Posted On: Jun 23, 2021

Amazon CloudFront now provides a new security policy, TLSv1.2_2021, which removes the following CBC-based ciphers:

  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384

The updated TLSv1.2_2021 policy supports the following six ciphers:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305

Security policies determine the SSL/TLS protocol versions that CloudFront uses to communicate with viewers, and the ciphers that CloudFront can use to encrypt content sent to end users. The TLSv1.2_2021 policy sets the minimum negotiated Transport Layer Security (TLS) version to 1.2 and supports the six ciphers listed above. You can update your CloudFront distribution configuration to use this new security policy by using the AWS Management Console, the Amazon CloudFront APIs, or AWS CloudFormation. To learn more about CloudFront security policies, refer to the CloudFront Developer Guide.
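The following script is an added example, not code from AWS or from this announcement, showing how a defender can check what a distribution actually negotiates against the TLSv1.2_2021 policy described above. The cipher and protocol tables are copied from the lists on this page; the function names (`classify`, `is_compliant`, `probe`, `cbc_rejected`) and the `example.cloudfront.net` hostname are assumptions made for the example. It uses only the Python standard library, and the `classify` check runs fully offline.

```python
"""Check a negotiated TLS session against CloudFront's TLSv1.2_2021 security policy.

Added example (not AWS code). Function names and the sample hostname are assumptions.
"""
import socket
import ssl
from typing import Tuple

# Cipher suites permitted by the TLSv1.2_2021 policy, as listed in the announcement.
# TLS 1.3 suites use their IANA names; TLS 1.2 suites use OpenSSL names, which is
# also what ssl.SSLSocket.cipher() reports.
TLSV1_2_2021_CIPHERS = frozenset({
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
})

# CBC suites the 2021 policy removed (they were allowed under earlier policies).
REMOVED_CBC_CIPHERS = frozenset({
    "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384",
})

# Protocol ordering so that "minimum version 1.2" can be compared.
_VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
MIN_PROTOCOL = "TLSv1.2"


def classify(protocol: str, cipher: str) -> str:
    """Explain how a (protocol, cipher) pair relates to the TLSv1.2_2021 policy.

    Returns one of: "ok", "protocol-below-minimum", "removed-cbc", "not-in-policy".
    The protocol check comes first: a CBC suite over TLS 1.1 is reported as a
    protocol problem, since the policy would never reach cipher selection there.
    """
    rank = _VERSION_RANK.get(protocol, -1)
    if rank < _VERSION_RANK[MIN_PROTOCOL]:
        return "protocol-below-minimum"
    if cipher in TLSV1_2_2021_CIPHERS:
        return "ok"
    if cipher in REMOVED_CBC_CIPHERS:
        return "removed-cbc"
    return "not-in-policy"


def is_compliant(protocol: str, cipher: str) -> bool:
    """True if the pair is something CloudFront could negotiate under TLSv1.2_2021."""
    return classify(protocol, cipher) == "ok"


def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Complete a handshake with default client settings and return (protocol, cipher).

    This reports one negotiation only: what the server picked given this client's
    offer. It does not prove that weaker suites are refused; see cbc_rejected().
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            name, _proto, _bits = tls.cipher()
            return tls.version(), name


def cbc_rejected(hostname: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server refuses a handshake that offers only the removed CBC suites.

    The client is pinned to TLS 1.2 and to the two CBC suites; under TLSv1.2_2021
    the handshake should fail, so an SSLError here is the expected, good outcome.
    """
    ctx = ssl.create_default_context()
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(sorted(REMOVED_CBC_CIPHERS)))
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return False  # handshake succeeded: a CBC suite is still accepted
        except ssl.SSLError:
            return True


if __name__ == "__main__":
    host = "example.cloudfront.net"  # assumed placeholder; use your distribution's domain
    proto, suite = probe(host)
    print(host, proto, suite, classify(proto, suite))
    print("CBC suites refused:", cbc_rejected(host))
```

In CloudFormation the policy itself is set with the `MinimumProtocolVersion` property of the distribution's `ViewerCertificate`; after deploying, running `probe` and `cbc_rejected` against the distribution domain confirms that the change took effect rather than trusting the configuration alone. Note that `cbc_rejected` depends on the local OpenSSL build still supporting the two CBC suites; if `set_ciphers` raises because neither is available locally, the check cannot be run from that host.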