CloudFront.10: No deprecated SSL protocols to custom origins

Written and reviewed by Emnode · Last reviewed 27 May 2026

What does AWS Security Hub CloudFront.10 check?

CloudFront.10 checks the edge-to-origin TLS handshake on custom origins. It reports FAILED when a `CustomOriginConfig`'s `OriginSslProtocols` list still includes `SSLv3`. S3 origins, which have no viewer-configurable origin protocol set, are out of scope.

Why does CloudFront.10 matter?

SSLv3 was deprecated in 2015 (RFC 7568) because it's structurally broken — POODLE lets an attacker on the edge-to-origin path force a downgrade and decrypt traffic a byte at a time. Since the protocol is merely offered, an attacker who can influence the handshake picks the weakest mutually-supported option, exposing session tokens, form posts, and API payloads. It maps to PCI DSS 4.2.1 and NIST SC-8/SC-13/SC-23.

How do I fix CloudFront.10?

Inventory every custom origin's `OriginSslProtocols.Items` to find any that include `SSLv3`.
Confirm the origin already supports TLSv1.2 so trimming the list changes nothing operationally.
Read-modify-write the distribution config, restricting `Items` to `TLSv1.2`, and push it back with `update-distribution --if-match <ETag>`.
Gate new distributions in IaC so an SSLv3 entry can't reappear.

Remediation script · bash

# 1. Lock an S3 origin: only THIS distribution may read the bucket.
cat > bucket-policy.json <<'JSON'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowCloudFrontServicePrincipalReadOnly",
    "Effect": "Allow",
    "Principal": { "Service": "cloudfront.amazonaws.com" },
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-downloads-bucket/*",
    "Condition": { "StringEquals": {
      "AWS:SourceArn": "arn:aws:cloudfront::111122223333:distribution/E2QWRUHAPOMQZL"
    } }
  }]
}
JSON
aws s3api put-bucket-policy --bucket my-downloads-bucket --policy file://bucket-policy.json

# 2. Raise the minimum TLS version (the field is nested in ViewerCertificate, so send the whole config back).
aws cloudfront get-distribution-config --id E2QWRUHAPOMQZL > dist.json
ETAG=$(python3 -c "import json;print(json.load(open('dist.json'))['ETag'])")
# ... edit dist.json: ViewerCertificate.MinimumProtocolVersion = TLSv1.2_2021, ViewerProtocolPolicy = redirect-to-https ...
aws cloudfront update-distribution --id E2QWRUHAPOMQZL \
  --distribution-config file://distribution-config.json --if-match "$ETAG"

# 3. Confirm the second door is shut: a raw S3 GET should now return 403.
curl -s -o /dev/null -w '%{http_code}\n' https://my-downloads-bucket.s3.amazonaws.com/file.pdf

Full walkthrough (console steps, edge cases and verification) in the lesson Protect CloudFront distributions and origins.

Is CloudFront.10 a false positive?

A distribution can show a pristine TLS 1.3 viewer policy and pass CloudFront.15 while still failing CloudFront.10 — external scanners only see the viewer leg, so the stale origin protocol list hides behind a healthy-looking public posture.

Full lesson Protect CloudFront distributions and origins Step-by-step remediation with CLI, code and persona-specific context.

AWS documentation for CloudFront controls ↗ Check your own account for CloudFront.10 →

Part of the learning path Lock down access

CloudFront.1 No default root object, exposing the distribution listing
CloudFront.3 Distributions should require encryption in transit
CloudFront.5 Distributions should have logging enabled
CloudFront.6 Distributions should have WAF enabled
CloudFront.9 Distributions should encrypt traffic to custom origins
CloudFront.12 A distribution points at a non-existent S3 origin (takeover risk)
CloudFront.13 Distributions should use origin access control
CloudFront.15 Distributions should use recommended TLS policy
CloudFront.16 OAC for Lambda function URL origins
CloudFront.17 Use trusted key groups for signed URLs/cookies