Steampipe mods are now Powerpipe →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
26Dashboards
1161Controls
568Queries
2Variables
GitHub
Loading controls...

Control: 10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins

Description

This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3.

In 2015, the Internet Engineering Task Force (IETF) officially announced that SSL 3.0 should be deprecated due to the protocol being insufficiently secure. It is recommended that you use TLSv1.2 or later for HTTPS communication to your custom origins.

Remediation

To update the Origin SSL Protocols for your CloudFront distributions, see Requiring HTTPS for communication between CloudFront and your custom origin in the Amazon CloudFront Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudfront_10

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudfront_10 --share

SQL

This control uses a named query:

cloudfront_distribution_no_deprecated_ssl_protocol

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = encryption_of_data_in_transit
foundational_security_item_id = cloudfront_10
plugin = aws
service = AWS/CloudFront