Risk Level: High
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.CRY.17
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

CloudFront where not distributionConfig.origins.items with [ s3OriginConfig] should have distributionConfig.origins.items with [ customOriginConfig.originProtocolPolicy='https-only' ]or distributionConfig.defaultCacheBehavior.viewerProtocolPolicy='redirect-to-https' or distributionConfig.defaultCacheBehavior.viewerProtocolPolicy='https-only'

REMEDIATION

From Portal
Use following steps to configure HTTPS between CloudFront and your custom origin

Sign in to the AWS Management Console and open the CloudFront console.
In the top pane of the CloudFront console, choose the ID for the distribution that you want to update.
On the Origins tab, choose the origin that you want to update, and then choose Edit.
Update the following settings:
Origin Protocol Policy - Change the Origin Protocol Policy for the applicable origins in your distribution:
a. HTTPS Only - CloudFront uses only HTTPS to communicate with your custom origin.
b. Match Viewer - CloudFront communicates with your custom origin using HTTP or HTTPS, depending on the protocol of the viewer request. For example, if you choose Match Viewer for Origin Protocol Policy and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin.

Note: Choose Match Viewer only if you specify Redirect HTTP to HTTPS or HTTPS Only for Viewer Protocol Policy. CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.
5. Choose Yes, Edit.
6. Confirm the following before you use the updated configuration in a production environment:
a. The path pattern in each cache behavior applies only to the requests that you want viewers to use HTTPS for.
b. The cache behaviors are listed in the order that you want CloudFront to evaluate them in. For more information, see Path pattern.
c. The cache behaviors are routing requests to the origins that you changed the Origin Protocol Policy for.

From TF

resource "aws_cloudfront_distribution" "test" {
	domain_name = "something.example.com"
	custom_origin_config = {
		http_port              = 80
		https_port             = 443
		origin_protocol_policy = "https-only"
		origin_ssl_protocols   = ["TLSv1", "TLSv1.1", "TLSv1.2"]
	}
}

From Command Line

Run following command to extract the configuration for selected Amazon CloudFront distribution.

aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query DISTRIBUTION_CONFIG

Run following command to describe the current version for selected Amazon CloudFront distribution

aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query DISTRIBUTION_CONFIG

Change the configuration document extracted from above command to enforce the HTTPS protocol and encrypt the traffic between the distribution server and the custom origin i.e OriginProtocolPolicy: https-only. Save the document with the modified configuration to a JSON file.
Run following command using json file saved in step 3 to reconfigure the selected Amazon CloudFront distribution in order to enable HTTPS-only for the selected origin.

aws cloudfront update-distribution --id DISTRIBUTION_ID --if-match PUT_VALUE --distribution-config JSON_FILE_PATH

References

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

AWS CSA CCM v.3.0.1
AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard CheckUp
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS CloudGuard Well Architected Framework
AWS HIPAA
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO 27001:2013
AWS ISO27001:2022
AWS ITSG-33
AWS MAS TRM Framework
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-171
AWS NIST 800-53 Rev 4
AWS NIST 800-53 Rev 5
AWS NIST CSF v1.1
AWS PCI-DSS 3.2
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset