
CloudFront In Use

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CF-001

Ensure that the Amazon CloudFront Content Delivery Network (CDN) service is used within your AWS account to secure and accelerate the delivery of your web content, media files, or static resources (e.g., CSS files, Javascript files, image files) handled by your websites/web applications.

This rule can help you with the following compliance standards:

  • HIPAA
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

  • Security
  • Performance efficiency

Using the Amazon CloudFront CDN service can have a significant impact on the performance, security, reliability, and availability of your web content delivery process. CloudFront has several advantages over other Content Delivery Network (CDN) providers:

  • Fast – using a global network of 200+ edge locations, CloudFront caches and delivers copies of your static content close to users with minimal latency.
  • Secure – enforces HTTPS connections between the service edge locations and your origin server, and can be integrated with AWS WAF (a web application firewall service made available by Amazon to protect web applications against common attacks).
  • Highly available – engineered for HA and built on top of Amazon's highly reliable infrastructure.
  • Easy to use – you can manage CloudFront distributions with just a few clicks using the AWS Management Console or programmatically via the AWS API.
  • Cost effective – you only pay for the web content delivered through the CDN network (pay-as-you-go price plan).
  • Easily integrated with other AWS cloud components such as EC2, S3, and WAF.


Audit

To determine if the Amazon CloudFront service is used as Content Delivery Network (CDN) within your AWS account, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

03 In the left navigation panel, under CloudFront, choose Distributions. A distribution is an Amazon CloudFront service instance that enables you to deliver web content through a worldwide network of cache servers that provide low latency and high data transfer speeds. If there are no distributions listed on the Distributions page, the Amazon CloudFront Content Delivery Network (CDN) service is not used within your AWS cloud account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the identifiers (IDs) of all the Amazon CloudFront distributions created in your AWS account:

aws cloudfront list-distributions \
  --query 'DistributionList.Items[*].Id'

02 The command output should return the requested CloudFront distribution ID(s):

null

If the list-distributions command output returns null, as shown in the example above, there are no CloudFront distributions created to deliver your web content, therefore the Amazon CloudFront Content Delivery Network (CDN) service is not used within your AWS cloud account.
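As an added example (not part of the Conformity page or its tooling), the following Python evaluates saved list-distributions output offline: it applies the CF-001 "in use" test, handles the null case described above, and also flags distributions that lack the hardening this page recommends (HTTPS enforced for viewers, HTTPS to the origin, an AWS WAF web ACL). The sample output, distribution IDs and origin names are constructed placeholders.

```python
import json

# Constructed sample shaped like `aws cloudfront list-distributions` output
# (DistributionList.Items); IDs and domains are placeholders, not real resources.
SAMPLE_OUTPUT = json.dumps({"DistributionList": {"Quantity": 2, "Items": [
    {"Id": "EXAMPLE1", "Enabled": True, "WebACLId": "",
     "Origins": {"Quantity": 1, "Items": [{"Id": "cc-cdn-origin", "DomainName": "domain.com",
                 "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]},
     "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"}},
    {"Id": "EXAMPLE2", "Enabled": True, "WebACLId": "",
     "Origins": {"Quantity": 1, "Items": [{"Id": "legacy-origin", "DomainName": "domain.com",
                 "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
     "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"}},
]}})

def _items(list_output: str) -> list:
    """Return DistributionList.Items; the CLI prints `null` for an account
    with no distributions, which json.loads turns into None."""
    data = json.loads(list_output)
    if not data:
        return []
    return data.get("DistributionList", {}).get("Items") or []

def cloudfront_in_use(list_output: str) -> bool:
    """CF-001 check: at least one enabled distribution exists."""
    return any(d.get("Enabled") for d in _items(list_output))

def hardening_findings(list_output: str) -> dict:
    """Per-distribution findings for the settings this page recommends:
    HTTPS enforced for viewers, HTTPS to the origin, a WAF web ACL attached."""
    findings = {}
    for d in _items(list_output):
        issues = []
        vpp = d.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy")
        if vpp not in ("redirect-to-https", "https-only"):
            issues.append(f"viewer protocol policy is {vpp}")
        for o in d.get("Origins", {}).get("Items") or []:
            policy = o.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
            if policy and policy != "https-only":
                issues.append(f"origin {o['Id']} connects with {policy}")
        if not d.get("WebACLId"):
            issues.append("no AWS WAF web ACL associated")
        findings[d["Id"]] = issues
    return findings

if __name__ == "__main__":
    print("CF-001 in use:", cloudfront_in_use("null"), cloudfront_in_use(SAMPLE_OUTPUT))
    for dist_id, issues in hardening_findings(SAMPLE_OUTPUT).items():
        print(dist_id, issues or ["OK"])
```

To run it against a real account, redirect `aws cloudfront list-distributions` (without the --query filter) to a file and pass its contents to the two functions.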

Remediation / Resolution

To secure and accelerate the delivery of your web content, you must create and configure Amazon CloudFront CDN distributions. To start using Amazon CloudFront by creating your own distribution, perform the following operations:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"CloudFrontDistribution": {
			"Type": "AWS::CloudFront::Distribution",
			"Properties": {
				"DistributionConfig": {
					"Enabled": true,
					"Comment": "DOMAIN.COM CloudFront CDN Distribution",
					"IsIPV6Enabled": true,
					"Origins": [
						{
							"Id": "cc-cdn-origin",
							"DomainName": "domain.com",
							"CustomOriginConfig": {
								"OriginProtocolPolicy": "https-only"
							}
						}
					],
					"DefaultRootObject": "index.html",
					"DefaultCacheBehavior": {
						"TargetOriginId": "cc-cdn-origin",
						"AllowedMethods": [
							"HEAD",
							"GET"
						],
						"Compress": true,
						"DefaultTTL": 0,
						"ForwardedValues": {
							"Cookies": {
								"Forward": "none"
							},
							"QueryString": false
						},
						"ViewerProtocolPolicy": "redirect-to-https"
					},
					"HttpVersion": "http2",
					"ViewerCertificate": {
						"CloudFrontDefaultCertificate": true
					},
					"PriceClass": "PriceClass_All"
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: DOMAIN.COM CloudFront CDN Distribution
        IsIPV6Enabled: true
        Origins:
          - Id: cc-cdn-origin
            DomainName: domain.com
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultRootObject: index.html
        DefaultCacheBehavior:
          TargetOriginId: cc-cdn-origin
          AllowedMethods:
            - HEAD
            - GET
          Compress: true
          DefaultTTL: 0
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          ViewerProtocolPolicy: redirect-to-https
        HttpVersion: http2
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
        PriceClass: PriceClass_All

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_cloudfront_distribution" "cloudfront-distribution" {

	enabled             = true
	is_ipv6_enabled     = true
	default_root_object = "index.html"
	comment             = "DOMAIN.COM CloudFront CDN Distribution"

	origin {
		domain_name = "domain.com"
		origin_id   = "cc-cdn-origin"

		# A non-S3 origin needs a custom_origin_config; keep the edge-to-origin leg on HTTPS
		custom_origin_config {
			http_port              = 80
			https_port             = 443
			origin_protocol_policy = "https-only"
			origin_ssl_protocols   = ["TLSv1.2"]
		}
	}

	default_cache_behavior {
		# Must match the origin_id declared above
		target_origin_id = "cc-cdn-origin"
		allowed_methods  = ["GET", "HEAD"]
		cached_methods   = ["GET", "HEAD"]
		forwarded_values {
			query_string = false
			cookies {
				forward = "none"
			}
		}
		min_ttl                = 0
		default_ttl            = 3600
		max_ttl                = 86400
		compress               = true
		viewer_protocol_policy = "redirect-to-https"
	}

	# The provider requires a restrictions block; "none" applies no geo restriction
	restrictions {
		geo_restriction {
			restriction_type = "none"
		}
	}

	viewer_certificate {
		cloudfront_default_certificate = true
	}

	price_class = "PriceClass_All"

	tags = {
		Environment = "Production"
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

03 In the left navigation panel, under CloudFront, choose Distributions.

04 Choose Create distribution to initiate the CloudFront distribution setup process.

05 On the Create distribution setup page, perform the following actions:

  1. For Origin, provide the following configuration information:
    • Click inside the Origin domain box and choose a distribution origin, or enter your origin's domain name. A distribution origin can be an S3 bucket, an Elastic Load Balancer, a MediaStore container, a MediaPackage container, or a web server from which you want Amazon CloudFront to get your web content.
    • For Protocol, select whether you want Amazon CloudFront to connect to your distribution origin using only HTTP, only HTTPS, or to connect by matching the protocol used by the viewer. If you enabled HTTPS for your origin, choose which SSL/TLS protocol is allowed to be used when establishing an HTTPS connection to your origin from the Minimum origin SSL protocol list. It is strongly recommended to use the latest SSL/TLS protocol supported by Amazon CloudFront.
    • (Optional) For Origin path – optional, enter a URL path to append to the origin domain name for origin requests.
    • For Name, enter a unique name for your distribution origin.
    • (Optional) For Add custom header – optional, use the Add header button to create the custom header keys and values to be included in every request made to the origin.
    • Choose Yes under Enable Origin Shield to enable and configure the Origin Shield feature.
    • (Optional) Select Additional settings if you need to change the connection settings available by default for the distribution origin.
  2. For Default cache behavior, perform the following actions:
    • Choose Yes under Compress objects automatically to enable Amazon CloudFront to automatically compress files that it receives from the distribution origin before delivering them to the viewer.
    • Under Viewer protocol policy, select one of the following options to enforce HTTPS for your distribution content:
      • Select HTTPS only so that the distribution viewers can only access your content using HTTPS. Choosing this option will drop any HTTP traffic between viewers and edge servers.
      • Choose Redirect HTTP to HTTPS so that any HTTP requests are automatically redirected to HTTPS.
    • Under Allowed HTTP methods, choose the list of HTTP(S) methods to process and forward to your distribution origin.
    • Under Restrict viewer access, choose whether or not to restrict viewer access to your CDN content. If you restrict viewer access, viewers must use Amazon CloudFront signed URLs or signed cookies to access your content.
    • For Cache key and origin requests, choose Cache policy and origin request policy (recommended), then select a managed cache policy and a managed origin request policy to control the cache key and the origin requests.
    • Choose Additional settings and enable field-level encryption and real-time logging for your new CloudFront distribution.
  3. (Optional) For Function associations – optional, choose whether to configure an edge function to associate with the distribution cache behavior, and select the CloudFront event that invokes the function. You can choose from two types of edge functions, CloudFront functions and Lambda@Edge functions. CloudFront functions are only available for viewer request and viewer response event types. With Lambda@Edge, your function code can access the body of the HTTP request.
  4. For Settings, perform the following actions:
    1. Under Price class, choose the price class associated with the maximum price that you want to pay in order to deliver your web content. For example, select Use all edge locations (best performance) to use all the edge servers made available by the Amazon CloudFront global network for minimal latency. This price class provides worldwide coverage at higher cost.
    2. (Optional) To integrate your new CloudFront distribution with Amazon WAF in order to allow or block requests based on your application requirements, select a web ACL from the AWS WAF web ACL – optional dropdown list or create a new web ACL and associate it with your distribution.
    3. (Optional) For Alternate domain name (CNAME) – optional, choose Add item, and provide your custom CNAME record (for example, media.) to use your own domain name instead of the CloudFront distribution domain name (requires configuring a CNAME record within your domain DNS setting). To add a list of alternative domain names, use the bulk editor made available by Amazon CloudFront.
    4. (Optional) Choose whether to associate a custom SSL certificate with the new distribution by selecting an existing SSL certificate from the Custom SSL certificate – optional dropdown list. If you need to purchase a new SSL certificate from the AWS Certificate Manager (ACM), choose Request certificate and follow the ACM steps to request an SSL certificate.
    5. (Optional) For Supported HTTP versions, choose to enable HTTP/2 for faster content delivery. HTTP/1.0 and HTTP/1.1 are already supported by default.
    6. (Optional) For Default root object – optional, specify a default root object (e.g., index.html) available in your origin root directory to avoid exposing the contents of your distribution.
    7. Choose On under Standard logging to enable access (standard) logging for your CDN distribution.
    8. (Optional) Select On under IPv6 to enable IPv6 support if you have viewers on IPv6 networks who want to access your distribution content.
    9. (Optional) Provide a short description for your new distribution in the Description – optional box.
    10. Choose Create distribution to deploy your new Amazon CloudFront distribution. The distribution status will change from Deploying to Enabled once the content is fully deployed.

06 If required, repeat steps no. 4 and 5 to deploy new Amazon CloudFront distributions within your AWS cloud account.

Using AWS CLI

01 To create an Amazon CloudFront distribution in order to deliver your web content, you must first define the distribution configuration in JSON format. The following example describes the configuration of an Amazon CloudFront distribution created to deliver static content for a website with the domain name "cloudconformity.com". Save the distribution configuration document to a JSON file named cloudfront-distribution-config.json:

{
	"CallerReference": "cloudconformity.com-cf-distribution-config",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "cloudconformity.com",
				"DomainName": "cloudconformity.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"CustomOriginConfig": {
					"HTTPPort": 80,
					"HTTPSPort": 443,
					"OriginProtocolPolicy": "https-only",
					"OriginSslProtocols": {
						"Quantity": 1,
						"Items": [
							"TLSv1.2"
						]
					},
					"OriginReadTimeout": 30,
					"OriginKeepaliveTimeout": 5
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				}
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "cloudconformity.com",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "allow-all",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "AB1234CD1234AB",
		"ForwardedValues": {
			"QueryString": false,
			"Cookies": {
				"Forward": "none"
			},
			"Headers": {
				"Quantity": 0
			},
			"QueryStringCacheKeys": {
				"Quantity": 0
			}
		},
		"MinTTL": 0,
		"DefaultTTL": 86400,
		"MaxTTL": 31536000
	},
	"CacheBehaviors": {
		"Quantity": 1,
		"Items": [
			{
				"PathPattern": "/images",
				"TargetOriginId": "cloudconformity.com",
				"TrustedSigners": {
					"Enabled": false,
					"Quantity": 0
				},
				"TrustedKeyGroups": {
					"Enabled": false,
					"Quantity": 0
				},
				"ViewerProtocolPolicy": "allow-all",
				"AllowedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					],
					"CachedMethods": {
						"Quantity": 2,
						"Items": [
							"HEAD",
							"GET"
						]
					}
				},
				"SmoothStreaming": false,
				"Compress": true,
				"LambdaFunctionAssociations": {
					"Quantity": 0
				},
				"FunctionAssociations": {
					"Quantity": 0
				},
				"FieldLevelEncryptionId": "AB1234CD1234AB",
				"ForwardedValues": {
					"QueryString": false,
					"Cookies": {
						"Forward": "none"
					},
					"Headers": {
						"Quantity": 0
					},
					"QueryStringCacheKeys": {
						"Quantity": 0
					}
				},
				"MinTTL": 0,
				"DefaultTTL": 86400,
				"MaxTTL": 31536000
			}
		]
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": true,
		"IncludeCookies": true,
		"Bucket": "cc-cloudfront-access-logs.s3.amazonaws.com",
		"Prefix": "cloudconformity.com"
	},
	"PriceClass": "PriceClass_100",
	"Enabled": true,
	"ViewerCertificate": {
		"CloudFrontDefaultCertificate": true,
		"MinimumProtocolVersion": "TLSv1",
		"CertificateSource": "cloudfront"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"WebACLId": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"HttpVersion": "http1.1",
	"IsIPV6Enabled": false
}

02 Run create-distribution command (OSX/Linux/UNIX) to create your new Amazon CloudFront CDN distribution using the configuration document defined at the previous step (i.e. cloudfront-distribution-config.json):

aws cloudfront create-distribution \
  --distribution-config file://cloudfront-distribution-config.json \
  --query 'Distribution.Status'

03 The command output should return the status of the new CloudFront distribution. When the status becomes "Deployed", the distribution's information is fully propagated to all Amazon CloudFront edge locations.

"InProgress"

04 If required, repeat steps no. 1 – 3 to deploy new Amazon CloudFront distributions in your AWS cloud account.


Publication date Aug 16, 2016