CloudFront distribution custom origins should use secure TLS protocol versions (1.2 and above)


The TLS (Transport Layer Security) protocol protects data in transit over the internet using standard encryption. Where possible, connections should use the latest version of TLS; versions prior to TLS 1.2 are deprecated, and continuing to use them may pose security risks. For a CloudFront custom origin, the relevant setting is the Minimum Origin SSL Protocol on the origin, which should be TLSv1.2.

Console Remediation Steps

  • Navigate to AWS CloudFront.

  • Select the Distribution.

  • Select the Origins and Origin Groups tab.

  • Select the checkbox for the Origin and select Edit.

  • Under Minimum Origin SSL Protocol, select TLSv1.2.

  • Click Yes, Edit.

CLI Remediation Steps

  • To update your CloudFront distribution custom origins to use secure TLS protocol versions (1.2 and above):

aws cloudfront update-distribution \
  [--distribution-config <value>] \
  --id <value> \
  [--if-match <value>] \
  [--default-root-object <value>] \
  [--cli-input-json <value>] \
  [--generate-cli-skeleton <value>]
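An added example (not part of the original page or the AWS CLI documentation): a Python helper that audits the JSON returned by `aws cloudfront get-distribution-config` for custom origins that still allow SSLv3, TLSv1 or TLSv1.1, and emits a hardened DistributionConfig. The sample document, origin IDs and domain names are constructed; in practice the flow is get-distribution-config, edit the DistributionConfig, then update-distribution with --distribution-config file://<edited.json> and --if-match set to the ETag returned by the get call (the update is rejected if the ETag is missing or stale).

```python
import json

# Origin SSL protocols CloudFront still accepts but which predate TLS 1.2.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}
FALLBACK = ["TLSv1.2"]  # used when removing deprecated entries would leave none


def noncompliant_origins(dist_config: dict) -> list:
    """Return (origin Id, deprecated protocols) for every custom origin that
    still allows a pre-1.2 protocol. S3 origins carry no CustomOriginConfig
    and are skipped, since CloudFront manages TLS to S3 itself."""
    findings = []
    for origin in dist_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue
        allowed = custom.get("OriginSslProtocols", {}).get("Items", [])
        bad = [p for p in allowed if p in DEPRECATED]
        if bad:
            findings.append((origin["Id"], bad))
    return findings


def harden(dist_config: dict) -> dict:
    """Return a copy of the DistributionConfig with deprecated origin SSL
    protocols stripped; Quantity is kept in sync with Items as the API requires."""
    fixed = json.loads(json.dumps(dist_config))  # deep copy, input untouched
    for origin in fixed.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue
        items = custom.get("OriginSslProtocols", {}).get("Items", [])
        keep = [p for p in items if p not in DEPRECATED] or list(FALLBACK)
        custom["OriginSslProtocols"] = {"Quantity": len(keep), "Items": keep}
    return fixed


# Constructed sample in the shape of `aws cloudfront get-distribution-config`
# output, trimmed to the fields this check needs (IDs and names are made up).
SAMPLE = {"ETag": "EXAMPLEETAG", "DistributionConfig": {"Origins": {"Quantity": 2, "Items": [
    {"Id": "api-origin", "DomainName": "api.example.com", "CustomOriginConfig": {
        "OriginProtocolPolicy": "https-only",
        "OriginSslProtocols": {"Quantity": 3, "Items": ["TLSv1", "TLSv1.1", "TLSv1.2"]}}},
    {"Id": "s3-origin", "DomainName": "bucket.s3.amazonaws.com",
     "S3OriginConfig": {"OriginAccessIdentity": ""}}]}}}

if __name__ == "__main__":
    for oid, bad in noncompliant_origins(SAMPLE["DistributionConfig"]):
        print(f"origin {oid} allows deprecated protocols: {', '.join(bad)}")
    print(json.dumps(harden(SAMPLE["DistributionConfig"]), indent=2))
```

The printed JSON is the body to pass as --distribution-config; the ETag from the same get call goes in --if-match.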