feat(cloudfront): use TLS_V1_2_2021 SecurityPolicy as default version (under feature flag)

packages/@aws-cdk/aws-cloudfront/README.md

@@ -95,7 +95,7 @@ your domain name, and provide one (or more) domain names from the certificate fo
 
 The certificate must be present in the AWS Certificate Manager (ACM) service in the US East (N. Virginia) region; the certificate
 may either be created by ACM, or created elsewhere and imported into ACM. When a certificate is used, the distribution will support HTTPS connections
-from SNI only and a minimum protocol version of TLSv1.2_2019.
+from SNI only and a minimum protocol version of TLSv1.2_2021 if the '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set, and TLSv1.2_2019 otherwise. 
 
 ```ts
 const myCertificate = new acm.DnsValidatedCertificate(this, 'mySiteCert', {

packages/@aws-cdk/aws-cloudfront/lib/distribution.ts

@@ -1,7 +1,8 @@
 import * as acm from '@aws-cdk/aws-certificatemanager';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as s3 from '@aws-cdk/aws-s3';
-import { IResource, Lazy, Resource, Stack, Token, Duration, Names } from '@aws-cdk/core';
+import { IResource, Lazy, Resource, Stack, Token, Duration, Names, FeatureFlags } from '@aws-cdk/core';
+import { CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021 } from '@aws-cdk/cx-api';
 import { Construct } from 'constructs';
 import { ICachePolicy } from './cache-policy';
 import { CfnDistribution } from './cloudfront.generated';
@@ -215,7 +216,7 @@ export interface DistributionProps {
     * CloudFront serves your objects only to browsers or devices that support at
     * least the SSL version that you specify.
     *
-    * @default SecurityPolicyProtocol.TLS_V1_2_2019
+    * @default - SecurityPolicyProtocol.TLS_V1_2_2021 if the '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021' feature flag is set; otherwise, SecurityPolicyProtocol.TLS_V1_2_2019.
     */
   readonly minimumProtocolVersion?: SecurityPolicyProtocol;
 }
@@ -446,7 +447,12 @@ export class Distribution extends Resource implements IDistribution {
   }
 
   private renderViewerCertificate(certificate: acm.ICertificate,
-    minimumProtocolVersion: SecurityPolicyProtocol = SecurityPolicyProtocol.TLS_V1_2_2019): CfnDistribution.ViewerCertificateProperty {
+    minimumProtocolVersionProp?: SecurityPolicyProtocol): CfnDistribution.ViewerCertificateProperty {
+
+    const defaultVersion = FeatureFlags.of(this).isEnabled(CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021)
+      ? SecurityPolicyProtocol.TLS_V1_2_2021 : SecurityPolicyProtocol.TLS_V1_2_2019;
+    const minimumProtocolVersion = minimumProtocolVersionProp ?? defaultVersion;
+
     return {
       acmCertificateArn: certificate.certificateArn,
       sslSupportMethod: SSLMethod.SNI,
@@ -531,7 +537,8 @@ export enum SecurityPolicyProtocol {
   TLS_V1_2016 = 'TLSv1_2016',
   TLS_V1_1_2016 = 'TLSv1.1_2016',
   TLS_V1_2_2018 = 'TLSv1.2_2018',
-  TLS_V1_2_2019 = 'TLSv1.2_2019'
+  TLS_V1_2_2019 = 'TLSv1.2_2019',
+  TLS_V1_2_2021 = 'TLSv1.2_2021'
 }
 
 /**

packages/@aws-cdk/aws-cloudfront/lib/web-distribution.ts

@@ -800,7 +800,7 @@ export class CloudFrontWebDistribution extends cdk.Resource implements IDistribu
     [SSLMethod.SNI]: [
       SecurityPolicyProtocol.TLS_V1, SecurityPolicyProtocol.TLS_V1_1_2016,
       SecurityPolicyProtocol.TLS_V1_2016, SecurityPolicyProtocol.TLS_V1_2_2018,
-      SecurityPolicyProtocol.TLS_V1_2_2019,
+      SecurityPolicyProtocol.TLS_V1_2_2019, SecurityPolicyProtocol.TLS_V1_2_2021,
     ],
     [SSLMethod.VIP]: [SecurityPolicyProtocol.SSL_V3, SecurityPolicyProtocol.TLS_V1],
   };

packages/@aws-cdk/aws-cloudfront/package.json

@@ -85,6 +85,7 @@
   "dependencies": {
     "@aws-cdk/aws-certificatemanager": "0.0.0",
     "@aws-cdk/aws-cloudwatch": "0.0.0",
+    "@aws-cdk/cx-api": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-kms": "0.0.0",
@@ -98,6 +99,7 @@
   "peerDependencies": {
     "@aws-cdk/aws-certificatemanager": "0.0.0",
     "@aws-cdk/aws-cloudwatch": "0.0.0",
+    "@aws-cdk/cx-api": "0.0.0",
     "@aws-cdk/aws-ec2": "0.0.0",
     "@aws-cdk/aws-iam": "0.0.0",
     "@aws-cdk/aws-kms": "0.0.0",
@@ -147,6 +149,7 @@
       "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_1_2016",
       "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2018",
       "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2019",
+      "docs-public-apis:@aws-cdk/aws-cloudfront.SecurityPolicyProtocol.TLS_V1_2_2021",
       "docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificate.aliases",
       "docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificate.props",
       "docs-public-apis:@aws-cdk/aws-cloudfront.ViewerCertificateOptions",

packages/@aws-cdk/aws-cloudfront/test/distribution.test.ts

@@ -4,7 +4,21 @@ import * as acm from '@aws-cdk/aws-certificatemanager';
 import * as lambda from '@aws-cdk/aws-lambda';
 import * as s3 from '@aws-cdk/aws-s3';
 import { App, Duration, Stack } from '@aws-cdk/core';
-import { CfnDistribution, Distribution, Function, FunctionCode, FunctionEventType, GeoRestriction, HttpVersion, IOrigin, LambdaEdgeEventType, PriceClass, SecurityPolicyProtocol } from '../lib';
+import { CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021 } from '@aws-cdk/cx-api';
+import { testFutureBehavior, testLegacyBehavior } from 'cdk-build-tools/lib/feature-flag';
+import {
+  CfnDistribution,
+  Distribution,
+  Function,
+  FunctionCode,
+  FunctionEventType,
+  GeoRestriction,
+  HttpVersion,
+  IOrigin,
+  LambdaEdgeEventType,
+  PriceClass,
+  SecurityPolicyProtocol,
+} from '../lib';
 import { defaultOrigin, defaultOriginGroup } from './test-origin';
 
 let app: App;
@@ -60,6 +74,7 @@ test('exhaustive example of props renders correctly', () => {
     httpVersion: HttpVersion.HTTP1_1,
     logFilePrefix: 'logs/',
     logIncludesCookies: true,
+    minimumProtocolVersion: SecurityPolicyProtocol.TLS_V1_2_2019,
     priceClass: PriceClass.PRICE_CLASS_100,
     webAclId: '473e64fd-f30b-4765-81a0-62ad96dd167a',
   });
@@ -328,25 +343,61 @@ describe('certificates', () => {
     }).toThrow(/Must specify at least one domain name/);
   });
 
-  test('adding a certificate and domain renders the correct ViewerCertificate and Aliases property', () => {
-    const certificate = acm.Certificate.fromCertificateArn(stack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
-
-    new Distribution(stack, 'Dist', {
-      defaultBehavior: { origin: defaultOrigin() },
-      domainNames: ['example.com', 'www.example.com'],
-      certificate,
-    });
-
-    expect(stack).toHaveResourceLike('AWS::CloudFront::Distribution', {
-      DistributionConfig: {
-        Aliases: ['example.com', 'www.example.com'],
-        ViewerCertificate: {
-          AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
-          SslSupportMethod: 'sni-only',
-          MinimumProtocolVersion: 'TLSv1.2_2019',
-        },
+  describe('adding a certificate and domain renders the correct ViewerCertificate and Aliases property', () => {
+    testFutureBehavior(
+      'when @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 is enabled, use the TLSv1.2_2021 security policy by default',
