
Missing S3 Bucket

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk Level: High (not acceptable risk)

Ensure that your Amazon CloudFront distributions point to existent S3 origins (S3 buckets) in order to function correctly, provide a positive user experience, and avoid unnecessary errors and costs.

This rule can help you work with the AWS Well-Architected Framework.

Security
Reliability

By ensuring that the S3 bucket behind your CloudFront distribution exists, you preserve the availability, performance, integrity, and monitoring capabilities of your Content Delivery Network (CDN): Amazon CloudFront can retrieve, cache, and deliver your content as intended, which improves the overall user experience on your website or web application. The check matters for security as well as reliability, because S3 bucket names are global and a name that has been released is no longer under your account's control, so a distribution should never be left pointing at a bucket that no longer exists.


Audit

To determine if your Amazon CloudFront distributions are pointing to existent S3 origins (S3 buckets), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

03 In the left navigation panel, under CloudFront, choose Distributions.

04 Click on the ID (link) of the Amazon CloudFront distribution that you want to examine.

05 Select the Origins tab to access the origins created for the selected distribution.

06 Choose the S3 origin that you want to examine and copy the name of the S3 bucket used for distribution origin from the Origin domain column. The origin name has the following format: [bucket-name].s3.us-east-1.amazonaws.com, where [bucket-name] is the name of the S3 bucket used for the origin.

07 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

08 Paste the name of the S3 bucket copied at step no. 6 in the Find buckets by name search box and press Enter. If no results are returned, the S3 bucket used for the distribution origin is no longer available in your AWS cloud account, therefore the selected Amazon CloudFront distribution points to a non-existent S3 origin.

09 Repeat steps no. 6 – 8 for each S3 origin created for the selected Amazon CloudFront distribution.

10 Repeat steps no. 4 – 9 for each CloudFront distribution available within your AWS cloud account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon CloudFront distribution created in your AWS cloud account:

aws cloudfront list-distributions \
  --output table \
  --query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested distribution ID(s):

--------------------
|ListDistributions |
+------------------+
|  AAAABBBBCCCCDD  |
|  ABCDABCDABCDAB  |
|  AABBCCDDAABBCC  |
+------------------+

03 Run get-distribution-config command (OSX/Linux/UNIX) using the ID of the Amazon CloudFront distribution that you want to examine as the identifier parameter and custom filtering to describe the domain name of each origin configured for the selected distribution. Domain names that end with .s3.us-east-1.amazonaws.com are used for S3 origins:

aws cloudfront get-distribution-config \
  --id AAAABBBBCCCCDD \
  --query 'DistributionConfig.Origins.Items[*].DomainName'

04 The command output should return the domain name(s) used for distribution origin(s). The domain name of an S3 origin has the following format: [bucket-name].s3.us-east-1.amazonaws.com, where [bucket-name] is the name of the S3 bucket used for the origin:

[
	"trendmicro.com.s3.us-east-1.amazonaws.com"
]

05 Run list-buckets command (OSX/Linux/UNIX) using custom query filters to list the names of all Amazon S3 buckets available in your AWS cloud account:

aws s3api list-buckets \
  --query 'Buckets[*].Name'

06 The command output should return an array with the requested bucket names:

[
	"cc-internal-data",
	"cc-project5-logs"
]

If the name of the S3 bucket returned at step no. 4 is not included in the list of buckets returned at step no. 6, the S3 bucket used for the distribution origin is no longer available in your AWS cloud account, therefore the selected Amazon CloudFront distribution points to a non-existent S3 origin.

07 Repeat steps no. 3 – 6 for each CloudFront distribution deployed within your AWS cloud account.
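The comparison performed in steps 3 to 6 can be automated once the CLI outputs are saved. The following Python is an added example, not Conformity's own code: it derives the bucket name from each origin domain and reports every S3 origin whose bucket is absent from the account's bucket list, ignoring custom (non-S3) origins. It goes beyond the regional form shown above and also recognizes the legacy global, dual-stack and static-website S3 endpoints. The distribution IDs, origin domains and bucket names are constructed sample data mirroring the outputs shown in steps 02, 04 and 06; in practice the input comes from aws cloudfront get-distribution-config and aws s3api list-buckets.

```python
"""Offline check that every S3 origin of a CloudFront distribution still has a bucket.

Added example, not Conformity's own code. Input shapes mirror the AWS CLI outputs
shown in the audit steps: origin domain names per distribution and the account's
bucket names; the sample values below are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Hostname forms CloudFront accepts for an S3 origin. The page shows the regional
# REST form <bucket>.s3.us-east-1.amazonaws.com; the legacy global form
# (<bucket>.s3.amazonaws.com), the dual-stack form and the static-website
# endpoints (s3-website-<region> / s3-website.<region>) are covered as well.
_S3_ORIGIN = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.\-]{1,61}[a-z0-9])\."
    r"s3(?:-website)?"
    r"(?:[.-](?:dualstack\.)?[a-z]{2}(?:-gov)?-[a-z]+-\d)?"
    r"\.amazonaws\.com$"
)


def bucket_from_origin_domain(domain: str) -> Optional[str]:
    """Return the bucket name behind an S3 origin domain, or None for a custom origin."""
    match = _S3_ORIGIN.match(domain.strip().lower())
    return match.group("bucket") if match else None


def origin_domains(distribution_config: dict) -> List[str]:
    """Pull the origin domain names out of a get-distribution-config document."""
    return [o["DomainName"] for o in distribution_config["Origins"]["Items"]]


def find_missing_s3_origins(
    origins_by_distribution: Dict[str, Iterable[str]],
    existing_buckets: Iterable[str],
) -> List[Tuple[str, str, str]]:
    """Return (distribution_id, origin_domain, bucket) for every S3 origin whose
    bucket is not in the account's bucket list. Custom origins are skipped."""
    buckets = set(existing_buckets)
    findings = []
    for dist_id, domains in origins_by_distribution.items():
        for domain in domains:
            bucket = bucket_from_origin_domain(domain)
            if bucket is not None and bucket not in buckets:
                findings.append((dist_id, domain, bucket))
    return findings


# Constructed sample data shaped like the outputs of steps 02, 04 and 06.
SAMPLE_ORIGINS = {
    "AAAABBBBCCCCDD": ["trendmicro.com.s3.us-east-1.amazonaws.com"],
    "ABCDABCDABCDAB": ["cc-project5-logs.s3.amazonaws.com", "api.example.com"],
    "AABBCCDDAABBCC": ["cc-internal-data.s3-website-us-east-1.amazonaws.com"],
}
SAMPLE_BUCKETS = ["cc-internal-data", "cc-project5-logs"]


if __name__ == "__main__":
    for dist_id, domain, bucket in find_missing_s3_origins(SAMPLE_ORIGINS, SAMPLE_BUCKETS):
        print(f"{dist_id}: origin {domain} -> bucket '{bucket}' not found in this account")
```

One caveat the bucket-list comparison cannot resolve: list-buckets only shows buckets owned by your account, so a bucket that is missing here may still exist under someone else's account. A finding therefore means "not ours any more", which is exactly why the origin needs to be moved to a bucket you own.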

Remediation / Resolution

To ensure that your Amazon CloudFront distributions point to existent S3 origins (S3 buckets), perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon S3 console at https://console.aws.amazon.com/s3/.

03 Choose Create bucket from the console top menu to create a new Amazon S3 bucket.

04 On the Create bucket setup page, perform the following actions:

  1. For Bucket name, provide the appropriate bucket name.
  2. For AWS Region, select the AWS cloud region where the new S3 bucket will be created.
  3. For Object Ownership, choose ACLs disabled (recommended).
  4. For Block Public Access settings for this bucket, select Block all public access to ensure that all public access to the new bucket and its objects is blocked.
  5. For Bucket Versioning, choose whether or not to enable bucket versioning for your bucket.
  6. (Optional) For Tags, use the Add tag button to create and apply user-defined tags to the new S3 bucket. You can track storage cost and other criteria by tagging your bucket.
  7. For Default encryption, choose Server-side encryption with AWS Key Management Service keys (SSE-KMS) to encrypt your S3 objects with a key protected by AWS KMS. If you choose this option, you must select a KMS key from the AWS KMS key section.
  8. For Advanced settings, choose whether or not to enable Object Lock feature. Enabling Object Lock automatically enables bucket versioning.
  9. Choose Create bucket to create your new, compliant Amazon S3 bucket.

05 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

06 In the left navigation panel, under CloudFront, choose Distributions.

07 Click on the ID (link) of the Amazon CloudFront distribution that you want to configure.

08 Select the Origins tab to access the origins created for the selected distribution.

09 Select the S3 origin that you want to reconfigure from the Origins section and choose Edit.

10 Click inside the Origin domain box and select the name of your new S3 bucket, listed under Amazon S3.

11 Configure the origin settings based on your application needs, then choose Save changes to apply the changes.

12 Repeat steps no. 3 – 11 for each Amazon CloudFront distribution available in your AWS cloud account.

Using AWS CLI

01 Run create-bucket command (OSX/Linux/UNIX) to create the compliant Amazon S3 bucket that will serve as S3 origin for your CloudFront distribution:

aws s3api create-bucket \
  --region us-east-1 \
  --bucket trendmicro.com \
  --acl private

02 The command output should return the name of the newly created S3 bucket:

{
	"Location": "/trendmicro.com"
}

03 Run put-public-access-block command (OSX/Linux/UNIX) to enable the S3 Public Access Block feature for the new Amazon S3 bucket (the command should not produce an output):

aws s3api put-public-access-block \
  --region us-east-1 \
  --bucket trendmicro.com \
  --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

04 Run get-distribution-config command (OSX/Linux/UNIX) to extract all the configuration information from the Amazon CloudFront distribution that you want to configure:

aws cloudfront get-distribution-config \
  --id ABCDABCDABCDAB \
  --query 'DistributionConfig'

05 The command output should return the requested configuration information:

{
	"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "trendmicro.com",
				"DomainName": "trendmicro.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"CustomOriginConfig": {
					"HTTPPort": 80,
					"HTTPSPort": 443,
					"OriginProtocolPolicy": "https-only",
					"OriginSslProtocols": {
						"Quantity": 1,
						"Items": [
							"TLSv1.2"
						]
					},
					"OriginReadTimeout": 30,
					"OriginKeepaliveTimeout": 5
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				}
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "trendmicro.com",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "allow-all",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "",
		"ForwardedValues": {
			"QueryString": false,
			"Cookies": {
				"Forward": "none"
			},
			"Headers": {
				"Quantity": 0
			},
			"QueryStringCacheKeys": {
				"Quantity": 0
			}
		},
		"MinTTL": 0,
		"DefaultTTL": 86400,
		"MaxTTL": 31536000
	},
	"CacheBehaviors": {
		"Quantity": 1,
		"Items": [
			{
				"PathPattern": "/images",
				"TargetOriginId": "trendmicro.com",
				"TrustedSigners": {
					"Enabled": false,
					"Quantity": 0
				},
				"TrustedKeyGroups": {
					"Enabled": false,
					"Quantity": 0
				},
				"ViewerProtocolPolicy": "allow-all",
				"AllowedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					],
					"CachedMethods": {
						"Quantity": 2,
						"Items": [
							"HEAD",
							"GET"
						]
					}
				},
				"SmoothStreaming": false,
				"Compress": true,
				"LambdaFunctionAssociations": {
					"Quantity": 0
				},
				"FunctionAssociations": {
					"Quantity": 0
				},
				"FieldLevelEncryptionId": "",
				"ForwardedValues": {
					"QueryString": false,
					"Cookies": {
						"Forward": "none"
					},
					"Headers": {
						"Quantity": 0
					},
					"QueryStringCacheKeys": {
						"Quantity": 0
					}
				},
				"MinTTL": 0,
				"DefaultTTL": 86400,
				"MaxTTL": 31536000
			}
		]
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": false,
		"IncludeCookies": false,
		"Bucket": "",
		"Prefix": ""
	},
	"PriceClass": "PriceClass_100",
	"Enabled": true,
	"ViewerCertificate": {
		"CloudFrontDefaultCertificate": false,
		"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"SSLSupportMethod": "sni-only",
		"MinimumProtocolVersion": "TLSv1.2_2021",
		"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"CertificateSource": "acm"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"AliasICPRecordals": [
		{
			"CNAME": "trendmicro.com",
			"ICPRecordalStatus": "APPROVED"
		}
	],
	"WebACLId": "",
	"HttpVersion": "http1.1",
	"IsIPV6Enabled": false
}

06 Run get-distribution-config command (OSX/Linux/UNIX) to describe the current version of the configuration available for the selected distribution (i.e. ETag):

aws cloudfront get-distribution-config \
  --id ABCDABCDABCDAB \
  --query 'ETag'

07 The command output should return the requested information:

"AAAABBBBCCCCD"

08 Modify the configuration document returned at step no. 5 so that the origin points to the new S3 bucket and every cache behavior's TargetOriginId still references a valid origin Id. Save the document with the modified distribution configuration to a JSON file named s3-origin-config.json:

{
	"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "index.html",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "new-trendmicro.com",
				"DomainName": "trendmicro.com.s3.us-east-1.amazonaws.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"S3OriginConfig": {
					"OriginAccessIdentity": ""
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				}
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "new-trendmicro.com",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "allow-all",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "",
		"ForwardedValues": {
			"QueryString": false,
			"Cookies": {
				"Forward": "none"
			},
			"Headers": {
				"Quantity": 0
			},
			"QueryStringCacheKeys": {
				"Quantity": 0
			}
		},
		"MinTTL": 0,
		"DefaultTTL": 86400,
		"MaxTTL": 31536000
	},
	"CacheBehaviors": {
		"Quantity": 1,
		"Items": [
			{
				"PathPattern": "/images",
				"TargetOriginId": "new-trendmicro.com",
				"TrustedSigners": {
					"Enabled": false,
					"Quantity": 0
				},
				"TrustedKeyGroups": {
					"Enabled": false,
					"Quantity": 0
				},
				"ViewerProtocolPolicy": "allow-all",
				"AllowedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					],
					"CachedMethods": {
						"Quantity": 2,
						"Items": [
							"HEAD",
							"GET"
						]
					}
				},
				"SmoothStreaming": false,
				"Compress": true,
				"LambdaFunctionAssociations": {
					"Quantity": 0
				},
				"FunctionAssociations": {
					"Quantity": 0
				},
				"FieldLevelEncryptionId": "",
				"ForwardedValues": {
					"QueryString": false,
					"Cookies": {
						"Forward": "none"
					},
					"Headers": {
						"Quantity": 0
					},
					"QueryStringCacheKeys": {
						"Quantity": 0
					}
				},
				"MinTTL": 0,
				"DefaultTTL": 86400,
				"MaxTTL": 31536000
			}
		]
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": false,
		"IncludeCookies": false,
		"Bucket": "",
		"Prefix": ""
	},
	"PriceClass": "PriceClass_100",
	"Enabled": true,
	"ViewerCertificate": {
		"CloudFrontDefaultCertificate": false,
		"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"SSLSupportMethod": "sni-only",
		"MinimumProtocolVersion": "TLSv1.2_2021",
		"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"CertificateSource": "acm"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"WebACLId": "",
	"HttpVersion": "http1.1",
	"IsIPV6Enabled": false
}

09 Run update-distribution command (OSX/Linux/UNIX) using the document modified at the previous step (i.e. s3-origin-config.json) as the new distribution configuration document, to ensure that the selected Amazon CloudFront distribution points to an existing S3 origin. The --if-match parameter carries the current version (ETag) of the configuration, returned at step no. 7:

aws cloudfront update-distribution \
  --id ABCDABCDABCDAB \
  --if-match AAAABBBBCCCCD \
  --distribution-config file://s3-origin-config.json \
  --query 'Distribution.Status'

10 The command output should return the status of the modified CloudFront distribution:

"InProgress"

11 Repeat steps no. 1 – 10 for each Amazon CloudFront distribution deployed within your AWS cloud account.
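The edit described in steps 08 and 09 is easy to get wrong by hand: if the origin's Id changes but a cache behavior's TargetOriginId does not follow, update-distribution rejects the document. The following Python is an added example, not Conformity's own code. It rewrites one origin of a DistributionConfig into an S3 origin for a given bucket and region, renames the origin when asked, keeps every TargetOriginId in step, and refuses to serialize a document that still contains dangling references. The configuration it runs on is a constructed, trimmed version of the document shown in step 05, reusing the page's sample bucket name, region and origin IDs.

```python
"""Rewrite a CloudFront DistributionConfig so that an origin points at an S3 bucket.

Added example, not Conformity's own code. SAMPLE_CONFIG is a constructed, trimmed
version of the document shown in step 05 of the remediation procedure.
"""
import copy
import json
from typing import Iterator, List, Optional


def s3_origin_domain(bucket: str, region: str) -> str:
    """Regional S3 REST endpoint, the form the page uses for S3 origins."""
    return f"{bucket}.s3.{region}.amazonaws.com"


def cache_behaviors(config: dict) -> Iterator[dict]:
    """Default cache behavior followed by every path-pattern behavior."""
    yield config["DefaultCacheBehavior"]
    yield from config.get("CacheBehaviors", {}).get("Items", [])


def dangling_target_origins(config: dict) -> List[str]:
    """TargetOriginIds that reference no origin; update-distribution rejects these."""
    origin_ids = {o["Id"] for o in config["Origins"]["Items"]}
    return [b["TargetOriginId"] for b in cache_behaviors(config)
            if b["TargetOriginId"] not in origin_ids]


def point_origin_at_bucket(config: dict, origin_id: str, bucket: str, region: str,
                           new_origin_id: Optional[str] = None) -> dict:
    """Return a copy of config in which origin `origin_id` is an S3 origin for `bucket`.

    If new_origin_id is given the origin is renamed and every cache behavior that
    targeted the old Id is updated, so the document stays internally consistent.
    """
    updated = copy.deepcopy(config)
    origin = next((o for o in updated["Origins"]["Items"] if o["Id"] == origin_id), None)
    if origin is None:
        raise KeyError(f"distribution has no origin with Id {origin_id!r}")
    origin["DomainName"] = s3_origin_domain(bucket, region)
    # An S3 origin is declared through S3OriginConfig; the custom-origin settings
    # (ports, protocol policy, SSL protocols) do not apply to it.
    origin.pop("CustomOriginConfig", None)
    origin["S3OriginConfig"] = {"OriginAccessIdentity": ""}
    if new_origin_id and new_origin_id != origin_id:
        origin["Id"] = new_origin_id
        for behavior in cache_behaviors(updated):
            if behavior["TargetOriginId"] == origin_id:
                behavior["TargetOriginId"] = new_origin_id
    return updated


def to_update_document(config: dict) -> str:
    """Serialize for --distribution-config file://..., refusing inconsistent input."""
    dangling = dangling_target_origins(config)
    if dangling:
        raise ValueError(f"cache behaviors target unknown origin Id(s): {dangling}")
    return json.dumps(config, indent=2)


# Constructed sample: the parts of the page's step 05 document that matter here.
SAMPLE_CONFIG = {
    "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "trendmicro.com",
        "DomainName": "trendmicro.com",
        "OriginPath": "",
        "CustomHeaders": {"Quantity": 0},
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "https-only"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "trendmicro.com",
                             "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/images", "TargetOriginId": "trendmicro.com"}]},
    "Enabled": True,
}


if __name__ == "__main__":
    fixed = point_origin_at_bucket(SAMPLE_CONFIG, "trendmicro.com", "trendmicro.com",
                                   "us-east-1", new_origin_id="new-trendmicro.com")
    print(to_update_document(fixed))
```

Write the printed document to s3-origin-config.json and pass it to update-distribution as in step 09. Because the bucket created in steps 01 and 03 blocks all public access, CloudFront must still be granted read access to it separately; that permission is outside the scope of this rule.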


Publication date Aug 31, 2023
