CloudFront Viewer Protocol Policy

Risk level: Medium (should be achieved)

Rule ID: CF-007

Ensure that the communication between your Amazon CloudFront CDN distribution and its viewers (end users) is encrypted using HTTPS in order to secure the delivery of your web application content. To enable data in transit encryption, you need to configure the web distribution viewer protocol policy to redirect HTTP requests to HTTPS requests or to require the viewers to use only the HTTPS protocol to access your web content available in the CloudFront distribution cache.

This rule can help you with the following compliance standards:

This rule can help you work with the AWS Well-Architected Framework

This rule resolution is part of the Cloud Conformity Security & Compliance tool for AWS

Security

Using HTTPS for your CloudFront CDN distribution can guarantee that the encrypted traffic between the edge (cache) servers and the application viewers cannot be decrypted by malicious users in case they are able to intercept packets sent across the CDN distribution network.

Audit

To determine if your CloudFront distribution viewer protocol policy is configured to enforce HTTPS for data in transit encryption, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

03 In the left navigation panel, click Distributions to access the existing distributions.

04 On CloudFront Distribution page, under the main menu, select Web and Enabled from Viewing dropdown menus to list all active web distributions available in your account.

05 Select the CDN distribution that you want to examine.

06 Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.

07 Choose the Behaviors tab and select the distribution default behavior entry.

08 Click the Edit button to access the distribution behavior settings.

09 On the Edit Behavior page, verify the Viewer Protocol Policy configuration settings. If HTTP and HTTPS setting is currently selected, the viewers can use both HTTP and HTTPS protocols to access your web content, therefore the selected CloudFront CDN distribution does not enforce the HTTPS protocol for data in transit and the distribution configuration is not compliant.

10 Repeat steps no. 5 – 9 to verify the viewer protocol policy configuration for other Amazon CloudFront CDN distributions available within your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) using custom query filters to list the IDs of all CloudFront web distributions provisioned in your account:

aws cloudfront list-distributions
	--output table
	--query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested IDs:

--------------------
|ListDistributions |
+------------------+
|  AABBCCDDEEFFGG  |
|  BBCCDDEEFFGGHH  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as identifier with custom filtering, to describe the selected CloudFront CDN distribution viewer protocol policy configuration:

aws cloudfront get-distribution
	--id AABBCCDDEEFFGG
	--query "Distribution.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy"

04 The command output should return the requested configuration information:

"allow-all"

If the get-distribution command output returns "allow-all", as shown in the example above, the viewers can use both HTTP and HTTPS protocols to access your web application content, therefore the selected CloudFront CDN distribution does not enforce encryption (using HTTPS) for data in transit and the web distribution configuration is not compliant.

05 Repeat step no. 3 and 4 to verify the viewer protocol policy configuration for other CloudFront CDN distributions created in your AWS account.

Remediation / Resolution

To ensure that your web content is encrypted between your CloudFront distribution edge locations and your application viewers, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

03 In the left navigation panel, click Distributions.

04 On CloudFront Distribution page, under the main menu, select Web and Enabled from Viewing dropdown menus to list all active web distributions available within your AWS account.

05 Select the web distribution that you want to reconfigure (see Audit section part I to identify the right distribution).

06 Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.

07 Choose the Behaviors tab and select the distribution default behavior.

08 Click the Edit button to access the behavior configuration settings.

09 On the Edit Behavior page, under Default Cache Behavior Settings, perform one of the following actions to enforce encryption for your web content:

Set the Viewer Protocol Policy configuration attribute to Redirect HTTP to HTTPS so that any HTTP requests are automatically redirected to HTTPS requests. Click Yes, Edit to apply the changes.
Set the Viewer Protocol Policy attribute to HTTPS Only so that your application viewers can only access your web content using HTTPS. Choosing this option will drop any HTTP traffic between edge servers and viewers. Click Yes, Edit to apply the configuration changes.

10 Repeat steps no. 5 – 9 to reconfigure the viewer protocol policy for other Amazon CloudFront CDN distributions available within your AWS account.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from the CloudFront CDN distribution that you want to reconfigure (see Audit section part II to identify the right resource):

aws cloudfront get-distribution-config
	--id AABBCCDDEEFFGG

02 The command output should return the requested configuration information:

{
    "ETag": "ABCDABCDABCDAB",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "IsIPV6Enabled": false,
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },

        ...

