Secure ciphers are not used in CloudFront distribution

[frediana]

• terrascan version: version: v1.5.0
• Operating System: Mac OS

Description

I have a terraform code, creating an AWS Cloudfront resource, configured as this:

resource "aws_cloudfront_distribution" "foo" {
...
  viewer_certificate {
    cloudfront_default_certificate = false
    acm_certificate_arn            = var.my_certificate
    minimum_protocol_version       = "TLSv1.2_2019"
    ssl_support_method             = "sni-only"
  }
...
}

What I Did

Terrascan is not happy:

Violation Details -

	Description    :	Secure ciphers are not used in CloudFront distribution
	File           :	../../front/cdn.tf
	Line           :	6
	Severity       :	HIGH

I think this should not be raised.

By reading the definition of this rule here: https://github.com/accurics/terrascan/blob/585edcc99942032e8f0ae8f280fcbea1a6aac0ab/pkg/runtime/testdata/testpolicies/aws_cloudfront_distribution/cloudfrontNoSecureCiphers.rego

I can see it's expected to have minimum_protocol_version strictly equal to TLSv1.2 or TLSv1.1.

To me this should be more something like minimum_protocol_version should start with TLSv1.2 or TLSv1.1.

See https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html#secure-connections-supported-ciphers for the supported list.

If the issue is confirmed, I would be happy to contribute.

Adrien

[harkirat22]

@frediana yes you are absolutely right. Please, go ahead and submit your contribution. Thanks