Risk Level: High
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.CRY.42
Covered by Spectral: Yes
Category: Networking & Content Delivery

GSL LOGIC

CloudFront should have distributionConfig.cacheBehaviors.items contain [ viewerProtocolPolicy='https-only' or viewerProtocolPolicy='redirect-to-https']

REMEDIATION

From Portal

Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/.
In the top pane of the CloudFront console, choose the ID for the distribution that you want to update.
On the Behaviors tab, choose the cache behavior that you want to update, and then choose Edit.
Specify one of the following values for Viewer Protocol Policy:
a. Redirect HTTP to HTTPS or
b. HTTPS Only
Choose Yes, Edit.

From TF

resource "aws_cloudfront_distribution" "test" {
	origin {
		...
	}
	default_cache_behavior {
		...
	}
	restrictions {
		geo_restriction {
			restriction_type = "whitelist"
			locations        = ["US", "CA", "GB", "DE"]
		}
	}
	+   viewer_certificate {
		+   cloudfront_default_certificate = false
		+   minimum_protocol_version = "TLSv1.2_2019"
		+   viewer_protocol_policy = "https-only" # OR "redirect-to-https"
	+ }
}

From Command Line
To add a policy to encrypt the data in transit, run:

aws cloudfront update-distribution --id CLOUDFRONT_ID --distribution-config file://policy.json

References

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

AWS CSA CCM v.4.0.1
AWS CloudGuard Best Practices
AWS CloudGuard SOC2 based on AICPA TSC 2017
AWS HITRUST
AWS HITRUST v11.0.0
AWS ISO27001:2022
AWS ITSG-33
AWS MITRE ATT&CK Framework v10
AWS MITRE ATT&CK Framework v11.3
AWS NIST 800-53 Rev 5
AWS PCI-DSS 4.0
CloudGuard AWS All Rules Ruleset