CloudFront distributions should encrypt traffic to custom origins
HTTPS (TLS) can be used to help prevent eavesdropping or manipulation of network traffic. Only encrypted connections over HTTPS (TLS) should be allowed.
Risk Level: Medium
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.CRY.79
Covered by Spectral: No
Category: Networking & Content Delivery
GSL LOGIC
CloudFront where distributionConfig.origins.items contain [ customOriginConfig ] should have distributionConfig.origins.items contain-none [ customOriginConfig.originProtocolPolicy='http-only' ] and distributionConfig.origins.items contain-none [ viewerProtocolPolicy='allow-all' and customOriginConfig.originProtocolPolicy='match-viewer' ]
REMEDIATION
From Portal
- Sign in to the AWS Management Console.
- Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.
- In the left navigation panel, under CloudFront, choose Distributions.
- Click on the name of the CloudFront distribution that you want to reconfigure.
- Select the Origins tab to access the origins created for the selected distribution.
- Select the custom distribution origin that you want to reconfigure and choose Edit.
- On the Edit origin page, select HTTPS only under Protocol to enforce HTTPS and encrypt the traffic between the CloudFront distribution edge servers and the selected origin. Choose Save changes to apply the configuration changes.
From Command Line
- Run following command to extract the configuration information from your Amazon CloudFront Distributions.
aws cloudfront get-distribution-config --id Distribution_ID --query 'DistributionConfig'
- Run following command to describe the current version of the configuration available for the selected distributions.
aws cloudfront get-distribution-config --id Distribution_ID --query 'ETag'
- Modify the configuration document returned at previous step to enforce the HTTPS protocol (OriginProtocolPolicy: https-only,) and encrypt the traffic between the distribution edge servers and the custom origin. Save the modified distribution configuration to a JSON file.
- Run following command using the json file modified at the previous step to reconfigure the selected Amazon CloudFront distribution in order to enable HTTPS-only for the specified origin.
aws cloudfront update-distribution --id Distribution_ID --if-match ETag_header_value --distribution-config file://example.json --query 'Distribution.Status'
References
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/get-distribution-config.html
- https://awscli.amazonaws.com/v2/documentation/api/latest/reference/cloudfront/update-distribution.html
Amazon CloudFront
Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS ISO27001:2022
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago