aws-cloudfront: minimumProtocolVersion setting should not be allowed without custom SSL/TLS certificate

[bruniela]

Describe the feature

AWS CDK allows to deploy a CloudFront distribution with the following structure:

new Distribution(this, 'Distribution', {
  defaultBehavior: {
      origin: s3Origin,
      viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  },
  defaultRootObject: 'index.html',
  sslSupportMethod: SSLMethod.SNI,
  minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2021,
  webAclId: webAcl.attrArn
});

However, minimumProtocolVersion is a setting that is ignored by CloudFront, as it only allows to set the Security Policy Protocol if a custom SSL/TLS certificate is used (otherwise it will default to TLSv1 despite what has been set in the CDK app). This information is missing from the AWS CDK documentation, and very difficult to find on the CloudFront documentation.

Use Case

Since AWS CDK did not give any warning or error, nor informed me in documentation, I was led to believe that my CloudFront distribution was using TLS 1.2 as its minimum accepted protocol. A scan then revealed that was actually not the case, and that is was accepting TLS 1.0 and TLS 1.1 as well.

Proposed Solution

This setting should not be allowed to be defined without a custom SSL/TLS certificate. On cdk synth, an error should appear, informing the developer that if minimumProtocolVersion is set, certificate is also required to be set. This information should be included in the documentation as well.

Other Information

Documentation about the issue:

AWS CDK CloudFront Distribution class

AWS CDK CloudFront Security Policy Protocol enum

CloudFront Security Policy

Acknowledgements

• I may be able to implement this feature request
• This feature might incur a breaking change

AWS CDK Library version (aws-cdk-lib)

2.214.0

AWS CDK CLI version

2.1027.0

Environment details (OS name and version, etc.)

KDE neon 6.0

[pahud]

Current vs Expected Behavior

Current Behavior:

new Distribution(this, 'Distribution', {
  defaultBehavior: {
      origin: s3Origin,
      viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
  },
  defaultRootObject: 'index.html',
  sslSupportMethod: SSLMethod.SNI,
  minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2021, // This is silently ignored
});

The CDK allows this configuration without error, but the generated CloudFormation template has ViewerCertificate: undefined, meaning CloudFront uses its default certificate and ignores the
minimumProtocolVersion setting.

Expected Behavior:

flowchart TD
    A["User sets minimumProtocolVersion"] --> B{"Certificate provided?"}
    B -->|No| C["CDK throws validation error"]
    B -->|Yes| D["CDK allows configuration"]
    C --> E["User must provide certificate"]
    D --> F["minimumProtocolVersion is effective"]
    E --> D

Loading

✅ Successfully reproduced. My reproduction confirms that:

1. CDK allows setting minimumProtocolVersion without a certificate
2. The generated CloudFormation template omits the ViewerCertificate section entirely
3. This means the minimumProtocolVersion setting is effectively ignored by CloudFront

Root Cause Analysis

Looking at the source code in packages/aws-cdk-lib/aws-cloudfront/lib/distribution.ts, the issue is in the constructor logic:

viewerCertificate: this.certificate ? this.renderViewerCertificate(this.certificate,
  props.minimumProtocolVersion, props.sslSupportMethod) : undefined,

The renderViewerCertificate method is only called when this.certificate exists. When no certificate is provided, the entire viewerCertificate property is set to undefined, which means any
minimumProtocolVersion or sslSupportMethod settings are ignored.

Document Evidence

• AWS CDK CloudFront Distribution class
• AWS CDK CloudFront Security Policy Protocol enum
• CloudFront Security Policy Documentation

Possible Fixes/Solutions

1. Add validation in the Distribution constructor to throw an error when minimumProtocolVersion is set without a certificate
2. Add validation for sslSupportMethod as well, since it has the same issue
3. Improve documentation to clearly state the dependency between these properties and certificates
4. Add a warning instead of an error for backward compatibility, similar to the existing domain names warning

---

Hi @bruniela,

Thank you for reporting this important security-related issue. You're absolutely correct that this behavior can be misleading and potentially create security vulnerabilities.

I've confirmed that the CDK currently allows setting minimumProtocolVersion without a custom certificate, but CloudFront silently ignores this setting when using the default certificate. This creates a false sense of security as developers might believe their distribution enforces TLS 1.2+ when it actually accepts TLS 1.0+.

The root cause is in the Distribution constructor where the viewerCertificate property is only set when a certificate is provided. When no certificate is specified, the entire ViewerCertificate section is omitted from the CloudFormation template, causing CloudFront to ignore any minimumProtocolVersion or sslSupportMethod settings.

Proposed Solution:
Add validation in the Distribution constructor to throw an error when minimumProtocolVersion or sslSupportMethod are specified without a certificate, similar to existing validations in the codebase.

This would be a breaking change, so we should consider:

1. Adding this validation behind a feature flag initially
2. Providing clear error messages that guide users to provide a certificate
3. Updating documentation to clarify this dependency

Would you be interested in contributing a pull request for this fix? The implementation would involve adding validation logic in the Distribution constructor and corresponding unit tests.

This is an excellent catch that will help prevent security misconfigurations. Thank you for bringing this to our attention!

[kaizencc]

Hi @bruniela thanks for the report. We will pick this one up