Terraform: outdated TLS versions
Description
Detects AWS CloudFront distributions configured to serve content using outdated or insecure TLS protocol versions. Using older TLS versions can expose web traffic to known vulnerabilities and man-in-the-middle attacks, compromising the security of data in transit.
Detection Strategy
• Check for AWS CloudFront distribution resource declarations in infrastructure code
• Examine the TLS protocol version settings in the distribution configuration
• Report a vulnerability if the distribution allows TLS versions older than 1.2
• Review the minimum protocol version setting in the viewer certificate configuration block
Vulnerable code example
resource "aws_cloudfront_distribution" "example" {
  origin {
    domain_name = "example.com"
    origin_id   = "myOrigin"
    custom_origin_config {
      origin_protocol_policy = "match-viewer" # Vulnerable: allows insecure HTTP if the viewer uses it
      origin_ssl_protocols   = ["TLSv1"]      # Vulnerable: TLS 1.0 is outdated and should not be offered to the origin
    }
  }
  # ... (remaining distribution arguments elided in the original)
}
✅ Secure code example
resource "aws_cloudfront_distribution" "example" {
  origin {
    domain_name = "example.com"
    origin_id   = "myOrigin"
    custom_origin_config {
      origin_protocol_policy = "https-only" # Enforce HTTPS between CloudFront and the origin
      origin_ssl_protocols   = ["TLSv1.2"]  # Offer a modern TLS version only
    }
  }
  # ... (remaining distribution arguments elided in the original)
}
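The detection strategy above can be exercised with a short script. The following is an added example, not Fluid Attacks' own checker: it scans Terraform text with regular expressions and a small brace matcher (no HCL library), and applies both tests the strategy lists, origin_ssl_protocols values older than TLS 1.2 and a viewer_certificate whose minimum_protocol_version is older than TLS 1.2. It also covers a case the page's snippets do not show: when minimum_protocol_version is omitted (for instance with cloudfront_default_certificate = true), the provider's documented default of TLSv1 applies, so the distribution is still reported. The Terraform embedded in the script is constructed for the example and the ACM ARN is a placeholder.

```python
"""Added example (not from the original page): applies the detection strategy to
Terraform text and flags aws_cloudfront_distribution blocks that allow TLS < 1.2."""
import re

MODERN_ORIGIN_PROTOCOLS = {"TLSv1.2"}       # only origin_ssl_protocols value that is not outdated
MODERN_VIEWER_MIN_VERSIONS = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}
DEFAULT_VIEWER_MIN_VERSION = "TLSv1"        # provider default when minimum_protocol_version is omitted

RESOURCE_HEADER = re.compile(r'resource\s+"aws_cloudfront_distribution"\s+"([^"]+)"\s*\{')
ORIGIN_PROTOCOLS = re.compile(r'origin_ssl_protocols\s*=\s*\[([^\]]*)\]')
MIN_VERSION = re.compile(r'minimum_protocol_version\s*=\s*"([^"]+)"')
VIEWER_CERT = re.compile(r'viewer_certificate\s*\{')


def _block_body(text, open_brace):
    """Text between the '{' at open_brace and its matching '}'. String literals and
    '#' comments are skipped so braces inside them do not count (escaped quotes are not handled)."""
    depth, i = 0, open_brace
    while i < len(text):
        ch = text[i]
        if ch == '"':
            i = text.index('"', i + 1)      # jump to the closing quote
        elif ch == '#':
            i = text.find('\n', i)          # jump to the end of the comment
            if i == -1:
                break
        elif ch == '{':
            depth += 1
        elif ch == '}':
            depth -= 1
            if depth == 0:
                return text[open_brace + 1:i]
        i += 1
    raise ValueError("unbalanced braces in Terraform text")


def check_distribution(name, body):
    """Return human-readable findings for one distribution body."""
    findings = []
    for m in ORIGIN_PROTOCOLS.finditer(body):
        protocols = re.findall(r'"([^"]+)"', m.group(1))
        outdated = [p for p in protocols if p not in MODERN_ORIGIN_PROTOCOLS]
        if outdated:
            findings.append(f"{name}: origin_ssl_protocols allows {outdated}")
    vc = VIEWER_CERT.search(body)
    if vc:  # an omitted minimum_protocol_version means the default, TLSv1, applies
        mv = MIN_VERSION.search(_block_body(body, vc.end() - 1))
        version = mv.group(1) if mv else DEFAULT_VIEWER_MIN_VERSION
        if version not in MODERN_VIEWER_MIN_VERSIONS:
            findings.append(f"{name}: viewer minimum_protocol_version is {version}")
    return findings


def scan(text):
    """Run check_distribution over every aws_cloudfront_distribution in a .tf file."""
    findings = []
    for m in RESOURCE_HEADER.finditer(text):
        findings.extend(check_distribution(m.group(1), _block_body(text, m.end() - 1)))
    return findings


# Constructed sample input: a legacy distribution, a hardened one, and one that keeps the
# default CloudFront certificate (and therefore the TLSv1 default). Arguments that do not
# matter to the check are left out; the ACM ARN is a placeholder.
SAMPLE_TF = '''
resource "aws_cloudfront_distribution" "legacy" {
  origin {
    domain_name = "example.com"
    custom_origin_config {
      origin_protocol_policy = "match-viewer"
      origin_ssl_protocols   = ["TLSv1", "TLSv1.1"]  # outdated
    }
  }
  viewer_certificate {
    acm_certificate_arn      = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
    minimum_protocol_version = "TLSv1_2016"
  }
}

resource "aws_cloudfront_distribution" "hardened" {
  origin {
    domain_name = "example.com"
    custom_origin_config {
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }
  viewer_certificate {
    acm_certificate_arn      = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}

resource "aws_cloudfront_distribution" "default_cert" {
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
'''
```

Calling scan(SAMPLE_TF) returns three findings: two for "legacy" (the TLSv1/TLSv1.1 origin protocols and the TLSv1_2016 viewer minimum) and one for "default_cert", whose omitted minimum_protocol_version falls back to TLSv1; "hardened" produces none. The brace matcher is what makes the viewer_certificate lookup safe: it confines the minimum_protocol_version search to that block instead of picking up an attribute elsewhere in the resource.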