CloudFront Viewer Protocol Policy
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product features
Cloud Conformity allows you to automate the auditing process of this resolution page. Register for a 14 day evaluation and check your compliance level for free!
Start a Free Trial Product featuresEnsure that the communication between your Amazon CloudFront CDN distribution and its viewers (end users) is encrypted using HTTPS in order to secure the delivery of your web application content. To enable data in transit encryption, you need to configure the web distribution viewer protocol policy to redirect HTTP requests to HTTPS requests or to require the viewers to use only the HTTPS protocol to access your web content available in the CloudFront distribution cache.
This rule can help you with the following compliance standards:
This rule can help you work with the AWS Well-Architected Framework
This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS
Using HTTPS for your CloudFront CDN distribution can guarantee that the encrypted traffic between the edge (cache) servers and the application viewers cannot be decrypted by malicious users in case they are able to intercept packets sent across the CDN distribution network.
To determine if your CloudFront distribution viewer protocol policy is configured to enforce HTTPS for data in transit encryption, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.
03 In the left navigation panel, click Distributions to access the existing distributions.
04 On CloudFront Distribution page, under the main menu, select Web and Enabled from Viewing dropdown menus to list all active web distributions available in your account.
05 Select the CDN distribution that you want to examine.
06 Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.
07 Choose the Behaviors tab and select the distribution default behavior entry.
08 Click the Edit button to access the distribution behavior settings.
09 On the Edit Behavior page, verify the Viewer Protocol Policy configuration settings. If HTTP and HTTPS setting is currently selected, the viewers can use both HTTP and HTTPS protocols to access your web content, therefore the selected CloudFront CDN distribution does not enforce the HTTPS protocol for data in transit and the distribution configuration is not compliant.
10 Repeat steps no. 5 – 9 to verify the viewer protocol policy configuration for other Amazon CloudFront CDN distributions available within your AWS account.
01 Run list-distributions command (OSX/Linux/UNIX) using custom query filters to list the IDs of all CloudFront web distributions provisioned in your account:
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id'
02 The command output should return a table with the requested IDs:
-------------------- |ListDistributions | +------------------+ | AABBCCDDEEFFGG | | BBCCDDEEFFGGHH | +------------------+
03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as identifier with custom filtering, to describe the selected CloudFront CDN distribution viewer protocol policy configuration:
aws cloudfront get-distribution --id AABBCCDDEEFFGG --query "Distribution.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy"
04 The command output should return the requested configuration information:
"allow-all"
05 Repeat step no. 3 and 4 to verify the viewer protocol policy configuration for other CloudFront CDN distributions created in your AWS account.
To ensure that your web content is encrypted between your CloudFront distribution edge locations and your application viewers, perform the following actions:
01 Sign in to the AWS Management Console.
02 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.
03 In the left navigation panel, click Distributions.
04 On CloudFront Distribution page, under the main menu, select Web and Enabled from Viewing dropdown menus to list all active web distributions available within your AWS account.
05 Select the web distribution that you want to reconfigure (see Audit section part I to identify the right distribution).
06 Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.
07 Choose the Behaviors tab and select the distribution default behavior.
08 Click the Edit button to access the behavior configuration settings.
09 On the Edit Behavior page, under Default Cache Behavior Settings, perform one of the following actions to enforce encryption for your web content:
10 Repeat steps no. 5 – 9 to reconfigure the viewer protocol policy for other Amazon CloudFront CDN distributions available within your AWS account.
01 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from the CloudFront CDN distribution that you want to reconfigure (see Audit section part II to identify the right resource):
aws cloudfront get-distribution-config --id AABBCCDDEEFFGG
02 The command output should return the requested configuration information:
{
"ETag": "ABCDABCDABCDAB",
"DistributionConfig": {
"Comment": "",
"CacheBehaviors": {
"Quantity": 0
},
"IsIPV6Enabled": false,
"Logging": {
"Bucket": "",
"Prefix": "",
"Enabled": false,
"IncludeCookies": false
},
...
"ViewerCertificate": {
"CloudFrontDefaultCertificate": true,
"MinimumProtocolVersion": "TLSv1",
"CertificateSource": "cloudfront"
},
"CustomErrorResponses": {
"Quantity": 0
},
"HttpVersion": "http2",
"Restrictions": {
"GeoRestriction": {
"RestrictionType": "none",
"Quantity": 0
}
}
}
}
03 Modify the configuration document returned at the previous step to enforce HTTPS by setting the ViewerProtocolPolicy configuration attribute value to "https-only" or "redirect-to-https" (as shown in the example below), then save the new configuration in a JSON document named "enable-encryption.json". Replace <domain_name> and other necessary configuration details with your own details:
{
"ETag": "ABCDABCDABCDAB",
"DistributionConfig": {
"Comment": "",
"CacheBehaviors": {
"Quantity": 0
},
"IsIPV6Enabled": false,
"Logging": {
"Bucket": "",
"Prefix": "",
"Enabled": false,
"IncludeCookies": false
},
"WebACLId": "",
"Origins": {
"Items": [
{
"OriginPath": "/media/images",
"CustomOriginConfig": {
"OriginSslProtocols": {
"Items": [
"TLSv1.2"
],
"Quantity": 1
},
"OriginProtocolPolicy": "https-only",
"OriginReadTimeout": 30,
"HTTPPort": 80,
"HTTPSPort": 443,
"OriginKeepaliveTimeout": 5
},
"CustomHeaders": {
"Quantity": 0
},
"Id": "Custom-<domain_name>/media/images",
"DomainName": "<domain_name>"
}
],
"Quantity": 1
},
"DefaultRootObject": "",
"PriceClass": "PriceClass_100",
"Enabled": true,
"DefaultCacheBehavior": {
"TrustedSigners": {
"Enabled": false,
"Quantity": 0
},
"LambdaFunctionAssociations": {
"Quantity": 0
},
"TargetOriginId": "Custom-<domain_name>/media/images",
"ViewerProtocolPolicy": "redirect-to-https",
"ForwardedValues": {
"Headers": {
"Quantity": 0
},
"Cookies": {
"Forward": "none"
},
"QueryStringCacheKeys": {
"Quantity": 0
},
"QueryString": false
},
"MaxTTL": 31536000,
"SmoothStreaming": false,
"DefaultTTL": 86400,
"AllowedMethods": {
"Items": [
"HEAD",
"GET"
],
"CachedMethods": {
"Items": [
"HEAD",
"GET"
],
"Quantity": 2
},
"Quantity": 2
},
"MinTTL": 0,
"Compress": false
},
"CallerReference": "12345678901234",
"ViewerCertificate": {
"CloudFrontDefaultCertificate": true,
"MinimumProtocolVersion": "TLSv1",
"CertificateSource": "cloudfront"
},
"CustomErrorResponses": {
"Quantity": 0
},
"HttpVersion": "http2",
"Restrictions": {
"GeoRestriction": {
"RestrictionType": "none",
"Quantity": 0
}
},
"Aliases": {
"Quantity": 0
}
}
}
04 Run update-distribution command (OSX/Linux/UNIX) to update the configuration for the selected Amazon CloudFront CDN distribution (see Audit section part II to identify the right distribution) in order to enforce encryption. The following command example updates your web distribution using a JSON configuration document named "enable-encryption.json":
aws cloudfront update-distribution --id AABBCCDDEEFFGG --distribution-config file://enable-encryption.json --if-match ABCDABCDABCDAB
05 The command output should return the metadata for the modified CloudFront web distribution:
{
"Distribution": {
"Status": "InProgress",
...
"DefaultCacheBehavior": {
"TrustedSigners": {
"Enabled": false,
"Quantity": 0
},
"LambdaFunctionAssociations": {
"Quantity": 0
},
"TargetOriginId": "Custom-<domain_name>/media/images",
"ViewerProtocolPolicy": "redirect-to-https",
"ForwardedValues": {
"Headers": {
"Quantity": 0
},
"Cookies": {
"Forward": "none"
},
"QueryStringCacheKeys": {
"Quantity": 0
},
"QueryString": false
},
"MaxTTL": 31536000,
"SmoothStreaming": false,
"DefaultTTL": 86400,
"AllowedMethods": {
"Items": [
"HEAD",
"GET"
],
"CachedMethods": {
"Items": [
"HEAD",
"GET"
],
"Quantity": 2
},
"Quantity": 2
},
"MinTTL": 0,
"Compress": false
},
...
"ETag": "ABCDABCDABCDAB"
}
06 Repeat steps no. 1 – 6 to reconfigure the viewer protocol policy for other CloudFront CDN distributions available in your AWS account.
Whether your AWS exploration is just starting to take shape, you’re mid-way through a migration or you’re already running complex workloads in the cloud, Cloud Conformity offers full visibility of your infrastructure and provides continuous assurance it’s secure, optimized and compliant.
Chat with us to set up your onboarding session and start a free trial
Let’s Chat