Non-Compliant CloudFront Distribution Using Default Domain Name

[bestickley]

Hi,
When I instantiate a default CloudFront distribution using the default domain name I see the error: [Error at /ss-stickb/ui/NextSite/Distribution/Distribution/Resource] AwsSolutions-CFR4: The CloudFront distribution allows for SSLv3 or TLSv1 for HTTPS viewer connections.. This is happening because of the line below:

cdk-nag/src/rules/cloudfront/CloudFrontDistributionHttpsViewerNoOutdatedSSL.ts

Line 23 in 16dacb9

if (viewerCertificate === undefined) {

Is this intended behavior? I would expect it to be secure behavior to use default CloudFront domain.

[dontirun]

Yes. The extended explanation on that rule has more information

Vulnerabilities have been and continue to be discovered in the deprecated SSL and TLS protocols. Help protect viewer connections by specifying a viewer certificate that enforces a minimum of TLSv1.1 or TLSv1.2 in the security policy. Distributions that use the default CloudFront viewer certificate or use 'vip' for the SslSupportMethod are non-compliant with this rule, as the minimum security policy is set to TLSv1 regardless of the specified MinimumProtocolVersion

[bestickley]

@dontirun, thank you for explaining. Where is the extended explanation?

[dontirun]

Enabling the verbose flag will show the extended explanations for all rules. They're also all listed on the
RULES file

Aspects.of(stack).add(new AwsSolutionsChecks({ verbose: true }));