CloudFront distributions security policy is less than TLS v1.1

cloudfront

Classification:

compliance

Set up the cloudfront integration.

Overview

Description

Verify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.

Rationale

Requiring a security policy of at least TLS v1.1, the minimum protocol version recommended for AWS CloudFront, together with the cipher suites that policy permits, improves the security of content served through the distribution by preventing viewers from negotiating older, weaker protocols.

Remediation

  1. Run get-distribution-config with your AWS CloudFront distribution ID to retrieve your distribution’s configuration information.

    get-distribution-config.sh

        aws cloudfront get-distribution-config \
            --id ID000000000000
        
  2. In a new JSON file, modify the returned configuration by setting the minimum protocol version to TLS v1.1 (2016) or v1.2 (2018).

    tls-version.json

        {
          "ETag": "ETAG0000000000",
          "DistributionConfig": {
            ...
            "ViewerCertificate": {
              ...
              "MinimumProtocolVersion": "TLSv1.1_2016"
            },
            ...
          }
        }
        
  3. Run update-distribution to update your distribution with your distribution id, the path of the configuration file (created in step 2), and your etag.

    update-distribution.sh

        aws cloudfront update-distribution \
            --id ID000000000000 \
            --distribution-config file://tls-version.json \
            --if-match ETAG0000000000
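The check and the remediation above, as an added example that is not part of this rule page or the AWS CLI: it evaluates a `get-distribution-config` response against the TLS v1.1 floor and builds the `DistributionConfig` body for `update-distribution`. The sample response, the `is_compliant` and `remediate` names, and the default target policy `TLSv1.2_2018` are assumptions made for the example.

```python
import copy

# CloudFront security policies, weakest to strongest; the rule's floor is TLSv1.1_2016.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
                  "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
RULE_MINIMUM = "TLSv1.1_2016"

# Constructed sample shaped like `aws cloudfront get-distribution-config` output (not a real distribution).
SAMPLE_RESPONSE = {
    "ETag": "ETAG0000000000",
    "DistributionConfig": {
        "CallerReference": "constructed-example",
        "Enabled": True,
        "ViewerCertificate": {
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1",
        },
    },
}


def is_compliant(distribution_config):
    """True when the viewer security policy is TLSv1.1_2016 or stronger; unknown values fail closed."""
    version = distribution_config.get("ViewerCertificate", {}).get("MinimumProtocolVersion")
    if version not in PROTOCOL_ORDER:
        return False
    return PROTOCOL_ORDER.index(version) >= PROTOCOL_ORDER.index(RULE_MINIMUM)


def remediate(response, target="TLSv1.2_2018"):
    """Return (etag, DistributionConfig) ready for `update-distribution --if-match <etag>`.

    Only the DistributionConfig object, not the ETag wrapper, is accepted by update-distribution.
    A distribution on the default *.cloudfront.net certificate is pinned to TLSv1 by CloudFront,
    so it needs a custom certificate before the policy can be raised; that case is rejected here.
    """
    if PROTOCOL_ORDER.index(target) < PROTOCOL_ORDER.index(RULE_MINIMUM):
        raise ValueError(f"target {target} is below the rule minimum {RULE_MINIMUM}")
    etag = response["ETag"]
    config = copy.deepcopy(response["DistributionConfig"])  # leave the fetched response untouched
    viewer_cert = config.setdefault("ViewerCertificate", {})
    if viewer_cert.get("CloudFrontDefaultCertificate"):
        raise ValueError("default CloudFront certificate in use: attach a custom certificate first")
    if not is_compliant(config):
        viewer_cert["MinimumProtocolVersion"] = target
    return etag, config


if __name__ == "__main__":
    etag, fixed = remediate(SAMPLE_RESPONSE)
    print(f"before: {is_compliant(SAMPLE_RESPONSE['DistributionConfig'])}, after: {is_compliant(fixed)}")
    print(f"write `fixed` to tls-version.json, then update-distribution --if-match {etag}")
```

Write the returned `DistributionConfig` to `tls-version.json` and pass it as `file://tls-version.json`; the ETag must match the one fetched in step 1 or CloudFront rejects the update.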