Posted On: Sep 27, 2017
Starting today, you can further improve the security of your web applications on Amazon CloudFront by selecting a pre-defined security policy that enforces TLS version 1.1 or 1.2 as the minimum protocol version. For the security policy you select, Amazon CloudFront automatically chooses the cipher suite it uses to encrypt your content before returning it to viewers over HTTPS. For instance, if you select the security policy that enforces TLS version 1.1, weak ciphers such as RC4 and 3DES are automatically excluded. This feature is available when you use custom SSL certificates to serve HTTPS requests using SNI.
All existing CloudFront distributions that are configured to use custom SSL certificates and to serve HTTPS requests using SNI will default to use TLS version 1.0 and all supported ciphers except RC4. You can choose to change the security policy for these distributions via the CloudFront console or API. Note that this feature applies to the SSL handshake for viewer connections to CloudFront. Customers already had the ability to specify minimum TLS version 1.1 or 1.2 for the handshake between CloudFront and their custom origins.
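Because existing SNI distributions with custom certificates stay at the TLS 1.0 default, a practitioner will want to find them and raise the policy. The following is an added example, not AWS code: it audits the `ViewerCertificate` block of distribution configs (the shape `GetDistributionConfig` returns) and produces a hardened copy. The sample configs are constructed, and the mapping of `MinimumProtocolVersion` policy names to the TLS version they enforce is this example's assumption, based on the names the CloudFront API defines rather than anything on this page.

```python
# Minimum protocol each CloudFront security policy enforces (assumed mapping,
# based on the MinimumProtocolVersion values the CloudFront API defines).
POLICY_MIN_TLS = {
    "SSLv3": "SSL 3.0",
    "TLSv1": "TLS 1.0",
    "TLSv1_2016": "TLS 1.0",      # TLS 1.0 minimum, but drops RC4
    "TLSv1.1_2016": "TLS 1.1",
    "TLSv1.2_2018": "TLS 1.2",
}
# Protocol versions from weakest to strongest, used for comparisons.
ORDER = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]

# Constructed sample: three distributions, keyed by a placeholder distribution id.
SAMPLE_CONFIGS = {
    "EXAMPLE1": {"ViewerCertificate": {  # custom ACM cert + SNI, left at the default
        "CloudFrontDefaultCertificate": False,
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/PLACEHOLDER",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1"}},
    "EXAMPLE2": {"ViewerCertificate": {  # custom IAM cert + SNI, already at TLS 1.1
        "CloudFrontDefaultCertificate": False, "IAMCertificateId": "PLACEHOLDERID",
        "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.1_2016"}},
    "EXAMPLE3": {"ViewerCertificate": {  # default *.cloudfront.net cert: feature does not apply
        "CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"}},
}


def uses_custom_cert_sni(vc):
    """True when the viewer certificate is a custom cert served via SNI."""
    has_custom = bool(vc.get("ACMCertificateArn") or vc.get("IAMCertificateId"))
    return (not vc.get("CloudFrontDefaultCertificate")) and has_custom \
        and vc.get("SSLSupportMethod") == "sni-only"


def noncompliant(configs, required="TLS 1.1"):
    """Return {distribution_id: current_policy} for every custom-cert/SNI
    distribution whose policy permits a protocol older than `required`.
    Unknown policy names are flagged conservatively."""
    findings = {}
    for dist_id, cfg in configs.items():
        vc = cfg["ViewerCertificate"]
        if not uses_custom_cert_sni(vc):
            continue
        policy = vc.get("MinimumProtocolVersion", "TLSv1")  # TLSv1 is the default
        min_tls = POLICY_MIN_TLS.get(policy)
        if min_tls is None or ORDER.index(min_tls) < ORDER.index(required):
            findings[dist_id] = policy
    return findings


def harden(cfg, policy="TLSv1.1_2016"):
    """Return a copy of the config with the security policy raised, when applicable."""
    vc = dict(cfg["ViewerCertificate"])
    if uses_custom_cert_sni(vc):
        vc["MinimumProtocolVersion"] = policy
    return {**cfg, "ViewerCertificate": vc}
```

In practice the input dicts come from `aws cloudfront get-distribution-config` and the hardened config goes back through `update-distribution`, passing the returned ETag as `IfMatch`.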
There is no additional fee for this feature. For more information about the security policies that enforce the minimum TLS versions and their associated cipher suites, please see the CloudFront documentation.