- Knowledge Base
- Amazon Web Services
- Amazon CloudFront
- CloudFront Viewer Protocol Policy
Ensure that the communication between your Amazon CloudFront distribution and its viewers is encrypted using HTTPS in order to secure the delivery of your web content. To enable encryption in transit for your distribution, you need to configure the distribution's viewer protocol policy to redirect HTTP requests to HTTPS or to require the viewers to use only the HTTPS protocol to access your web content available in the distribution cache.
This rule can help you with the following compliance standards:
- PCI
- HIPAA
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework.
This rule resolution is part of the Conformity Security & Compliance tool for AWS.
Using HTTPS for your Amazon CloudFront distribution can guarantee that the encrypted traffic between the edge (cache) servers and the content viewers can't be decrypted by malicious users in case they are able to intercept packets sent across the distribution network.
Audit
To determine if your CloudFront distribution viewer protocol policy is configured to enforce HTTPS for encryption in transit, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.
03 In the left navigation panel, under CloudFront, choose Distributions.
04 Click on the name (link) of the Amazon CloudFront distribution that you want to examine.
05 Select the Behaviors tab to access the cache behavior(s) configured for the selected distribution.
06 Select the cache behavior that you want to examine and choose Edit.
07 On the Edit behavior configuration page, check the Viewer protocol policy configuration setting. If the Viewer protocol policy setting is set to HTTP and HTTPS, the distribution viewers can use both HTTP and HTTPS to access your CDN content.
08 Repeat steps no. 6 and 7 to determine the setting status for each cache behavior associated with the selected distribution. If the Viewer protocol policy setting is set to HTTP and HTTPS for all the associated cache behavior(s), the selected Amazon CloudFront distribution is not configured to enforce the HTTPS protocol and enable encryption in transit.
09 Repeat steps no. 4 – 8 for each CloudFront distribution available within your AWS cloud account.
Using AWS CLI
01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon CloudFront distribution created in your AWS account:
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id'
02 The command output should return a table with the requested distribution ID(s):
-------------------- |ListDistributions | +------------------+ | ABCDABCDABCDAB | | AABBCCDDAABBCC | +------------------+
03 Run get-distribution-config command (OSX/Linux/UNIX) using the ID of the Amazon CloudFront distribution that you want to examine as the identifier parameter and custom query filters to describe the viewer protocol policies configured for the selected distribution:
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'DistributionConfig.CacheBehaviors.Items[*].ViewerProtocolPolicy'
04 The command output should return an array with the configured viewer protocol policies:
[ "allow-all" ]
If the get-distribution-config command output returns "allow-all" for one or more viewer protocol policies, as shown in the example above, the distribution viewers can use both HTTP and HTTPS to access your CDN content, therefore the selected Amazon CloudFront distribution is not configured to enforce the HTTPS protocol and enable encryption in transit.
05 Repeat steps no. 3 and 4 for each CloudFront distribution deployed in your AWS cloud account.
Remediation / Resolution
To encrypt the data transferred between Cloudfront distribution edge locations and your content viewers, perform the following actions:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.
03 In the left navigation panel, under CloudFront, choose Distributions.
04 Click on the name of the Amazon CloudFront distribution that you want to reconfigure.
05 Select the Behaviors tab to access the cache behavior(s) configured for the selected distribution.
06 Select the cache behavior that you want to reconfigure and choose Edit.
07 On the Edit behavior configuration page, under Viewer protocol policy, select one of the following options to enforce HTTPS for your distribution content:
- Select HTTP and HTTPS so that the distribution viewers can only access your content using HTTPS. Choosing this option will drop any HTTP traffic between viewers and edge servers. Choose Save changes to apply the changes.
- Choose Redirect HTTP to HTTPS so that any HTTP requests are automatically redirected to HTTPS. Choose Save changes to apply the changes.
08 Repeat steps no. 6 and 7 for each cache behavior associated with the selected distribution.
09 Repeat steps no. 4 – 8 for each CloudFront distribution available within your AWS cloud account.
Using AWS CLI
01 Run get-distribution-config command (OSX/Linux/UNIX) to extract all the configuration information from the Amazon CloudFront distribution that you want to reconfigure:
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'DistributionConfig'
02 The command output should return the requested configuration information:
{ "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234", "Aliases": { "Quantity": 0 }, "DefaultRootObject": "", "Origins": { "Quantity": 1, "Items": [ { "Id": "cloudconformity.com", "DomainName": "cloudconformity.com", "OriginPath": "", "CustomHeaders": { "Quantity": 0 }, "CustomOriginConfig": { "HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "http-only", "OriginSslProtocols": { "Quantity": 3, "Items": [ "TLSv1", "TLSv1.1", "TLSv1.2" ] }, "OriginReadTimeout": 30, "OriginKeepaliveTimeout": 5 }, "ConnectionAttempts": 3, "ConnectionTimeout": 10, "OriginShield": { "Enabled": false } } ] }, "OriginGroups": { "Quantity": 0 }, "DefaultCacheBehavior": { "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": false, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 }, "CacheBehaviors": { "Quantity": 1, "Items": [ { "PathPattern": "/images", "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": false, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 } ] }, "CustomErrorResponses": { "Quantity": 0 }, "Comment": "", "Logging": { "Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": "" }, "PriceClass": "PriceClass_100", "Enabled": true, "ViewerCertificate": { "CloudFrontDefaultCertificate": true, "MinimumProtocolVersion": "TLSv1", "CertificateSource": "cloudfront" }, "Restrictions": { "GeoRestriction": { "RestrictionType": "none", "Quantity": 0 } }, "WebACLId": "", "HttpVersion": "http1.1", "IsIPV6Enabled": false }
03 Run get-distribution-config command (OSX/Linux/UNIX) to describe the current version of the configuration available for the selected distribution (i.e. eTag):
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'ETag'
04 The command output should return the requested information:
"AAAABBBBCCCCD"
05 Modify the configuration document returned at step no. 2 to enforce HTTPS by setting the "ViewerProtocolPolicy" configuration property to "https-only" or "redirect-to-https" (as shown in the example below). Save the document with the modified distribution configuration to a JSON file named enable-encryption-in-transit.json:
{ "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234", "Aliases": { "Quantity": 0 }, "DefaultRootObject": "", "Origins": { "Quantity": 1, "Items": [ { "Id": "cloudconformity.com", "DomainName": "cloudconformity.com", "OriginPath": "", "CustomHeaders": { "Quantity": 0 }, "CustomOriginConfig": { "HTTPPort": 80, "HTTPSPort": 443,"OriginProtocolPolicy": "https-only",
"OriginSslProtocols": { "Quantity": 3, "Items": [ "TLSv1", "TLSv1.1", "TLSv1.2" ] }, "OriginReadTimeout": 30, "OriginKeepaliveTimeout": 5 }, "ConnectionAttempts": 3, "ConnectionTimeout": 10, "OriginShield": { "Enabled": false } } ] }, "OriginGroups": { "Quantity": 0 }, "DefaultCacheBehavior": { "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 }, "ViewerProtocolPolicy": "allow-all", "AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": false, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 }, "CacheBehaviors": { "Quantity": 1, "Items": [ { "PathPattern": "/images", "TargetOriginId": "cloudconformity.com", "TrustedSigners": { "Enabled": false, "Quantity": 0 }, "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 },"OriginProtocolPolicy": "https-only",
"AllowedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ], "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] } }, "SmoothStreaming": false, "Compress": false, "LambdaFunctionAssociations": { "Quantity": 0 }, "FunctionAssociations": { "Quantity": 0 }, "FieldLevelEncryptionId": "", "ForwardedValues": { "QueryString": false, "Cookies": { "Forward": "none" }, "Headers": { "Quantity": 0 }, "QueryStringCacheKeys": { "Quantity": 0 } }, "MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000 } ] }, "CustomErrorResponses": { "Quantity": 0 }, "Comment": "", "Logging": { "Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": "" }, "PriceClass": "PriceClass_100", "Enabled": true, "ViewerCertificate": { "CloudFrontDefaultCertificate": true, "MinimumProtocolVersion": "TLSv1", "CertificateSource": "cloudfront" }, "Restrictions": { "GeoRestriction": { "RestrictionType": "none", "Quantity": 0 } }, "WebACLId": "", "HttpVersion": "http1.1", "IsIPV6Enabled": false }
06 Run update-distribution command (OSX/Linux/UNIX) using the document modified at the previous step (i.e. enable-encryption-in-transit.json) as the distribution configuration document, to reconfigure the selected Amazon CloudFront distribution in order to enforce HTTPS and enable encryption in transit. --if-match parameter represents the current version of the configuration, returned at step no. 4:
aws cloudfront update-distribution --id ABCDABCDABCDAB --if-match AAAABBBBCCCCD --distribution-config file://enable-encryption-in-transit.json --query 'Distribution.Status'
07 The command output should return the status of the modified CloudFront distribution:
"InProgress"
08 Repeat steps no. 1 – 7 for each Amazon CloudFront distribution deployed in your AWS cloud account.
References
- AWS Documentation
- Amazon CloudFront FAQs
- Overview of distributions
- Values that you specify when you create or update a distribution
- CIS Amazon Web Services Foundations
- AWS Command Line Interface (CLI) Documentation
- cloudfront
- list-distributions
- get-distribution-config
- update-distribution