Use Cloudfront Content Distribution Network

Risk level: Medium (should be achieved)

Ensure that your web application is using Amazon Cloudfront Content Distribution Network (CDN) to secure its content delivery (media files and static resource files such as .html, .css, .js). Prior to running this rule by the Cloud Conformity engine, your web application domain name needs to be configured in the rule settings, on your Cloud Conformity account dashboard.

Security

The Cloudfront Content Distribution Network can have a significant impact on the security of your web application content delivery process. AWS Cloudfront can accelerate and deliver your web content securely over HTTPS from all of its edge locations (CDN servers). In addition to delivering securely from the edge, you can also configure Cloudfront to use HTTPS connections for origin fetches so that your content is encrypted end-to-end from the application origin to your end users. The AWS Cloudfront CDN service improves the ability of your web application to absorb and mitigate potential Distributed Denial of Service (DDoS) attacks and keep the application available for legitimate users. The CDN distribution can be also integrated with AWS WAF service - a web application firewall service made available by Amazon to protect web applications against common attacks.

Audit

To determine if the AWS Cloudfront service is used as Content Delivery Network (CDN) for your web application content delivery, perform the following actions:

Using AWS Console

01 Sign in to your Cloud Conformity console, access Use Cloudfront Content Distribution Network conformity rule settings and copy the domain name configured for your web application (e.g. <domain_name>).

02 Sign in to the AWS Management Console.

03 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

04 In the left navigation panel, click Distributions. A web distribution is a Cloudfront service instance that enables you to deliver your web content through a secure and fast network of cache servers (also known as edge locations).

05 On Cloudfront Distribution page, under the main menu, select Web and Enabled from Viewing dropdown menus, then paste the domain name copied at step no. 1 into the search box and press Enter. If the search process does not return any results, instead a "No Data" message is displayed, there are no Amazon Cloudfront CDN distributions created for your web application within the selected AWS account.

Using AWS CLI

02Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the origin configuration metadata of the Cloudfront CDN distribution created for your web application. Replace <domain_name> with your own domain name:

aws cloudfront list-distributions
	--query "DistributionList.Items[*].Origins.Items[?DomainName == '<domain_name>']"

03 The command output should return the requested origin configuration metadata:

[]

If the list-distributions command output returns an empty array (i.e. []), as shown in the example above, there are no Amazon Cloudfront CDN distributions created for your web application within the current AWS account.

Remediation / Resolution

To use Amazon Cloudfront as a Content Distribution Network to secure and accelerate the content delivery of your web application, you need to create and configure a Cloudfront web distribution. To create the required distribution, perform the following actions:

Using AWS Console

02 Sign in to the AWS Management Console.

03 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

04 In the left navigation panel, click Distributions.

05 On Cloudfront distributions page, click Create Distribution.

06 On Select a delivery method for your content page, under Web section, click Get Started to initiate the web distribution setup process.

