CloudFront In Use

Risk level: Medium (should be achieved)

Rule ID: CF-001

Ensure that AWS CloudFront Content Delivery Network (CDN) service is used within your AWS account to secure and accelerate the delivery of your websites, media files or static resources (e.g., CSS files, JavaScript files, images) handled by your web applications.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using AWS CloudFront CDN service can have a significant impact on the performance, security, reliability and availability of your websites/applications content delivery process. CloudFront has several advantages over other Content Delivery Network providers: is fast – using a global network of 59 edge locations, CloudFront caches and delivers copies of your static content close to users with minimal latency, is secure - enforces HTTPS connections between the service edge locations and your origin server and can be integrated with AWS WAF (a web application firewall service made available by Amazon to protect web applications against common attacks), is highly available – engineered for HA and built on top of Amazon’s highly reliable infrastructure, easy to use - you can manage CloudFront distributions with just few clicks using the Management Console or programmatically via AWS API, cost effective - you only pay the web content delivered through the CDN network (pay-as-you-go price plan) and can be easily integrated with other AWS components such as EC2, S3 and AWS WAF.

Audit

To determine if the Cloudfront service is used as Content Delivery Network within your AWS account, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 In the left navigation panel, click Distributions. A web distribution is a Cloudfront service instance that enables you to deliver web content through a worldwide network of cache servers that provide low latency and high data transfer speeds. If there are no Cloudfront distributions listed, instead a Getting Started page is displayed:

If there are no Cloudfront distributions listed, instead a Getting Started page is displayed

the Cloudfront CDN service is not currently used within your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) to list all Cloudfront distributions available in your account:

aws cloudfront list-distributions

02If there are any created, the command output should return each distribution metadata, as shown in the example below:

{
    "DistributionList": {
        "Items": [
            {
                "Status": "Deployed",
                "CacheBehaviors": {
                    "Quantity": 0
                },
                "WebACLId": "",

                ...

                "Id": "E32XTCMOY00ZMN",
                "Restrictions": {
                    "GeoRestriction": {
                        "RestrictionType": "none",
                        "Quantity": 0
                    }
                },
                "Aliases": {
                    "Quantity": 1
                }
            }
        ]
    }
}

If the list-distributions command does not return an output at all, the AWS Cloudfront CDN service is not currently used to deliver your web content through its global network of edge locations.

Remediation / Resolution

In order to utilize AWS Cloudfront as a CDN service to secure and accelerate the delivery of your websites, media files or other static resources, you must create and configure Cloudfront web distributions. To create your own distribution, perform the following:

Using AWS Console

01 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

02 In the left navigation panel, click Distributions.

03 On Amazon CloudFront Getting Started page, click Create Distribution.

04 On Select a delivery method for your content page, under Web section, click Get Started to initiate the web distribution setup process.

05 On Create distribution page, perform the following actions:

For the Origin Settings configuration category, provide the following information:

In the Origin Domain Name box, enter the DNS domain name for your web content origin. The origin can be an S3 bucket (e.g. web-app-static-content.s3.amazonaws.com), a web server instance (e.g. ec2-54-162-64-210.compute-1.amazonaws.com), a custom domain name (e.g. cloudconformity.com) or an AWS Elastic Load Balancer (e.g. web-app-1086495062.us-east-1.elb.amazonaws.com). As example, this rule will use a custom domain name (e.g. cloudconformity.com) for the Origin Domain Name configuration parameter.
(Optional) To request your web content from a directory available at your origin web server instance, enter the directory path (e.g. /static/images) in the Origin Path box. CloudFront will append the provided directory path to the value entered in the Origin Domain Name box, for example: cloudconformity.com/static/images and fill out the Origin ID box to create the distribution unique ID.
In the Origin SSL Protocols section, select which SSL protocols Cloudfront is allowed to use for the HTTPS connection between the distribution edge servers and your origin. Cloud Conformity strongly recommends using TLSv1 protocols or just the TLSv1.2 version if your origin supports it.
In the Origin Protocol Policy section, select HTTPS only (recommended) to connect the CloudFront distribution to your origin over HTTPS (the origin application must match the protocol selected).
(Optional) If required, in the HTTPS Port box, enter the custom HTTPS port that your origin listens on. The default port used is 443.
In the Origin Custom Headers section, specify the custom headers that will be attached to every request sent to your origin. In the Header Name box type the custom header name (e.g. Cache-Control) and in the Value box enter the value for the header (e.g. no-cache). If required, click the + button to define more custom headers for the distribution.

