAttempts": 3, "ConnectionTimeout": 10, "OriginShield": { "Enabled": false } } ] }, "OriginGroups": { "Quantity": 0 }, "DefaultCacheBehavior": { "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": true, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 }, "CacheBehaviors": { "Quantity": 1, "Items": [ { "PathPattern": "/images", "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": true, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 } ] }, "CustomErrorResponses": { "Quantity": 0 }, "Comment": "", "Logging": { "Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": "" }, "PriceClass": "PriceClass_100", "Enabled": true, "ViewerCertificate": { "CloudFrontDefaultCertificate": true, "MinimumProtocolVersion": "TLSv1", "CertificateSource": "cloudfront" }, "Restrictions": { "GeoRestriction": { "RestrictionType": "none", "Quantity": 0 } }, "WebACLId": "", "HttpVersion": "http1.1", "IsIPV6Enabled": false }
03 Run get-distribution-config command (OSX/Linux/UNIX) to describe the current version of the configuration available for the selected distribution (i.e. eTag):
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'ETag'
04 The command output should return the requested information:
"AAAABBBBCCCCD"
05 Modify the configuration document returned at step no. 2 to enable and remove the deprecated SSLv3 protocol from the "OriginSslProtocols" configuration object and set the TLSv1.2 protocol as the minimum SSL protocol for the selected origin (as highlighted in the example below). Save the document with the modified distribution configuration (highlighted) to a JSON file named configure-ssl-tls-protocols.json:
{ "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234", "Aliases": { "Quantity": 0 }, "DefaultRootObject": "", "Origins": { "Quantity": 1, "Items": [ { "Id": "cloudconformity.com", "DomainName": "cloudconformity.com", "OriginPath": "", "CustomHeaders": { "Quantity": 0 }, "CustomOriginConfig": { "HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only", "OriginSslProtocols": { "Quantity": 1, "Items": [ "TLSv1.2" ] }, "OriginReadTimeout": 30, "OriginKeepaliveTimeout": 5 }, "ConnectionAttempts": 3, "ConnectionTimeout": 10, "OriginShield": { "Enabled": false } } ] }, "OriginGroups": { "Quantity": 0 }, "DefaultCacheBehavior": { "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": true, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 }, "CacheBehaviors": { "Quantity": 1, "Items": [ { "PathPattern": "/images", "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": true, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 } ] }, "CustomErrorResponses": { "Quantity": 0 }, "Comment": "", "Logging": { "Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": "" }, "PriceClass": "PriceClass_100", "Enabled": true, "ViewerCertificate": { "CloudFrontDefaultCertificate": true, "MinimumProtocolVersion": "TLSv1", "CertificateSource": "cloudfront" }, "Restrictions": { "GeoRestriction": { "RestrictionType": "none", "Quantity": 0 } }, "WebACLId": "", "HttpVersion": "http1.1", "IsIPV6Enabled": false }
06 Run update-distribution command (OSX/Linux/UNIX) using the document modified at the previous step (i.e. configure-ssl-tls-protocols.json) as the distribution configuration document, to reconfigure the selected Amazon CloudFront distribution in order to disable the SSLv3 origin protocol. --if-match parameter represents the current version of the configuration, returned at step no. 4:
aws cloudfront update-distribution --id ABCDABCDABCDAB --if-match AAAABBBBCCCCD --distribution-config file://configure-ssl-tls-protocols.json --query 'Distribution.Status'
07 The command output should return the status of the modified CloudFront distribution:
"InProgress"
08 Repeat steps no. 6 and 7 for each origin that you want to reconfigure, created for the selected Amazon CloudFront distribution.
09 Repeat steps no. 1 – 8 for each CloudFront distribution deployed in your AWS cloud account.
References
- AWS Command Line Interface (CLI) Documentation
- cloudfront
- list-distributions
- get-distribution
- get-distribution-config
- update-distribution