Posted On: Jun 23, 2021

Amazon CloudFront now provides a new security policy, TLSv1.2_2021 which removes the following CBC based ciphers:


The updated TLSv1.2_2021 policy supports the following six ciphers:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

Security policies determine the SSL/TLS protocol that CloudFront uses to communicate with viewers, and the available ciphers that CloudFront can use to encrypt content sent to end users. The TLSv1.2_2021 policy sets the minimum negotiated Transport Layer Security (TLS) version to 1.2 and supports the six ciphers listed above. You can update your CloudFront distribution configuration to use this new security policy by using the AWS Management Console, Amazon CloudFront APIs, or AWS CloudFormation. To learn more about CloudFront security policies refer to the CloudFront Developer Guide.