CloudFront distribution viewer certificate should use secure TLS protocol versions (1.2 and above)


The TLS (Transport Layer Security) protocol secures data in transit over the internet using standard encryption technology. Configure the latest TLS version wherever possible. Versions prior to TLS 1.2 are deprecated and their use poses security risks.

Console Remediation Steps

  • Navigate to AWS CloudFront.

  • Select the Distribution.

  • On the General tab, click Edit.

  • Under Security Policy, select TLS protocol version TLSv1.2_2018 or TLSv1.2_2019 (recommended).

  • Click Yes, Edit.

CLI Remediation Steps

  • To update your CloudFront viewer certificate to use secure TLS protocol versions (1.2 and above):

aws cloudfront update-distribution \
  [--distribution-config <value>] \
  --id <value> \
  [--if-match <value>] \
  [--default-root-object <value>] \
  [--cli-input-json <value>] \
  [--generate-cli-skeleton <value>]
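A worked version of the CLI step above, added here as an example and not part of the original page: the pure helpers check and rewrite the ViewerCertificate block of a DistributionConfig as returned by get-distribution-config, and remediate() drives a boto3-style CloudFront client supplied by the caller (the injected client, the ETag/IfMatch round trip and the TLSv1.2_2021 policy value are assumptions beyond what the page shows). It also handles the case the console steps cannot fix: a distribution still on the default *.cloudfront.net certificate, which CloudFront pins to TLSv1.

```python
import copy

# Security policies that enforce TLS 1.2 or later. The page names the 2018
# and 2019 policies; TLSv1.2_2021 is a newer CloudFront policy (assumption).
SECURE_POLICIES = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}
TARGET_POLICY = "TLSv1.2_2019"  # the page's recommended value


def is_compliant(config: dict) -> bool:
    """True when the viewer certificate requires TLS 1.2 or above."""
    cert = config.get("ViewerCertificate", {})
    return cert.get("MinimumProtocolVersion") in SECURE_POLICIES


def harden_viewer_certificate(config: dict, policy: str = TARGET_POLICY) -> dict:
    """Return a copy of the DistributionConfig with the minimum protocol raised.

    CloudFront forces the policy to TLSv1 while the default *.cloudfront.net
    certificate is in use, so a custom (ACM/IAM) certificate is a precondition.
    """
    cert = config.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate", False):
        raise ValueError("attach a custom certificate first; the default "
                         "CloudFront certificate pins the policy to TLSv1")
    if policy not in SECURE_POLICIES:
        raise ValueError(f"{policy} does not enforce TLS 1.2+")
    new = copy.deepcopy(config)  # never mutate the caller's copy
    new["ViewerCertificate"]["MinimumProtocolVersion"] = policy
    return new


def remediate(client, distribution_id: str, policy: str = TARGET_POLICY) -> bool:
    """Fetch, harden and write back one distribution.

    Returns False when the distribution was already compliant. `client` is a
    boto3 CloudFront client, or any object with the same
    get_distribution_config / update_distribution methods (assumed interface).
    update-distribution rejects a write whose IfMatch ETag is stale, which
    guards against overwriting a concurrent change.
    """
    resp = client.get_distribution_config(Id=distribution_id)
    config, etag = resp["DistributionConfig"], resp["ETag"]
    if is_compliant(config):
        return False
    client.update_distribution(Id=distribution_id, IfMatch=etag,
                               DistributionConfig=harden_viewer_certificate(config, policy))
    return True
```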