Supported protocols and ciphers between viewers and CloudFront
When you require HTTPS between viewers and your CloudFront distribution, you must choose a security policy, which determines the following settings:

The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.

The ciphers that CloudFront can use to encrypt the communication with viewers.
To choose a security policy, specify the applicable value for Security policy. The following table lists the protocols and ciphers that CloudFront can use for each security policy.
A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL, s2n, and RFC cipher names.
Security policy  

SSLv3  TLSv1  TLSv1_2016  TLSv1.1_2016  TLSv1.2_2018  TLSv1.2_2019  TLSv1.2_2021  
Supported SSL/TLS protocols  
TLSv1.3  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
TLSv1.2  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
TLSv1.1  ♦  ♦  ♦  ♦  
TLSv1  ♦  ♦  ♦  
SSLv3  ♦  
Supported TLSv1.3 ciphers  
TLS_AES_128_GCM_SHA256  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
TLS_AES_256_GCM_SHA384  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
TLS_CHACHA20_POLY1305_SHA256  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
Supported ECDSA ciphers  
ECDHEECDSAAES128GCMSHA256  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHEECDSAAES128SHA256  ♦  ♦  ♦  ♦  ♦  ♦  
ECDHEECDSAAES128SHA  ♦  ♦  ♦  ♦  
ECDHEECDSAAES256GCMSHA384  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHEECDSACHACHA20POLY1305  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHEECDSAAES256SHA384  ♦  ♦  ♦  ♦  ♦  ♦  
ECDHEECDSAAES256SHA  ♦  ♦  ♦  ♦  
Supported RSA ciphers  
ECDHERSAAES128GCMSHA256  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHERSAAES128SHA256  ♦  ♦  ♦  ♦  ♦  ♦  
ECDHERSAAES128SHA  ♦  ♦  ♦  ♦  
ECDHERSAAES256GCMSHA384  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHERSACHACHA20POLY1305  ♦  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHERSAAES256SHA384  ♦  ♦  ♦  ♦  ♦  ♦  
ECDHERSAAES256SHA  ♦  ♦  ♦  ♦  
AES128GCMSHA256  ♦  ♦  ♦  ♦  ♦  
AES256GCMSHA384  ♦  ♦  ♦  ♦  ♦  
AES128SHA256  ♦  ♦  ♦  ♦  ♦  
AES256SHA  ♦  ♦  ♦  ♦  
AES128SHA  ♦  ♦  ♦  ♦  
DESCBC3SHA  ♦  ♦  
RC4MD5  ♦ 
OpenSSL, s2n, and RFC cipher names
OpenSSL and s2n
For ciphers with elliptic curve key exchange algorithms, CloudFront supports the following elliptic curvers:

prime256v1

secp384r1

X25519
OpenSSL and s2n cipher name  RFC cipher name 

Supported TLSv1.3 ciphers  
TLS_AES_128_GCM_SHA256  TLS_AES_128_GCM_SHA256 
TLS_AES_256_GCM_SHA384  TLS_AES_256_GCM_SHA384 
TLS_CHACHA20_POLY1305_SHA256  TLS_CHACHA20_POLY1305_SHA256 
Supported ECDSA ciphers  
ECDHEECDSAAES128GCMSHA256  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 
ECDHEECDSAAES128SHA256  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 
ECDHEECDSAAES128SHA  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 
ECDHEECDSAAES256GCMSHA384  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 
ECDHEECDSACHACHA20POLY1305  TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 
ECDHEECDSAAES256SHA384  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 
ECDHEECDSAAES256SHA  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 
Supported RSA ciphers  
ECDHERSAAES128GCMSHA256  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
ECDHERSAAES128SHA256  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
ECDHERSAAES128SHA  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
ECDHERSAAES256GCMSHA384  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
ECDHERSACHACHA20POLY1305  TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 
ECDHERSAAES256SHA384  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
ECDHERSAAES256SHA  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
AES128GCMSHA256  TLS_RSA_WITH_AES_128_GCM_SHA256 
AES256GCMSHA384  TLS_RSA_WITH_AES_256_GCM_SHA384 
AES128SHA256  TLS_RSA_WITH_AES_128_CBC_SHA256 
AES256SHA  TLS_RSA_WITH_AES_256_CBC_SHA 
AES128SHA  TLS_RSA_WITH_AES_128_CBC_SHA 
DESCBC3SHA  TLS_RSA_WITH_3DES_EDE_CBC_SHA 
RC4MD5  TLS_RSA_WITH_RC4_128_MD5 
Supported signature schemes between viewers and CloudFront
CloudFront supports the following signature schemes for connections between viewers and CloudFront.

TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA256

TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA384

TLS_SIGNATURE_SCHEME_RSA_PSS_PSS_SHA512

TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256

TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384

TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224

TLS_SIGNATURE_SCHEME_ECDSA_SHA256

TLS_SIGNATURE_SCHEME_ECDSA_SHA384

TLS_SIGNATURE_SCHEME_ECDSA_SHA512

TLS_SIGNATURE_SCHEME_ECDSA_SHA224

TLS_SIGNATURE_SCHEME_ECDSA_SECP256R1_SHA256

TLS_SIGNATURE_SCHEME_ECDSA_SECP384R1_SHA384

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1

TLS_SIGNATURE_SCHEME_ECDSA_SHA1