feat(aws): add cloudfront_distributions_pqc_tls_enabled check

[pedrooot]

Context

CloudFront's quantum-safe key exchanges (X25519MLKEM768, SecP256r1MLKEM768) are only negotiated over TLS 1.3. A distribution that still allows TLS 1.2 falls back to classical key exchange and remains exposed to "harvest now, decrypt later" attacks. Prowler had no check for this.

Description

Adds the cloudfront_distributions_pqc_tls_enabled check. It evaluates each distribution's MinimumProtocolVersion against a configurable allowlist (cloudfront_pqc_min_protocol_versions, default: TLSv1.3_2025). Distributions using the default CloudFront certificate are pinned to the legacy TLSv1 policy and fail. The cloudfront service is extended to expose MinimumProtocolVersion. Severity: low.

Steps to review

1. Check implementation: prowler/providers/aws/services/cloudfront/cloudfront_distributions_pqc_tls_enabled/
2. Service change exposing MinimumProtocolVersion: prowler/providers/aws/services/cloudfront/cloudfront_service.py
3. Run the tests: poetry run pytest tests/providers/aws/services/cloudfront/cloudfront_distributions_pqc_tls_enabled/ tests/providers/aws/services/cloudfront/cloudfront_service_test.py -v
4. Optionally run against a real environment: prowler aws --check cloudfront_distributions_pqc_tls_enabled

Checklist

Community Checklist

• This feature/issue is listed in here or roadmap.prowler.com
• Is it assigned to me, if not, request it via the issue/feature in here or Prowler Community Slack

• Review if the code is being covered by tests.
• Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
• Review if backport is needed.
• Review if is needed to change the Readme.md
• Ensure new entries are added to CHANGELOG.md, if applicable.

SDK/CLI

• Are there new checks included in this PR? Yes
  • No new permissions needed: CloudFront read permissions are already covered by the AWS managed SecurityAudit policy.

License

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[mintlify]

Preview deployment for your docs. Learn more about Mintlify Previews.

Project	Status	Preview	Updated (UTC)
prowler	🟢 Ready	View Preview	May 21, 2026, 10:23 PM

💡 Tip: Enable Workflows to automatically generate PRs for you.

[github-actions]

✅ All necessary CHANGELOG.md files have been updated.

[github-actions]

Compliance Mapping Review

This PR adds new checks. Please verify that they have been mapped to the relevant compliance framework requirements.

New checks already mapped in this PR

• cloudfront_distributions_pqc_tls_enabled (aws): aws_well_architected_framework_security_pillar_aws, ccc_aws, csa_ccm_4.0_aws, ens_rd2022_aws, fedramp_moderate_revision_4_aws, ffiec_aws, gxp_21_cfr_part_11_aws, iso27001_2013_aws, kisa_isms_p_2023_aws, kisa_isms_p_2023_korean_aws, nist_800_171_revision_2_aws, nist_800_53_revision_5_aws, rbi_cyber_security_framework_aws, secnumcloud_3.2_aws

Use the no-compliance-check label to skip this check.

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[codecov]

Codecov Report

❌ Patch coverage is 95.45455% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 6.86%. Comparing base (7d03bc5) to head (48a87b0).
⚠️ Report is 13 commits behind head on master.

❗ There is a different number of reports uploaded between BASE (7d03bc5) and HEAD (48a87b0). Click for more details.

HEAD has 1 upload less than BASE

Flag	BASE (7d03bc5)	HEAD (48a87b0)
api	1	0

Additional details and impacted files

@@             Coverage Diff             @@
##           master   #11317       +/-   ##
===========================================
- Coverage   93.97%    6.86%   -87.11%     
===========================================
  Files         237      858      +621     
  Lines       34829    25140     -9689     
===========================================
- Hits        32729     1725    -31004     
- Misses       2100    23415    +21315     

Flag	Coverage Δ
api	?
prowler-py3.10-aws	6.40% <95.45%> (?)
prowler-py3.10-config	6.86% <95.45%> (?)
prowler-py3.11-aws	6.40% <95.45%> (?)
prowler-py3.11-config	6.86% <95.45%> (?)
prowler-py3.12-aws	6.40% <95.45%> (?)
prowler-py3.12-config	6.86% <95.45%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
prowler	6.86% <95.45%> (∅)
api	∅ <ø> (∅)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

🔒 Container Security Scan

Image: prowler:00a98b4
Last scan: 2026-05-21 22:34:03 UTC

📊 Vulnerability Summary

Severity	Count
🔴 Critical	6
Total	6

5 package(s) affected

⚠️ Action Required

Critical severity vulnerabilities detected. These should be addressed before merging:

• Review the detailed scan results
• Update affected packages to patched versions
• Consider using a different base image if updates are unavailable

---

📋 Resources:

• Download full report (see artifacts)
• View in Security tab
• Scanned with Trivy