Use encrypted connection between CloudFront and origin server

Enforce HTTPS-only traffic between a CloudFront distribution and the origin. It is recommended to use HTTPS for secure communications between your CloudFront distribution and end users to guarantee encryption of traffic and prevent malicious actors from intercepting your traffic. This rule runs on all origins except S3 buckets.

Risk Level: High
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.CRY.17
Covered by Spectral: Yes
Category: Networking & Content Delivery


CloudFront where not with [ s3OriginConfig ] should have with [ customOriginConfig.originProtocolPolicy='https-only' ] or distributionConfig.defaultCacheBehavior.viewerProtocolPolicy='redirect-to-https' or distributionConfig.defaultCacheBehavior.viewerProtocolPolicy='https-only'


From Portal
Use the following steps to configure HTTPS between CloudFront and your custom origin:

  1. Sign in to the AWS Management Console and open the CloudFront console.
  2. In the top pane of the CloudFront console, choose the ID for the distribution that you want to update.
  3. On the Origins tab, choose the origin that you want to update, and then choose Edit.
  4. Update the following settings:
    Origin Protocol Policy - Change the Origin Protocol Policy for the applicable origins in your distribution:
    a. HTTPS Only - CloudFront uses only HTTPS to communicate with your custom origin.
    b. Match Viewer - CloudFront communicates with your custom origin using HTTP or HTTPS, depending on the protocol of the viewer request. For example, if you choose Match Viewer for Origin Protocol Policy and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin.
    Note: Choose Match Viewer only if you specify Redirect HTTP to HTTPS or HTTPS Only for Viewer Protocol Policy. CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.
  5. Choose Yes, Edit.
  6. Confirm the following before you use the updated configuration in a production environment:
    a. The path pattern in each cache behavior applies only to the requests that you want viewers to use HTTPS for.
    b. The cache behaviors are listed in the order that you want CloudFront to evaluate them in. For more information, see Path pattern.
    c. The cache behaviors are routing requests to the origins that you changed the Origin Protocol Policy for.

From TF

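resource "aws_cloudfront_distribution" "test" {
	# Other required distribution arguments are omitted from this fragment.
	origin {
		domain_name = ""
		custom_origin_config {
			http_port              = 80
			https_port             = 443
			origin_protocol_policy = "https-only"
			# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 where the origin supports it.
			origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
		}
	}
}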

From Command Line

  1. Run the following command to extract the configuration for the selected Amazon CloudFront distribution.
aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query DistributionConfig
  2. Run the following command to describe the current version (its ETag) for the selected Amazon CloudFront distribution.
aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query ETag
  3. Change the configuration document extracted by the above command to enforce the HTTPS protocol and encrypt the traffic between the distribution server and the custom origin, i.e. OriginProtocolPolicy: https-only. Save the document with the modified configuration to a JSON file.
  4. Run the following command, using the JSON file saved in step 3, to reconfigure the selected Amazon CloudFront distribution and enable HTTPS-only for the selected origin.
aws cloudfront update-distribution --id DISTRIBUTION_ID --if-match PUT_VALUE --distribution-config file://JSON_FILE_PATH
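
Step 3 of the command-line procedure is a manual edit of the configuration document. The following is an added example, not CloudGuard's or AWS's own code, that lists the custom origins not set to https-only and produces the corrected document. The sample configuration, its origin IDs and its domain names are constructed placeholders, and the function names are hypothetical.

```python
import copy
import json

# Constructed sample in the shape of the DistributionConfig document returned by
# `aws cloudfront get-distribution-config`; IDs and domain names are placeholders.
SAMPLE_CONFIG = {
    "Origins": {
        "Quantity": 3,
        "Items": [
            {"Id": "app", "DomainName": "app.example.com",
             "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                    "OriginProtocolPolicy": "http-only"}},
            {"Id": "api", "DomainName": "api.example.com",
             "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                    "OriginProtocolPolicy": "match-viewer"}},
            {"Id": "assets", "DomainName": "assets.s3.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""}},
        ],
    },
}


def non_compliant_origins(config):
    """Return (origin Id, current policy) for custom origins not set to https-only."""
    findings = []
    for origin in (config.get("Origins", {}).get("Items") or []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:  # S3 origins are outside the scope of this rule
            continue
        policy = custom.get("OriginProtocolPolicy")
        if policy != "https-only":
            findings.append((origin.get("Id"), policy))
    return findings


def enforce_https_only(config):
    """Return a copy of config with every custom origin set to https-only."""
    fixed = copy.deepcopy(config)
    for origin in (fixed.get("Origins", {}).get("Items") or []):
        if origin.get("CustomOriginConfig") is not None:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    return fixed


if __name__ == "__main__":
    for origin_id, policy in non_compliant_origins(SAMPLE_CONFIG):
        print(f"{origin_id}: OriginProtocolPolicy={policy}")
    # This JSON is the document to save and pass to update-distribution.
    print(json.dumps(enforce_https_only(SAMPLE_CONFIG), indent=2))
```

Origins set to match-viewer are reported as well, because only https-only guarantees an encrypted connection to the origin regardless of the viewer's protocol.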



Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

  • AWS CSA CCM v.3.0.1
  • AWS CSA CCM v.4.0.1
  • AWS CloudGuard Best Practices
  • AWS CloudGuard CheckUp
  • AWS CloudGuard SOC2 based on AICPA TSC 2017
  • AWS CloudGuard Well Architected Framework
  • AWS HITRUST v11.0.0
  • AWS ISO 27001:2013
  • AWS ISO27001:2022
  • AWS ITSG-33
  • AWS MAS TRM Framework
  • AWS MITRE ATT&CK Framework v10
  • AWS MITRE ATT&CK Framework v11.3
  • AWS NIST 800-171
  • AWS NIST 800-53 Rev 4
  • AWS NIST 800-53 Rev 5
  • AWS NIST CSF v1.1
  • AWS PCI-DSS 3.2
  • AWS PCI-DSS 4.0
  • CloudGuard AWS All Rules Ruleset