CloudFront distributions should require encryption in transit

HTTPS (TLS) can be used to help prevent potential attackers from using person-in-the-middle or similar attacks to eavesdrop on or manipulate network traffic. Only encrypted connections over HTTPS (TLS) should be allowed. Encrypting data in transit can affect performance. You should test your application with this feature to understand the performance profile and the impact of TLS.

Risk Level: Medium
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.CRY.78
Covered by Spectral: No
Category: Networking & Content Delivery

GSL LOGIC

CloudFront should have distributionConfig.cacheBehaviors.items contain-none [ viewerProtocolPolicy='allow-all' ] and distributionConfig.defaultCacheBehavior.viewerProtocolPolicy!='allow-all'

REMEDIATION

From Portal

  1. Sign in to the AWS Management Console.
  2. Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.
  3. In the left navigation panel, click Distributions.
  4. On the CloudFront Distributions page, under the main menu, select Web and Enabled from the Viewing dropdown menus to list all active web distributions available within your AWS account.
  5. Select the web distribution that you want to reconfigure.
  6. Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.
  7. Choose the Behaviors tab and select the distribution default behavior.
  8. Click the Edit button to access the behavior configuration settings.
  9. On the Edit Behavior page, under Default Cache Behavior Settings, perform one of the following actions to enforce encryption for your web content:
    a. Set the Viewer Protocol Policy configuration attribute to Redirect HTTP to HTTPS so that any HTTP requests are automatically redirected to HTTPS requests. Click Yes, Edit to apply the changes.
    b. Set the Viewer Protocol Policy attribute to HTTPS Only so that your application viewers can only access your web content using HTTPS. Choosing this option will drop any HTTP traffic between edge servers and viewers. Click Yes, Edit to apply the configuration changes.

From Command Line
Run the following command to update the configuration of the selected Amazon CloudFront CDN distribution so that encryption is enforced. The command updates the web distribution using a JSON configuration document named example-encryption.json; the document is the distribution's current configuration (as returned by get-distribution-config) with every viewer protocol policy of allow-all changed to redirect-to-https or https-only, and the --if-match value is the ETag returned with that configuration.

aws cloudfront update-distribution --id Example_ID --distribution-config file://example-encryption.json --if-match ETag_header_value
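The check the GSL logic expresses, and the edit that produces example-encryption.json, as an added example that is not CloudGuard's or AWS's own code. It works on the PascalCase field names of the AWS API response (the GSL uses CloudGuard's camelCase model), and the response below is a constructed, trimmed sample.

```python
import json

# Constructed sample of an `aws cloudfront get-distribution-config` response, trimmed to the fields this rule inspects.
SAMPLE_RESPONSE = {
    "ETag": "EXAMPLE_ETAG_VALUE",
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Enabled": True,
        "DefaultCacheBehavior": {"TargetOriginId": "origin-1",
                                 "ViewerProtocolPolicy": "allow-all"},
        "CacheBehaviors": {
            "Quantity": 2,
            "Items": [
                {"PathPattern": "/api/*", "TargetOriginId": "origin-1",
                 "ViewerProtocolPolicy": "https-only"},
                {"PathPattern": "/static/*", "TargetOriginId": "origin-1",
                 "ViewerProtocolPolicy": "allow-all"},
            ],
        },
    },
}

def find_violations(distribution_config):
    """Return the behaviors that still accept plain HTTP ('allow-all').

    Mirrors the GSL logic: DefaultCacheBehavior and every entry of
    CacheBehaviors.Items must not use ViewerProtocolPolicy 'allow-all'.
    Items is absent when Quantity is 0, hence the .get() defaults.
    """
    violations = []
    default = distribution_config["DefaultCacheBehavior"]
    if default.get("ViewerProtocolPolicy") == "allow-all":
        violations.append("DefaultCacheBehavior")
    for behavior in distribution_config.get("CacheBehaviors", {}).get("Items", []):
        if behavior.get("ViewerProtocolPolicy") == "allow-all":
            violations.append(behavior["PathPattern"])
    return violations

def enforce_https(distribution_config, policy="redirect-to-https"):
    """Return a copy with every 'allow-all' behavior switched to `policy`
    ('redirect-to-https' or 'https-only'); this is the document to save as
    example-encryption.json for `update-distribution --if-match <ETag>`."""
    fixed = json.loads(json.dumps(distribution_config))  # deep copy, original untouched
    behaviors = [fixed["DefaultCacheBehavior"]]
    behaviors += fixed.get("CacheBehaviors", {}).get("Items", [])
    for behavior in behaviors:
        if behavior.get("ViewerProtocolPolicy") == "allow-all":
            behavior["ViewerProtocolPolicy"] = policy
    return fixed
```

Write the dictionary returned by enforce_https to example-encryption.json and pass SAMPLE_RESPONSE["ETag"] (the real ETag in practice) as the --if-match value of the update-distribution command above.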

References

  1. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html
  2. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
  3. https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html

Amazon CloudFront

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.

Compliance Frameworks

  • AWS CloudGuard Best Practices
  • AWS ISO27001:2022
  • AWS NIST 800-53 Rev 5
  • CloudGuard AWS All Rules Ruleset