Ensure that the Viewer Protocol policy is compliant to only use the HTTPS protocol
Ensure that for web distributions, CloudFront is configured to require that viewers use HTTPS to request your objects, so that connections are encrypted when CloudFront communicates with viewers. This enables data in transit encryption and the application viewers cannot be decrypted by malicious users in case they are able to intercept packets sent across the CDN distribution network.
Risk Level: High
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.CRY.42
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
CloudFront should have distributionConfig.cacheBehaviors.items contain [ viewerProtocolPolicy='https-only' or viewerProtocolPolicy='redirect-to-https']
REMEDIATION
From Portal
- Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/.
- In the top pane of the CloudFront console, choose the ID for the distribution that you want to update.
- On the Behaviors tab, choose the cache behavior that you want to update, and then choose Edit.
- Specify one of the following values for Viewer Protocol Policy:
a. Redirect HTTP to HTTPS or
b. HTTPS Only - Choose Yes, Edit.
From TF
resource "aws_cloudfront_distribution" "test" {
origin {
...
}
default_cache_behavior {
...
}
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}
+ viewer_certificate {
+ cloudfront_default_certificate = false
+ minimum_protocol_version = "TLSv1.2_2019"
+ viewer_protocol_policy = "https-only" # OR "redirect-to-https"
+ }
}
From Command Line
To add a policy to encrypt the data in transit , run:
aws cloudfront update-distribution --id CLOUDFRONT_ID --distribution-config file://policy.json
References
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-defaultcachebehavior.html
Amazon CloudFront
Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.
Compliance Frameworks
- AWS CSA CCM v.4.0.1
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- AWS PCI-DSS 4.0
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago