🚀 Launch Week 10, September 22nd - 26th, 2025 🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
35Dashboards
1534Benchmarks
673Queries
9Variables
GitHub

Control: 15 CloudFront distributions should use the recommended TLS security policy

Description

This control checks whether an Amazon CloudFront distribution is configured to use the recommended TLS security policy. The control fails if the CloudFront distribution is not configured to use the recommended TLS security policy.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudfront_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudfront_15 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when viewer_certificate is null then 'alarm'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then 'alarm'
    else 'ok'
  end as status,
  case
    when viewer_certificate is null then title || ' has no MinimumProtocolVersion set.'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then title || ' uses non-recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
    else title || ' uses recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
  end as reason
  
  , region, account_id
from
  aws_cloudfront_distribution

Params

ArgsNameDefaultDescriptionVariable
$1cloudfront_distribution_tls_security_policy
["TLSv1.2_2021"]
A list of SSL policies for CloudFront distributions.

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = encryption_of_data_in_transit
foundational_security_item_id = cloudfront_15
plugin = aws
service = AWS/CloudFront