diff --git a/README.md b/README.md
index 66cb71ee..ac4dd300 100644
--- a/README.md
+++ b/README.md
@@ -112,6 +112,7 @@ Available targets:
 | log_standard_transition_days | Number of days to persist in the standard storage tier before moving to the glacier tier | string | `30` | no |
 | max_ttl | Maximum amount of time (in seconds) that an object is in a CloudFront cache | string | `31536000` | no |
 | min_ttl | Minimum amount of time that you want objects to stay in CloudFront caches | string | `0` | no |
+| minimum_protocol_version | Cloudfront TLS minimum protocol version | string | `TLSv1` | no |
 | name | Name (e.g. `bastion` or `db`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
 | null | an empty string | string | `` | no |
diff --git a/docs/terraform.md b/docs/terraform.md
index 9f88d61a..57fce106 100644
--- a/docs/terraform.md
+++ b/docs/terraform.md
@@ -32,6 +32,7 @@
 | log_standard_transition_days | Number of days to persist in the standard storage tier before moving to the glacier tier | string | `30` | no |
 | max_ttl | Maximum amount of time (in seconds) that an object is in a CloudFront cache | string | `31536000` | no |
 | min_ttl | Minimum amount of time that you want objects to stay in CloudFront caches | string | `0` | no |
+| minimum_protocol_version | Cloudfront TLS minimum protocol version | string | `TLSv1` | no |
 | name | Name (e.g. `bastion` or `db`) | string | - | yes |
 | namespace | Namespace (e.g. `cp` or `cloudposse`) | string | - | yes |
 | null | an empty string | string | `` | no |
diff --git a/main.tf b/main.tf
index 82e2cc2d..f2115592 100644
--- a/main.tf
+++ b/main.tf
@@ -132,7 +132,7 @@ resource "aws_cloudfront_distribution" "default" {
 viewer_certificate {
 acm_certificate_arn = "${var.acm_certificate_arn}"
 ssl_support_method = "sni-only"
- minimum_protocol_version = "TLSv1"
+ minimum_protocol_version = "${var.minimum_protocol_version}"
 cloudfront_default_certificate = "${var.acm_certificate_arn == "" ? true : false}"
 }

diff --git a/variables.tf b/variables.tf
index 61a91c65..662ff225 100644
--- a/variables.tf
+++ b/variables.tf
@@ -41,6 +41,11 @@ variable "acm_certificate_arn" {
 default = ""
 }

+variable "minimum_protocol_version" {
+ description = "Cloudfront TLS minimum protocol version"
+ default = "TLSv1"
+}
+
 variable "aliases" {
 type = "list"
 description = "List of FQDN's - Used to set the Alternate Domain Names (CNAMEs) setting on Cloudfront"
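Review bot: The new `minimum_protocol_version` line passes the variable through without regard to which certificate is in use, although the next line sets `cloudfront_default_certificate` to true whenever `acm_certificate_arn` is empty. As far as I know, CloudFront applies a stricter security policy only with a custom certificate and expects `TLSv1` with the default `*.cloudfront.net` one, so a caller who sets `TLSv1.2_2018` without an ACM ARN may get a provider error or a distribution that still accepts TLS 1.0. Tying the two together would avoid that: `minimum_protocol_version = "${var.acm_certificate_arn == "" ? "TLSv1" : var.minimum_protocol_version}"`, with a comment saying why. The resource block starts and ends outside the hunk, so other uses of the certificate settings are not visible here.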
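Review bot: The default of the new `minimum_protocol_version` variable stays at `TLSv1`, so every consumer that does not set it keeps accepting TLS 1.0 and 1.1 from viewers, and nothing in the description tells them a stricter value exists. Consider `default = "TLSv1.2_2018"`; that is a behaviour change for existing users and only takes effect with a custom certificate, so it belongs in the release notes and the regenerated README tables. The accepted values are CloudFront security-policy names rather than plain protocol versions, so the description should say so: `description = "CloudFront security policy (minimum viewer TLS version), e.g. TLSv1.1_2016 or TLSv1.2_2018; applies only when acm_certificate_arn is set"`. The block also omits `type = "string"`, which the neighbouring `aliases` variable declares explicitly.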