01 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from your CloudFront distribution that is not using HTTPS to encrypt traffic between CloudFront and its origin (to identify it see Audit section part II). The following command returns the configuration of a CDN distribution whose custom origin is reached over HTTP only, identified by the ID E2ZZAENK18GEUD:
aws cloudfront get-distribution-config \
    --id E2ZZAENK18GEUD
02 The command output should return the selected distribution configuration information:
{
    "ETag": "EWSAJGYMS6BTZ",
    "DistributionConfig": {
        "CacheBehaviors": {
            "Quantity": 0
        },
        ...
        "Origins": {
            "Items": [
                {
                    "OriginPath": "/static/files",
                    "CustomOriginConfig": {
                        "OriginProtocolPolicy": "http-only",
                        "HTTPPort": 80,
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1",
                                "TLSv1.1",
                                "TLSv1.2"
                            ],
                            "Quantity": 3
                        },
                        "HTTPSPort": 443
                    },
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "cloudconformity.com-custom-origin",
                    "DomainName": "cloudconformity.com"
                }
            ],
            "Quantity": 1
        },
        ...
        "Aliases": {
            "Items": [
                "cdn.cloudconformity.com"
            ],
            "Quantity": 1
        }
    }
}
03 Modify the configuration information returned at the previous step to enable HTTPS by setting the OriginProtocolPolicy attribute of the custom origin to "https-only" (as shown in the example below) and save the new configuration in a JSON document named distconfig-enable-encryption.json. The document must contain only the DistributionConfig object, without the ETag and the outer "DistributionConfig" wrapper, because the --distribution-config parameter of update-distribution expects the DistributionConfig structure itself (keep the ETag value, here EQP0D4W05BAOE, for the next step):
{
    "Comment": "",
    "CacheBehaviors": {
        "Quantity": 0
    },
    "Logging": {
        "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
        "Prefix": "cloudconformity/",
        "Enabled": true,
        "IncludeCookies": false
    },
    "WebACLId": "",
    "Origins": {
        "Items": [
            {
                "OriginPath": "/static/files",
                "CustomOriginConfig": {
                    "OriginProtocolPolicy": "https-only",
                    "HTTPPort": 80,
                    "OriginSslProtocols": {
                        "Items": [
                            "TLSv1",
                            "TLSv1.1",
                            "TLSv1.2"
                        ],
                        "Quantity": 3
                    },
                    "HTTPSPort": 443
                },
                "CustomHeaders": {
                    "Quantity": 0
                },
                "Id": "cloudconformity.com-custom-origin",
                "DomainName": "cloudconformity.com"
            }
        ],
        "Quantity": 1
    },
    "DefaultRootObject": "index.html",
    "PriceClass": "PriceClass_All",
    "Enabled": true,
    "DefaultCacheBehavior": {
        "TrustedSigners": {
            "Enabled": false,
            "Quantity": 0
        },
        "TargetOriginId": "cloudconformity.com-custom-origin",
        "ViewerProtocolPolicy": "allow-all",
        "ForwardedValues": {
            "Headers": {
                "Quantity": 0
            },
            "Cookies": {
                "Forward": "none"
            },
            "QueryString": false
        },
        "MaxTTL": 31536000,
        "SmoothStreaming": false,
        "DefaultTTL": 86400,
        "AllowedMethods": {
            "Items": [
                "HEAD",
                "DELETE",
                "POST",
                "GET",
                "OPTIONS",
                "PUT",
                "PATCH"
            ],
            "CachedMethods": {
                "Items": [
                    "HEAD",
                    "GET",
                    "OPTIONS"
                ],
                "Quantity": 3
            },
            "Quantity": 7
        },
        "MinTTL": 0,
        "Compress": false
    },
    "CallerReference": "1472460217570",
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": true,
        "MinimumProtocolVersion": "SSLv3",
        "CertificateSource": "cloudfront"
    },
    "CustomErrorResponses": {
        "Quantity": 0
    },
    "Restrictions": {
        "GeoRestriction": {
            "RestrictionType": "none",
            "Quantity": 0
        }
    },
    "Aliases": {
        "Items": [
            "cdn.cloudconformity.com"
        ],
        "Quantity": 1
    }
}
04 Run update-distribution command (OSX/Linux/UNIX) to update your AWS CloudFront distribution in order to enable HTTPS towards the origin. The following command example updates a CloudFront CDN web distribution with the ID E2ZZAENK18GEUD and the ETag EQP0D4W05BAOE (the ETag is the version identifier returned together with the distribution configuration when it is retrieved, e.g. "ETag": "EQP0D4W05BAOE"; passing it with --if-match makes the update fail if the configuration has changed since it was retrieved), using a JSON configuration document with the file name distconfig-enable-encryption.json:
aws cloudfront update-distribution \
    --id E2ZZAENK18GEUD \
    --distribution-config file://distconfig-enable-encryption.json \
    --if-match EQP0D4W05BAOE
05 The command output should return the metadata for the modified CDN distribution:
{
    "Distribution": {
        "Status": "InProgress",
        ...
        "Origins": {
            "Items": [
                {
                    "OriginPath": "/static/files",
                    "CustomOriginConfig": {
                        "OriginProtocolPolicy": "https-only",
                        "HTTPPort": 80,
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1",
                                "TLSv1.1",
                                "TLSv1.2"
                            ],
                            "Quantity": 3
                        },
                        "HTTPSPort": 443
                    },
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "cloudconformity.com-custom-origin",
                    "DomainName": "cloudconformity.com"
                }
            ],
            "Quantity": 1
        },
        ...
    },
    "ETag": "E114Z923VWUZCD"
}
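The five steps above are a retrieve-edit-update cycle on one JSON document. The script below is an added example written for this page; it is not Cloud Conformity's tooling and not part of the AWS CLI. It takes the output of get-distribution-config, reports the custom origins that still use "http-only" (the Audit check), unwraps the DistributionConfig object so that it can be passed to --distribution-config, switches those origins to "https-only", and hands back the ETag for --if-match. The sample document is constructed from the IDs shown on this page plus a hypothetical S3 origin (assets-bucket-origin) added to show that origins without a CustomOriginConfig are left untouched; it is not real distribution data.

```python
"""Added example: prepare the update-distribution input from get-distribution-config output.

Not Cloud Conformity's code and not part of the AWS CLI. The sample document
below is constructed from the values on this page; the S3 origin is hypothetical.
"""
import copy
import json
import sys

# Constructed sample in the shape returned by get-distribution-config.
# Only the fields the functions below touch are reproduced.
SAMPLE_GET_OUTPUT = {
    "ETag": "EWSAJGYMS6BTZ",
    "DistributionConfig": {
        "CallerReference": "1472460217570",
        "Origins": {
            "Quantity": 2,
            "Items": [
                {
                    "Id": "cloudconformity.com-custom-origin",
                    "DomainName": "cloudconformity.com",
                    "OriginPath": "/static/files",
                    "CustomOriginConfig": {
                        "OriginProtocolPolicy": "http-only",
                        "HTTPPort": 80,
                        "HTTPSPort": 443,
                        "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
                    },
                },
                {   # hypothetical S3 origin: no CustomOriginConfig, so nothing to change
                    "Id": "assets-bucket-origin",
                    "DomainName": "assets-bucket.s3.amazonaws.com",
                    "S3OriginConfig": {"OriginAccessIdentity": ""},
                },
            ],
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": "cloudconformity.com-custom-origin",
            "ViewerProtocolPolicy": "allow-all",
        },
        "Enabled": True,
    },
}


def unencrypted_origins(dist_config):
    """Return the Ids of custom origins that CloudFront reaches over plain HTTP.

    An origin is a finding when its OriginProtocolPolicy is "http-only".
    S3 origins carry no CustomOriginConfig and are skipped.
    """
    found = []
    for origin in dist_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom and custom.get("OriginProtocolPolicy") == "http-only":
            found.append(origin["Id"])
    return found


def harden_origins(get_output):
    """Build the update-distribution input from a get-distribution-config output.

    Returns (distribution_config, etag). The dict is the bare DistributionConfig
    object, which is what --distribution-config expects (not the ETag/DistributionConfig
    wrapper); the ETag is returned separately for --if-match. The input is not modified.
    """
    config = copy.deepcopy(get_output["DistributionConfig"])
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom and custom.get("OriginProtocolPolicy") == "http-only":
            custom["OriginProtocolPolicy"] = "https-only"
    return config, get_output["ETag"]


def viewer_allows_plain_http(dist_config):
    """True when any cache behavior still lets viewers connect over plain HTTP.

    OriginProtocolPolicy only covers the CloudFront-to-origin leg; the viewer
    leg is governed by ViewerProtocolPolicy, which is "allow-all" on this page.
    """
    behaviors = [dist_config.get("DefaultCacheBehavior", {})]
    behaviors += dist_config.get("CacheBehaviors", {}).get("Items", [])
    return any(b.get("ViewerProtocolPolicy") == "allow-all" for b in behaviors)


def main(argv):
    # Usage: python cf_https_origin.py get-output.json > distconfig-enable-encryption.json
    # With no argument the constructed sample above is processed instead.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            get_output = json.load(fh)
    else:
        get_output = SAMPLE_GET_OUTPUT
    findings = unencrypted_origins(get_output["DistributionConfig"])
    config, etag = harden_origins(get_output)
    print(json.dumps(config, indent=4))
    print(f"# origins switched to https-only: {findings}", file=sys.stderr)
    print(f"# pass this ETag to --if-match: {etag}", file=sys.stderr)
    if viewer_allows_plain_http(config):
        print("# note: ViewerProtocolPolicy still allows plain HTTP from viewers", file=sys.stderr)


if __name__ == "__main__":
    main(sys.argv)
```

Save the get-distribution-config output to a file, run the script on it, redirect stdout to distconfig-enable-encryption.json and use the ETag printed on stderr as the --if-match value of update-distribution. The viewer-side note is there because the page's configuration keeps "ViewerProtocolPolicy": "allow-all": after this remediation the CloudFront-to-origin leg is encrypted, but viewers can still fetch the same content over plain HTTP unless that attribute is changed as well.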