CloudFront Traffic To Origin Unencrypted

Risk level: Medium (should be achieved)

Rule ID: CF-003

Ensure that the communication between your AWS CloudFront distributions and their custom origins is encrypted using HTTPS in order to secure the delivery of your web content and fulfill compliance requirements for data in transit encryption.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using HTTPS for your AWS Cloudfront distributions can offer you the guarantee that the encrypted traffic between the edge servers and the custom origin cannot be unsealed by malicious users in case they are able to capture packets sent across Cloudfront Content Distribution Network (CDN).

Note: This rule does not apply if you have an AWS S3 bucket configured as website endpoint because the S3 service does not support HTTPS connections in this particular configuration.

Audit

To determine if your Cloudfront CDN distributions are configured to use HTTPS for data in transit encryption, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that you want to examine.

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 Select the Origins tab and choose the distribution origin that you want to verify from the Origins list.

06 Click the Edit button to access the origin settings.

07 On the Origin Settings page, verify the Origin Protocol Policy current configuration. If HTTP Only is currently enabled:

the traffic between the Cloudfront distribution edge servers and the selected origin is not encrypted. If the Match Viewer option is currently selected:

If the Match Viewer option is currently selected

and the viewer requests to CloudFront are made using HTTP, CloudFront is also connecting to the origin using HTTP, therefore the traffic is not encrypted.

08 Repeat steps no. 5 – 7 for each origin created for the selected distribution.

09 Repeat steps no. 3 – 8 for each Cloudfront CDN distribution available in your AWS account.

Using AWS CLI

01Run list-distributions command (OSX/Linux/UNIX) using necessary filters to list the IDs of all Cloudfront distributions available in your account:

aws cloudfront list-distributions
    --output table
    --query 'DistributionList.Items[*].Id'

02The command output should return a table with the requested metadata:

--------------------
|ListDistributions |
+------------------+
|  E2ZZAENK18GEUD  |
|  E2RX3E6TS8SFB9  |
|  GDE6G5KZMPD0BF  |
+------------------+

03Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as parameter with appropriate filtering, to expose the Cloudfront distribution origin(s) HTTP/HTTPS protocol policy configuration:

aws cloudfront get-distribution
    --id E2ZZAENK18GEUD
    --query 'Distribution.DistributionConfig.Origins.Items[*].CustomOriginConfig'

04 The command output should return the requested configuration metadata:

[
    {
        "OriginProtocolPolicy": "http-only",
        "HTTPPort": 80,
        "OriginSslProtocols": {
            "Items": [
                "TLSv1",
                "TLSv1.1",
                "TLSv1.2"
            ],
            "Quantity": 3
        },
        "HTTPSPort": 443
    }
]

If the OriginProtocolPolicy property value (highlighted) is set to "http-only", the traffic between the selected Cloudfront distribution and its origin is not encrypted. Also, if the property value is set to "match-viewer" and the viewer requests to CloudFront are made using HTTP only, the traffic is not encrypted.

05 Repeat step no. 3 and 4 to examine other CDN distributions available within your AWS account.

Remediation / Resolution

To enable HTTPS for encrypting the traffic between your CloudFront distributions edge locations and their origins, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that you want to update (see Audit section part I to identify the ones that are not using HTTPS).

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 Select the Origins tab and choose the origin that you want to update from the Origins list.

06 Click the Edit button to access the origin settings.

07 On the Origin Settings page, select HTTPS Only from the Origin Protocol Policy list to enable HTTPS and encrypt any objects sent between the distribution edge servers and the selected origin.

08 Click Yes, Edit to save the changes. On the Distributions page, the distribution status will change from In Progress to Deployed once the changes are deployed through the Cloudfront network.

09 Repeat steps no. 5 – 8 to update other custom origins available (if any).

10 Repeat steps no. 3 – 9 to update other Cloudfront distributions that are not using HTTPS, available in your AWS account.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from your Cloudfront distribution that is not using HTTPS to encrypt traffic (to identify it see Audit section part II). The following command returns the configuration of a CDN distribution which delivers the content using HTTP only, identified by the ID E2ZZAENK18GEUD:

aws cloudfront get-distribution-config
    --id E2ZZAENK18GEUD

02 The command output should return the selected distribution configuration information:

{
    "ETag": "EWSAJGYMS6BTZ",
    "DistributionConfig": {
        "CacheBehaviors": {
            "Quantity": 0
        },

        ...

