Which security protocols and ciphers does CloudFront support?

Last updated: 2022-06-10

For detailed information on supported cipher and protocol versions, see Supported protocols and ciphers between viewers and CloudFront.

The configuration of each protocol version depends on the security policy that's selected. Security policies are pre-made. Specific ciphers suites cannot be added or removed from the security policy that you select. For more information, see Requirements for using SSL/TLS certificates with CloudFront.

It's a best practice to use the most secure policy: TLSv1.2_2021. CloudFront attempts to establish the most secure connection. However, the level of security depends on the ciphers and protocols supported by the end user or client.

Additionally, a security policy is selected only if a custom SSL certificate is used. If using the default SSL certificate, then the distribution defaults to TLSv1 as its security policy. For more information, see Security Policy.

Note: CloudFront uses s2n-tls for Transport Layer Security (TLS) implementation. CloudFront supports TLS versions 1.0, 1.1, 1.2, and 1.3. By default, TLS version 1.3 is enabled on all CloudFront distributions.