Medium CloudFront

CloudFront distributions should use the recommended TLS security policy

FSBP, HIPAA

Description

This control checks whether an Amazon CloudFront distribution is configured to use the recommended TLS security policy. The control fails if the CloudFront distribution is not configured to use the recommended TLS security policy. If you configure an Amazon CloudFront distribution to require viewers to use HTTPS to access content, you have to choose a security policy and specify the minimum SSL/TLS protocol version to use. This determines which protocol version CloudFront uses to communicate with viewers, and the ciphers that CloudFront uses to encrypt the communications. We recommend using the latest security policy that CloudFront provides. This ensures that CloudFront uses the latest cipher suites to encrypt data in transit between a viewer and a CloudFront distribution.
Remediation

Configure your CloudFront distribution to use the recommended TLS security policy (TLSv1.2_2021 or newer).

Steps

  1. Navigate to the CloudFront console
  2. Select the distribution that needs a TLS policy update
  3. Go to the 'Behaviors' tab and edit the behavior
  4. In the 'Viewer Protocol Policy', ensure it's set to 'Redirect HTTP to HTTPS' or 'HTTPS Only'
  5. In the 'Viewer Certificate' section, select 'Custom SSL Certificate' or 'ACM Certificate'
  6. Set the 'Security Policy' to 'TLSv1.2_2021' or newer
  7. Save the changes and wait for the distribution to deploy
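An offline way to evaluate the control before and after remediation, added here as an example and not part of the original control text or any AWS tooling: it takes a DistributionConfig in the shape returned by `aws cloudfront get-distribution-config` and reports the findings a reviewer would want (policy older than TLSv1.2_2021, default certificate forcing TLSv1, behaviors still allowing plain HTTP). The sample configs and the certificate ARN are constructed placeholders.

```python
# CloudFront viewer security policies, ordered oldest to newest.
SECURITY_POLICIES = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
                     "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
RECOMMENDED = "TLSv1.2_2021"


def evaluate_distribution(config: dict) -> dict:
    """Evaluate one DistributionConfig (shape of `aws cloudfront get-distribution-config`)
    and return {"compliant": bool, "findings": [str, ...]}."""
    findings = []
    cert = config.get("ViewerCertificate", {})
    policy = cert.get("MinimumProtocolVersion")

    # With the default *.cloudfront.net certificate CloudFront forces TLSv1 and
    # ignores MinimumProtocolVersion, so the recommended policy cannot be applied.
    if cert.get("CloudFrontDefaultCertificate"):
        findings.append("default CloudFront certificate in use: security policy is "
                        "fixed at TLSv1; attach an ACM or custom certificate")
    elif policy not in SECURITY_POLICIES:
        # A name missing from the table (e.g. newer than this list) needs a manual look.
        findings.append(f"unrecognised security policy {policy!r}: review manually")
    elif SECURITY_POLICIES.index(policy) < SECURITY_POLICIES.index(RECOMMENDED):
        findings.append(f"security policy {policy} is older than {RECOMMENDED}")

    # The TLS policy only protects viewers that use HTTPS, so also flag behaviors
    # that still allow plain HTTP (remediation step 4).
    behaviors = [config.get("DefaultCacheBehavior", {})]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        if b.get("ViewerProtocolPolicy", "allow-all") == "allow-all":
            findings.append(f"behavior {b.get('PathPattern', 'default')} allows plain HTTP")

    return {"compliant": not findings, "findings": findings}


# Constructed sample configs (not real distributions); the ARN is a placeholder.
ARN = "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE"
FAILING = {
    "ViewerCertificate": {"CloudFrontDefaultCertificate": False, "ACMCertificateArn": ARN,
                          "MinimumProtocolVersion": "TLSv1.1_2016"},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Items": [{"PathPattern": "/api/*", "ViewerProtocolPolicy": "https-only"}]},
}
PASSING = {
    "ViewerCertificate": {"CloudFrontDefaultCertificate": False, "ACMCertificateArn": ARN,
                          "MinimumProtocolVersion": "TLSv1.2_2021"},
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": []},
}
```

Running `evaluate_distribution(FAILING)` reports the outdated TLSv1.1_2016 policy and the default behavior that still accepts plain HTTP, while `evaluate_distribution(PASSING)` returns no findings.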

Compliance

FSBP, HIPAA