
TTSD-5652 enforce minimum TLS version 1.2 #9

Merged
merged 2 commits into from
Apr 22, 2024

Conversation

@kr3cj kr3cj commented Apr 22, 2024

See ticket for more information.

Previous changes to enforce TLS version 1.2 only changed it for TLS to the origin, not to the client. This PR attempts to fix that.

A recent scan review shows that TLS v1.0 & TLS v1.1 are enabled on the dashboard.ibotta.com endpoint.

PR for consuming it: https://github.com/Ibotta/ipn-portal-infrastructure/pull/136
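As an added illustration of the viewer-versus-origin distinction the description draws (example code written for this page, not part of the PR or the repository), the script below statically checks a Terraform `aws_cloudfront_distribution` on both legs: the viewer security policy (`minimum_protocol_version`, which CloudFront forces to `TLSv1` when `cloudfront_default_certificate` is used) and the origin leg's `origin_ssl_protocols`. The sample HCL is constructed; the resource name, origin name and domain are assumptions.

```python
import re

# CloudFront viewer security policies, oldest to newest (AWS policy names).
# Only policies from TLSv1.2_2018 onward set a TLS 1.2 floor for clients.
POLICY_ORDER = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
                "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
MIN_OK_POLICY = "TLSv1.2_2018"
WEAK_ORIGIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def _blocks(hcl, name):
    """Yield the body of every `name { ... }` block, matching braces so nested
    blocks stay inside their parent (braces inside strings are not handled)."""
    for m in re.finditer(r"\b" + re.escape(name) + r"\s*\{", hcl):
        depth, i = 1, m.end()
        while i < len(hcl) and depth:
            depth += {"{": 1, "}": -1}.get(hcl[i], 0)
            i += 1
        yield hcl[m.end():i - 1]


def _attr(body, key):
    """Return the raw right-hand side of `key = ...` in a block body (comment stripped), or None."""
    m = re.search(r"\b" + re.escape(key) + r"\s*=\s*([^\n#]+)", body)
    return m.group(1).strip() if m else None


def check_cloudfront_tls(hcl):
    """Return a list of findings; an empty list means both legs enforce TLS >= 1.2."""
    findings = []
    for body in _blocks(hcl, "viewer_certificate"):
        if (_attr(body, "cloudfront_default_certificate") or "").lower() == "true":
            findings.append("viewer: cloudfront_default_certificate forces the TLSv1 policy; "
                            "use an ACM certificate so minimum_protocol_version applies")
            continue
        policy = (_attr(body, "minimum_protocol_version") or "").strip('"')
        if not policy:
            findings.append("viewer: minimum_protocol_version not set; the provider default "
                            "(TLSv1) still accepts TLS 1.0 and 1.1 from clients")
        elif policy not in POLICY_ORDER:
            findings.append(f"viewer: unknown security policy {policy}")
        elif POLICY_ORDER.index(policy) < POLICY_ORDER.index(MIN_OK_POLICY):
            findings.append(f"viewer: policy {policy} still permits TLS below 1.2")
    for body in _blocks(hcl, "custom_origin_config"):
        protos = set(re.findall(r'"([^"]+)"', _attr(body, "origin_ssl_protocols") or ""))
        weak = sorted(protos & WEAK_ORIGIN_PROTOCOLS)
        if weak:
            findings.append("origin: origin_ssl_protocols allows " + ", ".join(weak))
    return findings


# Constructed sample: the state the PR description attributes to the earlier fix,
# where only the origin leg pins TLS 1.2 and viewers may still negotiate 1.0/1.1.
BEFORE_HCL = """
resource "aws_cloudfront_distribution" "dashboard" {   # resource name assumed
  origin {
    domain_name = "origin.example.internal"            # assumed
    origin_id   = "dashboard-origin"                   # assumed
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }
  viewer_certificate {
    acm_certificate_arn = aws_acm_certificate.cert.arn
    ssl_support_method  = "sni-only"
  }
}
"""

# The same distribution with the viewer-side policy this PR introduces.
AFTER_HCL = BEFORE_HCL.replace(
    'ssl_support_method  = "sni-only"',
    'ssl_support_method       = "sni-only"\n    minimum_protocol_version = "TLSv1.2_2021"')

if __name__ == "__main__":
    for label, hcl in (("before", BEFORE_HCL), ("after", AFTER_HCL)):
        print(label, check_cloudfront_tls(hcl) or "ok")
```

The check is deliberately regex-based so it can run as a pre-merge lint without a Terraform toolchain; a real deployment should still be verified end to end by attempting a TLS 1.0 or 1.1 handshake against the distribution and expecting it to be refused.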

CHANGELOG.md Outdated
@@ -1,5 +1,9 @@
## Changelog

### `1.3.0`
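Review bot: the hunk header `@@ -1,5 +1,9 @@` announces four added lines, but only the `### \`1.3.0\`` heading is visible here, so the entry text describing the viewer-side `minimum_protocol_version` change cannot be reviewed; please make sure the entry says this change targets viewer (client) TLS, as distinct from the earlier origin-only change the PR description mentions. Also, `1.3.0` is a minor bump while the comment thread settles on a patch release, so the heading should be renumbered to the agreed patch version.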
Author (kr3cj):

I wasn't sure whether to make this a patch release or a minor release since previous attempts to enforce TLS 1.2 were already made. Open to suggestions.

Patch seems reasonable. 👍

acm_certificate_arn = aws_acm_certificate.cert.arn
ssl_support_method = "sni-only"
acm_certificate_arn = aws_acm_certificate.cert.arn
minimum_protocol_version = "TLSv1.2_2021"
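Review bot: `minimum_protocol_version = "TLSv1.2_2021"` sits with the `acm_certificate_arn` and `ssl_support_method = "sni-only"` attributes, i.e. in the `viewer_certificate` block, which is the right place: CloudFront only honours this policy with a custom certificate and SNI/dedicated-IP support, both of which the surrounding lines keep. Note that `TLSv1.2_2021` is a CloudFront security policy that restricts the offered cipher suites as well as setting the TLS 1.2 floor, so any client that stops connecting after rollout is the expected effect of this change. Since these lines show only viewer-side attributes, the origin leg (`origin_ssl_protocols`, covered by the earlier change) is unaffected here; after deploy, confirm the viewer side independently with a handshake capped at TLS 1.1 (for example `openssl s_client -tls1_1 -connect dashboard.ibotta.com:443`) and expect it to be refused.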
@kr3cj kr3cj requested a review from jdeanibotta April 22, 2024 17:18
@ibcheckmarx commented:

Checkmarx One – Scan Summary & Details (scan 89e78ed3-781e-4f71-bf7a-5754ac645ce1)

New Issues

| Severity | Issue | Source File / Package | Checkmarx Insight |
| --- | --- | --- | --- |
| LOW | IAM Access Analyzer Not Enabled | /s3.tf: 1 | IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions |
| LOW | IAM Access Analyzer Not Enabled | /route53.tf: 5 | IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions |
| LOW | IAM Access Analyzer Not Enabled | /cloudfront.tf: 1 | IAM Access Analyzer should be enabled and configured to continuously monitor resource permissions |

Fixed Issues

| Severity | Issue | Source File / Package |
| --- | --- | --- |
| HIGH | Vulnerable Default SSL Certificate | /cloudfront.tf: 48 |

@kr3cj kr3cj removed request for physik932 and mubarak-j April 22, 2024 17:40
@kr3cj kr3cj merged commit 3554980 into main Apr 22, 2024
1 of 2 checks passed
@kr3cj kr3cj deleted the TTSD-5652 branch April 22, 2024 19:15