Use CloudFront Content Distribution Network

Trend Micro Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 750 automated best practice checks.

Risk level: Medium (should be achieved)
Rule ID: CF-012

Ensure that your websites/web applications are using the Amazon CloudFront Content Distribution Network (CDN) to secure the web content delivery (media files and static resource files such as .html, .css, .js). Before running this rule by the Trend Micro Cloud One™ – Conformity engine, your website/web application domain name needs to be configured in the rule settings, on your Conformity account console.

This rule resolution is part of the Conformity solution.

Security

The Amazon CloudFront Content Distribution Network can have a significant impact on the security of your web content delivery process. Amazon CloudFront can accelerate and deliver your content securely over HTTPS from all of its edge locations (cache servers). In addition to delivering content securely from a worldwide network, you can also configure the CloudFront service to use HTTPS to connect to the distribution origin so that your web content is encrypted end-to-end from the origin to your end users (viewers). The Amazon CloudFront service improves the ability of your websites/web applications to absorb and mitigate potential Distributed Denial of Service (DDoS) attacks and keep the content available for legitimate users.


Audit

To determine if the Amazon CloudFront service is used as a Content Delivery Network (CDN) for your web content delivery, perform the following actions:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Use CloudFront Content Distribution Network conformity rule settings, and copy the domain name configured for your website/web application (e.g. <domain-name>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

04 In the left navigation panel, under CloudFront, choose Distributions.

05 On the Distributions page, paste your website domain name, copied at step no. 1, into the Search all distributions box and press Enter. If the search process does not return any results, instead a No matches message is displayed, there are no Amazon CloudFront CDN distributions created for your website/web application within your AWS cloud account.

Using AWS CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Use CloudFront Content Distribution Network conformity rule settings, and copy the domain name configured for your website/web application (e.g. <domain-name>).

02 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to determine if an Amazon CloudFront distribution origin is created for your website domain name, copied at the previous step. Replace <domain-name> with your own domain name:

aws cloudfront list-distributions
  --query "DistributionList.Items[*].Origins.Items[?DomainName == '<domain-name>'] | []"

03 The command output should return the origin metadata for the requested domain name:

[]

If the list-distributions command output returns an empty array (i.e. []), as shown in the example above, there are no Amazon CloudFront CDN distributions deployed for your website/web application within your AWS cloud account.

Remediation / Resolution

To use Amazon CloudFront as a Content Distribution Network (CDN) for your websites and web applications, you need to create and configure a CloudFront distribution. To create the required CDN distribution, perform the following actions:

Using AWS Console

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Use CloudFront Content Distribution Network conformity rule settings, and copy the domain name configured for your website/web application (e.g. <domain-name>).

02 Sign in to the AWS Management Console.

03 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

04 In the left navigation panel, under CloudFront, choose Distributions.

05 Choose Create distribution to start the CloudFront distribution setup process.

06 On the Create distribution page, perform the following operations:

  1. For Origin, provide the following configuration information:
    • Click inside the Origin domain box and enter your website/web application domain name, copied at step no. 1 (e.g. <domain-name>).
    • For Protocol, select whether you want Amazon CloudFront to connect to your distribution origin using only HTTP, only HTTPS, or to connect by matching the protocol used by the viewer. If you enabled HTTPS for your origin, choose which SSL/TLS protocol is allowed to be used when establishing an HTTPS connection to your origin from the Minimum origin SSL protocol list. It is strongly recommended to use the latest SSL/TLS protocol supported by Amazon CloudFront.
    • (Optional) For Origin path – optional, enter a URL path to append to the origin domain name for origin requests.
    • For Name, enter a unique name for your distribution origin.
    • (Optional) For Add custom header – optional, use the Add header button to create the custom header keys and values to be included in every request made to the origin.
    • Choose Yes under Enable Origin Shield to enable and configure the Origin Shield feature.
    • (Optional) Select Additional settings if you need to change the connection settings available by default for the distribution origin.
  2. For Default cache behavior, perform the following actions:
    • Choose Yes under Compress objects automatically to enable Amazon CloudFront to automatically compress files that it receives from the distribution origin before delivering them to the viewer.
    • Under Viewer protocol policy, select one of the following options to enforce HTTPS for your distribution content:
      • Select HTTP and HTTPS so that the distribution viewers can only access your content using HTTPS. Choosing this option will drop any HTTP traffic between viewers and edge servers.
      • Choose Redirect HTTP to HTTPS so that any HTTP requests are automatically redirected to HTTPS.
    • Under Allowed HTTP methods, choose the list of HTTP(S) methods to process and forward to your distribution origin.
    • Under Restrict viewer access, choose whether or not to restrict viewer access to your CDN content. If you restrict viewer access, viewers must use Amazon CloudFront signed URLs or signed cookies to access your content.
    • For Cache key and origin requests, choose Cache policy and origin request policy (recommended), then select a managed cache policy and a managed origin request policy to control the cache key and the origin requests.
    • Choose Additional settings and enable field-level encryption and real-time logging for your new CloudFront distribution.
  3. (Optional) For Function associations – optional, choose whether to configure an edge function to associate with the distribution cache behavior, and select the CloudFront event that invokes the function. You can choose from two types of edge functions, CloudFront functions and Lambda@Edge functions. CloudFront functions are only available for viewer request and viewer response event types. With Lambda@Edge, your function code can access the body of the HTTP request.
  4. For Settings, perform the following actions:
    • Under Price class, choose the price class associated with the maximum price that you want to pay in order to deliver your web content. For example, select Use all edge locations (best performance) to use all the edge servers made available by the Amazon Cloudfront global network for minimal latency. This price class provides worldwide coverage at higher cost.
    • (Optional) To integrate your new CloudFront distribution with Amazon WAF in order to allow or block requests based on your application requirements, select a web ACL from the AWS WAF web ACL – optional dropdown list or create a new web ACL and associate it with your distribution.
    • (Optional) For Alternate domain name (CNAME) – optional, choose Add item, and provide your custom CNAME record (for example, media.<domain-name>) to use your own domain name instead of the CloudFront distribution domain name (requires configuring a CNAME record within your domain DNS setting). To add a list of alternative domain names, use the bulk editor made available by Amazon CloudFront.
    • (Optional) Choose whether to associate a custom SSL certificate with the new distribution by selecting an existing SSL certificate from the Custom SSL certificate – optional dropdown list. If you need to purchase a new SSL certificate from the AWS Certificate Manager (ACM), choose Request certificate and follow the ACM steps to request an SSL certificate.
    • (Optional) For Supported HTTP versions, choose to enable HTTP/2 for faster content delivery. HTTP/1.0 and HTTP/1.1 are already supported by default.
    • (Optional) For Default root object – optional, specify a default root object (e.g., index.html) available in your origin root directory to avoid exposing the contents of your distribution.
    • Choose On under Standard logging to enable access (standard) logging for your CDN distribution.
    • (Optional) Select On under IPv6 checkbox to enable IPv6 version of the IP protocol if you have viewers on IPv6 networks who want to access your distribution content.
    • (Optional) Provide a short description for your new distribution in the Description – optional box.
    • Choose Create distribution to deploy your new Amazon CloudFront distribution. The distribution status will change from Deploying to Enabled once the content is deployed worldwide.

Using AWS CLI

01 Sign in to your Trend Micro Cloud One™ – Conformity account, access Use CloudFront Content Distribution Network conformity rule settings, and copy the domain name configured for your website/web application (e.g. <domain-name>).

02 To create an Amazon CloudFront distribution in order to deliver your website/web application content worldwide, you must define first the distribution configuration in JSON format. Replace <domain-name> with the domain name copied at step no. 1, and save the distribution configuration document to a JSON file named cloudfront-distribution-config.json:

{
    "CallerReference": "cf-web-distribution-config",
    "Aliases": {
        "Quantity": 0
    },
    "DefaultRootObject": "",
    "Origins": {
        "Quantity": 1,
        "Items": [
            {
                "Id": "<domain-name>",
                "DomainName": "<domain-name>",
                "OriginPath": "",
                "CustomHeaders": {
                    "Quantity": 0
                },
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "https-only",
                    "OriginSslProtocols": {
                        "Quantity": 1,
                        "Items": [
                            "TLSv1.2"
                        ]
                    },
                    "OriginReadTimeout": 30,
                    "OriginKeepaliveTimeout": 5
                },
                "ConnectionAttempts": 3,
                "ConnectionTimeout": 10,
                "OriginShield": {
                    "Enabled": false
                }
            }
        ]
    },
    "OriginGroups": {
        "Quantity": 0
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "<domain-name>",
        "TrustedSigners": {
            "Enabled": false,
            "Quantity": 0
        },
        "TrustedKeyGroups": {
            "Enabled": false,
            "Quantity": 0
        },
        "ViewerProtocolPolicy": "allow-all",
        "AllowedMethods": {
            "Quantity": 2,
            "Items": [
                "HEAD",
                "GET"
            ],
            "CachedMethods": {
                "Quantity": 2,
                "Items": [
                    "HEAD",
                    "GET"
                ]
            }
        },
        "SmoothStreaming": false,
        "Compress": true,
        "LambdaFunctionAssociations": {
            "Quantity": 0
        },
        "FunctionAssociations": {
            "Quantity": 0
        },
        "FieldLevelEncryptionId": "",
        "ForwardedValues": {
            "QueryString": false,
            "Cookies": {
                "Forward": "none"
            },
            "Headers": {
                "Quantity": 0
            },
            "QueryStringCacheKeys": {
                "Quantity": 0
            }
        },
        "MinTTL": 0,
        "DefaultTTL": 86400,
        "MaxTTL": 31536000
    },
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [
            {
                "PathPattern": "/images",
                "TargetOriginId": "<domain-name>",
                "TrustedSigners": {
                    "Enabled": false,
                    "Quantity": 0
                },
                "TrustedKeyGroups": {
                    "Enabled": false,
                    "Quantity": 0
                },
                "ViewerProtocolPolicy": "allow-all",
                "AllowedMethods": {
                    "Quantity": 2,
                    "Items": [
                        "HEAD",
                        "GET"
                    ],
                    "CachedMethods": {
                        "Quantity": 2,
                        "Items": [
                            "HEAD",
                            "GET"
                        ]
                    }
                },
                "SmoothStreaming": false,
                "Compress": true,
                "LambdaFunctionAssociations": {
                    "Quantity": 0
                },
                "FunctionAssociations": {
                    "Quantity": 0
                },
                "FieldLevelEncryptionId": "",
                "ForwardedValues": {
                    "QueryString": false,
                    "Cookies": {
                        "Forward": "none"
                    },
                    "Headers": {
                        "Quantity": 0
                    },
                    "QueryStringCacheKeys": {
                        "Quantity": 0
                    }
                },
                "MinTTL": 0,
                "DefaultTTL": 86400,
                "MaxTTL": 31536000
            }
        ]
    },
    "CustomErrorResponses": {
        "Quantity": 0
    },
    "Comment": "",
    "Logging": {
        "Enabled": false,
        "IncludeCookies": false
    },
    "PriceClass": "PriceClass_100",
    "Enabled": true,
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": true,
        "MinimumProtocolVersion": "TLSv1",
        "CertificateSource": "cloudfront"
    },
    "Restrictions": {
        "GeoRestriction": {
            "RestrictionType": "none",
            "Quantity": 0
        }
    },
    "WebACLId": "",
    "HttpVersion": "http1.1",
    "IsIPV6Enabled": false
}

03 Run create-distribution command (OSX/Linux/UNIX) to create your new Amazon CloudFront CDN distribution using the configuration document defined at the previous step (i.e. cloudfront-distribution-config.json):

aws cloudfront create-distribution
  --distribution-config file://cloudfront-distribution-config.json
  --query 'Distribution.Status'

04 The command output should return the status of the new Amazon CloudFront distribution. When the requested status becomes "Deployed", the distribution's content is fully propagated to all CloudFront edge locations.

"InProgress"

References

Publication date Apr 20, 2018

Unlock the Remediation Steps


Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

Confirmity Cloud Platform

No thanks, back to article

You are auditing:

Use CloudFront Content Distribution Network

Risk level: Medium