cloud/aws/cloudfront/cloudfront-insecure-protocol.yaml

id: cloudfront-insecure-protocol

info:
  name: CloudFront Insecure Origin SSL Protocols
  author: DhiyaneshDK
  severity: medium
  description: |
    Ensure that your Amazon CloudFront Content Delivery Network (CDN) distributions are not using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and custom origins.
  impact: |
    Insecure SSL protocols for CloudFront origins can expose sensitive data to interception and compromise, increasing the risk of man-in-the-middle attacks.
  remediation: |
    Configure your CloudFront distribution to enforce the use of secure SSL/TLS protocols (TLS 1.2 or higher) for all origins and disable support for outdated protocols like SSLv3 and TLS 1.0/1.1.
  reference:
    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-insecure-origin-ssl-protocols.html
    - http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html
  tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config

variables:
  region: "us-west-2"

flow: |
  code(1)
  for(let DistributionListItemsId of iterate(template.distributions)){
    set("distribution", DistributionListItemsId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash

    source: |
      aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json

    extractors:
      - type: json
        name: distributions
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash

    source: |
        aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig.OriginSslProtocols.Items | []' --region $region --output json

    matchers:
      - type: word
        words:
          - "SSLv3"

    extractors:
      - type: dsl
        dsl:
          - '"CloudFront Uses SSLv3 Protocol in" + distribution'
# digest: 490a0046304402203f82a403b2d5299d4e40fe21ec8d29df8dca63b594e26c055fb1aea9e3b183e9022070d55cd893d231f70803f0755dfbf169c2917ea01d600a785c3b5e5e4277a9ae:922c64590222798bb761d5b6d8e72950
AWS - Cloudfront 2024-10-18 08:10:08 +05:30			`id: cloudfront-insecure-protocol`

			`info:`
			`name: CloudFront Insecure Origin SSL Protocols`
			`author: DhiyaneshDK`
			`severity: medium`
			`description: \|`
			`Ensure that your Amazon CloudFront Content Delivery Network (CDN) distributions are not using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and custom origins.`
			`impact: \|`
			`Insecure SSL protocols for CloudFront origins can expose sensitive data to interception and compromise, increasing the risk of man-in-the-middle attacks.`
			`remediation: \|`
			`Configure your CloudFront distribution to enforce the use of secure SSL/TLS protocols (TLS 1.2 or higher) for all origins and disable support for outdated protocols like SSLv3 and TLS 1.0/1.1.`
			`reference:`
			`- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/cloudfront-insecure-origin-ssl-protocols.html`
			`- http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/SecureConnections.html`
			`tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
AWS - Cloudfront 2024-10-18 08:10:08 +05:30			`variables:`
			`region: "us-west-2"`

			`flow: \|`
			`code(1)`
			`for(let DistributionListItemsId of iterate(template.distributions)){`
			`set("distribution", DistributionListItemsId)`
			`code(2)`
			`}`

			`self-contained: true`

			`code:`
			`- engine:`
			`- sh`
			`- bash`

			`source: \|`
			`aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json`

			`extractors:`
			`- type: json`
			`name: distributions`
			`internal: true`
			`json:`
			`- '.[]'`

			`- engine:`
			`- sh`
			`- bash`

			`source: \|`
			`aws cloudfront get-distribution --id $distribution --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig.OriginSslProtocols.Items \| []' --region $region --output json`

			`matchers:`
			`- type: word`
			`words:`
			`- "SSLv3"`

			`extractors:`
			`- type: dsl`
			`dsl:`
chore: sign templates 🤖 2024-11-03 18:33:29 +00:00			`- '"CloudFront Uses SSLv3 Protocol in" + distribution'`
chore: sign templates 🤖 2024-12-01 13:57:55 +00:00			`# digest: 490a0046304402203f82a403b2d5299d4e40fe21ec8d29df8dca63b594e26c055fb1aea9e3b183e9022070d55cd893d231f70803f0755dfbf169c2917ea01d600a785c3b5e5e4277a9ae:922c64590222798bb761d5b6d8e72950`