
Enable Field-Level Encryption for CloudFront Distributions


Security

Risk level: Medium (should be achieved)

Ensure that field-level encryption is enabled for your Amazon CloudFront web distributions that accept sensitive data in POST requests, such as credit card numbers or social security numbers, so that those fields stay encrypted as the request passes through your application services and only the component that needs them can read them.

CloudFront field-level encryption adds a layer of protection on top of the TLS (HTTPS) connection. The edge location encrypts the POST form fields you specify (up to 10 per request) with an RSA public key you register with CloudFront, and those fields stay encrypted as the request passes through your origin web servers, load balancers, logs and any intermediate services, until the one application that holds the matching private key decrypts them. TLS alone protects data only in transit between hops; every system that terminates the connection sees the plaintext.

Audit

To determine if your AWS CloudFront web distributions are using field-level encryption, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

03 In the left navigation panel, click Distributions to access your CloudFront distributions.

04 On CloudFront Distribution page, under the main menu, select Web and Enabled from Viewing dropdown menus to list all active web distributions available in your AWS account.

05 Select the web distribution that you want to examine.

06 Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.

07 Choose the Behaviors tab and select the default behavior for the distribution.

08 Click the Edit button to access the configuration settings for the selected distribution behavior.

09 On the Edit Behavior page, check the Field-level Encryption Config setting. If the Field-level Encryption Config dropdown list shows no configuration selected (it is empty), the selected Amazon CloudFront distribution is not configured to use field-level encryption for the data it forwards to the origin. This setting is per cache behavior, so repeat the check for any additional behaviors listed on the Behaviors tab.

10 Repeat steps no. 5 – 9 to determine if field-level encryption is enabled for other Amazon CloudFront distributions available in your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) using custom query filters to list the IDs of all CloudFront distributions provisioned in your AWS account:

aws cloudfront list-distributions \
    --output table \
    --query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested distribution IDs:

--------------------
|ListDistributions |
+------------------+
|  AABBCCDDAABBCC  |
|  ABCDABCDABCDAB  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as the identifier, with a custom query filter, to get the ID of the field-level encryption configuration attached to the default cache behavior of the selected Amazon CloudFront web distribution. The setting is per cache behavior: if the distribution defines additional behaviors, each entry under CacheBehaviors.Items carries its own FieldLevelEncryptionId and must be checked as well:

aws cloudfront get-distribution \
    --region us-east-1 \
    --id AABBCCDDAABBCC \
    --query 'Distribution.DistributionConfig.DefaultCacheBehavior.FieldLevelEncryptionId'

04 The command output should return the requested configuration ID:

""

If the get-distribution command output returns an empty string, i.e. "", as shown in the example above, the selected Amazon CloudFront web distribution is not configured to use field-level encryption to protect private content.

05 Repeat step no. 3 and 4 to determine if field-level encryption is enabled for other Amazon CloudFront distributions available in your AWS account.
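The following script is added here as an example; it is not part of the original page or of Cloud Conformity's tooling. It performs the CLI audit above offline, against the JSON that get-distribution-config returns, and goes beyond the single --query in step 3 by checking every additional cache behavior and the HTTPS prerequisites that field-level encryption depends on. The file name fle_audit.py, the function names and the embedded sample distribution are constructed for the example, and the strict https-only reading of the page's HTTPS prerequisite is an assumption.

```python
"""Offline audit of CloudFront field-level encryption (FLE) settings.

Added example for this page (not Cloud Conformity's or AWS's code). It reads
the JSON that `aws cloudfront get-distribution-config --id <ID>` prints, so a
saved copy can be audited without credentials:

    aws cloudfront get-distribution-config --id AABBCCDDAABBCC > dist.json
    python3 fle_audit.py dist.json

Beyond the single --query in the Audit steps, it also inspects every
additional cache behavior (each has its own FieldLevelEncryptionId) and the
HTTPS prerequisites FLE depends on.
"""
import json
import sys

# The page's prerequisite ("Viewer Protocol Policy and Origin Protocol Policy
# settings are using HTTPS") is applied strictly here (assumption); widen the
# sets if your policy also accepts redirect-to-https for viewers.
HTTPS_VIEWER_POLICIES = {"https-only"}
HTTPS_ORIGIN_POLICIES = {"https-only"}


def distribution_config(doc):
    """Accept either the full get-distribution-config output or a bare config."""
    return doc.get("DistributionConfig", doc)


def cache_behaviors(config):
    """Yield (label, behavior) for the default and every additional behavior."""
    yield "DefaultCacheBehavior", config["DefaultCacheBehavior"]
    for i, b in enumerate(config.get("CacheBehaviors", {}).get("Items", [])):
        yield f"CacheBehaviors[{i}] {b.get('PathPattern', '')}", b


def origin_protocol_policy(config, origin_id):
    """Protocol policy of a custom origin; None for S3 origins, which have none."""
    for origin in config.get("Origins", {}).get("Items", []):
        if origin.get("Id") == origin_id:
            custom = origin.get("CustomOriginConfig")
            return custom.get("OriginProtocolPolicy") if custom else None
    return None


def audit_distribution(doc):
    """Return a list of findings; an empty list means every cache behavior has
    an FLE configuration attached and the HTTPS prerequisites are satisfied."""
    config = distribution_config(doc)
    findings = []
    for label, behavior in cache_behaviors(config):
        if not behavior.get("FieldLevelEncryptionId"):
            findings.append(f"{label}: no field-level encryption configuration")
        viewer = behavior.get("ViewerProtocolPolicy")
        if viewer not in HTTPS_VIEWER_POLICIES:
            findings.append(f"{label}: viewer protocol policy is {viewer!r}, FLE needs HTTPS")
        origin = origin_protocol_policy(config, behavior.get("TargetOriginId"))
        if origin is not None and origin not in HTTPS_ORIGIN_POLICIES:
            findings.append(f"{label}: origin protocol policy is {origin!r}, FLE needs HTTPS")
    return findings


# Constructed sample, modelled on the step 11 output in the Remediation section:
# HTTPS on the default behavior, but no FLE configuration on either behavior
# and a weaker viewer policy on the additional one.
SAMPLE_DOC = {
    "ETag": "AAAAABBBBCCCC",
    "DistributionConfig": {
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "custom-cloudconformity.com",
            "DomainName": "cloudconformity.com",
            "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "custom-cloudconformity.com",
            "ViewerProtocolPolicy": "https-only",
            "FieldLevelEncryptionId": "",
        },
        "CacheBehaviors": {"Quantity": 1, "Items": [{
            "PathPattern": "/checkout/*",
            "TargetOriginId": "custom-cloudconformity.com",
            "ViewerProtocolPolicy": "redirect-to-https",
            "FieldLevelEncryptionId": "",
        }]},
    },
}


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            doc = json.load(fh)
    else:
        doc = SAMPLE_DOC  # no file given: audit the constructed sample
    findings = audit_distribution(doc)
    for finding in findings:
        print("FINDING:", finding)
    print("compliant" if not findings else f"{len(findings)} finding(s)")
    return 0 if not findings else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against each distribution ID returned by list-distributions; a non-zero exit status marks a distribution that needs the remediation below. The origin check is skipped for S3 origins because they carry no OriginProtocolPolicy attribute.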

Remediation / Resolution

To enable field-level encryption for your Amazon CloudFront web distributions, perform the following actions:

Using AWS Console

01 Create a 2048-bit RSA key pair, using OpenSSL or another tool of your choice. CloudFront needs only the public key, in PEM format; keep the private key out of the CloudFront path and available only to the application that must decrypt the fields.

02 Sign in to the AWS Management Console.

03 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

04 In the left navigation panel, under Security, choose Public key.

05 Click Add public key button to initiate the key setup process.

06 In the Add public key dialog box, perform the following:

  1. In the Key name box, enter a unique name for your public key.
  2. In the Key value box, paste the encoded key value for your public key, generated at step no. 1. The key value must include the "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----" lines.
  3. In the Comment box, provide an optional comment.
  4. Click Add to add your public key.

07 In the left navigation panel, choose Field-level encryption.

08 Click Create profile button to start the field-level encryption profile setup.

09 On Create encryption profile page, provide the following information:

  1. For Profile name type a unique name for the new field-level encryption profile.
  2. (Optional) In the Comment box type a comment about the profile.
  3. Select the name of a public key created earlier in the process from Public key name dropdown list.
  4. For Provider name type a phrase to help identify the key, such as the provider where you got the key pair.
  5. For Field name pattern to match, type the names of the data fields, or patterns that identify data field names in the request, that you want CloudFront to encrypt. Choose the + option to add all the fields that you want to encrypt with this key.
  6. Click Create profile to save the changes and create your new field-level encryption profile.

10 In the Encryption configurations section, click Create configuration button to initiate the configuration setup.

11 On Create configuration page, perform the following actions:

  1. From the Default profile ID dropdown list, choose the newly created field-level encryption profile.
  2. Select the Forward request to origin when request's content type is not configured checkbox only if you want CloudFront to pass a request to your origin when no profile is configured for its content type. Left unchecked (the default), such requests are rejected instead of reaching the origin with the sensitive fields unencrypted.
  3. Select the Override the profile for a content type with a provided query argument checkbox if you want a profile named in a query argument of the request to override the profile that you have mapped to the request's content type.
  4. (Optional) Provide a short description in the Comment box.
  5. Click Create configuration to create the new field-level encryption configuration to associate with the cache behavior set for your CloudFront distribution.

12 Go back to the navigation panel and choose Distributions.

13 On CloudFront Distribution page, in the main menu, select Web and Enabled from Viewing dropdown menus to list all active web distributions available in your AWS account.

14 Select the web distribution that you want to reconfigure.

15 Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.

16 Choose the Behaviors tab and select the default behavior for the distribution.

17 Click the Edit button to edit the configuration settings for the selected distribution behavior.

18 On the Edit Behavior page, select the name/ID of the field-level encryption configuration created at step no. 11 from the Field-level Encryption Config dropdown list. Note that you can set the field-level encryption configuration only when Viewer Protocol Policy and Origin Protocol Policy settings are using HTTPS.

19 Click Yes, Edit to save the changes and enable field-level encryption for the selected AWS CloudFront web distribution.

20 Repeat steps no. 1 – 19 to enable field-level encryption feature for other Amazon CloudFront CDN distributions provisioned in your AWS account.

Using AWS CLI

01 Create a 2048-bit RSA key pair, using OpenSSL or another tool, and export the public key in PEM format (see step no. 1 of the console procedure above for how the private key should be handled).

02 Run create-public-key command (OSX/Linux/UNIX) with the PEM-encoded public key generated at the previous step (including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines) as the EncodedKey value, to register a public key that Amazon CloudFront can use for field-level encryption. The "..." placeholder below stands for the body of your PEM file; because the value spans several lines, it is usually easier to put the public-key-config parameters in a JSON document and pass it with file://, as done for the profile and configuration below. CallerReference must be unique for each public key you create:

aws cloudfront create-public-key \
    --region us-east-1 \
    --public-key-config CallerReference="1234567890123",Name="cc-encryption-public-key",EncodedKey="-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----",Comment="Public key for CloudFront field-level encryption."

03 The command output should return the command request metadata:

{
    "PublicKey": {
        "CreatedTime": "2019-01-25T11:32:41.223Z",
        "Id": "ABCD1234ABCDA",
        "PublicKeyConfig": {
            "Comment": "Public key for CloudFront field-level encryption.",
            "EncodedKey": "-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----\n",
            "CallerReference": "1234567890123",
            "Name": "cc-encryption-public-key"
        }
    },
    "ETag": "AABBAABBAABBA",
    "Location": "https://cloudfront.amazonaws.com/2018-06-18/public-key/ABCD1234ABCDA"
}

04 Define the required parameters for the create-field-level-encryption-profile command and save the document to a file named "cc-fle-profile.json". Replace the necessary configuration details, such as "PublicKeyId" parameter value, returned at the previous step, with your own details:

{
  "Name": "cc-field-level-encryption-profile",
  "CallerReference": "1234567890123",
  "Comment": "CloudFront field-level encryption profile.",
  "EncryptionEntities": {
    "Quantity": 1,
    "Items": [
      {
        "PublicKeyId": "ABCD1234ABCDA",
        "ProviderId": "cloud-conformity",
        "FieldPatterns": {
          "Quantity": 2,
          "Items": ["UserName", "CreditCard"]
        }
      }
    ]
  }
}    

05 Run create-field-level-encryption-profile command (OSX/Linux/UNIX) using the parameters defined at the previous step to create the required AWS CloudFront field-level encryption profile:

aws cloudfront create-field-level-encryption-profile \
    --field-level-encryption-profile-config file://cc-fle-profile.json

06 The command output should return the command request metadata:

{
    "FieldLevelEncryptionProfile": {
        "LastModifiedTime": "2019-01-26T10:39:51.343Z",
        "FieldLevelEncryptionProfileConfig": {
            "Comment": "CloudFront field-level encryption profile.",
            "EncryptionEntities": {
                "Items": [
                    {
                        "FieldPatterns": {
                            "Items": [
                                "CreditCard",
                                "UserName"
                            ],
                            "Quantity": 2
                        },
                        "ProviderId": "cloud-conformity",
                        "PublicKeyId": "ABCD1234ABCDA"
                    }
                ],
                "Quantity": 1
            },
            "CallerReference": "1234567890123",
            "Name": "cc-field-level-encryption-profile"
        },
        "Id": "1234AABB1234CC"
    },
    "ETag": "AAABBBCCCDDDA",
    "Location": "https://cloudfront.amazonaws.com/2018-06-18/field-level-encryption-profile/1234AABB1234CC"
}

07 Now define the parameters for the create-field-level-encryption-config command and save the JSON document to a file named "cc-fle-config.json". Replace the necessary configuration details, such as "ProfileId" parameter value (i.e. the ID of the field-level encryption profile), with your own configuration details:

{
  "CallerReference": "1234567890123",
  "Comment": "CloudFront field-level encryption configuration.",
  "QueryArgProfileConfig": {
    "ForwardWhenQueryArgProfileIsUnknown": false,
    "QueryArgProfiles": {
      "Quantity": 0,
      "Items": []
    }
  },
  "ContentTypeProfileConfig": {
    "ForwardWhenContentTypeIsUnknown": false,
    "ContentTypeProfiles": {
      "Quantity": 1,
      "Items": [
        {
          "Format": "URLEncoded",
          "ProfileId": "1234AABB1234CC",
          "ContentType": "application/x-www-form-urlencoded"
        }
      ]
    }
  }
} 

08 Run create-field-level-encryption-config command (OSX/Linux/UNIX) using the parameters defined at the previous step to create the field-level encryption configuration that will be associated with your CloudFront web distribution:

aws cloudfront create-field-level-encryption-config \
    --field-level-encryption-config file://cc-fle-config.json

09 The command output should return the create-field-level-encryption-config command request metadata (including the field-level encryption configuration ID):

{
    "FieldLevelEncryption": {
        "LastModifiedTime": "2019-01-26T10:45:03.500Z",
        "Id": "AB1234CD1234AB",
        "FieldLevelEncryptionConfig": {
            "Comment": "CloudFront field-level encryption configuration.",
            "QueryArgProfileConfig": {
                "ForwardWhenQueryArgProfileIsUnknown": false,
                "QueryArgProfiles": {
                    "Items": [],
                    "Quantity": 0
                }
            },
            "ContentTypeProfileConfig": {
                "ContentTypeProfiles": {
                    "Items": [
                        {
                            "ProfileId": "1234AABB1234CC",
                            "ContentType": "application/x-www-form-urlencoded",
                            "Format": "URLEncoded"
                        }
                    ],
                    "Quantity": 1
                },
                "ForwardWhenContentTypeIsUnknown": false
            },
            "CallerReference": "1234567890123"
        }
    },
    "ETag": "AAAAAAABBBBBBB",
    "Location": "https://cloudfront.amazonaws.com/2018-06-18/field-level-encryption/AB1234CD1234AB"
}

10 Run get-distribution-config command (OSX/Linux/UNIX) to get the current configuration of the Amazon CloudFront web distribution that you want to reconfigure (see the CLI steps in the Audit section to identify the right distribution). Keep the ETag from the output; the update at step no. 13 requires it:

aws cloudfront get-distribution-config \
    --region us-east-1 \
    --id AABBCCDDAABBCC

11 The command output should return the specified web distribution configuration information:

{
    "ETag": "AAAAABBBBCCCC",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "IsIPV6Enabled": true,
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },
        "WebACLId": "",
 
        ...
 
        "CallerReference": "123456789012",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "TLSv1",
            "CertificateSource": "cloudfront"
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Quantity": 0
        }
    }
}

12 Modify the configuration returned at the previous step to enable field-level encryption: set the "FieldLevelEncryptionId" attribute of "DefaultCacheBehavior" to the ID of the field-level encryption configuration returned at step no. 9, and do the same for any entries under "CacheBehaviors" that should encrypt fields, since each cache behavior carries its own "FieldLevelEncryptionId". Save only the value of the "DistributionConfig" key to a JSON document named "enable-field-level-encryption.json", without the surrounding "ETag" and "DistributionConfig" wrapper: the update-distribution command expects the bare DistributionConfig object and takes the ETag separately through its --if-match parameter. You can associate a field-level encryption configuration with a cache behavior only when its Viewer Protocol Policy and the target origin's Origin Protocol Policy are using HTTPS, as in the example below. Make sure that you update the following configuration file according to your own web distribution configuration settings:

{
    "Comment": "",
    "CacheBehaviors": {
        "Quantity": 0
    },
    "IsIPV6Enabled": true,
    "Logging": {
        "Bucket": "",
        "Prefix": "",
        "Enabled": false,
        "IncludeCookies": false
    },
    "WebACLId": "",
    "Origins": {
        "Items": [
            {
                "OriginPath": "",
                "CustomOriginConfig": {
                    "OriginSslProtocols": {
                        "Items": [
                            "TLSv1",
                            "TLSv1.1",
                            "TLSv1.2"
                        ],
                        "Quantity": 3
                    },
                    "OriginProtocolPolicy": "https-only",
                    "OriginReadTimeout": 30,
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginKeepaliveTimeout": 5
                },
                "CustomHeaders": {
                    "Quantity": 0
                },
                "Id": "custom-cloudconformity.com",
                "DomainName": "cloudconformity.com"
            }
        ],
        "Quantity": 1
    },
    "DefaultRootObject": "",
    "PriceClass": "PriceClass_100",
    "Enabled": true,
    "DefaultCacheBehavior": {
        "FieldLevelEncryptionId": "AB1234CD1234AB",
        "TrustedSigners": {
            "Enabled": false,
            "Quantity": 0
        },
        "LambdaFunctionAssociations": {
            "Quantity": 0
        },
        "TargetOriginId": "custom-cloudconformity.com",
        "ViewerProtocolPolicy": "https-only",
        "ForwardedValues": {
            "Headers": {
                "Quantity": 0
            },
            "Cookies": {
                "Forward": "none"
            },
            "QueryStringCacheKeys": {
                "Quantity": 0
            },
            "QueryString": false
        },
        "MaxTTL": 31536000,
        "SmoothStreaming": false,
        "DefaultTTL": 86400,
        "AllowedMethods": {
            "Items": [
                "HEAD",
                "DELETE",
                "POST",
                "GET",
                "OPTIONS",
                "PUT",
                "PATCH"
            ],
            "CachedMethods": {
                "Items": [
                    "HEAD",
                    "GET"
                ],
                "Quantity": 2
            },
            "Quantity": 7
        },
        "MinTTL": 0,
        "Compress": false
    },
    "CallerReference": "123456789012",
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": true,
        "MinimumProtocolVersion": "TLSv1",
        "CertificateSource": "cloudfront"
    },
    "CustomErrorResponses": {
        "Quantity": 0
    },
    "HttpVersion": "http2",
    "Restrictions": {
        "GeoRestriction": {
            "RestrictionType": "none",
            "Quantity": 0
        }
    },
    "Aliases": {
        "Quantity": 0
    }
}

13 Run update-distribution command (OSX/Linux/UNIX) to update the configuration for the selected Amazon CloudFront distribution (see the CLI steps in the Audit section to identify the right resource) and enable field-level encryption. The following command example updates the specified CloudFront web distribution using the JSON document defined at the previous step, i.e. "enable-field-level-encryption.json". The --if-match parameter value is the ETag returned by get-distribution-config at step no. 10; CloudFront rejects the update if the distribution has changed since then, which protects you from silently overwriting a concurrent change:

aws cloudfront update-distribution \
    --id AABBCCDDAABBCC \
    --distribution-config file://enable-field-level-encryption.json \
    --if-match AAAAABBBBCCCC

14 The command output should return the metadata for the modified CloudFront distribution:

{
    "Distribution": {
        "Status": "InProgress",

        ...

        "DefaultCacheBehavior": {
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "LambdaFunctionAssociations": {
                "Quantity": 0
            },
            "TargetOriginId": "custom-cloudconformity.com",
            "ViewerProtocolPolicy": "https-only",
            "ForwardedValues": {
                "Headers": {
                    "Quantity": 0
                },
                "Cookies": {
                    "Forward": "none"
                },
                "QueryStringCacheKeys": {
                    "Quantity": 0
                },
                "QueryString": false
            },
            "MaxTTL": 31536000,
            "SmoothStreaming": false,
            "DefaultTTL": 86400,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "DELETE",
                    "POST",
                    "GET",
                    "OPTIONS",
                    "PUT",
                    "PATCH"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET"
                    ],
                    "Quantity": 2
                },
                "Quantity": 7
            },
            "MinTTL": 0,
            "Compress": false
        },
        
        ...
 
    "ETag": "1234ABCD1234AD"
} 

15 Repeat steps no. 1 – 14 to enable the field-level encryption feature for other Amazon CloudFront web distributions available within your AWS account.
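The following script is added here as an example; it is not part of the original page or of Cloud Conformity's tooling. It automates steps no. 10 to 13 of the CLI procedure: it takes the JSON returned by get-distribution-config together with the field-level encryption configuration ID from step no. 9, checks the HTTPS prerequisites that CloudFront enforces, writes the bare DistributionConfig document that update-distribution expects and prints the ETag to pass to --if-match. The file name fle_enable.py, the function names and the embedded sample distribution are constructed for the example, and the strict https-only reading of the HTTPS prerequisite is an assumption.

```python
"""Produce the update-distribution input that enables field-level encryption.

Added example for this page (not Cloud Conformity's or AWS's code). Given the
JSON printed by `aws cloudfront get-distribution-config --id <ID>` and the ID
of the field-level encryption configuration created at step no. 9, it writes
the file that `--distribution-config file://...` expects (the DistributionConfig
object alone, without the ETag wrapper) and prints the ETag for --if-match:

    aws cloudfront get-distribution-config --id AABBCCDDAABBCC > dist.json
    python3 fle_enable.py dist.json AB1234CD1234AB enable-field-level-encryption.json
    aws cloudfront update-distribution --id AABBCCDDAABBCC --if-match <printed ETag>
        --distribution-config file://enable-field-level-encryption.json
"""
import json
import sys

# Strict reading of the page's HTTPS prerequisite (assumption).
HTTPS_ONLY = "https-only"


class PrerequisiteError(ValueError):
    """A cache behavior that CloudFront would refuse to associate with FLE."""


def enable_fle(doc, fle_config_id, all_behaviors=False):
    """Return (etag, distribution_config).

    The returned config has FieldLevelEncryptionId set on the default cache
    behavior and, when all_behaviors is True, on every additional behavior as
    well. `doc` is the full get-distribution-config output and is left
    untouched; the ETag is returned separately because update-distribution
    takes it through --if-match, not inside the config document.
    """
    if not fle_config_id:
        raise ValueError("a field-level encryption configuration ID is required")
    etag = doc["ETag"]
    config = json.loads(json.dumps(doc["DistributionConfig"]))  # deep copy
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}

    behaviors = [("DefaultCacheBehavior", config["DefaultCacheBehavior"])]
    if all_behaviors:
        behaviors += [(b["PathPattern"], b)
                      for b in config.get("CacheBehaviors", {}).get("Items", [])]

    for label, behavior in behaviors:
        if behavior["ViewerProtocolPolicy"] != HTTPS_ONLY:
            raise PrerequisiteError(f"{label}: ViewerProtocolPolicy must be {HTTPS_ONLY}")
        origin = origins.get(behavior["TargetOriginId"])
        if origin is None:
            raise PrerequisiteError(f"{label}: TargetOriginId matches no origin")
        custom = origin.get("CustomOriginConfig")  # S3 origins have no protocol policy
        if custom and custom["OriginProtocolPolicy"] != HTTPS_ONLY:
            raise PrerequisiteError(f"{label}: OriginProtocolPolicy must be {HTTPS_ONLY}")
        behavior["FieldLevelEncryptionId"] = fle_config_id
    return etag, config


# Constructed sample shaped like the step 11 output above, trimmed to the keys
# this step touches; the real command returns the complete configuration.
SAMPLE_DOC = {
    "ETag": "AAAAABBBBCCCC",
    "DistributionConfig": {
        "CallerReference": "123456789012",
        "Comment": "",
        "Enabled": True,
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "custom-cloudconformity.com",
            "DomainName": "cloudconformity.com",
            "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "custom-cloudconformity.com",
            "ViewerProtocolPolicy": "https-only",
            "FieldLevelEncryptionId": "",
        },
        "CacheBehaviors": {"Quantity": 0},
    },
}


def main(argv):
    if len(argv) == 4:
        with open(argv[1]) as fh:
            doc = json.load(fh)
        fle_id, out_path = argv[2], argv[3]
    else:  # no arguments: process the constructed sample
        doc, fle_id = SAMPLE_DOC, "AB1234CD1234AB"
        out_path = "enable-field-level-encryption.json"
    etag, config = enable_fle(doc, fle_id)
    with open(out_path, "w") as fh:
        json.dump(config, fh, indent=4)
    print(etag)  # pass this value to: aws cloudfront update-distribution --if-match
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The script fails closed: if a behavior still allows plain HTTP to viewers or to the origin it raises before writing anything, which mirrors the error CloudFront would return and avoids a half-applied configuration. Pass all_behaviors=True to enable_fle when the distribution's additional cache behaviors also receive the sensitive form fields.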


Publication date Jan 27, 2019