Amazon CloudFront
      Back to home
      1. CNS Policies
      2. AWS Knowledge Base
      3. Amazon CloudFront

      Insecure CloudFront Distribution Protocols

      This plugin detects the use of insecure HTTPS SSL/TLS protocols for use with HTTPS traffic between viewers and CloudFront.

      Risk Level: Medium

      Description: 

      This plugin detects the use of insecure HTTPS SSL/TLS protocols for use with HTTPS traffic between viewers and CloudFront. CloudFront supports SSLv3 and TLSv1 protocols for use with HTTPS traffic, but only TLSv1.1 or higher should be used unless there is a valid business justification to support the older, insecure SSLv3.

      PingSafe strongly recommends ensuring that traffic sent between viewers and CloudFront is passed over HTTPS and uses TLSv1.1 or higher.

      Configuration Parameters

      Insecure CloudFront Protocol Ignore Default Certificate: This parameter detects the use of insecure CloudFront protocols. However, when the parameter is set to “true” the use of the default CloudFront certificate is ignored, despite using an insecure TLS protocol.

      By default, the value of this parameter is set to “true”.

      About the Service :

      Amazon CloudFront is a web service that accelerates your online content delivery to your users, such as.html,.css,.js, or picture files. CloudFront provides your content over a global data center network known as edge locations. When a user requires the material you provide with CloudFront, the request is routed to the lowest delay location, which ensures the optimum performance for the content.

      Impact : 

      The link between the Cloudfront CDN and the original server may be exposed by insecure and unsuccessful distribution protocols for Cloud front systems,  which allows an attacker to intercept Cloudfront traffic over the safe channel by using a man-in-the-middle strategy.

      Steps to reproduce :

      1. Log In the AWS Console.
      2. Move to Cloudfront dashboard. (https://console.aws.amazon.com/cloudfront/) 
      3. Click on the Distributions panel on the left panel to access the distributions.
      4. Choose the distribution origin that you want to verify from the Origins tab.
      5. Verify the protocols enabled within the Origin SSL Protocols category, on the Origin Settings page. If the SSLv3 protocol is currently enabled: the Cloudfront configuration is vulnerable to exploits.

      Steps for remediation :

      1. Log In the AWS Console.
      2. Move to Cloudfront dashboard.
      3. https://console.aws.amazon.com/cloudfront/ 
      4. Click on the Distributions panel on the left panel to access the distributions.
      5. Choose the distribution origin that you want to verify from the Origins tab.
      6. Verify the protocols enabled within the Origin SSL Protocols category, on the Origin Settings page.
      7. Uncheck the insecure distribution’s checkbox and Click Yes, Edit to save the changes.

       

      References: