01 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from the CloudFront distribution(s) marked as insecure (see Audit section, part II). The following command returns the configuration of an insecure distribution identified by the ID E2RX3E6TS8SFB9:
aws cloudfront get-distribution-config \
    --id E2RX3E6TS8SFB9
02 The command output should return the selected distribution configuration information:
{
"ETag": "E5TUH6VDXMQ72",
"DistributionConfig": {
"Comment": "",
"CacheBehaviors": {
"Quantity": 0
},
...
"Origins": {
"Items": [
{
"OriginPath": "/static/images",
"CustomOriginConfig": {
"OriginProtocolPolicy": "https-only",
"HTTPPort": 80,
"OriginSslProtocols": {
"Items": [
"SSLv3",
"TLSv1",
"TLSv1.1",
"TLSv1.2"
],
"Quantity": 4
},
"HTTPSPort": 443
},
"CustomHeaders": {
"Quantity": 0
},
"Id": "custom-cloudconformity.com-images",
"DomainName": "cloudconformity.com"
}
],
"Quantity": 1
},
...
"Aliases": {
"Items": [
"media.cloudconformity.com"
],
"Quantity": 1
}
}
}
03 Modify the configuration information returned at the previous step to disable the SSLv3 protocol on the origin connection: remove "SSLv3" from the OriginSslProtocols Items list and set its Quantity to the new number of entries (CloudFront rejects a configuration whose Quantity does not match the length of Items). Save only the DistributionConfig object in a JSON document named distconfig-secure-origin.json; do not include the outer "ETag"/"DistributionConfig" wrapper, because update-distribution accepts the bare configuration object and the ETag is passed separately in the next step:
{
  "Comment": "",
  "CacheBehaviors": {
    "Quantity": 0
  },
  "Logging": {
    "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
    "Prefix": "cloudconformity",
    "Enabled": true,
    "IncludeCookies": false
  },
  "WebACLId": "",
  "Origins": {
    "Items": [
      {
        "OriginPath": "/static/images",
        "CustomOriginConfig": {
          "OriginProtocolPolicy": "https-only",
          "HTTPPort": 80,
          "OriginSslProtocols": {
            "Items": [
              "TLSv1",
              "TLSv1.1",
              "TLSv1.2"
            ],
            "Quantity": 3
          },
          "HTTPSPort": 443
        },
        "CustomHeaders": {
          "Quantity": 0
        },
        "Id": "custom-cloudconformity.com-images",
        "DomainName": "cloudconformity.com"
      }
    ],
    "Quantity": 1
  },
  "DefaultRootObject": "index.html",
  "PriceClass": "PriceClass_All",
  "Enabled": true,
  "DefaultCacheBehavior": {
    "TrustedSigners": {
      "Enabled": false,
      "Quantity": 0
    },
    "TargetOriginId": "custom-cloudconformity.com-images",
    "ViewerProtocolPolicy": "https-only",
    "ForwardedValues": {
      "Headers": {
        "Quantity": 0
      },
      "Cookies": {
        "Forward": "none"
      },
      "QueryString": false
    },
    "MaxTTL": 31536000,
    "SmoothStreaming": false,
    "DefaultTTL": 86400,
    "AllowedMethods": {
      "Items": [
        "HEAD",
        "DELETE",
        "POST",
        "GET",
        "OPTIONS",
        "PUT",
        "PATCH"
      ],
      "CachedMethods": {
        "Items": [
          "HEAD",
          "GET",
          "OPTIONS"
        ],
        "Quantity": 3
      },
      "Quantity": 7
    },
    "MinTTL": 0,
    "Compress": false
  },
  "CallerReference": "my-cf-web-distribution-2016-08-05",
  "ViewerCertificate": {
    "CloudFrontDefaultCertificate": true,
    "MinimumProtocolVersion": "SSLv3",
    "CertificateSource": "cloudfront"
  },
  "CustomErrorResponses": {
    "Quantity": 0
  },
  "Restrictions": {
    "GeoRestriction": {
      "RestrictionType": "none",
      "Quantity": 0
    }
  },
  "Aliases": {
    "Items": [
      "media.cloudconformity.com"
    ],
    "Quantity": 1
  }
}
04 Run update-distribution command (OSX/Linux/UNIX) to update the required AWS CloudFront distribution. The following command example updates a CloudFront CDN web distribution with the ID E2RX3E6TS8SFB9 and the ETag E5TUH6VDXMQ72, using the JSON configuration document distconfig-secure-origin.json. The ETag is the version identifier returned together with the distribution configuration in step 02 (e.g. "ETag": "E5TUH6VDXMQ72"); passing it with --if-match makes CloudFront apply the update only if the configuration has not changed since it was retrieved, otherwise the call fails with a PreconditionFailed error instead of overwriting a concurrent change:
aws cloudfront update-distribution \
    --id E2RX3E6TS8SFB9 \
    --distribution-config file://distconfig-secure-origin.json \
    --if-match E5TUH6VDXMQ72
05 The command output should return the metadata for the updated distribution:
{
"Distribution": {
"Status": "InProgress",
"DomainName": "d1ams0mx9tn8g.cloudfront.net",
...
"Origins": {
"Items": [
{
"OriginPath": "/static/images",
"CustomOriginConfig": {
"OriginProtocolPolicy": "https-only",
"HTTPPort": 80,
"OriginSslProtocols": {
"Items": [
"TLSv1",
"TLSv1.1",
"TLSv1.2"
],
"Quantity": 3
},
"HTTPSPort": 443
},
"CustomHeaders": {
"Quantity": 0
},
"Id": "custom-cloudconformity.com-images",
"DomainName": "cloudconformity.com"
}
],
"Quantity": 1
},
...
"LastModifiedTime": "2016-08-27T10:32:39.561Z",
"Id": "E2RX3E6TS8SFB9"
},
"ETag": "E5TUH6VDXMQ72"
}
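The five steps above can be automated so that every custom origin of a distribution is hardened in one pass and the ETag check is never forgotten. The following script is an added example written for this page, not Cloud Conformity's or AWS's own code; it assumes boto3 and AWS credentials are available for the live calls (the DryRunClient, the SAMPLE_CONFIG and its example.com origins are constructed for offline use), and it generalises step 03 to all custom origins and to any set of protocols you choose to retire.

```python
"""Remediate CloudFront distributions whose custom origins still allow SSLv3.

Added example, not Cloud Conformity's or AWS's own code. It automates steps
01 to 05 above: fetch the distribution configuration, strip SSLv3 from every
custom origin's OriginSslProtocols, and push the configuration back with the
ETag as the IfMatch token. Live calls assume boto3 and AWS credentials are
available; the transformation is pure and runs offline against the sample.
"""
import copy
import json

# Origin-side protocols to strip; the page remediates SSLv3 only.
INSECURE_ORIGIN_PROTOCOLS = frozenset({"SSLv3"})


def harden_origin_ssl_protocols(distribution_config, insecure=INSECURE_ORIGIN_PROTOCOLS):
    """Return (new_config, changed) without mutating the input.

    Origins with a CustomOriginConfig lose the protocols in `insecure`; S3
    origins have no OriginSslProtocols and are skipped. Quantity is kept equal
    to len(Items), which the API requires (InconsistentQuantities otherwise).
    """
    new_config = copy.deepcopy(distribution_config)
    changed = False
    for origin in new_config.get("Origins", {}).get("Items", []):
        protocols = origin.get("CustomOriginConfig", {}).get("OriginSslProtocols")
        if not protocols:
            continue
        items = list(protocols.get("Items", []))
        kept = [p for p in items if p not in insecure]
        if kept == items:
            continue
        if not kept:
            # Refuse rather than push a config that leaves the origin unreachable.
            raise ValueError(f"origin {origin.get('Id')!r} would have no TLS protocol left")
        protocols["Items"] = kept
        protocols["Quantity"] = len(kept)
        changed = True
    return new_config, changed


class DryRunClient:
    """Stand-in for boto3's CloudFront client (constructed for this example):
    serves a canned configuration and records the update instead of sending it."""

    def __init__(self, distribution_config, etag):
        self._config, self._etag, self.updates = distribution_config, etag, []

    def get_distribution_config(self, Id):
        return {"ETag": self._etag, "DistributionConfig": copy.deepcopy(self._config)}

    def update_distribution(self, Id, DistributionConfig, IfMatch):
        self.updates.append({"Id": Id, "DistributionConfig": DistributionConfig, "IfMatch": IfMatch})
        return {"ETag": "DRYRUN", "Distribution": {"Id": Id, "Status": "InProgress"}}


def remediate_distribution(distribution_id, client=None):
    """Fetch, harden and update one distribution; returns None if nothing changed.

    IfMatch carries the ETag from get_distribution_config, so the update fails
    with PreconditionFailed if the distribution changed in between rather than
    silently overwriting someone else's edit.
    """
    if client is None:
        import boto3  # assumed installed; only needed for live AWS calls
        client = boto3.client("cloudfront")
    response = client.get_distribution_config(Id=distribution_id)
    new_config, changed = harden_origin_ssl_protocols(response["DistributionConfig"])
    if not changed:
        return None
    # Only the DistributionConfig object is sent; the ETag travels in IfMatch.
    return client.update_distribution(Id=distribution_id, DistributionConfig=new_config,
                                      IfMatch=response["ETag"])


# Constructed sample modelled on the step-02 output: one custom origin still
# offering SSLv3 and one S3 origin with no OriginSslProtocols at all.
SAMPLE_CONFIG = {
    "CallerReference": "example-2016-08-05",
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "custom-example-images", "DomainName": "example.com",
         "OriginPath": "/static/images",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                                "HTTPPort": 80, "HTTPSPort": 443,
                                "OriginSslProtocols": {"Quantity": 4, "Items": [
                                    "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]}}},
        {"Id": "s3-example-assets", "DomainName": "assets-example.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
}


if __name__ == "__main__":
    client = DryRunClient(SAMPLE_CONFIG, "E5TUH6VDXMQ72")
    result = remediate_distribution("E2RX3E6TS8SFB9", client=client)
    print(json.dumps(client.updates[0]["DistributionConfig"]["Origins"], indent=2))
    print("IfMatch sent:", client.updates[0]["IfMatch"], "->", result["ETag"])
    # Live run: remediate_distribution("E2RX3E6TS8SFB9") with boto3 credentials.
```

Running the script as-is performs a dry run against the constructed sample and prints the hardened Origins block; calling remediate_distribution with no client performs the real get/update round trip. The function refuses to empty the protocol list entirely, because an origin with no usable TLS version is an outage rather than a remediation.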