Why is this an issue?
This rule raises an issue when an insecure TLS protocol version (that is, any protocol other than "TLSv1.2", "TLSv1.3", "DTLSv1.2" or "DTLSv1.3") is
used or allowed.
It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions such as TLS 1.0 and TLS 1.1. Failure to do so opens the
door to downgrade attacks: an attacker who can intercept the connection can tamper with the handshake so that both sides settle on the weakest version they
still have in common, and then exploit the known weaknesses of that version. For the AWS services shown below, the setting is a server-side minimum: the
endpoint rejects any handshake below the configured version, whatever the client proposes.
In most cases, using the default system configuration is not compliant. Indeed, an application might get deployed on a wide range of systems with
different configurations. While using a system's default value might be safe on modern, up-to-date systems, this might not be the case on older
systems. It is therefore recommended to explicitly set a safe configuration in every case.
Noncompliant code example
For Amazon OpenSearch domains:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: "Policy-Min-TLS-1-0-2019-07" # Noncompliant
For Amazon API Gateway:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomApi:
    Type: AWS::ApiGateway::DomainName
    Properties:
      SecurityPolicy: "TLS_1_0" # Noncompliant

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomApi: # Noncompliant: no DomainNameConfigurations, so SecurityPolicy is left to the service default
    Type: AWS::ApiGatewayV2::DomainName
Compliant solution
For Amazon OpenSearch domains:

AWSTemplateFormatVersion: 2010-09-09
Resources:
  Example:
    Type: AWS::OpenSearchService::Domain
    Properties:
      DomainName: example
      DomainEndpointOptions:
        EnforceHTTPS: true
        TLSSecurityPolicy: "Policy-Min-TLS-1-2-2019-07"
For Amazon API Gateway:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomApi:
    Type: AWS::ApiGateway::DomainName
    Properties:
      SecurityPolicy: "TLS_1_2"

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CustomApi:
    Type: AWS::ApiGatewayV2::DomainName
    Properties:
      DomainNameConfigurations:
        - SecurityPolicy: "TLS_1_2"
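As an added check that is not part of this rule, of SonarQube or of any AWS tooling: a small standard-library-only Python linter that applies the three checks above (OpenSearch TLSSecurityPolicy, API Gateway SecurityPolicy, API Gateway V2 DomainNameConfigurations) to CloudFormation templates in their JSON form, and treats a missing setting as a finding, in line with the "do not rely on the default" point made earlier. The function names, the finding format and the two embedded sample templates (constructed here to mirror the noncompliant and compliant snippets) are assumptions of this example.

```python
"""Static check for weak TLS policies in CloudFormation templates.

Added example for this page, not AWS or SonarQube code. The checker, its
finding format and the sample templates are assumptions made here. Templates
are in CloudFormation's JSON form so that no YAML library is needed.
"""
import json

OPENSEARCH_OK_PREFIX = "Policy-Min-TLS-1-2"   # prefix match also accepts newer 1-2-* policies
APIGW_OK = {"TLS_1_2"}


def _literal(value):
    """Plain string or None: intrinsic functions ({"Fn::Sub": ...}) cannot be checked statically."""
    return value if isinstance(value, str) else None


def _check_opensearch(name, props):
    policy = (props.get("DomainEndpointOptions") or {}).get("TLSSecurityPolicy")
    if policy is None:
        return [f"{name}: TLSSecurityPolicy not set; the service default is relied upon"]
    if _literal(policy) is None:
        return [f"{name}: TLSSecurityPolicy is not a literal; verify it resolves to {OPENSEARCH_OK_PREFIX}*"]
    if not policy.startswith(OPENSEARCH_OK_PREFIX):
        return [f"{name}: TLSSecurityPolicy {policy!r} permits TLS versions below 1.2"]
    return []


def _check_policy_value(name, where, policy):
    """Shared logic for the API Gateway (v1 and v2) SecurityPolicy fields."""
    if policy is None:
        return [f"{name}: {where} not set; the service default is relied upon"]
    if _literal(policy) is None:
        return [f"{name}: {where} is not a literal; verify it resolves to TLS_1_2"]
    if policy not in APIGW_OK:
        return [f"{name}: {where} {policy!r} permits TLS versions below 1.2"]
    return []


def _check_apigw_v1(name, props):
    return _check_policy_value(name, "SecurityPolicy", props.get("SecurityPolicy"))


def _check_apigw_v2(name, props):
    configs = props.get("DomainNameConfigurations")
    if not configs:
        return [f"{name}: DomainNameConfigurations not set; the service default is relied upon"]
    findings = []
    for i, cfg in enumerate(configs):   # every configuration entry must be explicit
        where = f"DomainNameConfigurations[{i}].SecurityPolicy"
        findings += _check_policy_value(name, where, (cfg or {}).get("SecurityPolicy"))
    return findings


CHECKS = {
    "AWS::OpenSearchService::Domain": _check_opensearch,
    "AWS::Elasticsearch::Domain": _check_opensearch,   # legacy type, same property path
    "AWS::ApiGateway::DomainName": _check_apigw_v1,
    "AWS::ApiGatewayV2::DomainName": _check_apigw_v2,
}


def find_weak_tls(template):
    """Return finding strings for a parsed template (dict); other resource types are skipped."""
    findings = []
    for name, resource in (template.get("Resources") or {}).items():
        check = CHECKS.get((resource or {}).get("Type"))
        if check is not None:
            findings += check(name, resource.get("Properties") or {})
    return findings


def scan(template_text):
    """Parse a JSON-form template string and return its findings."""
    return find_weak_tls(json.loads(template_text))


# Constructed samples mirroring the noncompliant and compliant snippets on this page.
NONCOMPLIANT_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Search": {"Type": "AWS::OpenSearchService::Domain", "Properties": {
            "DomainName": "example",
            "DomainEndpointOptions": {"EnforceHTTPS": True,
                                      "TLSSecurityPolicy": "Policy-Min-TLS-1-0-2019-07"}}},
        "RestApiDomain": {"Type": "AWS::ApiGateway::DomainName",
                          "Properties": {"SecurityPolicy": "TLS_1_0"}},
        "HttpApiDomain": {"Type": "AWS::ApiGatewayV2::DomainName"},   # no Properties at all
        "Logs": {"Type": "AWS::S3::Bucket"},                          # unrelated type, skipped
    },
})

COMPLIANT_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "Search": {"Type": "AWS::OpenSearchService::Domain", "Properties": {
            "DomainName": "example",
            "DomainEndpointOptions": {"EnforceHTTPS": True,
                                      "TLSSecurityPolicy": "Policy-Min-TLS-1-2-2019-07"}}},
        "RestApiDomain": {"Type": "AWS::ApiGateway::DomainName",
                          "Properties": {"SecurityPolicy": "TLS_1_2"}},
        "HttpApiDomain": {"Type": "AWS::ApiGatewayV2::DomainName", "Properties": {
            "DomainNameConfigurations": [{"SecurityPolicy": "TLS_1_2"}]}},
    },
})

if __name__ == "__main__":
    for label, text in (("noncompliant", NONCOMPLIANT_TEMPLATE), ("compliant", COMPLIANT_TEMPLATE)):
        findings = scan(text)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Run as a script, the noncompliant sample yields three findings (one per TLS-capable resource, including the API Gateway V2 domain that simply omits the setting) and the compliant sample yields none. Two design choices worth noting: OpenSearch policies are accepted by the "Policy-Min-TLS-1-2" prefix rather than by an exact name, so later 1.2-minimum policies pass without editing the list, and a value that is an intrinsic function rather than a string literal is reported for manual review instead of being silently accepted.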
Resources