Supported protocols and ciphers between viewers and CloudFront
When you require HTTPS between viewers and your CloudFront distribution, you must choose a security policy, which determines the following settings.

The minimum SSL/TLS protocol that CloudFront uses to communicate with viewers.

The ciphers that CloudFront can use to encrypt the communication with viewers.
To choose a security policy, specify the applicable value for Security Policy. The following table lists the protocols and ciphers that CloudFront can use for each security policy.
A viewer must support at least one of the supported ciphers to establish an HTTPS connection with CloudFront. If you’re using an SSL/TLS certificate in AWS Certificate Manager, a viewer must support one of the *RSA* ciphers. CloudFront chooses a cipher in the listed order from among the ciphers that the viewer supports. See also OpenSSL, s2n, and RFC cipher names.
Security policy  

SSLv3  TLSv1  TLSv1_2016  TLSv1.1_2016  TLSv1.2_2018  TLSv1.2_2019  
SSL/TLS protocols supported  
TLSv1.3¹  ♦  ♦  ♦  ♦  ♦  ♦ 
TLSv1.2  ♦  ♦  ♦  ♦  ♦  ♦ 
TLSv1.1  ♦  ♦  ♦  ♦  
TLSv1  ♦  ♦  ♦  
SSLv3  ♦  
Ciphers supported  
TLS_AES_128_GCM_SHA256  ♦  ♦  ♦  ♦  ♦  ♦ 
TLS_AES_256_GCM_SHA384  ♦  ♦  ♦  ♦  ♦  ♦ 
TLS_CHACHA20_POLY1305_SHA256  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHERSAAES128GCMSHA256  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHERSAAES128SHA256  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHERSAAES128SHA  ♦  ♦  ♦  ♦  
ECDHERSAAES256GCMSHA384  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHERSACHACHA20POLY1305  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHERSAAES256SHA384  ♦  ♦  ♦  ♦  ♦  ♦ 
ECDHERSAAES256SHA  ♦  ♦  ♦  ♦  
AES128GCMSHA256  ♦  ♦  ♦  ♦  ♦  
AES256GCMSHA384  ♦  ♦  ♦  ♦  ♦  
AES128SHA256  ♦  ♦  ♦  ♦  ♦  
AES256SHA  ♦  ♦  ♦  ♦  
AES128SHA  ♦  ♦  ♦  ♦  
DESCBC3SHA  ♦  ♦  
RC4MD5  ♦ 
¹CloudFront supports one round trip time (1RTT) handshakes for TLSv1.3, but does not support zero round trip time (0RTT) handshakes.
OpenSSL, s2n, and RFC cipher names
OpenSSL and s2n
For all elliptic curve ciphers, CloudFront supports the following elliptic curves:

prime256v1

secp384r1

X25519
OpenSSL and s2n cipher name  RFC cipher name 

TLS_AES_128_GCM_SHA256 
TLS_AES_128_GCM_SHA256 
TLS_AES_256_GCM_SHA384 
TLS_AES_256_GCM_SHA384 
TLS_CHACHA20_POLY1305_SHA256 
TLS_CHACHA20_POLY1305_SHA256 
ECDHERSAAES128GCMSHA256 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
ECDHERSAAES128SHA256 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 
ECDHERSAAES128SHA 
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 
ECDHERSAAES256GCMSHA384 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 
ECDHERSACHACHA20POLY1305 
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 
ECDHERSAAES256SHA384 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 
ECDHERSAAES256SHA 
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 
AES128GCMSHA256 
TLS_RSA_WITH_AES_128_GCM_SHA256 
AES256GCMSHA384 
TLS_RSA_WITH_AES_256_GCM_SHA384 
AES128SHA256 
TLS_RSA_WITH_AES_128_CBC_SHA256 
AES256SHA 
TLS_RSA_WITH_AES_256_CBC_SHA 
AES128SHA 
TLS_RSA_WITH_AES_128_CBC_SHA 
DESCBC3SHA 
TLS_RSA_WITH_3DES_EDE_CBC_SHA 
RC4MD5 
TLS_RSA_WITH_RC4_128_MD5 
Supported signature schemes between viewers and CloudFront
CloudFront supports the following signature schemes for connections between viewers and CloudFront.

TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA256

TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA384

TLS_SIGNATURE_SCHEME_RSA_PSS_RSAE_SHA512

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA256

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA384

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA512

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA224

TLS_SIGNATURE_SCHEME_RSA_PKCS1_SHA1