+      { [CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: true },
+      App,
+      (customApp) => {
+        const customStack = new Stack(customApp);
+
+        const certificate = acm.Certificate.fromCertificateArn(customStack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
+
+        new Distribution(customStack, 'Dist', {
+          defaultBehavior: { origin: defaultOrigin() },
+          domainNames: ['example.com', 'www.example.com'],
+          certificate,
+        });
+
+        expect(customStack).toHaveResourceLike('AWS::CloudFront::Distribution', {
+          DistributionConfig: {
+            Aliases: ['example.com', 'www.example.com'],
+            ViewerCertificate: {
+              AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
+              SslSupportMethod: 'sni-only',
+              MinimumProtocolVersion: 'TLSv1.2_2021',
+            },
+          },
+        });
+      },
+    );
+
+    testLegacyBehavior(
+      'when @aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021 is disabled, use the TLSv1.2_2019 security policy by default',
+      App,
+      (customApp) => {
+        const customStack = new Stack(customApp);
+
+        const certificate = acm.Certificate.fromCertificateArn(customStack, 'Cert', 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012');
+
+        new Distribution(customStack, 'Dist', {
+          defaultBehavior: { origin: defaultOrigin() },
+          domainNames: ['example.com', 'www.example.com'],
+          certificate,
+        });
+
+        expect(customStack).toHaveResourceLike('AWS::CloudFront::Distribution', {
+          DistributionConfig: {
+            Aliases: ['example.com', 'www.example.com'],
+            ViewerCertificate: {
+              AcmCertificateArn: 'arn:aws:acm:us-east-1:123456789012:certificate/12345678-1234-1234-1234-123456789012',
+              SslSupportMethod: 'sni-only',
+              MinimumProtocolVersion: 'TLSv1.2_2019',
+            },
+          },
+        });
       },
-    });
+    );
   });
 
   test('adding a certificate with non default security policy protocol', () => {

packages/@aws-cdk/cx-api/lib/features.ts

@@ -153,6 +153,13 @@ export const EFS_DEFAULT_ENCRYPTION_AT_REST = '@aws-cdk/aws-efs:defaultEncryptio
  */
 export const LAMBDA_RECOGNIZE_VERSION_PROPS = '@aws-cdk/aws-lambda:recognizeVersionProps';
 
+/**
+ * Enable this feature flag to have cloudfront distributions use the security policy TLSv1.2_2021 by default.
+ *
+ * The security policy can also be configured explicitly using the `minimumProtocolVersion` property.
+ */
+export const CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021 = '@aws-cdk/aws-cloudfront:defaultSecurityPolicyTLSv1.2_2021';
+
 /**
  * This map includes context keys and values for feature flags that enable
  * capabilities "from the future", which we could not introduce as the default
@@ -179,6 +186,7 @@ export const FUTURE_FLAGS: { [key: string]: any } = {
   [RDS_LOWERCASE_DB_IDENTIFIER]: true,
   [EFS_DEFAULT_ENCRYPTION_AT_REST]: true,
   [LAMBDA_RECOGNIZE_VERSION_PROPS]: true,
+  [CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: true,
 
   // We will advertise this flag when the feature is complete
   // [NEW_STYLE_STACK_SYNTHESIS_CONTEXT]: 'true',
@@ -209,6 +217,7 @@ const FUTURE_FLAGS_DEFAULTS: { [key: string]: boolean } = {
   [RDS_LOWERCASE_DB_IDENTIFIER]: false,
   [EFS_DEFAULT_ENCRYPTION_AT_REST]: false,
   [LAMBDA_RECOGNIZE_VERSION_PROPS]: false,
+  [CLOUDFRONT_DEFAULT_SECURITY_POLICY_TLS_V1_2_2021]: false,
 };
 
 export function futureFlagDefault(flag: string): boolean {