Control: 10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
Description
This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3.
In 2015, the Internet Engineering Task Force (IETF) officially announced that SSL 3.0 should be deprecated due to the protocol being insufficiently secure. It is recommended that you use TLSv1.2 or later for HTTPS communication to your custom origins.
Remediation
To update the Origin SSL Protocols for your CloudFront distributions, see Requiring HTTPS for communication between CloudFront and your custom origin in the Amazon CloudFront Developer Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_cloudfront_10
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_cloudfront_10 --share
SQL
This control uses a named query:
cloudfront_distribution_no_deprecated_ssl_protocol