Update aws-cloudfront-insecure-tls rule (#3705)

semgreg · web-flow · commit 885b51b43617 · 2025-10-30T08:27:12.000+01:00
This updates aws-cloudfront-insecure-tls rule
to account for the addition of aws cloudfront
support for TLSv1.2_2025 and TLSv1.3_2025
diff --git a/terraform/aws/security/aws-cloudfront-insecure-tls.yaml b/terraform/aws/security/aws-cloudfront-insecure-tls.yaml
@@ -39,11 +39,31 @@ rules:
         }
         ...
       }
+  - pattern-not-inside: |
+      resource "aws_cloudfront_distribution" $ANYTHING {
+        ...
+        viewer_certificate {
+          ...
+          minimum_protocol_version = "TLSv1.2_2025"
+          ...
+        }
+        ...
+      }
+  - pattern-not-inside: |
+      resource "aws_cloudfront_distribution" $ANYTHING {
+        ...
+        viewer_certificate {
+          ...
+          minimum_protocol_version = "TLSv1.3_2025"
+          ...
+        }
+        ...
+      }
   message: >-
     Detected an AWS CloudFront Distribution with an insecure TLS version.
     TLS versions less than 1.2 are considered insecure because they
     can be broken. To fix this, set your `minimum_protocol_version` to
-    `"TLSv1.2_2018", "TLSv1.2_2019" or "TLSv1.2_2021"`.
+    `"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021", "TLSv1.2_2025" or "TLSv1.3_2025"`.
   metadata:
     category: security
     technology:
