CloudFront Distributions Using Deprecated SSL Protocols
Overview
This check identifies CloudFront distributions that allow deprecated SSL/TLS protocol versions (SSLv3, TLSv1, or TLSv1.1) when connecting to custom origins. These older protocols have known security vulnerabilities and should be disabled in favor of TLSv1.2 or higher.
CloudFront communicates with your origin servers over SSL/TLS. The "Origin SSL protocols" setting controls which protocol versions CloudFront can use for these connections. Allowing deprecated protocols creates security risks even if your origin supports newer versions.
Risk
Allowing deprecated SSL/TLS protocols exposes your infrastructure to:
- POODLE attacks (SSLv3) - Attackers can decrypt encrypted data by exploiting padding oracle vulnerabilities
- BEAST attacks (TLSv1) - Allows decryption of HTTPS traffic through browser exploits
- Protocol downgrade attacks - Attackers can force connections to use weaker protocols, then exploit their vulnerabilities
- Compromised data confidentiality - Sensitive data like authentication tokens, session cookies, and user information can be intercepted
- Compliance failures - PCI-DSS, HIPAA, and other frameworks require modern TLS versions
Modern security standards require TLSv1.2 as the minimum acceptable protocol version.
Remediation Steps
Prerequisites
- AWS account access with permission to modify CloudFront distributions
- Your distribution ID (found in the Prowler findings or CloudFront console)
- Your origin server must support TLSv1.2 (most modern servers do)
Required IAM permissions
To update CloudFront distributions, you need:
- `cloudfront:GetDistribution`
- `cloudfront:GetDistributionConfig`
- `cloudfront:UpdateDistribution`
AWS Console Method
- Open the CloudFront console
- Click on the Distribution ID you want to update
- Go to the Origins tab
- Select the custom origin and click Edit
- Scroll to Minimum origin SSL protocol
- Select TLSv1.2 (this disables all older protocols)
- Click Save changes
- Wait for the distribution status to change from "Deploying" to "Deployed" (5-15 minutes)
Important: If your distribution has multiple custom origins, repeat steps 4-7 for each one.
Before making changes: Verify your origin server supports TLSv1.2. If your origin only supports older protocols, you must upgrade your origin's TLS configuration first, or the connection will fail.
AWS CLI (optional)
Updating CloudFront via CLI requires retrieving the configuration, modifying it, and applying the update.
Step 1: Get the current distribution configuration
```bash
aws cloudfront get-distribution-config \
  --id <distribution-id> \
  --region us-east-1 \
  > distribution-config.json
```
Step 2: Extract the ETag (required for updates)
```bash
ETAG=$(jq -r '.ETag' distribution-config.json)
echo "ETag: $ETAG"
```
Step 3: Modify the configuration
Extract and update the configuration to use only TLSv1.2:
```bash
# Strip the ETag wrapper (DistributionConfig becomes the root object) and
# restrict every custom origin to TLSv1.2; S3 origins are left untouched.
jq '
  .DistributionConfig |
  .Origins.Items |= map(
    if .CustomOriginConfig then
      .CustomOriginConfig.OriginSslProtocols = {"Quantity": 1, "Items": ["TLSv1.2"]}
    else
      .
    end
  )
' distribution-config.json > updated-config.json
```
Alternatively, manually edit distribution-config.json:
- Remove the top-level `ETag` field
- Rename `DistributionConfig` to be the root object
- Find each origin's `CustomOriginConfig.OriginSslProtocols` section
- Change `Items` to contain only `["TLSv1.2"]`
- Update `Quantity` to `1`
Step 4: Apply the updated configuration
```bash
aws cloudfront update-distribution \
  --id <distribution-id> \
  --if-match "$ETAG" \
  --distribution-config file://updated-config.json \
  --region us-east-1
```
Replace <distribution-id> with your CloudFront distribution ID (e.g., E1A2B3C4D5E6F7).
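As an added example (not part of the Prowler documentation), the following Python script models steps 2-3 offline against a constructed `get-distribution-config` response: it flags custom origins that still allow a deprecated protocol, then returns the ETag for `--if-match` together with the updated `DistributionConfig` body, keeping `Quantity` in step with `Items`. The origin IDs, domain names and ETag are placeholders.

```python
import copy
import json

# Protocol versions this Prowler check flags on custom origins.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample of `aws cloudfront get-distribution-config` output,
# trimmed to the relevant fields; the ETag and IDs are placeholders.
SAMPLE_RESPONSE = {
    "ETag": "EXAMPLE-ETAG-PLACEHOLDER",
    "DistributionConfig": {
        "Origins": {"Quantity": 2, "Items": [
            {"Id": "LegacyOrigin", "DomainName": "api.example.com",
             "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                 "OriginProtocolPolicy": "https-only",
                 "OriginSslProtocols": {"Quantity": 4,
                     "Items": ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]}}},
            # S3 REST endpoint origin: no CustomOriginConfig, so out of scope.
            {"Id": "AssetsBucket", "DomainName": "assets.s3.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""}},
        ]},
    },
}

def find_noncompliant_origins(response):
    """Return IDs of custom origins whose OriginSslProtocols include a
    deprecated version; origins without CustomOriginConfig are skipped."""
    flagged = []
    for origin in response["DistributionConfig"]["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom and set(custom["OriginSslProtocols"]["Items"]) & DEPRECATED_PROTOCOLS:
            flagged.append(origin["Id"])
    return flagged

def build_update_request(response):
    """Mirror steps 2-3: return the ETag for --if-match and a copy of
    DistributionConfig with every custom origin limited to TLSv1.2.
    Quantity is kept in sync with Items, which hand edits often miss."""
    config = copy.deepcopy(response["DistributionConfig"])
    for origin in config["Origins"]["Items"]:
        if "CustomOriginConfig" in origin:
            origin["CustomOriginConfig"]["OriginSslProtocols"] = {
                "Quantity": 1, "Items": ["TLSv1.2"]}
    return response["ETag"], config

if __name__ == "__main__":
    print("non-compliant origins:", find_noncompliant_origins(SAMPLE_RESPONSE))
    etag, updated = build_update_request(SAMPLE_RESPONSE)
    print("use --if-match", etag)
    print(json.dumps(updated, indent=2))  # save as updated-config.json
```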
To list distributions and check current SSL protocols:
```bash
aws cloudfront list-distributions \
  --region us-east-1 \
  --query 'DistributionList.Items[*].{ID:Id,Domain:DomainName,Origins:Origins.Items[*].{Name:Id,SSLProtocols:CustomOriginConfig.OriginSslProtocols.Items}}' \
  --output json
```
CloudFormation (optional)
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFront distribution with secure TLS 1.2 origin configuration
Parameters:
  OriginDomainName:
    Type: String
    Description: The domain name of your origin server (e.g., api.example.com)
  OriginId:
    Type: String
    Default: SecureOrigin
    Description: A unique identifier for the origin
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: Distribution with TLS 1.2 only origin connection
        Origins:
          - Id: !Ref OriginId
            DomainName: !Ref OriginDomainName
            CustomOriginConfig:
              HTTPSPort: 443
              OriginProtocolPolicy: https-only
              # Key setting: Only allow TLSv1.2 (no deprecated protocols)
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: !Ref OriginId
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods:
            - GET
            - HEAD
          CachedMethods:
            - GET
            - HEAD
          ForwardedValues:
            QueryString: false
            Cookies:
              Forward: none
          Compress: true
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
        PriceClass: PriceClass_100
Outputs:
  DistributionId:
    Description: CloudFront Distribution ID
    Value: !Ref CloudFrontDistribution
  DistributionDomainName:
    Description: CloudFront Distribution Domain Name
    Value: !GetAtt CloudFrontDistribution.DomainName
```
Deploy with:
```bash
aws cloudformation deploy \
  --template-file cloudfront-tls12.yaml \
  --stack-name cloudfront-secure-tls \
  --parameter-overrides \
    OriginDomainName=api.example.com \
  --region us-east-1
```
Key configuration:
`OriginSSLProtocols` contains only `TLSv1.2` - this prevents CloudFront from using SSLv3, TLSv1, or TLSv1.1
Terraform (optional)
```hcl
variable "origin_domain_name" {
  description = "The domain name of your origin server"
  type        = string
}

resource "aws_cloudfront_distribution" "secure_distribution" {
  enabled     = true
  comment     = "Distribution with TLS 1.2 only origin connection"
  price_class = "PriceClass_100"

  origin {
    domain_name = var.origin_domain_name
    origin_id   = "SecureOrigin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      # Key setting: Only allow TLSv1.2 (no deprecated protocols)
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "SecureOrigin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    compress = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  tags = {
    Environment = "Production"
    Security    = "TLS12Only"
  }
}

output "distribution_id" {
  description = "CloudFront Distribution ID"
  value       = aws_cloudfront_distribution.secure_distribution.id
}

output "distribution_domain_name" {
  description = "CloudFront Distribution Domain Name"
  value       = aws_cloudfront_distribution.secure_distribution.domain_name
}
```
To update an existing distribution:
```hcl
# Import: terraform import aws_cloudfront_distribution.existing E1A2B3C4D5E6F7
resource "aws_cloudfront_distribution" "existing" {
  # ... existing configuration ...

  origin {
    domain_name = "api.example.com"
    origin_id   = "ExistingOrigin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      # Changed from ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"] to:
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }
}
```
Deploy with:
```bash
terraform init
terraform apply -var="origin_domain_name=api.example.com"
```
Verification
After updating your distribution:
- Go to the CloudFront console
- Click on your distribution
- Go to the Origins tab
- Click on each custom origin and verify Minimum origin SSL protocol shows TLSv1.2
- Test your application to confirm it still works (the origin must support TLSv1.2)
CLI verification
Check the SSL protocols for a specific distribution:
```bash
aws cloudfront get-distribution \
  --id <distribution-id> \
  --region us-east-1 \
  --query 'Distribution.DistributionConfig.Origins.Items[*].{OriginId:Id,SSLProtocols:CustomOriginConfig.OriginSslProtocols.Items}' \
  --output table
```
Expected output for a compliant distribution:
```text
---------------------------------
|        GetDistribution        |
+---------------+---------------+
|   OriginId    | SSLProtocols  |
+---------------+---------------+
|  SecureOrigin |    TLSv1.2    |
+---------------+---------------+
```
Re-run the Prowler check:
```bash
prowler aws --checks cloudfront_distributions_using_deprecated_ssl_protocols
```
Additional Resources
- Requiring HTTPS for Communication Between CloudFront and Your Custom Origin
- Supported protocols and ciphers between CloudFront and the origin
- CloudFront Security Best Practices
- NIST Guidelines on TLS - Recommends TLS 1.2 minimum
Notes
- Origin compatibility: Before changing this setting, ensure your origin server supports TLSv1.2. If your origin only supports older protocols, connections will fail after this change. Test your origin first using:

  ```bash
  openssl s_client -connect your-origin.com:443 -tls1_2
  ```

- S3 origins: This check applies only to custom origins. S3 bucket origins (using S3 REST API endpoints) automatically use secure, modern TLS versions managed by AWS.
- Deployment time: Changes take 5-15 minutes to propagate globally. The console shows "Deploying" status during this time.
- No rollback needed for viewer access: This setting only affects CloudFront-to-origin connections. Viewers (end users) connecting to CloudFront are not affected by this change.
- Multiple origins: If your distribution has multiple custom origins, update each one separately.
- TLSv1.3: As of this writing, CloudFront supports TLSv1.2 as the most secure option for origin connections. AWS may add TLSv1.3 support in the future.