More Info:

Your AWS Cloudfront Content Delivery Network distributions should not be using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and your custom origins.

Risk Level

Medium

Address

Security

Compliance Standards

AWSWAF

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “CloudFront Distributions Should Not Use Insecure SSL Protocols” in AWS using AWS console, follow the below steps:
  1. Login to your AWS console.
  2. Go to the CloudFront service.
  3. Select the distribution which is using insecure SSL protocols.
  4. Click on the “Edit” button.
  5. Scroll down to the “SSL Certificate” section.
  6. In the “Minimum SSL Protocol Version” dropdown, select “TLSv1.2_2018”.
  7. Click on the “Yes, Edit” button to save the changes.
By doing this, you have successfully remediated the misconfiguration “CloudFront Distributions Should Not Use Insecure SSL Protocols” in AWS using AWS console.

To remediate the CloudFront Distributions Should Not Use Insecure SSL Protocols misconfiguration in AWS using AWS CLI, you can follow the below steps:
  1. Open your terminal and install AWS CLI if it is not installed already.
  2. Run the following command to update the CloudFront distribution to use only secure SSL protocols: 
aws cloudfront update-distribution --id <distribution-id> --viewer-protocol-policy https-only
Note: Replace <distribution-id> with the ID of the CloudFront distribution that you want to update.
  1. After running the above command, the CloudFront distribution will be updated to use only secure SSL protocols.
  2. Verify the changes by checking the SSL protocols used by the CloudFront distribution using the following command: 
aws cloudfront get-distribution-config --id <distribution-id> --query "DistributionConfig.ViewerCertificate.MinimumProtocolVersion"
Note: Replace <distribution-id> with the ID of the CloudFront distribution that you updated.
  1. The output of the above command should show that the minimum SSL protocol version is TLSv1.1 or higher.
By following these steps, you can remediate the CloudFront Distributions Should Not Use Insecure SSL Protocols misconfiguration in AWS using AWS CLI.
To remediate the misconfiguration of CloudFront distributions using insecure SSL protocols in AWS using Python, you can follow the below steps:
  1. Import the required AWS modules and libraries in your Python script:
import boto3
from botocore.exceptions import ClientError
  1. Create an AWS client for CloudFront using the boto3 library:
cloudfront_client = boto3.client('cloudfront')
  1. Get a list of all the CloudFront distributions using the list_distributions method:
response = cloudfront_client.list_distributions()
  1. Loop through the list of CloudFront distributions and check if they are using insecure SSL protocols. You can do this by checking the value of the MinimumProtocolVersion parameter. If it is set to SSLv3 or TLSv1, then it is using an insecure SSL protocol.
for distribution in response['DistributionList']['Items']:
    if distribution['ViewerCertificate']['MinimumProtocolVersion'] in ['SSLv3', 'TLSv1']:
        # Remediation steps go here
  1. To remediate the misconfiguration, you need to update the CloudFront distribution with a secure SSL protocol. You can do this by updating the ViewerCertificate parameter with a new value for MinimumProtocolVersion. For example, to set it to TLSv1.2_2018, you can use the update_distribution method:
distribution_id = distribution['Id']
etag = distribution['ETag']
viewer_certificate = {
    'CloudFrontDefaultCertificate': False,
    'MinimumProtocolVersion': 'TLSv1.2_2018'
}
try:
    cloudfront_client.update_distribution(
        DistributionConfig={
            'ViewerCertificate': viewer_certificate
        },
        Id=distribution_id,
        IfMatch=etag
    )
    print(f"Successfully updated CloudFront distribution {distribution_id}")
except ClientError as e:
    print(f"Error updating CloudFront distribution {distribution_id}: {e}")
  1. Finally, run the Python script to remediate the misconfiguration for all the CloudFront distributions using insecure SSL protocols.

Additional Reading: