Ensure that the communication between your AWS CloudFront distributions and their custom origins is encrypted using HTTPS, to secure the delivery of your web content and meet compliance requirements for encryption of data in transit.
This rule can help you with the following compliance standards:
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- NIST 800-53 (Rev. 4)
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using HTTPS for your AWS CloudFront distributions guarantees that the traffic between the edge servers and the custom origin is encrypted, so it cannot be read by malicious users who manage to capture packets sent across the CloudFront Content Distribution Network (CDN).
Note: This rule does not apply if you have an AWS S3 bucket configured as a website endpoint, because the S3 service does not support HTTPS connections in this particular configuration.
To determine if your CloudFront CDN distributions are configured to use HTTPS for data in transit encryption, perform the following:
Remediation / Resolution
To enable HTTPS for encrypting the traffic between your CloudFront distributions' edge locations and their origins, perform the following:
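The audit and the remediation described above, as an added example that is not Conformity's own code: it inspects the `Origins.Items[]` structure returned by `aws cloudfront get-distribution-config`, flags custom origins whose `OriginProtocolPolicy` is not `https-only`, applies the rule's S3 website-endpoint exception, and produces a hardened copy of the configuration suitable for `aws cloudfront update-distribution`. The sample configuration is constructed; the origin IDs and domain names are placeholders.

```python
import copy
import json

COMPLIANT = "https-only"

# Constructed sample mirroring the DistributionConfig.Origins shape returned by
# `aws cloudfront get-distribution-config`; not a real distribution.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "api-origin", "DomainName": "api.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "match-viewer"}},
        {"Id": "site-origin",
         "DomainName": "my-site.s3-website-us-east-1.amazonaws.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "http-only"}},
        {"Id": "assets-origin", "DomainName": "assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
}

def audit_origins(config):
    """Return (origin Id, status) for each origin that is not 'https-only'.
    'unencrypted': custom origin using http-only or match-viewer (both allow
    plaintext between the edge and the origin).
    'not-applicable': S3 website endpoint, which cannot serve HTTPS (rule note).
    Native S3 origins (S3OriginConfig) are skipped: CloudFront uses HTTPS there."""
    findings = []
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        if ".s3-website" in origin["DomainName"]:
            findings.append((origin["Id"], "not-applicable"))
        elif custom.get("OriginProtocolPolicy") != COMPLIANT:
            findings.append((origin["Id"], "unencrypted"))
    return findings

def harden_config(config):
    """Return a deep copy with every flagged custom origin set to https-only;
    the original is left untouched so it can be diffed against the result."""
    fixed = copy.deepcopy(config)
    flagged = {oid for oid, status in audit_origins(config) if status == "unencrypted"}
    for origin in fixed["Origins"]["Items"]:
        if origin["Id"] in flagged:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = COMPLIANT
    return fixed

if __name__ == "__main__":
    for oid, status in audit_origins(SAMPLE_CONFIG):
        print(f"{oid}: {status}")
    print(json.dumps(harden_config(SAMPLE_CONFIG)["Origins"], indent=2))
```

When pushing the hardened configuration back with `update-distribution`, confirm the origin actually terminates TLS on `HTTPSPort` first, otherwise CloudFront will return 502 errors for that origin.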
- AWS Documentation
- Amazon CloudFront FAQs
- Using an HTTPS Connection to Access Your Objects
- Request and Response Behavior for Custom Origins
- Values that You Specify When You Create or Update a Web Distribution
You are auditing:
CloudFront Traffic To Origin Unencrypted
Risk level: Medium