🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: CloudFront distributions should use the recommended TLS security policy

Description

This control checks whether an Amazon CloudFront distribution is configured to use the recommended TLS security policy. The control fails if the CloudFront distribution is not configured to use the recommended TLS security policy.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cloudfront_distribution_uses_recommended_tls_security_policy

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cloudfront_distribution_uses_recommended_tls_security_policy --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when viewer_certificate is null then 'alarm'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then 'alarm'
    else 'ok'
  end as status,
  case
    when viewer_certificate is null then title || ' has no MinimumProtocolVersion set.'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then title || ' uses non-recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
    else title || ' uses recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
  end as reason
  
  , region, account_id
from
  aws_cloudfront_distribution

Params

ArgsNameDefaultDescriptionVariable
$1cloudfront_distribution_tls_security_policy
["TLSv1.2_2021"]
A list of SSL policies for CloudFront distributions.

Tags

category = Compliance
plugin = aws
service = AWS/CloudFront