AWS securityhub medium security documentation change
Summary
Added new CloudFront.15 control requiring recommended TLS security policy and updated AWS Config rule link formatting
Security assessment
The addition of CloudFront.15 explicitly addresses encryption of data-in-transit by enforcing TLS security policy updates to prevent weak protocols. This directly relates to mitigating security risks associated with outdated encryption standards. The control's description emphasizes protecting data-in-transit and references remediation for TLS configuration.
Diff
diff --git a/securityhub/latest/userguide/cloudfront-controls.md b/securityhub/latest/userguide/cloudfront-controls.md index 291f4a7f4..85c877f8d 100644 --- a//securityhub/latest/userguide/cloudfront-controls.md +++ b//securityhub/latest/userguide/cloudfront-controls.md @@ -5 +5 @@ -[CloudFront.1] CloudFront distributions should have a default root object configured[CloudFront.3] CloudFront distributions should require encryption in transit[CloudFront.4] CloudFront distributions should have origin failover configured[CloudFront.5] CloudFront distributions should have logging enabled[CloudFront.6] CloudFront distributions should have WAF enabled[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins[CloudFront.13] CloudFront distributions should use origin access control[CloudFront.14] CloudFront distributions should be tagged +[CloudFront.1] CloudFront distributions should have a default root object configured[CloudFront.3] CloudFront distributions should require encryption in transit[CloudFront.4] CloudFront distributions should have origin failover configured[CloudFront.5] CloudFront distributions should have logging enabled[CloudFront.6] CloudFront distributions should have WAF enabled[CloudFront.7] CloudFront distributions should use custom SSL/TLS certificates[CloudFront.8] CloudFront distributions should use SNI to serve HTTPS requests[CloudFront.9] CloudFront distributions should encrypt traffic to custom origins[CloudFront.10] CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins[CloudFront.12] CloudFront distributions should not point to non-existent S3 origins[CloudFront.13] CloudFront distributions should use origin access control[CloudFront.14] CloudFront distributions should be tagged[CloudFront.15] CloudFront distributions should use the recommended TLS security policy @@ -21 +21 @@ These AWS Security Hub controls evaluate the Amazon CloudFront service and resou -**AWS Config rule:** [`cloudfront-default-root-object-configured`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-default-root-object-configured.html) +**AWS Config rule:** [cloudfront-default-root-object-configured](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-default-root-object-configured.html) @@ -45 +45 @@ To configure a default root object for a CloudFront distribution, see [How to sp -**AWS Config rule:** [`cloudfront-viewer-policy-https`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-viewer-policy-https.html) +**AWS Config rule:** [cloudfront-viewer-policy-https](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-viewer-policy-https.html) @@ -69 +69 @@ To encrypt a CloudFront distribution in transit, see [Requiring HTTPS for commun -**AWS Config rule:** [`cloudfront-origin-failover-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-failover-enabled.html) +**AWS Config rule:** [cloudfront-origin-failover-enabled](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-origin-failover-enabled.html) @@ -93 +93 @@ To configure origin failover for a CloudFront distribution, see [Creating an ori -**AWS Config rule:** [`cloudfront-accesslogs-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-accesslogs-enabled.html) +**AWS Config rule:** [cloudfront-accesslogs-enabled](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-accesslogs-enabled.html) @@ -117 +117 @@ To configure standard logging (legacy) for a CloudFront distribution, see [Confi -**AWS Config rule:** [`cloudfront-associated-with-waf`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-associated-with-waf.html) +**AWS Config rule:** [cloudfront-associated-with-waf](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-associated-with-waf.html) @@ -141 +141 @@ To associate an AWS WAF web ACL with a CloudFront distribution, see [Using AWS W -**AWS Config rule:** [`cloudfront-custom-ssl-certificate`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-custom-ssl-certificate.html) +**AWS Config rule:** [cloudfront-custom-ssl-certificate](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-custom-ssl-certificate.html) @@ -165 +165 @@ To add an alternate domain name for a CloudFront distribution using a custom SSL -**AWS Config rule:** [`cloudfront-sni-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-sni-enabled.html) +**AWS Config rule:** [cloudfront-sni-enabled](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-sni-enabled.html) @@ -189 +189 @@ To configure a CloudFront distribution to use SNI to serve HTTPS requests, see [ -**AWS Config rule:** [`cloudfront-traffic-to-origin-encrypted`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-traffic-to-origin-encrypted.html) +**AWS Config rule:** [cloudfront-traffic-to-origin-encrypted](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-traffic-to-origin-encrypted.html) @@ -213 +213 @@ To update the Origin Protocol Policy to require encryption for a CloudFront conn -**AWS Config rule:** [`cloudfront-no-deprecated-ssl-protocols`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-no-deprecated-ssl-protocols.html) +**AWS Config rule:** [cloudfront-no-deprecated-ssl-protocols](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-no-deprecated-ssl-protocols.html) @@ -237 +237 @@ To update the Origin SSL Protocols for a CloudFront distribution, see [Requiring -**AWS Config rule:** [`cloudfront-s3-origin-non-existent-bucket`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-s3-origin-non-existent-bucket.html) +**AWS Config rule:** [cloudfront-s3-origin-non-existent-bucket](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-s3-origin-non-existent-bucket.html) @@ -259 +259 @@ To modify a CloudFront distribution to point to a new origin, see [Updating a di -**AWS Config rule:** [`cloudfront-s3-origin-access-control-enabled`](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-s3-origin-access-control-enabled.html) +**AWS Config rule:** [cloudfront-s3-origin-access-control-enabled](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-s3-origin-access-control-enabled.html) @@ -302,0 +303,26 @@ To add tags to a CloudFront distribution, see [Tagging Amazon CloudFront distrib +## [CloudFront.15] CloudFront distributions should use the recommended TLS security policy + +**Category:** Protect > Data Protection > Encryption of data-in-transit + +**Severity:** Medium + +**Resource type:** `AWS::CloudFront::Distribution` + +**AWS Config rule:** [cloudfront-ssl-policy-check](https://docs.aws.amazon.com/config/latest/developerguide/cloudfront-ssl-policy-check.html) + +**Schedule type:** Change triggered + +**Parameters:** `securityPolicies`: `TLSv1.2_2021` (not customizable) + +This control checks whether an Amazon CloudFront distribution is configured to use the recommended TLS security policy. The control fails if the CloudFront distribution is not configured to use the recommended TLS security policy. + +If you configure an Amazon CloudFront distribution to require viewers to use HTTPS to access content, you have to choose a security policy and specify the minimum SSL/TLS protocol version to use. This determines which protocol version CloudFront uses to communicate with viewers, and the ciphers that CloudFront uses to encrypt the communications. We recommend using the latest security policy that CloudFront provides. This ensures that CloudFront uses the latest cipher suites to encrypt data in transit between a viewer and a CloudFront distribution. + +###### Note + +This control generates findings only for CloudFront distributions that are configured to use custom SSL certificates and are not configured to support legacy clients. + +### Remediation + +For information about configuring the security policy for a CloudFront distribution, see [Update a distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowToUpdateDistribution.html) in the _Amazon CloudFront Developer Guide_. When you configure the security policy for a distribution, choose the latest security policy. +