Control: CloudFront distributions should use the recommended TLS security policy
Description
This control checks whether an Amazon CloudFront distribution is configured to use the recommended TLS security policy. The control fails if the CloudFront distribution is not configured to use the recommended TLS security policy.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cloudfront_distribution_uses_recommended_tls_security_policy
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.cloudfront_distribution_uses_recommended_tls_security_policy --share
SQL
This control uses a named query:
select
  arn as resource,
  case
    when viewer_certificate is null then 'alarm'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then 'alarm'
    else 'ok'
  end as status,
  case
    when viewer_certificate is null then title || ' has no MinimumProtocolVersion set.'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then title || ' uses non-recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
    else title || ' uses recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
  end as reason,
  region,
  account_id
from
  aws_cloudfront_distribution
Params
| Args | Name | Default | Description | Variable |
|---|---|---|---|---|
| $1 | cloudfront_distribution_tls_security_policy | | A list of SSL policies for CloudFront distributions. | |
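The query's CASE logic evaluated over constructed rows in PostgreSQL, as an added example that is not part of the Powerpipe mod. The allow-list stands in for $1 (the page shows no default), the CTE name and sample rows are hypothetical, and the second status column is an assumed null-safe variant included for comparison.

```sql
-- Constructed allow-list standing in for $1; an assumption, not the
-- control's default value.
with params as (
  select array['TLSv1.2_2019', 'TLSv1.2_2021']::text[] as allowed
),
-- Constructed rows shaped like aws_cloudfront_distribution (hypothetical data).
sample_distribution (title, viewer_certificate) as (
  values
    ('dist-modern',  '{"MinimumProtocolVersion": "TLSv1.2_2021"}'::jsonb),
    ('dist-legacy',  '{"MinimumProtocolVersion": "TLSv1"}'::jsonb),
    ('dist-no-cert', null::jsonb),
    ('dist-no-key',  '{"CloudFrontDefaultCertificate": true}'::jsonb)
)
select
  d.title,
  d.viewer_certificate ->> 'MinimumProtocolVersion' as min_version,
  -- Same predicate as the control's query.
  case
    when d.viewer_certificate is null then 'alarm'
    when not (d.viewer_certificate ->> 'MinimumProtocolVersion' = any(p.allowed)) then 'alarm'
    else 'ok'
  end as status_as_published,
  -- Null-safe variant: a missing or NULL version counts as a failure.
  case
    when coalesce(d.viewer_certificate ->> 'MinimumProtocolVersion' = any(p.allowed), false) then 'ok'
    else 'alarm'
  end as status_null_safe
from
  sample_distribution as d
  cross join params as p
order by
  d.title;
```

For the dist-no-key row the comparison evaluates to NULL, so the published predicate falls through to 'ok' while the null-safe column reports 'alarm'. The other three rows get the same status from both columns.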