For the Default Cache Behavior Settings configuration category, provide the following information:

In the Viewer Protocol Policy section, select HTTPS only to enforce the website/application users to access your web content using only the HTTPS protocol (recommended) for a secure connection between viewers and the distribution edge locations.
In the Allowed HTTP Methods section, choose the list of HTTP methods to process and forward to your origin by the Cloudfront distribution.
For Cached HTTP Methods setting, specify whether you want CloudFront to cache responses from your origin server when users send OPTIONS requests. GET and HEAD responses are always cached.
From the Forward Headers dropdown menu, select None (Improve Caching) to forward the default headers to your origin server without caching the objects (files) based on their headers value.
In the Object Caching section, select one of the following options based on your requirements:
1. Select Use Origin Cache Headers to preserve the Cache-Control header value attached to your objects by your origin server.
2. Select Customize to define the expiration time in seconds for the objects in the CloudFront cache regardless of Cache-Control headers value set by the origin. Use Minimum TTL (the default is 0 seconds), Maximum TTL and Default TTL fields to specify the minimum, maximum or the default time to keep your objects in the CloudFront cache.
From the Forward Cookies dropdown menu, select None (Improve Caching) to remove the Cookie header from requests forwarded to your origin server and to remove the Set-Cookie header from responses returned to your application users in order to improve caching.
In the Forward Query Strings section, select whether you want this CloudFront distribution to include query strings in the request URLs forwarded to your origin.
For Smooth Streaming choose No.
For Restrict Viewer Access (Use Signed URLs or Signed Cookies) option, choose No.
For Compress Objects Automatically choose No.

For the Distribution Settings configuration category, provide the following information:

From the Price Class dropdown menu, select Use All Edge Locations (Best Performance) to use all edge locations made available by the Cloudfront global network for minimal latency. This price class provides worldwide coverage at higher cost.
To integrate Cloudflare with AWS WAF in order to allow or block requests based on your application requirements, select an existing web ACL (Access Control List) from the AWS WAF Web ACL dropdown list.
(Optional) In the Alternate Domain Names (CNAMEs) box, enter your custom CNAME record (for example, media.cloudconformity.com) to use your own domain name instead of the AWS CloudFront distribution domain name (for example, d1ams0mx9tn8g.cloudfront.net). Within your DNS zone file, set your CNAME record to route queries for your domain name to CloudFront distribution domain name.
In the SSL Certificate section, choose one of the following options:
1. Select Default CloudFront Certificate (*.cloudfront.net) to use the default Cloudfront URL structure for your objects (e.g., https:// d1ams0mx9tn8g.cloudfront.net/static/images/logo.png).
2. Select Custom SSL Certificate to use your own domain name for the objects URL structure (e.g., https://media.cloudconformity.com/static/images/logo.png). Choose the applicable SSL certificate from the section dropdown list or use the Request an ACM certificate button to provision a new SSL certificate through AWS Certificate Manager (ACM) service.
(Optional) In the Default Root Object box, specify a default root object (e.g., index.html) available your origin root directory to avoid exposing the contents of your distribution.
In the Logging section, select whether you want to log all user requests made for the objects available in the Cloudfront distribution. To log the requests, provide the S3 bucket name that will store the access logs, a unique prefix for the log files (optional) and whether you want CloudFront to include cookies in these logs.
(Optional) In the Comment box, enter a small description for the distribution.
Set Distribution State to Enabled.

06 Click Create Distribution button located in the bottom right corner to create the new Cloudfront web distribution. The distribution status will change from In Progress to Deployed once is deployed worldwide (it should take less than 15 minutes).

Using AWS CLI

01In order to create an AWS Cloudfront web distribution, you must define first the distribution configuration file in JSON format. The following example describes a Cloudfront configuration file (e.g., web-cf-distribution.json) created for a custom domain name (e.g., cloudconformity.com):

{
  "CallerReference": "my-cf-web-distribution-2016-08-05",
  "Aliases": {
    "Quantity": 0
  },
  "DefaultRootObject": "index.html",
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "custom-cloudconformity.com-images",
        "DomainName": "cloudconformity.com",
        "OriginPath": "/static/images",
        "CustomOriginConfig": {
            "OriginProtocolPolicy": "https-only",
            "HTTPPort": 80,
            "OriginSslProtocols": {
                "Items": [
                    "TLSv1.2"
                ],
                "Quantity": 1
            },
            "HTTPSPort": 443
        },
        "CustomHeaders": {
            "Quantity": 0
        }
      }
    ]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "custom-cloudconformity.com-images",
    "ForwardedValues": {
      "QueryString": false,
      "Cookies": {
        "Forward": "none"
      }
    },
    "AllowedMethods": {
        "Items": [
            "HEAD",
            "DELETE",
            "POST",
            "GET",
            "OPTIONS",
            "PUT",
            "PATCH"
        ],
        "CachedMethods": {
            "Items": [
                "HEAD",
                "GET",
                "OPTIONS"
            ],
            "Quantity": 3
        },
        "Quantity": 7
    },
    "TrustedSigners": {
      "Enabled": false,
      "Quantity": 0
    },
    "ViewerProtocolPolicy": "https-only",
    "MinTTL": 0,
    "MaxTTL": 31536000,
    "DefaultTTL": 86400,
    "Compress": false
  },
  "CacheBehaviors": {
    "Quantity": 0
  },
  "Comment": "cloudconformity.com global web distribution",
  "Logging": {
    "Enabled": true,
    "IncludeCookies": false,
    "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
    "Prefix": ""
  },
  "Aliases": {
    "Items": [
        "media.cloudconformity.com"
    ],
    "Quantity": 1
  },
  "PriceClass": "PriceClass_All",
  "Enabled": true
}

