Control: CloudFront distributions should use secure SSL cipher
Description
Ensure that CloudFront distributions do not have any insecure SSL ciphers. Using insecure and deprecated ciphers could make the SSL connection between CloudFront and its origins vulnerable to exploits. The check inspects each custom origin's OriginSslProtocols list and raises an alarm when it includes SSLv3 or TLSv1.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cloudfront_distribution_use_secure_cipher
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cloudfront_distribution_use_secure_cipher --share
SQL
This control uses a named query:
with origin_protocols as (
  select distinct
    arn,
    o -> 'CustomOriginConfig' ->> 'OriginSslProtocols' as origin_ssl_policy
  from
    aws_cloudfront_distribution,
    jsonb_array_elements(origins) as o
  where
    o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["TLSv1"]'
    or o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["SSLv3"]'
)
select distinct
  b.arn as resource,
  case
    when o.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when o.arn is null then title || ' uses secure cipher.'
    else title || ' does not use secure cipher.'
  end as reason,
  b.region,
  b.account_id
from
  aws_cloudfront_distribution as b
  left join origin_protocols as o on b.arn = o.arn;
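The same check reimplemented in Python over a constructed sample of distributions shaped like the columns the query reads (an added example, not code from the control or the Powerpipe mod); it also shows that S3 origins, which carry no CustomOriginConfig, are skipped just as the query's NULL JSON lookups skip them, and it reports which origin caused the alarm, which the control itself does not. Treating the `title` column as the distribution id is an assumption.

```python
# The two protocol values the query's jsonb containment checks (@>) look for.
INSECURE_ORIGIN_SSL_PROTOCOLS = {"SSLv3", "TLSv1"}

# Constructed sample rows shaped like the columns the query reads: `origins`
# is the Origins.Items array, each entry either an S3 origin or a custom
# origin carrying OriginSslProtocols. `title` as the distribution id is an assumption.
SAMPLE_DISTRIBUTIONS = [
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE1", "title": "EXAMPLE1",
     "origins": [
         {"Id": "assets", "S3OriginConfig": {"OriginAccessIdentity": ""}},
         {"Id": "api", "CustomOriginConfig": {"OriginSslProtocols": {
             "Quantity": 3, "Items": ["TLSv1", "TLSv1.1", "TLSv1.2"]}}}]},
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE2", "title": "EXAMPLE2",
     "origins": [
         {"Id": "api", "CustomOriginConfig": {"OriginSslProtocols": {
             "Quantity": 1, "Items": ["TLSv1.2"]}}}]},
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE3", "title": "EXAMPLE3",
     "origins": [{"Id": "bucket", "S3OriginConfig": {"OriginAccessIdentity": ""}}]},
]


def insecure_origins(distribution: dict) -> list[tuple[str, list[str]]]:
    """Return (origin Id, offending protocols) for each custom origin whose
    OriginSslProtocols.Items include SSLv3 or TLSv1. S3 origins have no
    CustomOriginConfig; the query's JSON path on them yields NULL, so they
    are never flagged, and this function skips them the same way."""
    found = []
    for origin in distribution.get("origins") or []:
        custom = origin.get("CustomOriginConfig") or {}
        items = (custom.get("OriginSslProtocols") or {}).get("Items") or []
        bad = sorted(INSECURE_ORIGIN_SSL_PROTOCOLS.intersection(items))
        if bad:
            found.append((origin["Id"], bad))
    return found


def evaluate(distribution: dict) -> dict:
    """Build the resource/status/reason row the control emits, plus the
    offending origins (extra detail the control does not report)."""
    bad = insecure_origins(distribution)
    title = distribution["title"]
    return {
        "resource": distribution["arn"],
        "status": "alarm" if bad else "ok",
        "reason": title + (" does not use secure cipher." if bad else " uses secure cipher."),
        "origins": bad,
    }
```

Note that EXAMPLE1 is flagged even though it also allows TLSv1.2: the containment check fires as soon as a deprecated protocol is present in the list, so remediation means removing SSLv3 and TLSv1 from the origin's allowed protocols, not adding newer ones.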