Control: CloudFront distributions should use the recommended TLS security policy
Description
This control checks whether an Amazon CloudFront distribution is configured to use the recommended TLS security policy. The control fails if the CloudFront distribution is not configured to use the recommended TLS security policy.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cloudfront_distribution_uses_recommended_tls_security_policy
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cloudfront_distribution_uses_recommended_tls_security_policy --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when viewer_certificate is null then 'alarm'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then 'alarm'
    else 'ok'
  end as status,
  case
    when viewer_certificate is null then title || ' has no MinimumProtocolVersion set.'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then title || ' uses non-recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
    else title || ' uses recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
  end as reason,
  region,
  account_id
from
  aws_cloudfront_distribution
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | cloudfront_distribution_tls_security_policy | | A list of SSL policies for CloudFront distributions. | |
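
An added example, not part of the aws_compliance mod: the query's status logic run in PostgreSQL against four constructed rows, to show how SQL three-valued logic treats a `viewer_certificate` that is present but has no `MinimumProtocolVersion` key (the comparison yields NULL, `not NULL` is still NULL, and the row falls through to `else 'ok'`). The sample rows, the `sample` and `params` names, the `TLSv1.2_2021` value assumed for `$1`, and the null-safe variant are assumptions for illustration; this page does not say whether the API ever returns such a row.

```sql
-- Constructed sample rows standing in for aws_cloudfront_distribution (not real data).
with sample(title, viewer_certificate) as (
  values
    ('dist-modern',  '{"MinimumProtocolVersion": "TLSv1.2_2021"}'::jsonb),
    ('dist-legacy',  '{"MinimumProtocolVersion": "TLSv1"}'::jsonb),
    ('dist-no-key',  '{"CloudFrontDefaultCertificate": true}'::jsonb),
    ('dist-no-cert', null::jsonb)
),
params(allowed) as (
  -- Assumed value for $1; replace with your own approved policy list.
  select array['TLSv1.2_2021']::text[]
)
select
  title,
  viewer_certificate ->> 'MinimumProtocolVersion' as min_version,
  -- Same predicate shape as the control's query.
  case
    when viewer_certificate is null then 'alarm'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = any(allowed)) then 'alarm'
    else 'ok'
  end as status_as_written,
  -- Null-safe variant (hypothetical): only a positive match is 'ok',
  -- so a missing key or a NULL comparison counts as non-compliant.
  case
    when viewer_certificate is null then 'alarm'
    when coalesce(viewer_certificate ->> 'MinimumProtocolVersion' = any(allowed), false) then 'ok'
    else 'alarm'
  end as status_null_safe
from
  sample
  cross join params
order by
  title;
```

The two status columns differ only on the `dist-no-key` row. The same NULL propagation also makes the `reason` string NULL for that row in the query as written, since `||` with a NULL operand returns NULL.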