Control: 10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
Description
This control checks if Amazon CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and your custom origins. This control fails if a CloudFront distribution has a CustomOriginConfig where OriginSslProtocols includes SSLv3.
In 2015, the Internet Engineering Task Force (IETF) officially announced that SSL 3.0 should be deprecated due to the protocol being insufficiently secure. It is recommended that you use TLSv1.2 or later for HTTPS communication to your custom origins.
Remediation
To update the Origin SSL Protocols for your CloudFront distributions, see Requiring HTTPS for communication between CloudFront and your custom origin in the Amazon CloudFront Developer Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_cloudfront_10Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.foundational_security_cloudfront_10 --shareSQL
This control uses a named query:
with origin_ssl_protocols as ( select distinct arn, o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy from aws_cloudfront_distribution, jsonb_array_elements(origins) as o where o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' @> '["SSLv3"]')select b.arn as resource, case when o.arn is null then 'ok' else 'alarm' end as status, case when o.arn is null then title || ' does not have deprecated SSL protocols.' else title || ' has deprecated SSL protocols.' end as reason , region, account_idfrom aws_cloudfront_distribution as b left join origin_ssl_protocols as o on b.arn = o.arn;