github.com/aquasecurity/trivy-iac@v0.8.1-0.20240127024015-3d8e412cf0ab/avd_docs/aws/cloudfront/AVD-AWS-0013/docs.md

You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.

Note that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (e.g. you are not using the cloudfront.net domain name) and *ssl_support_method* is *sni-only*.
If *cloudfront_default_certificate* is true then the CloudFront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan* output.
The only option when using the cloudfront.net domain name is to ignore this rule.

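The two `viewer_certificate` configurations described above, side by side, as an added example that is not part of the trivy-iac docs or its test fixtures; the resource names, the ACM certificate resource and the `cdn.example.com` alias are placeholders, and the rest of each `aws_cloudfront_distribution` resource (origin, cache behavior, restrictions) is omitted because it does not affect this check.

```hcl
# Added example (not from the trivy-iac page). Resource names, the ACM
# certificate and the alias are placeholders.

# Case 1: default cloudfront.net certificate. The CloudFront API accepts
# only "TLSv1" here, so this block will always be flagged by AVD-AWS-0013;
# any other value produces a perpetual diff in terraform plan. If you must
# keep the cloudfront.net domain, suppress the finding explicitly rather
# than pretending the setting is stronger than it is.
#trivy:ignore:AVD-AWS-0013
resource "aws_cloudfront_distribution" "default_cert" {
  enabled = true
  # ... origin, default_cache_behavior, restrictions omitted ...

  viewer_certificate {
    cloudfront_default_certificate = true
    minimum_protocol_version       = "TLSv1" # the only value CloudFront allows
  }
}

# Case 2: custom domain with an ACM certificate. This is the only
# configuration in which TLSv1.2_2021 can be set: the default certificate
# is disabled, ssl_support_method is sni-only, and the certificate ARN
# points at an ACM certificate (CloudFront requires it to live in us-east-1).
resource "aws_cloudfront_distribution" "custom_cert" {
  enabled = true
  aliases = ["cdn.example.com"] # placeholder domain
  # ... origin, default_cache_behavior, restrictions omitted ...

  viewer_certificate {
    cloudfront_default_certificate = false
    acm_certificate_arn            = aws_acm_certificate.cdn.arn # placeholder
    ssl_support_method             = "sni-only"
    minimum_protocol_version       = "TLSv1.2_2021" # passes AVD-AWS-0013
  }
}
```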
### Impact
Outdated SSL policies increase exposure to known vulnerabilities

<!-- DO NOT CHANGE -->
{{ remediationActions }}

### Links
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html

- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesGeneral