- Knowledge Base
- Amazon Web Services
- Amazon CloudFront
- CloudFront Traffic To Origin Unencrypted
Ensure that the communication between your Amazon CloudFront distributions and their custom origins is encrypted using HTTPS in order to secure the delivery of your web content and fulfill compliance requirements for encryption in transit.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- APRA
- MAS
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using HTTPS for your Amazon CloudFront distributions can offer you the guarantee that the encrypted traffic between the edge servers and the custom origin can't be unsealed by malicious viewers in case they are able to capture packets sent across the Content Distribution Network.
Note: This rule does not apply if you have an S3 bucket configured as a website endpoint because the Amazon S3 service does not support HTTPS connections in this particular configuration.
Audit
To determine if your CloudFront CDN distributions are configured to use HTTPS for encryption in transit, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.
03 In the left navigation panel, under CloudFront, choose Distributions.
04 Click on the name (link) of the CloudFront distribution that you want to examine.
05 Select the Origins tab to access the origins created for the selected distribution.
06 Select the custom distribution origin that you want to examine and choose Edit. A custom origin has the Origin type set to Custom Origin.
07 On the Edit origin page, check the Protocol configuration setting to determine the protocol that Amazon CloudFront uses when connecting to the selected origin. If Protocol is set to HTTP only, CloudFront uses only HTTP to access the origin, therefore the traffic between the distribution edge servers and the selected origin is not encrypted. If Protocol is set to Match viewer and the protocol of the viewer request is HTTP, Amazon CloudFront is connecting to the origin using HTTP, therefore the traffic between the edge servers and the selected origin is not encrypted.
08 Repeat steps no. 6 and 7 for each custom origin created for the selected Amazon CloudFront distribution.
09 Repeat steps no. 4 – 8 for each CloudFront distribution available within your AWS cloud account.
Using AWS CLI
01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon CloudFront distribution created in your AWS account:
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id'
02 The command output should return a table with the requested distribution ID(s):
-------------------- |ListDistributions | +------------------+ | ABCDABCDABCDAB | | AABBCCDDAABBCC | +------------------+
03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the Amazon CloudFront distribution that you want to examine as the identifier parameter and custom filtering to describe the protocol policies used by the custom distribution origins:
aws cloudfront get-distribution --id ABCDABCDABCDAB --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig.OriginProtocolPolicy'
04 The command output should return an array with the requested protocol policies:
[ "http-only" ]
If the get-distribution command output returns "http-only", as shown in the example above, CloudFront uses only HTTP to access the origin, therefore the traffic between the distribution edge servers and the selected origin is not encrypted. If the command output returns "match-viewer" and the protocol of the viewer request is also HTTP, Amazon CloudFront is connecting to the origin using HTTP, therefore the traffic between the edge servers and the selected origin is not encrypted.
05 Repeat steps no. 3 and 4 for each Amazon CloudFront distribution deployed in your AWS cloud account.
Remediation / Resolution
To enforce HTTPS-only for your Amazon Cloudfront custom origins, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
{ "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "CloudFrontDistribution": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "Enabled": true, "Comment": "CloudFront CDN Web Distribution", "Origins": [ { "Id": "cc-cdn-origin", "DomainName": "domain.com", "CustomOriginConfig": { "HTTPPort": 80, "HTTPSPort": 443, "OriginKeepaliveTimeout": 15, "OriginSSLProtocols": [ "TLSv1.2" ], "OriginProtocolPolicy": "https-only" } } ], "DefaultRootObject": "index.html", "DefaultCacheBehavior": { "Compress": true, "AllowedMethods": [ "HEAD", "GET" ], "DefaultTTL": 0, "ForwardedValues": { "Cookies": { "Forward": "none" }, "QueryString": false }, "ViewerProtocolPolicy": "https-only" }, "HttpVersion": "http2", "ViewerCertificate": { "CloudFrontDefaultCertificate": true }, "PriceClass": "PriceClass_All" } } } } }
02 CloudFormation template (YAML):
AWSTemplateFormatVersion: '2010-09-09' Resources: CloudFrontDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Enabled: true Comment: CloudFront CDN Web Distribution Origins: - Id: cc-cdn-origin DomainName: domain.com CustomOriginConfig: HTTPPort: 80 HTTPSPort: 443 OriginKeepaliveTimeout: 15 OriginSSLProtocols: - TLSv1.2 OriginProtocolPolicy: https-only DefaultRootObject: index.html DefaultCacheBehavior: Compress: true AllowedMethods: - HEAD - GET DefaultTTL: 0 ForwardedValues: Cookies: Forward: none QueryString: false ViewerProtocolPolicy: https-only HttpVersion: http2 ViewerCertificate: CloudFrontDefaultCertificate: true PriceClass: PriceClass_All
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
terraform { required_providers { aws = { source = "hashicorp/aws" version = "~> 4.0" } } required_version = ">= 0.14.9" } provider "aws" { profile = "default" region = "us-east-1" } resource "aws_cloudfront_distribution" "cloudfront-distribution" { enabled = true default_root_object = "index.html" comment = "CloudFront CDN Web Distribution" origin { domain_name = "domain.com" origin_id = "cc-cdn-origin" custom_origin_config = { http_port = 80 https_port = 443 origin_keepalive_timeout = 15 origin_ssl_protocols = ["TLSv1.2"] origin_protocol_policy = "https-only" } } default_cache_behavior { compress = true target_origin_id = "cc-domain-origin" allowed_methods = ["GET", "HEAD"] cached_methods = ["GET", "HEAD"] forwarded_values { query_string = false cookies { forward = "none" } } min_ttl = 0 default_ttl = 3600 max_ttl = 86400 viewer_protocol_policy = "https-only" } viewer_certificate { cloudfront_default_certificate = true } price_class = "PriceClass_All" }
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.
03 In the left navigation panel, under CloudFront, choose Distributions.
04 Click on the name of the CloudFront distribution that you want to reconfigure.
05 Select the Origins tab to access the origins created for the selected distribution.
06 Select the custom distribution origin that you want to reconfigure and choose Edit.
07 On the Edit origin page, select HTTPS only under Protocol to enforce HTTPS and encrypt the traffic between the CloudFront distribution edge servers and the selected origin. Choose Save changes to apply the configuration changes.
08 Repeat steps no. 6 and 7 for each custom origin defined for the selected CloudFront distribution.
09 Repeat steps no. 4 – 8 for each Amazon CloudFront distribution available within your AWS cloud account.
Using AWS CLI
01 Run get-distribution-config command (OSX/Linux/UNIX) to extract all the configuration information from the Amazon CloudFront distribution that you want to reconfigure:
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'DistributionConfig'
02 The command output should return the requested configuration information:
{ "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234", "Aliases": { "Quantity": 0 }, "DefaultRootObject": "", "Origins": { "Quantity": 1, "Items": [ { "Id": "cloudconformity.com", "DomainName": "cloudconformity.com", "OriginPath": "", "CustomHeaders": { "Quantity": 0 }, "CustomOriginConfig": { "HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only", "OriginSslProtocols": { "Quantity": 1, "Items": [ "TLSv1.2" ] }, "OriginReadTimeout": 30, "OriginKeepaliveTimeout": 5 }, "ConnectionAttempts": 3, "ConnectionTimeout": 10, "OriginShield": { "Enabled": false } } ] }, "OriginGroups": { "Quantity": 0 }, "DefaultCacheBehavior": { "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": true, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 }, "CacheBehaviors": { "Quantity": 1, "Items": [ { "PathPattern": "/images", "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": true, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 } ] }, "CustomErrorResponses": { "Quantity": 0 }, "Comment": "", "Logging": { "Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": "" }, "PriceClass": "PriceClass_100", "Enabled": true, "ViewerCertificate": { "CloudFrontDefaultCertificate": true, "MinimumProtocolVersion": "TLSv1", "CertificateSource": "cloudfront" }, "Restrictions": { "GeoRestriction": { "RestrictionType": "none", "Quantity": 0 } }, "WebACLId": "", "HttpVersion": "http1.1", "IsIPV6Enabled": false }
03 Run get-distribution-config command (OSX/Linux/UNIX) to describe the current version of the configuration available for the selected distribution (i.e. eTag):
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'ETag'
04 The command output should return the requested information:
"AAAABBBBCCCCD"
05 Modify the configuration document returned at step no. 2 to enforce the HTTPS protocol and encrypt the traffic between the distribution edge servers and the custom origin(s) (as highlighted in the example below). Save the document with the modified distribution configuration (highlighted) to a JSON file named enforce-https.json:
{ "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234", "Aliases": { "Quantity": 0 }, "DefaultRootObject": "", "Origins": { "Quantity": 1, "Items": [ { "Id": "cloudconformity.com", "DomainName": "cloudconformity.com", "OriginPath": "", "CustomHeaders": { "Quantity": 0 }, "CustomOriginConfig": { "HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "https-only", "OriginSslProtocols": { "Quantity": 1, "Items": [ "TLSv1.2" ] }, "OriginReadTimeout": 30, "OriginKeepaliveTimeout": 5 }, "ConnectionAttempts": 3, "ConnectionTimeout": 10, "OriginShield": { "Enabled": false } } ] }, "OriginGroups": { "Quantity": 0 }, "DefaultCacheBehavior": { "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": true, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 }, "CacheBehaviors": { "Quantity": 1, "Items": [ { "PathPattern": "/images", "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": true, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 } ] }, "CustomErrorResponses": { "Quantity": 0 }, "Comment": "", "Logging": { "Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": "" }, "PriceClass": "PriceClass_100", "Enabled": true, "ViewerCertificate": { "CloudFrontDefaultCertificate": true, "MinimumProtocolVersion": "TLSv1", "CertificateSource": "cloudfront" }, "Restrictions": { "GeoRestriction": { "RestrictionType": "none", "Quantity": 0 } }, "WebACLId": "", "HttpVersion": "http1.1", "IsIPV6Enabled": false }
06 Run update-distribution command (OSX/Linux/UNIX) using the document modified at the previous step (i.e. enforce-https.json) as the distribution configuration document, to reconfigure the selected Amazon CloudFront distribution in order to enable HTTPS-only for the specified origin(s). --if-match parameter represents the current version of the configuration, returned at step no. 4:
aws cloudfront update-distribution --id ABCDABCDABCDAB --if-match AAAABBBBCCCCD --distribution-config file://enforce-https.json --query 'Distribution.Status'
07 The command output should return the status of the modified CloudFront distribution:
"InProgress"
08 Repeat steps no. 6 and 7 for each Amazon CloudFront distribution deployed in your AWS cloud account.
References
- AWS Documentation
- Amazon CloudFront FAQs
- Using HTTPS with CloudFront
- Request and response behavior for custom origins
- Values that you specify when you create or update a distribution
- AWS Command Line Interface (CLI) Documentation
- cloudfront
- list-distributions
- get-distribution
- get-distribution-config
- update-distribution