feat(misconf): Improve AVD-AWS-0126 behavior when cloudfront_default_certificate is set to true #5197

Closed
2 tasks
simar7 opened this issue Sep 15, 2023 Discussed in #5192 · 0 comments · Fixed by aquasecurity/trivy-iac#52
Labels
kind/feature Categorizes issue or PR as related to a new feature. scan/misconfiguration Issues relating to misconfiguration scanning


simar7 commented Sep 15, 2023

Discussed in #5192

Originally posted by obounaim September 14, 2023

Description

The Trivy IaC scanner reports a HIGH severity finding suggesting my AWS CloudFront distribution allows unencrypted communications due to outdated SSL policies when using the default CloudFront SSL/TLS certificate.

Desired Behavior

According to the Terraform documentation, when cloudfront_default_certificate is set to true, the argument minimum_protocol_version is not supported.

Actual Behavior

The title of the finding is "HIGH: Distribution allows unencrypted communications". However, the links and code snippet refer to "CloudFront distribution uses outdated SSL/TLS protocols".

Reproduction Steps

1. Create an AWS CloudFront distribution resource in Terraform with the viewer_certificate block set to cloudfront_default_certificate = true.
2. Run the trivy IaC scanner.
3. Terraform code:

resource "aws_cloudfront_distribution" "this" {
  origin {
    domain_name = var.backend_domain_name
    origin_id   = "my_backend"

    custom_origin_config {
      http_port              = "80"
      https_port             = "443"
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  enabled         = true
  is_ipv6_enabled = true

  price_class = "PriceClass_100"

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD", "OPTIONS"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "my_backend"

    viewer_protocol_policy = "redirect-to-https"
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
      locations        = []
    }
  }

  custom_error_response {
    error_code         = 403
    response_code      = 200
    response_page_path = "/index.html"
  }
}

Target

AWS

Scanner

Misconfiguration

Output Format

None

Mode

None

Debug Output

────────────────────────────────────────
HIGH: Distribution allows unencrypted communications.
════════════════════════════════════════
You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
		
Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). 
If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. 
The only option when using the cloudfront.net domain name is to ignore this rule.
See https://avd.aquasec.com/misconfig/avd-aws-0013
────────────────────────────────────────
 ../common/backend_cloudfront.tf:20-22
   via ../common/backend_cloudfront.tf:1-45 (aws_cloudfront_distribution.this)
    via main.tf:34-44 (module.common)
────────────────────────────────────────
   1   resource "aws_cloudfront_distribution" "this" {
   .   
  20 ┌   viewer_certificate {
  21 │     cloudfront_default_certificate = true
  22 └   }
  ..   
  45   }

Operating System

Linux

Version

0.45.0

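The check behaviour the issue asks for, as an added Go example that is not trivy-iac's own code: the ViewerCertificate model, the set of TLS 1.2 policies and the message text are assumptions. The evaluation stays silent whenever cloudfront_default_certificate is true, since that setting pins the policy to TLSv1 and minimum_protocol_version cannot be changed, and otherwise treats an omitted minimum_protocol_version as the AWS default TLSv1.

```go
package main

import "fmt"

// ViewerCertificate models the two viewer_certificate arguments the check
// needs (hypothetical model, not trivy-iac's own types).
type ViewerCertificate struct {
	CloudfrontDefaultCertificate bool
	MinimumProtocolVersion       string // "" when the argument is omitted
}

// Finding is the result an improved AVD-AWS-0126 would emit.
type Finding struct{ Severity, Message string }

// CloudFront security policies that enforce TLS 1.2 or newer.
var tls12Policies = map[string]bool{
	"TLSv1.2_2018": true, "TLSv1.2_2019": true, "TLSv1.2_2021": true,
}

// EvaluateTLSPolicy applies the behaviour the issue asks for: with the
// default *.cloudfront.net certificate the API pins the policy to TLSv1 and
// minimum_protocol_version cannot be changed, so the outdated-TLS result is
// not actionable and no finding is returned. For custom certificates an
// omitted argument means the AWS default TLSv1, which is flagged.
func EvaluateTLSPolicy(vc ViewerCertificate) *Finding {
	if vc.CloudfrontDefaultCertificate {
		return nil
	}
	policy := vc.MinimumProtocolVersion
	if policy == "" {
		policy = "TLSv1" // AWS default when the argument is omitted
	}
	if tls12Policies[policy] {
		return nil
	}
	return &Finding{"HIGH", fmt.Sprintf("CloudFront distribution uses outdated "+
		"SSL/TLS protocols (minimum_protocol_version = %q); set TLSv1.2_2021", policy)}
}

func main() {
	// Constructed inputs: the issue's block, then an outdated and a compliant custom-cert policy.
	for _, vc := range []ViewerCertificate{{CloudfrontDefaultCertificate: true},
		{MinimumProtocolVersion: "TLSv1"}, {MinimumProtocolVersion: "TLSv1.2_2021"}} {
		fmt.Printf("%+v -> %v\n", vc, EvaluateTLSPolicy(vc))
	}
}
```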

@simar7 simar7 added the kind/feature and scan/misconfiguration labels on Sep 15, 2023
@simar7 simar7 changed the title from "fix(misconf): Improve AVD-AWS-0126 behavior when cloudfront_default_certificate is set to true" to "feat(misconf): Improve AVD-AWS-0126 behavior when cloudfront_default_certificate is set to true" on Sep 15, 2023
@nikpivkin nikpivkin self-assigned this Nov 14, 2023