Json Yaml Outdated Tls Protocols Enabled
Description
Detects AWS CloudFront distributions that are configured to use outdated or insecure TLS protocols. Using deprecated TLS versions can expose the distribution to known security vulnerabilities, potentially compromising the confidentiality and integrity of data in transit.
Detection Strategy
• Search for AWS::CloudFront::Distribution resources in CloudFormation templates
• Check the ViewerCertificate configuration properties of the CloudFront distribution
• Flag distributions that allow insecure protocols through configurations like MinimumProtocolVersion
• Report a vulnerability if the distribution accepts deprecated TLS versions below the recommended minimum
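As an added illustration of the strategy above (example code, not Fluid Attacks' own checker), the following Python walks an already-parsed CloudFormation template (a JSON template via json.load, or YAML via a loader that understands CloudFormation intrinsic tags) and reports each distribution whose viewer TLS floor is below a TLSv1.2 security policy. The set of values treated as outdated, the reporting of a missing MinimumProtocolVersion, the helper _distribution and the sample template are this example's assumptions and constructed data.

```python
# Values CloudFront accepts for MinimumProtocolVersion that predate the
# TLSv1.2_* security policies. Treating these as outdated, and any
# TLSv1.2_* policy as acceptable, is this example's assumption.
OUTDATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}

def find_outdated_tls(template: dict) -> list:
    """Return (logical_id, reason) for each AWS::CloudFront::Distribution
    whose viewer TLS floor is below TLSv1.2, following the strategy above."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = resource.get("Properties", {}).get("DistributionConfig", {})
        cert = config.get("ViewerCertificate")
        # With the default *.cloudfront.net certificate, CloudFront sets the
        # security policy to TLSv1 and ignores MinimumProtocolVersion.
        if cert is None or cert.get("CloudFrontDefaultCertificate") in (True, "true"):
            findings.append((logical_id, "default certificate forces TLSv1"))
            continue
        version = cert.get("MinimumProtocolVersion")
        # A missing value is reported too: the template then documents no floor.
        if version is None or version in OUTDATED_PROTOCOLS:
            findings.append((logical_id, f"MinimumProtocolVersion={version}"))
    return findings

def _distribution(viewer_certificate: dict) -> dict:
    """Build a minimal distribution resource for the constructed sample."""
    return {"Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {
                "Enabled": "true",
                "DefaultCacheBehavior": {"TargetOriginId": "origin1"},
                "ViewerCertificate": viewer_certificate}}}

ACM_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"  # placeholder

# Constructed sample template: one outdated, one default-cert, one hardened.
SAMPLE_TEMPLATE = {"Resources": {
    "legacyDist": _distribution({"AcmCertificateArn": ACM_ARN,
                                 "SslSupportMethod": "sni-only",
                                 "MinimumProtocolVersion": "TLSv1"}),
    "defaultCertDist": _distribution({"CloudFrontDefaultCertificate": True}),
    "hardenedDist": _distribution({"AcmCertificateArn": ACM_ARN,
                                   "SslSupportMethod": "sni-only",
                                   "MinimumProtocolVersion": "TLSv1.2_2021"}),
}}

if __name__ == "__main__":
    for logical_id, reason in find_outdated_tls(SAMPLE_TEMPLATE):
        print(f"{logical_id}: {reason}")
```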
Vulnerable code example
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: 'true'
        DefaultCacheBehavior:
          TargetOriginId: origin1...
✅ Secure code example
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: 'true'
        DefaultCacheBehavior:
          TargetOriginId: origin1...