{
    "Behavior": "PROACTIVE",
    "ComplianceFrameworkMappings": [
        {
            "ComplianceFramework": "NIST 800-53 Rev 5",
            "Ids": [
                "AC-17(2)",
                "AC-4",
                "IA-5(1)",
                "SC-12(3)",
                "SC-13",
                "SC-23",
                "SC-23(3)",
                "SC-7(4)",
                "SC-8",
                "SC-8(1)",
                "SC-8(2)",
                "SI-7(6)"
            ]
        },
        {
            "ComplianceFramework": "PCI DSS version 3.2.1",
            "Ids": [
                "4.1"
            ]
        }
    ],
    "ConfigRuleIdentifier": "CLOUDFRONT_SECURITY_POLICY_CHECK",
    "ControlOwner": "AWS Control Tower",
    "DeploymentMechanism": "AWS CloudFormation Hook",
    "DeploymentOwner": "AWS Control Tower",
    "Description": "This control checks whether your Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections.",
    "DisplayName": "Require an Amazon CloudFront distribution to have a security policy of TLSv1.2 as a minimum",
    "DocumentationReferences": [
        {
            "DisplayName": "Requiring HTTPS for communication between viewers and CloudFront",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html"
        },
        {
            "DisplayName": "Supported protocols and ciphers between viewers and CloudFront",
            "Type": "AWS Documentation",
            "Url": "https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html"
        }
    ],
    "EvaluatedResourceTypes": [
        "AWS::CloudFront::Distribution"
    ],
    "EvaluatedServices": [
        "Amazon CloudFront"
    ],
    "Guidance": "Elective",
    "Id": "CT.CLOUDFRONT.PR.9",
    "ImplementationType": "CloudFormation guard rule",
    "MinimumSupportedRuntimeVersion": "2.1",
    "Objectives": [
        {
            "Id": "CO.12",
            "Name": "Manage vulnerabilities"
        }
    ],
    "RegionalPreference": "REGIONAL",
    "ReleaseDate": "2022-11-28",
    "RemediationMessage": "Provide a 'ViewerCertificate' configuration with 'MinimumProtocolVersion' set to TLSv1.2 or higher.",
    "Severity": "MEDIUM",
    "SupportedRegions": [
        "af-south-1",
        "ap-east-1",
        "ap-northeast-1",
        "ap-northeast-2",
        "ap-northeast-3",
        "ap-south-1",
        "ap-south-2",
        "ap-southeast-1",
        "ap-southeast-2",
        "ap-southeast-3",
        "ap-southeast-4",
        "ca-central-1",
        "eu-central-1",
        "eu-central-2",
        "eu-north-1",
        "eu-south-1",
        "eu-south-2",
        "eu-west-1",
        "eu-west-2",
        "eu-west-3",
        "il-central-1",
        "me-central-1",
        "me-south-1",
        "sa-east-1",
        "us-east-1",
        "us-east-2",
        "us-west-1",
        "us-west-2"
    ],
    "TargetOuType": "CUSTOM",
    "Version": "1",
    "Visibility": "PUBLIC"
}