Ensure that Cloudfront distribution is not using insecure SSL protocols

Security & Compliance

Amazon CloudFront is a content delivery network service provided by Amazon Web Services (AWS). It allows you to distribute your content to users globally with low latency and high transfer speeds. CloudFront supports secure connections between your origin server and end users using HTTPS protocol with SSL/TLS encryption.By ensuring that your CloudFront distribution is not using insecure SSL protocols, you can help protect your content and users from potential security vulnerabilities and ensure that your AWS environment is secure.


If you have determined that your CloudFront distribution is using insecure SSL protocols, it is important to take immediate remediation steps to ensure that your content and users are protected. Here are some steps you can take:

  1. Update SSL/TLS protocols and ciphers: The first step is to update the SSL/TLS protocols and ciphers used by your CloudFront distribution. You can do this by creating a custom SSL/TLS certificate and choosing the appropriate protocols and ciphers. Specifically, you should disable SSL 3.0 and TLS 1.0, and enable TLS 1.2 or higher with strong ciphers.
  2. Rotate SSL/TLS certificates: You should also rotate your SSL/TLS certificates regularly to ensure the highest level of security. You can use the AWS Certificate Manager (ACM) to manage your certificates and automatically rotate them.
  3. Verify secure connections: Once you have updated your SSL/TLS protocols and ciphers and rotated your certificates, you should verify that your CloudFront distribution is using secure connections. You can use a variety of tools to test the security of your SSL/TLS connections, including SSL Labs' SSL Server Test or Qualys SSL Server Test.
  4. Update your security policies: Finally, you should update your security policies to ensure that all new CloudFront distributions use secure SSL/TLS protocols and ciphers. This can include updating your company's security guidelines, creating templates for CloudFront distributions that enforce secure SSL/TLS configurations, and training your team on best practices for SSL/TLS security.

By following these remediation steps, you can help ensure that your CloudFront distribution is not using insecure SSL protocols and that your content and users are protected from potential security vulnerabilities.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.