This product is not supported for your selected
Datadog site. (
).
Id: 218413a0-c716-4b94-9e08-0bb70d854709
Cloud Provider: AWS
Platform: Ansible
Severity: Medium
Category: Encryption
Learn More
Description
CloudFront distributions that do not enforce a modern minimum TLS protocol version can allow legacy TLS/SSL versions, increasing the risk of downgrade attacks and interception of data in transit.
For Ansible CloudFront resources (modules community.aws.cloudfront_distribution and cloudfront_distribution), the viewer_certificate.minimum_protocol_version property must be defined and set to TLSv1.1 or TLSv1.2 (preferably TLSv1.2) when using a custom certificate (viewer_certificate.cloudfront_default_certificate set to false). Resources that omit minimum_protocol_version or specify any other value are flagged.
Secure configuration example for Ansible:
- name: Create CloudFront distribution with secure TLS
community.aws.cloudfront_distribution:
name: my-distribution
viewer_certificate:
cloudfront_default_certificate: false
acm_certificate_arn: arn:aws:acm:region:acct:certificate/your-cert-id
minimum_protocol_version: TLSv1.2
Compliant Code Examples
- name: example
community.aws.cloudfront_distribution:
state: present
caller_reference: unique test distribution ID
origins:
- id: my test origin-000111
domain_name: www.example.com
origin_path: /production
custom_headers:
- header_name: MyCustomHeaderName
header_value: MyCustomHeaderValue
viewer_certificate:
cloudfront_default_certificate: true
Non-Compliant Code Examples
- name: example
community.aws.cloudfront_distribution:
state: present
caller_reference: unique test distribution ID
origins:
- id: 'my test origin-000111'
domain_name: www.example.com
origin_path: /production
custom_headers:
- header_name: MyCustomHeaderName
header_value: MyCustomHeaderValue
viewer_certificate:
cloudfront_default_certificate: false
minimum_protocol_version: 'SSLv3'
