AWS CloudFront Best Practices

Best practice rules for Amazon CloudFront

Trend Micro Cloud One™ – Conformity monitors Amazon CloudFront with the following rules:

• CloudFront Compress Objects Automatically

  Ensure CloudFront distributions are configured to automatically compress content.

• CloudFront Geo Restriction

  Ensure Geo Restriction is enabled for CloudFront CDN distributions.

• CloudFront In Use

  Ensure CloudFront global content delivery network (CDN) service is in use.

• CloudFront Insecure Origin SSL Protocols

  Ensure CloudFront origins don't use insecure SSL protocols.

• CloudFront Integrated With WAF

  Ensure CloudFront is integrated with WAF to protect web applications from exploit attempts that can compromise security or place unnecessary load on your application.

• CloudFront Logging Enabled

  Ensure CloudFront logging is enabled.

• CloudFront Security Policy

  Ensure AWS CloudFront distributions are using improved security policies for HTTPS connections.

• CloudFront Traffic To Origin Unencrypted

  Ensure traffic between a CloudFront distribution and the origin is encrypted.

• CloudFront Viewer Protocol Policy

  Ensure CloudFront Viewer Protocol Policy enforces encryption.

• Configure Default Root Object

  Ensure that CloudFront distributions are configured to use a default root object.

• Enable Origin Access Control for Distributions with S3 Origin

  Ensure that CloudFront distributions are using an origin access control configuration for their origin S3 buckets.

• Enable Origin Failover

  Ensure that CloudFront distributions are using the Origin Failover feature to maintain high availability.

• Enable Origin Shield

  Ensure that Amazon CloudFront distributions are using the Origin Shield feature.

• Enable Real-Time Logging

  Ensure that CloudFront distributions are using the Real-Time Logging feature.

• FieldLevel Encryption

  Enable Field-Level Encryption for CloudFront Distributions.

• Missing S3 Bucket

  Ensure that CloudFront distributions do not point to non-existent S3 origins.

• Use CloudFront Content Distribution Network

  Use Amazon CloudFront Content Distribution Network for secure web content delivery.

• Use Custom SSL/TLS Certificates

  Ensure that CloudFront distributions are configured to use a custom SSL/TLS certificate.

• Use SNI to Serve HTTPS Requests

  Ensure that CloudFront distributions are configured to use Server Name Indication (SNI).