01 Run the get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from the CloudFront CDN distribution that you want to reconfigure (see Audit section part II to identify the right resource):
aws cloudfront get-distribution-config \
  --id AABBCCDDEEFFGG
02 The command output should return the requested configuration information:
{
  "ETag": "ABCDABCDABCDAB",
  "DistributionConfig": {
    "Comment": "",
    "CacheBehaviors": {
      "Quantity": 0
    },
    "IsIPV6Enabled": false,
    "Logging": {
      "Bucket": "",
      "Prefix": "",
      "Enabled": false,
      "IncludeCookies": false
    },
    ...
    "ViewerCertificate": {
      "CloudFrontDefaultCertificate": true,
      "MinimumProtocolVersion": "TLSv1",
      "CertificateSource": "cloudfront"
    },
    "CustomErrorResponses": {
      "Quantity": 0
    },
    "HttpVersion": "http2",
    "Restrictions": {
      "GeoRestriction": {
        "RestrictionType": "none",
        "Quantity": 0
      }
    }
  }
}
03 Take the DistributionConfig object returned at the previous step (without the outer "ETag"/"DistributionConfig" wrapper: update-distribution expects the bare configuration, and the ETag value is passed separately with --if-match in the next step) and enforce HTTPS by setting the ViewerProtocolPolicy attribute of the default cache behavior, and of any additional cache behaviors, to "https-only" or "redirect-to-https" (as shown in the example below). Save the new configuration in a JSON document named "enable-encryption.json". Replace <domain_name> and other necessary configuration details with your own details:
{
  "Comment": "",
  "CacheBehaviors": {
    "Quantity": 0
  },
  "IsIPV6Enabled": false,
  "Logging": {
    "Bucket": "",
    "Prefix": "",
    "Enabled": false,
    "IncludeCookies": false
  },
  "WebACLId": "",
  "Origins": {
    "Items": [
      {
        "OriginPath": "/media/images",
        "CustomOriginConfig": {
          "OriginSslProtocols": {
            "Items": [
              "TLSv1.2"
            ],
            "Quantity": 1
          },
          "OriginProtocolPolicy": "https-only",
          "OriginReadTimeout": 30,
          "HTTPPort": 80,
          "HTTPSPort": 443,
          "OriginKeepaliveTimeout": 5
        },
        "CustomHeaders": {
          "Quantity": 0
        },
        "Id": "Custom-<domain_name>/media/images",
        "DomainName": "<domain_name>"
      }
    ],
    "Quantity": 1
  },
  "DefaultRootObject": "",
  "PriceClass": "PriceClass_100",
  "Enabled": true,
  "DefaultCacheBehavior": {
    "TrustedSigners": {
      "Enabled": false,
      "Quantity": 0
    },
    "LambdaFunctionAssociations": {
      "Quantity": 0
    },
    "TargetOriginId": "Custom-<domain_name>/media/images",
    "ViewerProtocolPolicy": "redirect-to-https",
    "ForwardedValues": {
      "Headers": {
        "Quantity": 0
      },
      "Cookies": {
        "Forward": "none"
      },
      "QueryStringCacheKeys": {
        "Quantity": 0
      },
      "QueryString": false
    },
    "MaxTTL": 31536000,
    "SmoothStreaming": false,
    "DefaultTTL": 86400,
    "AllowedMethods": {
      "Items": [
        "HEAD",
        "GET"
      ],
      "CachedMethods": {
        "Items": [
          "HEAD",
          "GET"
        ],
        "Quantity": 2
      },
      "Quantity": 2
    },
    "MinTTL": 0,
    "Compress": false
  },
  "CallerReference": "12345678901234",
  "ViewerCertificate": {
    "CloudFrontDefaultCertificate": true,
    "MinimumProtocolVersion": "TLSv1",
    "CertificateSource": "cloudfront"
  },
  "CustomErrorResponses": {
    "Quantity": 0
  },
  "HttpVersion": "http2",
  "Restrictions": {
    "GeoRestriction": {
      "RestrictionType": "none",
      "Quantity": 0
    }
  },
  "Aliases": {
    "Quantity": 0
  }
}
04 Run the update-distribution command (OSX/Linux/UNIX) to update the configuration for the selected Amazon CloudFront CDN distribution (see Audit section part II to identify the right distribution) in order to enforce encryption. The following command example updates your web distribution using the JSON configuration document named "enable-encryption.json" and the ETag value returned at step 02:
aws cloudfront update-distribution \
  --id AABBCCDDEEFFGG \
  --distribution-config file://enable-encryption.json \
  --if-match ABCDABCDABCDAB
05 The command output should return the metadata for the modified CloudFront web distribution:
{
  "Distribution": {
    "Status": "InProgress",
    ...
      "DefaultCacheBehavior": {
        "TrustedSigners": {
          "Enabled": false,
          "Quantity": 0
        },
        "LambdaFunctionAssociations": {
          "Quantity": 0
        },
        "TargetOriginId": "Custom-<domain_name>/media/images",
        "ViewerProtocolPolicy": "redirect-to-https",
        "ForwardedValues": {
          "Headers": {
            "Quantity": 0
          },
          "Cookies": {
            "Forward": "none"
          },
          "QueryStringCacheKeys": {
            "Quantity": 0
          },
          "QueryString": false
        },
        "MaxTTL": 31536000,
        "SmoothStreaming": false,
        "DefaultTTL": 86400,
        "AllowedMethods": {
          "Items": [
            "HEAD",
            "GET"
          ],
          "CachedMethods": {
            "Items": [
              "HEAD",
              "GET"
            ],
            "Quantity": 2
          },
          "Quantity": 2
        },
        "MinTTL": 0,
        "Compress": false
      },
    ...
  },
  "ETag": "ABCDABCDABCDAB"
}
06 Repeat steps no. 1 – 6 to reconfigure the viewer protocol policy for other CloudFront CDN distributions available in your AWS account.
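The document rewrite in steps 02 to 04, as an added Python example that is not part of this guide: it takes a get-distribution-config response, reports which cache behaviors still accept plain HTTP, strips the ETag/DistributionConfig wrapper, sets ViewerProtocolPolicy on the default behavior and on every path-pattern behavior (going beyond the page's sample, which has none), and writes enable-encryption.json plus the matching update-distribution command. The response embedded below is a constructed sample; the origin id and the /api/* path pattern are assumptions.

```python
import json
from typing import List, Tuple

# ViewerProtocolPolicy values that refuse or upgrade plain-HTTP viewer requests.
COMPLIANT = {"https-only", "redirect-to-https"}


def noncompliant_behaviors(config: dict) -> List[str]:
    """Names of the behaviors in a DistributionConfig that still accept plain HTTP."""
    findings = []
    if config["DefaultCacheBehavior"].get("ViewerProtocolPolicy") not in COMPLIANT:
        findings.append("DefaultCacheBehavior")
    for cb in config.get("CacheBehaviors", {}).get("Items", []):
        if cb.get("ViewerProtocolPolicy") not in COMPLIANT:
            findings.append(cb["PathPattern"])
    return findings


def prepare_update(response: dict, policy: str = "redirect-to-https") -> Tuple[str, dict]:
    """Turn a get-distribution-config response into (etag, config) for update-distribution.
    The outer wrapper is dropped: the file gets the bare DistributionConfig and the ETag
    goes to --if-match. The input dict is left untouched."""
    if policy not in COMPLIANT:
        raise ValueError(f"{policy!r} does not enforce HTTPS")
    config = json.loads(json.dumps(response["DistributionConfig"]))  # deep copy
    config["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = policy
    for cb in config.get("CacheBehaviors", {}).get("Items", []):  # path-pattern behaviors too
        cb["ViewerProtocolPolicy"] = policy
    return response["ETag"], config


# Constructed sample in the shape of the step 02 output, plus one path-pattern behavior.
SAMPLE_RESPONSE = {
    "ETag": "ABCDABCDABCDAB",
    "DistributionConfig": {
        "CallerReference": "12345678901234",
        "Enabled": True,
        "DefaultCacheBehavior": {"TargetOriginId": "origin-1", "ViewerProtocolPolicy": "allow-all"},
        "CacheBehaviors": {"Quantity": 1, "Items": [
            {"PathPattern": "/api/*", "TargetOriginId": "origin-1", "ViewerProtocolPolicy": "allow-all"}]},
    },
}

if __name__ == "__main__":
    print("non-compliant behaviors:", noncompliant_behaviors(SAMPLE_RESPONSE["DistributionConfig"]))
    etag, config = prepare_update(SAMPLE_RESPONSE)
    with open("enable-encryption.json", "w") as fh:
        json.dump(config, fh, indent=2)
    print("aws cloudfront update-distribution --id <distribution_id> "
          f"--distribution-config file://enable-encryption.json --if-match {etag}")
```

In practice the response is fed in from `aws cloudfront get-distribution-config --id <distribution_id>` and the printed command is run afterwards, once per distribution.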