I want to know which security protocols and ciphers Amazon CloudFront supports.
Resolution
CloudFront supports several security protocols and ciphers to make sure that there's secure communication between your viewers or clients and the CloudFront edge locations. CloudFront uses protocols and ciphers based on the security policy that you select for your CloudFront distribution. The security policies in CloudFront are predefined, and you can't add or remove individual ciphers from these policies.
It's a best practice to use the most secure security policy available, such as TLSv1.2_2021. CloudFront uses the s2n-tls implementation for TLS. CloudFront supports TLS versions 1.0, 1.1, 1.2, and 1.3. By default, TLS version 1.3 is enabled on all CloudFront distributions.
Important: If you use a custom SSL/TLS certificate with your CloudFront distribution, then CloudFront selects a security policy only. If you use the default CloudFront certificate, then the distribution defaults to the TLSv1 security policy. For more information, see the Requirements for using SSL/TLS certificates with CloudFront.
CloudFront tries to establish the most secure connection possible based on the protocols and ciphers that the client or viewers support. However, the level of security depends on the capabilities of the client.
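
To check the guidance above across an account, the following added example (not AWS code) audits the viewer security policy of each distribution and separates distributions fixed at TLSv1 by the default certificate from those with a custom certificate and an older policy. It assumes input dictionaries shaped like the `DistributionList` items that boto3's `list_distributions` returns; the function names, distribution IDs, and certificate ARN are constructed for illustration.

```python
# Values of ViewerCertificate.MinimumProtocolVersion in the CloudFront API,
# ordered oldest to newest. RECOMMENDED is the policy named in the text above.
POLICY_ORDER = ["SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016",
                "TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"]
RECOMMENDED = "TLSv1.2_2021"


def audit_viewer_policy(dist):
    """Return (distribution id, status, detail) for one distribution summary."""
    cert = dist.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        # Default certificate: the distribution defaults to the TLSv1 policy.
        return (dist["Id"], "FIXED_TLSv1",
                "default certificate; use a custom certificate to choose a policy")
    policy = cert.get("MinimumProtocolVersion")
    if policy not in POLICY_ORDER:
        # Missing or unrecognized policy name: report it rather than guess.
        return (dist["Id"], "REVIEW", f"unrecognized policy {policy!r}")
    if POLICY_ORDER.index(policy) < POLICY_ORDER.index(RECOMMENDED):
        return (dist["Id"], "WEAK", f"{policy} is older than {RECOMMENDED}")
    return (dist["Id"], "OK", policy)


def audit_all(distributions):
    """Audit every distribution; findings that need attention sort first."""
    findings = [audit_viewer_policy(d) for d in distributions]
    return sorted(findings, key=lambda f: f[1] == "OK")


# Constructed sample data (placeholder IDs and ARN, not real resources).
ARN = "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE"
SAMPLE = [
    {"Id": "EXAMPLEOK", "ViewerCertificate": {
        "ACMCertificateArn": ARN, "MinimumProtocolVersion": "TLSv1.2_2021"}},
    {"Id": "EXAMPLEDEFAULT", "ViewerCertificate": {
        "CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"}},
    {"Id": "EXAMPLEWEAK", "ViewerCertificate": {
        "ACMCertificateArn": ARN, "MinimumProtocolVersion": "TLSv1.1_2016"}},
    {"Id": "EXAMPLEUNKNOWN", "ViewerCertificate": {
        "ACMCertificateArn": ARN, "MinimumProtocolVersion": "constructed-name"}},
]

if __name__ == "__main__":
    for dist_id, status, detail in audit_all(SAMPLE):
        print(f"{dist_id:16} {status:12} {detail}")
```

With live data, pass the `Items` list from each page of `list_distributions` results to `audit_all`.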