07 On Create distribution page, perform the following actions:

For the Origin Settings configuration category, provide the following information:
- In the Origin Domain Name box, paste the domain name for your web application origin, copied at step no. 1 (e.g. <domain_name>).
- (Optional) To request your web content from a directory available at your origin, enter the directory path (e.g. /media/images) in the Origin Path box. Cloudfront service will append the provided directory path to the value entered in the Origin Domain Name box, for example: <domain_name>/media/images and fill out the Origin ID box to create the web distribution unique ID.
- In the Origin SSL Protocols section, select which SSL protocols Cloudfront is allowed to use for the HTTPS connection between the distribution edge servers and your origin. Cloud Conformity strongly recommends using TLSv1 protocols. If your application origin supports all TLSv1 protocols, use just the TLSv1.2 protocol.
- In the Origin Protocol Policy section, select HTTPS only in order to connect the web distribution to your origin over HTTPS (your web application must match the same protocol at origin).
- (Optional) If required, within the HTTPS Port box, enter the custom HTTPS port that your origin listens on. The default port used is 443 (recommended).
- In the Origin Custom Headers section, specify the custom headers that will be attached to every HTTPS request sent to your web application origin. In the Header Name box type the custom header name (e.g. Cache-Control) and in the Value box enter the value for the header (e.g. no-cache). If required, click the + button to define additional custom headers for the distribution.
For the Default Cache Behavior Settings configuration category, perform the following:
- In the Viewer Protocol Policy section, select HTTPS only to enforce web content access using the HTTPS protocol for a secure connection between viewers (end users) and the web distribution edge locations.
- In the Allowed HTTP Methods section, choose the list of HTTP(S) methods to process and forward to your origin by the Cloudfront distribution.
- (Optional) If required, use Field-level Encryption Config dropdown list to select the field-level encryption configuration for private content.
- For Cached HTTP Methods setting, specify whether you want AWS Cloudfront to cache responses from your application origin when users send OPTIONS requests. GET and HEAD responses are always cached (default).
- From Cache Based on Selected Request Headers dropdown list, select None (Improve Caching) to forward the default headers to your origin without caching the objects (files) based on their headers value.
- In the Object Caching section, select one of the following options based on your application requirements:
  - Select Use Origin Cache Headers to preserve the Cache-Control header value attached to your objects by your web application origin.
  - Select Customize to define the expiration time in seconds for the objects in the Cloudfront cache regardless of Cache-Control headers value set by the origin. Use Minimum TTL (the default is 0 seconds), Maximum TTL and Default TTL fields to specify the minimum, maximum or the default time to keep your objects in the distribution cache.
- From Forward Cookies dropdown list, select None (Improve Caching) to remove the Cookie header from requests forwarded to your origin and to remove the Set-Cookie header from responses returned to your web application users in order to improve caching.
- From Query String Forwarding and Caching dropdown list, select whether you want the new Cloudfront distribution to include query strings in the request URLs forwarded to your origin.
- For Smooth Streaming choose No.
- For Restrict Viewer Access (Use Signed URLs or Signed Cookies) option, choose No.
- For Compress Objects Automatically choose No.
- (Optional) For Lambda Function Associations, specify the ARN of the Lambda function to be associated with a specific event type. Event types available are Viewer Request, Viewer Response, Origin Request and Origin Response. You can set only one ARN for a given event type.
For the Distribution Settings configuration category, provide the following information:
- From the Price Class dropdown menu, select Use All Edge Locations (Best Performance) to use all edge servers made available by the AWS Cloudfront global network for minimal latency. This price class provides worldwide coverage at higher cost.
- (Optional) To integrate the web distribution with AWS WAF in order to allow or block requests based on your web application requirements, select an existing web ACL (Access Control List) from the AWS WAF Web ACL dropdown list.
- In the Alternate Domain Names (CNAMEs) box, enter your custom CNAME record (for example, media.) to use your own domain name instead of the AWS Cloudfront web distribution domain name (requires configuring a CNAME record within your domain DNS setting).
- In the SSL Certificate section, choose Custom SSL Certificate to use your own domain name for the objects URL structure (e.g., https://media.&LT;domain_name>/media/images/logo.png). Choose the applicable SSL certificate from the section dropdown list or use the Request an ACM certificate button to request a new SSL certificate through AWS Certificate Manager (ACM) service.
- (Optional) For Supported HTTP Versions, choose the versions of the HTTP protocol that you want CloudFront to accept. Select HTTP/2, HTTP/1.1, HTTP/1.0 for faster delivery. Amazon CloudFront always forwards requests to the application origin using HTTP/1.1
- (Optional) In the Default Root Object box, specify a default root object (e.g., index.html) available in your origin root directory to avoid exposing the contents of your distribution.
- For Logging, select whether you want to log all user requests made for the objects available in the distribution. To log the requests, provide the S3 bucket name that will store the access logs, a unique prefix for the log files (optional) and whether you want Cloudfront to include cookies in these logs.
- (Optional) Check Enable IPv6 checkbox to enable IPv6 version of the IP protocol if you have users on IPv6 networks who want to access your web content.
- (Optional) In the Comment box, enter a small description for the web distribution.
- Set Distribution State to Enabled.