02Run create-distribution command (OSX/Linux/UNIX) to create a new AWS Cloudfront web distribution. The following command example creates a CloudFront CDN web distribution for a custom domain name using a JSON configuration document with the file name web-cf-distribution.json:

aws cloudfront create-distribution
	--distribution-config file://web-cf-distribution.json

03The command output should return the metadata for the newly created web distribution:

{
    "Distribution": {
        "Status": "InProgress",
        "DomainName": "d1ams0mx9tn8g.cloudfront.net",
        "InProgressInvalidationBatches": 0,
        "DistributionConfig": {
            "Comment": "cloudconformity.com global web distribution",
            "CacheBehaviors": {
                "Quantity": 0
            },
            "Logging": {
                "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
                "Prefix": "",
                "Enabled": true,
                "IncludeCookies": false
            },
            "WebACLId": "",
            "Origins": {
                "Items": [
                    {
                        "OriginPath": "/static/images",
                        "CustomOriginConfig": {
                            "OriginProtocolPolicy": "https-only",
                            "HTTPPort": 80,
                            "OriginSslProtocols": {
                                "Items": [
                                    "TLSv1.2"
                                ],
                                "Quantity": 1
                            },
                            "HTTPSPort": 443
                        },
                        "CustomHeaders": {
                            "Quantity": 0
                        },
                        "Id": "custom-cloudconformity.com-images",
                        "DomainName": "cloudconformity.com"
                    }
                ],
                "Quantity": 1
            },
            "DefaultRootObject": "index.html",
            "PriceClass": "PriceClass_All",
            "Enabled": true,
            "DefaultCacheBehavior": {
                "TrustedSigners": {
                    "Enabled": false,
                    "Quantity": 0
                },
                "TargetOriginId": "custom-cloudconformity.com-images",
                "ViewerProtocolPolicy": "https-only",
                "ForwardedValues": {
                    "Headers": {
                        "Quantity": 0
                    },
                    "Cookies": {
                        "Forward": "none"
                    },
                    "QueryString": false
                },
                "MaxTTL": 31536000,
                "SmoothStreaming": false,
                "DefaultTTL": 86400,
                "AllowedMethods": {
                    "Items": [
                        "HEAD",
                        "DELETE",
                        "POST",
                        "GET",
                        "OPTIONS",
                        "PUT",
                        "PATCH"
                    ],
                    "CachedMethods": {
                        "Items": [
                            "HEAD",
                            "GET",
                            "OPTIONS"
                        ],
                        "Quantity": 3
                    },
                    "Quantity": 7
                },
                "MinTTL": 0,
                "Compress": false
            },
            "CallerReference": "my-cf-web-distribution-2016-08-05",
            "ViewerCertificate": {
                "CloudFrontDefaultCertificate": true,
                "MinimumProtocolVersion": "SSLv3",
                "CertificateSource": "cloudfront"
            },
            "CustomErrorResponses": {
                "Quantity": 0
            },
            "Restrictions": {
                "GeoRestriction": {
                    "RestrictionType": "none",
                    "Quantity": 0
                }
            },
            "Aliases": {
                "Items": [
                    "media.cloudconformity.com"
                ],
                "Quantity": 1
            }
        },
        "ActiveTrustedSigners": {
            "Enabled": false,
            "Quantity": 0
        },
        "LastModifiedTime": "2016-08-25T11:45:17.617Z",
        "Id": "E2RX3E6TS8SFB9"
    },
    "ETag": "E2JUEZYU773FIQ",
    "Location": "https://cloudfront.amazonaws.com/2016-01-28/distribution/E2RX3E6TS8SFB9"
}

References

AWS Command Line Interface (CLI) Documentation
cloudfront
list-distributions
create-distribution

Publication date Aug 16, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

CloudFront In Use

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules