Information
CloudFront can connect to your origin using only HTTP, only HTTPS, or to connect by matching the protocol used by the viewer. Our recommendation is to use HTTPS only. In this case you can choose which SSL\TLS protocols CloudFront is allowed to use when establishing an HTTPS connection to your origin. Ensure that you are using only TLS1.1+ as the SSL\TLS protocol.
It used to be believed that TLS v1 was marginally more secure than SSL v3.0, its predecessor. However, developments, such as the POODLE vulnerability have shown that SSL v3.0 is now insecure.
Subsequent versions of TLS -- v1.1 and v1.2 are significantly more secure and fix many vulnerabilities present in SSL v3.0 and TLS v1. For example, the BEAST attack that can completely break web sites running on older SSL v3.0 and TLS v1 protocols. The newer TLS versions, if properly configured, prevent the BEAST and other attack vectors and provide many stronger ciphers and encryption methods.
Solution
Using the Amazon unified command line interface:
* For configuring Origin SSL protocols first save locally the current distribution config:
aws cloudfront get-distribution-config --id <application_cfn_distribution_id> --query "DistributionConfig" > /tmp/cf-distribution.json
* Edit and replace "OriginSslProtocols" element in /tmp/cf-distribution.json with the below section:
"OriginSslProtocols": {
"Items": [
"TLSv1.1",
"TLSv1.2"
],
"Quantity": 2
},
* Retrieve the current ETag of your CloudFront distribution:
aws cloudfront get-distribution-config --id <application_cfn_distribution_id> --query "ETag"
* Update the CloudFront distribution using the edited config and the above Etag:
aws cloudfront update-distribution --id <application_cfn_distribution_id> --distribution-config file:///tmp/cf-distribution.json --if-match <application_cfn_distribution_etag>