This rule raises an issue when an insecure TLS protocol version (i.e. a protocol different from "TLSv1.2", "TLSv1.3", "DTLSv1.2", or "DTLSv1.3") is used or allowed.
It is recommended to enforce TLS 1.2 as the minimum protocol version and to disallow older versions like TLS 1.0. Failure to do so could open the door to downgrade attacks: a malicious actor who is able to intercept the connection could modify the requested protocol version and downgrade it to a less secure version.
For Amazon OpenSearch domains:
resource "aws_elasticsearch_domain" "example" {
domain_name = "example"
domain_endpoint_options {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-0-2019-07" # Noncompliant
}
For Amazon API Gateway:
resource "aws_api_gateway_domain_name" "example" {
domain_name = "api.example.com"
security_policy = "TLS_1_0" # Noncompliant
}
resource "aws_apigatewayv2_domain_name" "example" {
domain_name = "api.example.com"
domain_name_configuration {} # Noncompliant
}
For Google Cloud load balancers
resource "google_compute_ssl_policy" "example" {
name = "example"
min_tls_version = "TLS_1_0" # Noncompliant
# ...
}
For Amazon OpenSearch domains:
resource "aws_elasticsearch_domain" "example" {
domain_name = "example"
domain_endpoint_options {
enforce_https = true
tls_security_policy = "Policy-Min-TLS-1-2-2019-07"
For Amazon API Gateway:
resource "aws_api_gateway_domain_name" "example" {
domain_name = "api.example.com"
security_policy = "TLS_1_2"
}
resource "aws_apigatewayv2_domain_name" "example" {
domain_name = "api.example.com"
domain_name_configuration {
security_policy = "TLS_1_2"
}
}
For Google Cloud load balancers
resource "google_compute_ssl_policy" "example" {
name = "example"
min_tls_version = "TLS_1_2"
# ...
}