aws/aws-cdk

aws-cloudfront: minimumProtocolVersion setting should not be allowed without custom SSL/TLS certificate

Open

#35404 opened on Sep 3, 2025

Labels: @aws-cdk/aws-cloudfront, bug, effort/small, good first issue, p1

Description

Describe the feature

AWS CDK allows deploying a CloudFront distribution with the following structure:

import { Distribution, SecurityPolicyProtocol, SSLMethod, ViewerProtocolPolicy } from 'aws-cdk-lib/aws-cloudfront';

// s3Origin (an S3 origin) and webAcl (a WAF web ACL) are created earlier in the stack.
new Distribution(this, 'Distribution', {
  defaultBehavior: {
    origin: s3Origin,
    viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  },
  defaultRootObject: 'index.html',
  sslSupportMethod: SSLMethod.SNI,
  minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2021, // no `certificate` is set
  webAclId: webAcl.attrArn,
});

However, minimumProtocolVersion is a setting that is ignored by CloudFront, as it only allows the Security Policy Protocol to be set if a custom SSL/TLS certificate is used (otherwise it will default to TLSv1 despite what has been set in the CDK app). This information is missing from the AWS CDK documentation, and very difficult to find in the CloudFront documentation.

Use Case

Since AWS CDK did not give any warning or error, nor informed me in the documentation, I was led to believe that my CloudFront distribution was using TLS 1.2 as its minimum accepted protocol. A scan then revealed that was actually not the case, and that it was accepting TLS 1.0 and TLS 1.1 as well.

Proposed Solution

This setting should not be allowed to be defined without a custom SSL/TLS certificate. On cdk synth, an error should appear, informing the developer that if minimumProtocolVersion is set, certificate is also required to be set. This information should be included in the documentation as well.

Other Information

Documentation about the issue:

AWS CDK CloudFront Distribution class

AWS CDK CloudFront Security Policy Protocol enum

CloudFront Security Policy

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

2.214.0

AWS CDK CLI version

2.1027.0

Environment details (OS name and version, etc.)

KDE neon 6.0
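As an added example, not part of this issue or the aws-cdk code base: a pre-synth guard that implements the validation the issue asks for. It uses a small structural type with the same property names as CDK's DistributionProps (`certificate`, `minimumProtocolVersion`, `sslSupportMethod`) so it runs without aws-cdk-lib; the string values are the ones behind CDK's SecurityPolicyProtocol and SSLMethod enums.

```typescript
// Stand-in for the DistributionProps fields the check needs (assumed shape, not aws-cdk-lib).
interface ViewerTlsProps {
  certificate?: { certificateArn: string }; // acm.ICertificate in CDK
  minimumProtocolVersion?: string;          // SecurityPolicyProtocol value
  sslSupportMethod?: string;                // SSLMethod value
}

interface Finding { level: 'error' | 'warning'; message: string }

// Security policies that still accept TLS 1.0/1.1 (CloudFront/CDK enum strings).
const LEGACY_POLICIES = new Set(['SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016']);

// Reports viewer TLS settings that CloudFront would ignore, or that weaken the policy.
function validateViewerTls(id: string, props: ViewerTlsProps): Finding[] {
  const findings: Finding[] = [];
  const hasCustomCert = props.certificate !== undefined;

  // The issue's case: minimumProtocolVersion only takes effect with a custom certificate.
  if (!hasCustomCert && props.minimumProtocolVersion !== undefined) {
    findings.push({
      level: 'error',
      message: `${id}: minimumProtocolVersion is ignored without a custom SSL/TLS certificate; ` +
        'the default CloudFront certificate uses the default security policy. Set certificate as well.',
    });
  }
  // sslSupportMethod is likewise only meaningful with a custom certificate.
  if (!hasCustomCert && props.sslSupportMethod !== undefined) {
    findings.push({ level: 'warning', message: `${id}: sslSupportMethod only applies with a custom certificate.` });
  }
  // With a certificate, still flag policies that admit TLS 1.0/1.1.
  if (hasCustomCert && props.minimumProtocolVersion !== undefined && LEGACY_POLICIES.has(props.minimumProtocolVersion)) {
    findings.push({ level: 'warning', message: `${id}: ${props.minimumProtocolVersion} still accepts TLS 1.0/1.1; prefer TLSv1.2_2021.` });
  }
  return findings;
}

// Call before `new Distribution(id, props)`: fails synth on any error-level finding.
function assertViewerTls(id: string, props: ViewerTlsProps): void {
  const errors = validateViewerTls(id, props).filter(f => f.level === 'error');
  if (errors.length > 0) throw new Error(errors.map(f => f.message).join('\n'));
}

// The props from the issue (no certificate): produces one error and one warning.
const report = validateViewerTls('Distribution', {
  sslSupportMethod: 'sni-only',           // SSLMethod.SNI
  minimumProtocolVersion: 'TLSv1.2_2021', // SecurityPolicyProtocol.TLS_V1_2_2021
});
report.forEach(f => console.log(`[${f.level}] ${f.message}`));
```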
