Test cloudfront distributions using deprecated ssl protocols

[prajwal-choudhari-comprinno]

Description
This PR adds the cloudfront_distributions_using_deprecated_ssl_protocols check, which verifies that CloudFront distributions are configured to use only modern and secure SSL/TLS protocols, such as TLSv1.2 or higher.

It includes:

A new test file (tests/test_cloudfront_distributions_using_deprecated_ssl_protocols.py) with comprehensive unit tests for the check.
Test cases cover:

1. The check returns NOT_APPLICABLE when no CloudFront distributions are present in the account.
2. Distributions configured to use secure protocols like TLSv1.2_2021 correctly result in a PASSED status.
3. Distributions using deprecated protocols (e.g., SSLv3) are correctly identified, leading to a FAILED status.
4. The check gracefully handles ClientError exceptions during AWS API calls, returning an UNKNOWN status.

License

I confirm that my contribution is made under the terms of the Apache 2.0 license.

[aafaq-rashid-comprinno]

Summary of Improvements

1. Fix Logical Bug: ViewerCertificate is in the DistributionConfig, not the Distribution

   • Your current check uses:

     security_policy = distribution.get('ViewerCertificate', {}).get('MinimumProtocolVersion', 'TLSv1.2')

     ✅ Fix: Fetch ViewerCertificate from get_distribution_config(distribution_id) instead, which is the correct source.

2. Correct and Align Test Cases

   • Your test mocks call get_distribution_config, but the check never calls it. That’s why even deprecated protocols get marked as secure in the test.
   • ✅ Update the check to call client.get_distribution_config(Id=distribution_id) to fetch ViewerCertificate accurately.

---

Enhancements

3. Improve Test Coverage

   • Add test for mixed distributions (some secure, some deprecated).
   • Validate ARN consistency in the test using .endswith("distribution/dist-id").

4. Add Logging/Debug Info (Optional)

   • Useful for troubleshooting real-world deployments.