Ensure secure ciphers are used for AWS CloudFront distribution

HIGH

Description

Using secure ciphers helps protect communication in transit; however, what is considered secure changes over time. Amazon maintains cipher sets in security policy groups for CloudFront, with older policies allowing less secure ciphers. For a complete chart of policies and the ciphers they use, see the CloudFront documentation.
References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html

Remediation

This setting cannot be changed in the Console UI and can only be updated via the API or Terraform.

In Terraform -

  1. In the aws_cloudfront_distribution resource, ensure that viewer_certificate.minimum_protocol_version is set appropriately. This single setting configures both the minimum TLS protocol version and the cipher suites CloudFront offers to viewers.
  2. This field takes the security policy values listed in the Distribution Web Values section of the AWS documentation.
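A minimal distribution with the hardened setting next to the weak one, as an added example (not from this page or the Terraform provider documentation); the alias, origin domain and ACM certificate ARN are placeholder assumptions that must be replaced:

```hcl
# Added example (not from the page): a minimal aws_cloudfront_distribution that
# pins the viewer security policy. Alias, origin and certificate ARN are assumed.
resource "aws_cloudfront_distribution" "site" {
  enabled = true
  aliases = ["www.example.com"] # assumed alias covered by the certificate

  origin {
    domain_name = "site-origin.example.com" # assumed origin
    origin_id   = "site-origin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "site-origin"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # Weak: the provider default when omitted, and the only value allowed when
  # cloudfront_default_certificate = true is used instead of a custom certificate:
  #   minimum_protocol_version = "TLSv1"
  # Hardened: a custom certificate served via SNI with a current security policy.
  # TLSv1.2_2021 requires TLS 1.2+ from viewers and offers the smallest cipher set.
  viewer_certificate {
    acm_certificate_arn      = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE-CERT-ID" # assumed; ACM certs for CloudFront must be in us-east-1
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```

Note that minimum_protocol_version can only be raised when a custom certificate (ACM or IAM) is used; a distribution relying on the default *.cloudfront.net certificate stays on TLSv1 regardless of this setting.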

References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValues-security-policy
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution

Policy Details

Rule Reference ID: AC_AWS_0394
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: CloudFront

Frameworks