        "Origins": {
            "Items": [
                {
                    "OriginPath": "/static/files",
                    "CustomOriginConfig": {
                        "OriginProtocolPolicy": "http-only",
                        "HTTPPort": 80,
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1",
                                "TLSv1.1",
                                "TLSv1.2"
                            ],
                            "Quantity": 3
                        },
                        "HTTPSPort": 443
                    },
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "cloudconformity.com-custom-origin",
                    "DomainName": "cloudconformity.com"
                }
            ],
            "Quantity": 1
        },

        ...

        "Aliases": {
            "Items": [
                "cdn.cloudconformity.com"
            ],
            "Quantity": 1
        }
    }
}

03 Modify the configuration information returned at the previous step to enable HTTPS by editing the OriginProtocolPolicy config object (as shown in the example below) and save the new configuration in a JSON document named distconfig-enable-encryption.json:

{
    "ETag": "EQP0D4W05BAOE",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "Logging": {
            "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
            "Prefix": "cloudconformity/",
            "Enabled": true,
            "IncludeCookies": false
        },
        "WebACLId": "",
        "Origins": {
            "Items": [
                {
                    "OriginPath": "/static/files",
                    "CustomOriginConfig": {
                        "OriginProtocolPolicy": "https-only",
                        "HTTPPort": 80,
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1",
                                "TLSv1.1",
                                "TLSv1.2"
                            ],
                            "Quantity": 3
                        },
                        "HTTPSPort": 443
                    },
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "cloudconformity.com-custom-origin",
                    "DomainName": "cloudconformity.com"
                }
            ],
            "Quantity": 1
        },
        "DefaultRootObject": "index.html",
        "PriceClass": "PriceClass_All",
        "Enabled": true,
        "DefaultCacheBehavior": {
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "TargetOriginId": "cloudconformity.com-custom-origin",
            "ViewerProtocolPolicy": "allow-all",
            "ForwardedValues": {
                "Headers": {
                    "Quantity": 0
                },
                "Cookies": {
                    "Forward": "none"
                },
                "QueryString": false
            },
            "MaxTTL": 31536000,
            "SmoothStreaming": false,
            "DefaultTTL": 86400,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "DELETE",
                    "POST",
                    "GET",
                    "OPTIONS",
                    "PUT",
                    "PATCH"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET",
                        "OPTIONS"
                    ],
                    "Quantity": 3
                },
                "Quantity": 7
            },
            "MinTTL": 0,
            "Compress": false
        },
        "CallerReference": "1472460217570",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "SSLv3",
            "CertificateSource": "cloudfront"
        },
        "CustomErrorResponses": {
            "Quantity": 0
        },
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Items": [
                "cdn.cloudconformity.com"
            ],
            "Quantity": 1
        }
    }
}

04 Run update-distribution command (OSX/Linux/UNIX) to update your AWS Cloudfront distribution in order to enable HTTPS. The following command example updates a CloudFront CDN web distribution with the ID E2ZZAENK18GEUD and the ETag EQP0D4W05BAOE (an ETag is a header ID exposed when a CDN distribution configuration is retrieved, e.g. "ETag": "EQP0D4W05BAOE"), using a JSON configuration document with the file name distconfig- enable-encryption.json:

aws cloudfront update-distribution
    --id E2ZZAENK18GEUD
    --distribution-config file://distconfig-enable-encryption.json
    --if-match EQP0D4W05BAOE

05 The command output should return the metadata for the modified CDN distribution:

{
    "Distribution": {
        "Status": "InProgress",

        ...

            "Origins": {
                "Items": [
                    {
                        "OriginPath": "/static/files",
                        "CustomOriginConfig": {
                            "OriginProtocolPolicy": "https-only",
                            "HTTPPort": 80,
                            "OriginSslProtocols": {
                                "Items": [
                                    "TLSv1",
                                    "TLSv1.1",
                                    "TLSv1.2"
                                ],
                                "Quantity": 3
                            },
                            "HTTPSPort": 443
                        },
                        "CustomHeaders": {
                            "Quantity": 0
                        },
                        "Id": "cloudconformity.com-custom-origin",
                        "DomainName": "cloudconformity.com"
                    }
                ],
                "Quantity": 1
            },

        ...

    "ETag": "E114Z923VWUZCD"
}

References

AWS Command Line Interface (CLI) Documentation
cloudfront
list-distributions
get-distribution
get-distribution-config
update-distribution

Publication date Aug 29, 2016

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

CloudFront Traffic To Origin Unencrypted

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules