Ensure insecure SSL protocols are not configured for AWS CloudFront origin

MEDIUM

Description

HTTPS can be configured for communication from CloudFront to a custom origin, excluding S3 buckets. This will secure data in-transit to the origin, which is considered best practice. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

Remediation

In Terraform -

  1. In the aws_cloudfront_distribution resource, ensure that the custom_origin_config.origin_ssl_protocols value is set so that no insecure SSL/TLS protocols are listed for the custom origin.

For more information, see the Terraform documentation.
References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#origin_ssl_protocols
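The following Terraform snippet is an added example, not part of the policy page or its references, showing the weak setting beside the corrected one in the custom_origin_config block. The resource name, origin domain and origin ID are placeholders; the protocol names (SSLv3, TLSv1, TLSv1.1, TLSv1.2) are the values the aws_cloudfront_distribution resource accepts for origin_ssl_protocols.

```hcl
# Added example (not from the policy page). Names and domains are placeholders.
# Only the custom_origin_config block is relevant to rule AC_AWS_0232; the
# remaining blocks are the minimum a CloudFront distribution needs to apply.

resource "aws_cloudfront_distribution" "example_app" {
  enabled = true

  origin {
    domain_name = "origin.example.com" # placeholder custom origin (not S3)
    origin_id   = "custom-origin"

    custom_origin_config {
      http_port  = 80
      https_port = 443

      # Force CloudFront to use HTTPS when talking to the origin.
      origin_protocol_policy = "https-only"

      # Non-compliant (what the rule flags): legacy protocols are negotiable
      # with the origin, so a downgrade to SSLv3/TLSv1 is possible.
      #   origin_ssl_protocols = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

      # Compliant: only the current protocol is offered to the origin.
      origin_ssl_protocols = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "custom-origin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Note that origin_ssl_protocols only exists inside custom_origin_config; an S3 origin uses s3_origin_config and has no such setting, which matches the "excluding S3 buckets" scope in the description. Changing the list on an existing distribution shows up in `terraform plan` as an in-place update of the origin block, and the origin itself must still accept the remaining protocol, so confirm the origin's TLS configuration before tightening the list.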

Policy Details

Rule Reference ID: AC_AWS_0232
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: CloudFront

Frameworks