feat(aws): improve AVD-AWS-0013 rule

go.mod

@@ -3,7 +3,7 @@ module github.com/aquasecurity/trivy-policies
 go 1.20
 
 require (
-	github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898
+	github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5
 	github.com/aquasecurity/trivy-iac v0.5.2
 	github.com/docker/docker v24.0.7+incompatible
 	github.com/liamg/iamgo v0.0.9

go.sum

@@ -26,8 +26,8 @@ github.com/apparentlymart/go-textseg/v13 v13.0.0 h1:Y+KvPE1NYz0xl601PVImeQfFyEy6
 github.com/apparentlymart/go-textseg/v13 v13.0.0/go.mod h1:ZK2fH7c4NqDTLtiYLvIkEghdlcqw7yxLeM89kiTRPUo=
 github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
 github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
-github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898 h1:gu7XQvv2CswgzOdOFHg/AmtR4vBonG35XvGxHHvcIr4=
-github.com/aquasecurity/defsec v0.93.2-0.20231024055158-015ab97ce898/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
+github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5 h1:CkfFZpctJrH+oHWlvuAE2qV4DNDqaVtPlEkVksbwuwo=
+github.com/aquasecurity/defsec v0.93.2-0.20231115015625-adcb9e5799e5/go.mod h1:J30VViSgmoW2Ic/6aqVJO2qvuADsmZ3MYuNxPcU6Vt0=
 github.com/aquasecurity/trivy-iac v0.5.2 h1:cqeSDEfQtM3l4ceiQ+IUD2K/ZBhyz443xe+S2TkBdE0=
 github.com/aquasecurity/trivy-iac v0.5.2/go.mod h1:dHoaIzm4niotuaEiSM40HelhcL8m/2MHzT3uHcQYUh8=
 github.com/arbovm/levenshtein v0.0.0-20160628152529-48b4e1c0c4d0 h1:jfIu9sQUG6Ig+0+Ap1h4unLjW6YQJpKZVmUzxsD4E/Q=

rules/cloud/policies/aws/cloudfront/use_secure_tls_policy.go

@@ -20,11 +20,12 @@ var CheckUseSecureTlsPolicy = rules.Register(
 		Resolution: "Use the most modern TLS/SSL policies available",
 		Explanation: `You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+.
 
-Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name). 
+Note: that setting *minimum_protocol_version = "TLSv1.2_2021"* is only possible when *cloudfront_default_certificate* is false (eg. you are not using the cloudfront.net domain name) and *ssl_support_method* is *sni-only*. 
 If *cloudfront_default_certificate* is true then the Cloudfront API will only allow setting *minimum_protocol_version = "TLSv1"*, and setting it to any other value will result in a perpetual diff in your *terraform plan*'s. 
 The only option when using the cloudfront.net domain name is to ignore this rule.`,
 		Links: []string{
 			"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html",
+			"https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesGeneral",
 		},
 		Terraform: &scan.EngineMetadata{
 			GoodExamples:        terraformUseSecureTlsPolicyGoodExamples,
@@ -42,10 +43,13 @@ The only option when using the cloudfront.net domain name is to ignore this rule
 	},
 	func(s *state.State) (results scan.Results) {
 		for _, dist := range s.AWS.Cloudfront.Distributions {
-			if dist.ViewerCertificate.MinimumProtocolVersion.NotEqualTo(cloudfront.ProtocolVersionTLS1_2) {
+			vc := dist.ViewerCertificate
+			if vc.CloudfrontDefaultCertificate.IsFalse() &&
+				vc.SSLSupportMethod.EqualTo("sni-only") &&
+				vc.MinimumProtocolVersion.NotEqualTo(cloudfront.ProtocolVersionTLS1_2) {
 				results.Add(
 					"Distribution allows unencrypted communications.",
-					dist.ViewerCertificate.MinimumProtocolVersion,
+					vc.MinimumProtocolVersion,
 				)
 			} else {
 				results.AddPassed(&dist)

rules/cloud/policies/aws/cloudfront/use_secure_tls_policy_test.go

@@ -28,6 +28,7 @@ func TestCheckUseSecureTlsPolicy(t *testing.T) {
 						ViewerCertificate: cloudfront.ViewerCertificate{
 							Metadata:               defsecTypes.NewTestMetadata(),
 							MinimumProtocolVersion: defsecTypes.String("TLSv1.0", defsecTypes.NewTestMetadata()),
+							SSLSupportMethod:       defsecTypes.String("sni-only", defsecTypes.NewTestMetadata()),
 						},
 					},
 				},
@@ -49,6 +50,38 @@ func TestCheckUseSecureTlsPolicy(t *testing.T) {
 			},
 			expected: false,
 		},
+		{
+			name: "CloudFrontDefaultCertificate is true",
+			input: cloudfront.Cloudfront{
+				Distributions: []cloudfront.Distribution{
+					{
+						Metadata: defsecTypes.NewTestMetadata(),
+						ViewerCertificate: cloudfront.ViewerCertificate{
+							Metadata:                     defsecTypes.NewTestMetadata(),
+							MinimumProtocolVersion:       defsecTypes.String("TLSv1.0", defsecTypes.NewTestMetadata()),
+							CloudfrontDefaultCertificate: defsecTypes.Bool(true, defsecTypes.NewTestMetadata()),
+						},
+					},
+				},
+			},
+			expected: false,
+		},
+		{
+			name: "SSLSupportMethod is not `sny-only`",
+			input: cloudfront.Cloudfront{
+				Distributions: []cloudfront.Distribution{
+					{
+						Metadata: defsecTypes.NewTestMetadata(),
+						ViewerCertificate: cloudfront.ViewerCertificate{
+							Metadata:               defsecTypes.NewTestMetadata(),
+							MinimumProtocolVersion: defsecTypes.String("TLSv1.0", defsecTypes.NewTestMetadata()),
+							SSLSupportMethod:       defsecTypes.String("vip", defsecTypes.NewTestMetadata()),
+						},
+					},
+				},
+			},
+			expected: false,
+		},
 	}
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {