CloudFront distribution should have a security policy requiring a secure version of TLS


Description

Verify that AWS CloudFront distributions have a security policy of TLS v1.1 or greater.

Rationale

The security policy sets the minimum TLS version and the cipher suites that CloudFront negotiates with viewers. A policy that still allows SSLv3 or TLS 1.0 exposes viewer connections to protocol-downgrade and weak-cipher attacks. TLS v1.1 is the minimum this rule accepts, but TLS 1.0 and 1.1 were themselves deprecated by RFC 8996, so prefer a TLS 1.2 policy (such as TLSv1.2_2021) unless you must support older clients.

Remediation

From the console

Follow the Values That You Specify When You Create or Update a Distribution docs to update your CloudFront distribution's Security policy (the minimum TLS version for viewer connections) to TLS v1.1 or later. This is distinct from the Origin SSL Protocols setting, which governs the connection from CloudFront to your origin and does not affect this rule.

From the command line

  1. Run get-distribution-config with your AWS CloudFront distribution ID to retrieve your distribution’s configuration information.

    get-distribution-config.sh

        aws cloudfront get-distribution-config \
            --id ID000000000000
        
  2. In a new file, tls-version.json, save only the DistributionConfig object from the response (update-distribution expects that object, not the surrounding ETag wrapper) and set ViewerCertificate.MinimumProtocolVersion to TLSv1.1_2016 or a newer policy (TLSv1.2_2018, TLSv1.2_2019 or TLSv1.2_2021). Note the ETag value from the response; step 3 needs it. If the distribution uses the default CloudFront certificate (CloudFrontDefaultCertificate set to true), the policy is fixed at TLSv1 and this setting is ignored until you attach an ACM or IAM certificate.

    tls-version.json

        {
          ...
          "ViewerCertificate": {
            ...
            "MinimumProtocolVersion": "TLSv1.1_2016"
          },
          ...
        }
        
  3. Run update-distribution with your distribution ID, the path of the configuration file from step 2 (prefixed with file://), and the ETag from step 1. A stale ETag makes the call fail with a PreconditionFailed error rather than overwrite a change someone else made in between; re-run step 1 to fetch the current one.

    update-distribution.sh

        aws cloudfront update-distribution \
            --id ID000000000000 \
            --distribution-config file://tls-version.json \
            --if-match ETAG0000000000
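
The three steps above as one script, added here as an example and not code from this page or from AWS: it ranks the policy names the CloudFront API accepts, audits a get-distribution-config response (including the default-certificate case, which this setting cannot fix), and produces the DistributionConfig file and ETag that update-distribution needs. The sample response, the distribution ID, the certificate ARN and the function names are constructed for illustration; only the `remediate` function talks to AWS, through the same two CLI commands shown above.

```python
"""Audit and raise the viewer TLS security policy of a CloudFront distribution.

Works on the JSON printed by `aws cloudfront get-distribution-config` and
produces the file expected by `aws cloudfront update-distribution`.
"""
from __future__ import annotations

import json
import subprocess
import tempfile

# MinimumProtocolVersion values accepted by the CloudFront API, weakest first.
POLICY_RANK = {
    "SSLv3": 0,
    "TLSv1": 1,
    "TLSv1_2016": 2,
    "TLSv1.1_2016": 3,
    "TLSv1.2_2018": 4,
    "TLSv1.2_2019": 5,
    "TLSv1.2_2021": 6,
}
MINIMUM_ACCEPTABLE = "TLSv1.1_2016"  # what this rule requires
RECOMMENDED = "TLSv1.2_2021"         # strongest policy CloudFront offers


def check_policy(response: dict) -> tuple[bool, str]:
    """Return (compliant, reason) for one get-distribution-config response."""
    cert = response["DistributionConfig"].get("ViewerCertificate", {})
    # With the default *.cloudfront.net certificate CloudFront pins the policy
    # to TLSv1 and ignores MinimumProtocolVersion, so the setting cannot fix it.
    if cert.get("CloudFrontDefaultCertificate"):
        return False, "default CloudFront certificate pins the policy at TLSv1"
    policy = cert.get("MinimumProtocolVersion", "TLSv1")
    if POLICY_RANK.get(policy, -1) < POLICY_RANK[MINIMUM_ACCEPTABLE]:
        return False, f"policy {policy} is below {MINIMUM_ACCEPTABLE}"
    return True, f"policy {policy}"


def harden_config(response: dict, target: str = RECOMMENDED) -> tuple[str, dict]:
    """Return (etag, DistributionConfig) ready for update-distribution.

    update-distribution takes only the DistributionConfig object; the ETag
    printed alongside it goes in --if-match, not in the file.
    """
    if POLICY_RANK.get(target, -1) < POLICY_RANK[MINIMUM_ACCEPTABLE]:
        raise ValueError(f"{target!r} is not an acceptable policy")
    config = json.loads(json.dumps(response["DistributionConfig"]))  # deep copy
    cert = config.setdefault("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        raise ValueError("attach an ACM or IAM certificate before raising the policy")
    # Only ever raise the policy; never lower one that is already stronger.
    if POLICY_RANK.get(cert.get("MinimumProtocolVersion"), -1) < POLICY_RANK[target]:
        cert["MinimumProtocolVersion"] = target
    return response["ETag"], config


def remediate(distribution_id: str, target: str = RECOMMENDED, apply: bool = False) -> bool:
    """Steps 1-3 of the runbook via the AWS CLI; returns True when compliant."""
    cmd = ["aws", "cloudfront", "get-distribution-config", "--id", distribution_id]
    response = json.loads(subprocess.run(cmd, check=True, capture_output=True, text=True).stdout)
    ok, reason = check_policy(response)
    print(f"{distribution_id}: {'PASS' if ok else 'FAIL'} ({reason})")
    if ok or not apply:
        return ok
    etag, config = harden_config(response, target)
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as fh:
        json.dump(config, fh)
    # --if-match with the ETag from step 1 makes the update fail (PreconditionFailed)
    # if the distribution changed in between, instead of clobbering that change.
    subprocess.run(["aws", "cloudfront", "update-distribution", "--id", distribution_id,
                    "--distribution-config", f"file://{fh.name}", "--if-match", etag],
                   check=True)
    return True


# Constructed sample of a get-distribution-config response, trimmed to the
# fields used here; the ETag, distribution ID and ARN are placeholders.
SAMPLE_RESPONSE = {
    "ETag": "ETAG0000000000",
    "DistributionConfig": {
        "CallerReference": "example",
        "Enabled": True,
        "ViewerCertificate": {
            "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example",
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": "TLSv1",
        },
    },
}

if __name__ == "__main__":
    print(check_policy(SAMPLE_RESPONSE))  # (False, 'policy TLSv1 is below TLSv1.1_2016')
    etag, fixed = harden_config(SAMPLE_RESPONSE)
    print(etag, fixed["ViewerCertificate"]["MinimumProtocolVersion"])  # ETAG0000000000 TLSv1.2_2021
    # Live run against a real distribution (needs AWS credentials):
    # remediate("ID000000000000", apply=True)
```

Run it with no arguments to see the audit and the hardened configuration for the constructed sample; call `remediate` with `apply=True` only after reviewing the policy you are pushing, since a policy newer than your oldest clients support will cut them off.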