        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "TLSv1",
            "CertificateSource": "cloudfront"
        },
        "CustomErrorResponses": {
            "Quantity": 0
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        }
    }
}

03 Modify the configuration document returned at the previous step to enforce HTTPS by setting the ViewerProtocolPolicy configuration attribute value to "https-only" or "redirect-to-https" (as shown in the example below), then save the new configuration in a JSON document named "enable-encryption.json". Replace <domain_name> and other necessary configuration details with your own details:

{
    "ETag": "ABCDABCDABCDAB",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "IsIPV6Enabled": false,
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },
        "WebACLId": "",
        "Origins": {
            "Items": [
                {
                    "OriginPath": "/media/images",
                    "CustomOriginConfig": {
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1.2"
                            ],
                            "Quantity": 1
                        },
                        "OriginProtocolPolicy": "https-only",
                        "OriginReadTimeout": 30,
                        "HTTPPort": 80,
                        "HTTPSPort": 443,
                        "OriginKeepaliveTimeout": 5
                    },
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "Custom-<domain_name>/media/images",
                    "DomainName": "<domain_name>"
                }
            ],
            "Quantity": 1
        },
        "DefaultRootObject": "",
        "PriceClass": "PriceClass_100",
        "Enabled": true,
        "DefaultCacheBehavior": {
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "LambdaFunctionAssociations": {
                "Quantity": 0
            },
            "TargetOriginId": "Custom-<domain_name>/media/images",
            "ViewerProtocolPolicy": "redirect-to-https",
            "ForwardedValues": {
                "Headers": {
                    "Quantity": 0
                },
                "Cookies": {
                    "Forward": "none"
                },
                "QueryStringCacheKeys": {
                    "Quantity": 0
                },
                "QueryString": false
            },
            "MaxTTL": 31536000,
            "SmoothStreaming": false,
            "DefaultTTL": 86400,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "GET"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET"
                    ],
                    "Quantity": 2
                },
                "Quantity": 2
            },
            "MinTTL": 0,
            "Compress": false
        },
        "CallerReference": "12345678901234",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "TLSv1",
            "CertificateSource": "cloudfront"
        },
        "CustomErrorResponses": {
            "Quantity": 0
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Quantity": 0
        }
    }
}

04 Run update-distribution command (OSX/Linux/UNIX) to update the configuration for the selected Amazon CloudFront CDN distribution (see Audit section part II to identify the right distribution) in order to enforce encryption. The following command example updates your web distribution using a JSON configuration document named "enable-encryption.json":

aws cloudfront update-distribution
	--id AABBCCDDEEFFGG
	--distribution-config file://enable-encryption.json
	--if-match ABCDABCDABCDAB

05 The command output should return the metadata for the modified CloudFront web distribution:

{
    "Distribution": {
        "Status": "InProgress",

            ...

            "DefaultCacheBehavior": {
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "LambdaFunctionAssociations": {
                "Quantity": 0
            },
            "TargetOriginId": "Custom-<domain_name>/media/images",
            "ViewerProtocolPolicy": "redirect-to-https",
            "ForwardedValues": {
                "Headers": {
                    "Quantity": 0
                },
                "Cookies": {
                    "Forward": "none"
                },
                "QueryStringCacheKeys": {
                    "Quantity": 0
                },
                "QueryString": false
            },
            "MaxTTL": 31536000,
            "SmoothStreaming": false,
            "DefaultTTL": 86400,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "GET"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET"
                    ],
                    "Quantity": 2
                },
                "Quantity": 2
            },
            "MinTTL": 0,
            "Compress": false
        },

        ...

    "ETag": "ABCDABCDABCDAB"
}

06 Repeat steps no. 1 – 6 to reconfigure the viewer protocol policy for other CloudFront CDN distributions available in your AWS account.

References

AWS Command Line Interface (CLI) Documentation
cloudfront
list-distributions
get-distribution
get-distribution-config
update-distribution

Publication date Apr 20, 2018

Unlock the Remediation Steps

Gain free unlimited access
to our full Knowledge Base

Over 750 rules & best practices
for and

You are auditing:

CloudFront Viewer Protocol Policy

Risk level: Medium

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules