diff --git a/avd_docs/aws/cloudfront/AVD-AWS-0186/docs.md b/avd_docs/aws/cloudfront/AVD-AWS-0186/docs.md
new file mode 100644
index 000000000..257305356
--- /dev/null
+++ b/avd_docs/aws/cloudfront/AVD-AWS-0186/docs.md
@@ -0,0 +1,13 @@
+
+CloudFront distribution uses outdated SSL/TLS protocols.
+
+### Impact
+
+
+
+{{ remediationActions }}
+
+### Links
+- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
+
+
diff --git a/internal/rules/policies/cloud/policies/aws/cloudfront/use_secure_tls_policy.rego b/internal/rules/policies/cloud/policies/aws/cloudfront/use_secure_tls_policy.rego
new file mode 100644
index 000000000..a42cba961
--- /dev/null
+++ b/internal/rules/policies/cloud/policies/aws/cloudfront/use_secure_tls_policy.rego
@@ -0,0 +1,25 @@
+# METADATA
+# title: "Cloudfront Use Secure TLS Policy"
+# description: "CloudFront distribution uses outdated SSL/TLS protocols."
+# scope: package
+# schemas:
+# - input: schema.input
+# related_resources:
+# - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/secure-connections-supported-viewer-protocols-ciphers.html
+# custom:
+# avd_id: AVD-AWS-0186
+# provider: aws
+# service: cloudfront
+# severity: HIGH
+# short_code: use-secure-tls-policy
+# recommended_action: "You should not use outdated/insecure TLS versions for encryption. You should be using TLS v1.2+."
+# input:
+# selector:
+# - type: cloud
+package builtin.aws.cloudfront.aws0186
+
+deny[res] {
+ dist := input.aws.cloudfront.distributions[_]
+ dist.viewercertificate.minimumprotocolversion.value != "TLSv1.2_2021"
+ res := result.new("Distribution allows unencrypted communications.", dist.viewercertificate.minimumprotocolversion)
+}
diff --git a/internal/rules/policies/cloud/policies/aws/cloudfront/use_secure_tls_policy_test.rego b/internal/rules/policies/cloud/policies/aws/cloudfront/use_secure_tls_policy_test.rego
new file mode 100644
index 000000000..10c256535
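Review bot: The comparison `!= "TLSv1.2_2021"` in `deny` flags distributions whose minimum protocol version is `TLSv1.2_2018` or `TLSv1.2_2019`, even though both enforce a TLS 1.2 floor and the rule's own `recommended_action` says "TLS v1.2+"; either the metadata should state that only the 2021 policy is accepted, or the check should allow every TLS 1.2 policy. The denial message `Distribution allows unencrypted communications.` is also inaccurate — the finding is a weak protocol floor, not plaintext — and should read `Distribution allows outdated SSL/TLS protocols.` to match the description. Note too that when `viewercertificate.minimumprotocolversion.value` is absent from the input, the comparison is undefined and the rule silently produces no finding, so the policy's behaviour for that case depends on whether the adapter always populates the field — worth confirming. A set-based check keeps the allowed policies in one place:
```rego
# CloudFront security policies that enforce a TLS 1.2 minimum for viewer connections.
tls12_policies := {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}

deny[res] {
    dist := input.aws.cloudfront.distributions[_]
    version := dist.viewercertificate.minimumprotocolversion.value
    not tls12_policies[version]
    res := result.new("Distribution allows outdated SSL/TLS protocols.", dist.viewercertificate.minimumprotocolversion)
}
```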
--- /dev/null
+++ b/internal/rules/policies/cloud/policies/aws/cloudfront/use_secure_tls_policy_test.rego
@@ -0,0 +1,11 @@
+package builtin.aws.cloudfront.aws0186
+
+test_unsecure_tls_policy {
+ r := deny with input as {"aws": {"cloudfront": {"distributions": [{"viewercertificate": {"minimumprotocolversion": {"value": "TLSv1.0"}}}]}}}
+ count(r) == 1
+}
+
+test_secure_tls_policy {
+ r := deny with input as {"aws": {"cloudfront": {"distributions": [{"viewercertificate": {"minimumprotocolversion": {"value": "TLSv1.2_2021"}}}]}}}
+ count(r) == 0
+}
\ No newline at end of file
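Review bot: The tests cover only the two endpoints `TLSv1.0` and `TLSv1.2_2021`, so the behaviour most likely to be contested — `TLSv1.2_2019` (a TLS 1.2 floor that the policy currently denies) and a distribution with no `minimumprotocolversion` at all (which the policy silently passes, because the comparison is undefined) — is not pinned down. Adding `test_missing_tls_policy { r := deny with input as {"aws": {"cloudfront": {"distributions": [{"viewercertificate": {}}]}}}; count(r) == 0 }` would at least document the current behaviour for the absent case, whichever way the maintainers decide it should go, and a `TLSv1.2_2019` case would make the intended strictness explicit. The name `test_unsecure_tls_policy` would conventionally be `test_insecure_tls_policy`.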