08 Click Create Distribution button to create your AWS Cloudfront web distribution. The distribution status should change from In Progress to Deployed once this is deployed worldwide.

Using AWS CLI

02 To create an AWS Cloudfront CDN distribution for your web application, you must define first the distribution configuration file in JSON format. The following example describes a Cloudfront distribution configuration file named "web-app-cdn-distribution.json", created for the domain name copied at the previous step. Replace <domain_name> with your own domain name:

{
  "CallerReference": "cc-web-app-cdn-distribution-2018-04-05",
  "Aliases": {
    "Quantity": 0
  },
  "DefaultRootObject": "index.html",
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "custom-<domain_name>/media/images",
        "DomainName": "<domain_name>",
        "OriginPath": "/media/images",
        "CustomOriginConfig": {
            "OriginProtocolPolicy": "https-only",
            "HTTPPort": 80,
            "OriginSslProtocols": {
                "Items": [
                    "TLSv1.2"
                ],
                "Quantity": 1
            },
            "HTTPSPort": 443
        },
        "CustomHeaders": {
            "Quantity": 0
        }
      }
    ]
  },
  "DefaultCacheBehavior": {
    "TargetOriginId": "custom-<domain_name>/media/images",
    "ForwardedValues": {
      "QueryString": false,
      "Cookies": {
        "Forward": "none"
      }
    },
    "AllowedMethods": {
        "Items": [
            "HEAD",
            "DELETE",
            "POST",
            "GET",
            "OPTIONS",
            "PUT",
            "PATCH"
        ],
        "CachedMethods": {
            "Items": [
                "HEAD",
                "GET",
                "OPTIONS"
            ],
            "Quantity": 3
        },
        "Quantity": 7
    },
    "TrustedSigners": {
      "Enabled": false,
      "Quantity": 0
    },
    "ViewerProtocolPolicy": "https-only",
    "MinTTL": 0,
    "MaxTTL": 31536000,
    "DefaultTTL": 86400,
    "Compress": false
  },
  "CacheBehaviors": {
    "Quantity": 0
  },
  "Comment": "<domain_name> web application CDN distribution",
  "Logging": {
    "Enabled": true,
    "IncludeCookies": false,
    "Bucket": "web-distribution-access-logs.s3.amazonaws.com",
    "Prefix": ""
  },
  "Aliases": {
    "Items": [
        "media.<domain_name>"
    ],
    "Quantity": 1
  },
  "PriceClass": "PriceClass_All",
  "Enabled": true
}

03 Run create-distribution command (OSX/Linux/UNIX) to create a new Amazon Cloudfront CDN distribution for your web application. The following command example creates a web distribution for a custom domain name (e.g. ) using the JSON configuration document created at the previous step (e.g. web-app-cdn-distribution.json):

aws cloudfront create-distribution
	--distribution-config file://web-app-cdn-distribution.json

04 The command output should return the metadata for the newly created web distribution:

{
    "Distribution": {
        "Status": "InProgress",
        "DomainName": "media.<domain_name>",
        "InProgressInvalidationBatches": 0,
        "DistributionConfig": {

        ...

        },
        "ActiveTrustedSigners": {
            "Enabled": false,
            "Quantity": 0
        },
        "LastModifiedTime": "2018-04-05T12:15:34.617Z",
        "Id": "AAAABBBBCCCCDD"
    }
}

References

AWS Command Line Interface (CLI) Documentation
cloudfront
list-distributions
create-distribution

Publication date Apr 20, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

Use Cloudfront Content Distribution Network

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules