CloudFront distribution origin should be set to S3 or origin protocol policy should be set to https-only

Description

CloudFront connections should be encrypted during transmission over networks that can be accessed by malicious individuals. If a CloudFront distribution uses a custom origin, CloudFront should only use HTTPS to communicate with it. This does not apply if the CloudFront distribution is configured to use S3 as origin.

Remediation Steps

AWS Console

  • Navigate to CloudFront.

  • Select the ID you want to update. Click the Behaviors tab.

  • Select the behavior and click Edit.

  • In Viewer Protocol policy, select HTTPS Only.

  • Click the Yes, Edit button.

AWS CLI

  • Get the ID of the CloudFront distribution you want to remediate, either via the console or the CLI:

    • aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id'

  • Save the distribution configuration to a file (the same path is passed to update-distribution in the final step):

    • aws cloudfront get-distribution-config --id <distribution_id> > /tmp/distribution-config.json

  • Modify the configuration file so the OriginProtocolPolicy attribute is changed from “http-only” to “https-only”.

  • Modify the configuration file to remove the following wrapper from the beginning of the file. Note the value of the “ETag” attribute before deleting it, because it is required for the final command.

{
    "ETag": "ETag_Value",
    "DistributionConfig":

  • Remove the last brace } at the very end of the configuration file, so that the file contains only the DistributionConfig object.

  • Update the distribution configuration from the saved configuration file:

    • aws cloudfront update-distribution --id <distribution_id> --distribution-config file:///tmp/distribution-config.json --if-match <etag_attribute>
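The steps above are easy to get wrong by hand (the ETag must be captured before the wrapper is stripped, and every custom origin, not just the first, has to be changed). The following Python helper is an added example for this page, not code from the rule's author or from AWS; it works on the JSON shape that aws cloudfront get-distribution-config returns (an "ETag" plus a "DistributionConfig" whose "Origins" holds "Quantity" and "Items", which differs from the CloudFormation layout shown later on this page). It both detects the finding this rule describes (S3 origins are exempt; custom origins must be https-only, so "http-only" and "match-viewer" are flagged) and produces the remediated configuration plus ETag for --if-match. The distribution below is a constructed sample; its Ids, domain names and ETag are placeholders, and wiring the functions to boto3 or to a saved file is left to the caller.

```python
"""Check and remediate CloudFront origin protocol policy.

Added example for this page (not the rule author's or AWS's code). Operates on
the JSON shape returned by `aws cloudfront get-distribution-config`.
"""
import copy
import json

COMPLIANT_POLICY = "https-only"


def is_s3_origin(origin: dict) -> bool:
    """An origin is an S3 origin when it carries an S3OriginConfig block.
    CloudFront reaches S3 origins over HTTPS itself, so the rule exempts them."""
    return "S3OriginConfig" in origin


def noncompliant_origins(distribution_config: dict) -> list:
    """Return the Ids of custom origins whose OriginProtocolPolicy is not https-only.

    Both "http-only" and "match-viewer" are reported: match-viewer still lets
    CloudFront fetch over plain HTTP whenever the viewer connected over HTTP.
    """
    findings = []
    for origin in distribution_config.get("Origins", {}).get("Items", []):
        if is_s3_origin(origin):
            continue
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if policy != COMPLIANT_POLICY:
            findings.append(origin["Id"])
    return findings


def prepare_update(get_config_response: dict) -> tuple:
    """Mirror the manual CLI steps without editing JSON by hand.

    Captures the ETag (needed for --if-match), keeps only the DistributionConfig
    object (what --distribution-config file:// expects) and sets every custom
    origin to https-only. The input is deep-copied, so the original response is
    untouched. A custom origin lacking a CustomOriginConfig block is malformed
    and raises KeyError rather than being silently skipped.
    """
    etag = get_config_response["ETag"]
    config = copy.deepcopy(get_config_response["DistributionConfig"])
    for origin in config.get("Origins", {}).get("Items", []):
        if is_s3_origin(origin):
            continue
        origin["CustomOriginConfig"]["OriginProtocolPolicy"] = COMPLIANT_POLICY
    return etag, config


# Constructed sample in the shape of `aws cloudfront get-distribution-config`.
# The Ids, domain names and ETag are placeholders, not real resources.
SAMPLE_RESPONSE = {
    "ETag": "EXAMPLEETAG",
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Enabled": True,
        "Origins": {
            "Quantity": 3,
            "Items": [
                {"Id": "s3-origin", "DomainName": "example-bucket.s3.amazonaws.com",
                 "S3OriginConfig": {"OriginAccessIdentity": ""}},
                {"Id": "api-origin", "DomainName": "api.example.internal",
                 "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                        "OriginProtocolPolicy": "http-only"}},
                {"Id": "static-origin", "DomainName": "static.example.internal",
                 "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                        "OriginProtocolPolicy": "https-only"}},
            ],
        },
    },
}

if __name__ == "__main__":
    print("non-compliant origins:", noncompliant_origins(SAMPLE_RESPONSE["DistributionConfig"]))
    etag, fixed = prepare_update(SAMPLE_RESPONSE)
    # `fixed` is the body for --distribution-config file://..., `etag` goes to --if-match
    print("ETag for --if-match:", etag)
    print(json.dumps(fixed, indent=2))
```

Running the module on the sample reports api-origin as non-compliant; after prepare_update the same check returns nothing, and the remediated object can be written to /tmp/distribution-config.json for the update-distribution command above. Re-run noncompliant_origins on a fresh get-distribution-config after the update to confirm the change took effect.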

CloudFormation

JSON

  • Ensure that every origin in the AWS::CloudFront::Distribution has either:

    • An S3OriginConfig block specifying an AWS S3 bucket

    • A CustomOriginConfig block with its OriginProtocolPolicy property set to “https-only”

{
  "Properties": {
    "DistributionConfig": {
      "Origins": [{
        "DomainName": "mybucket.s3.amazonaws.com",
        "Id": "myS3Origin",
        "S3OriginConfig": {
          "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
        }
      }]
    }
  }
}
JSON Example Configuration

{
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "Origins": [{
        "DomainName": "mybucket.s3.amazonaws.com",
        "Id": "myS3Origin",
        "S3OriginConfig": {
          "OriginAccessIdentity": "origin-access-identity/cloudfront/E127EXAMPLE51Z"
        }
      }]
    }
  }
  # other required fields here
}

YAML

  • Ensure that every origin in the AWS::CloudFront::Distribution has either:

    • An S3OriginConfig block specifying an AWS S3 bucket

    • A CustomOriginConfig block with its OriginProtocolPolicy property set to “https-only”

Properties:
  DistributionConfig:
    Origins:
    - DomainName: mybucket.s3.amazonaws.com
      Id: myS3Origin
      S3OriginConfig:
        OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
YAML Example Configuration

Type: AWS::CloudFront::Distribution
Properties:
  DistributionConfig:
    Origins:
    - DomainName: mybucket.s3.amazonaws.com
      Id: myS3Origin
      S3OriginConfig:
        OriginAccessIdentity: origin-access-identity/cloudfront/E127EXAMPLE51Z
# other required fields here

Terraform

  • Ensure that every origin block in the aws_cloudfront_distribution has either:

    • A domain_name field that ends in “s3.amazonaws.com” or references an aws_s3_bucket resource

    • A custom_origin_config block with its origin_protocol_policy field set to “https-only”

Example Configuration

# S3 origin: exempt from the check, CloudFront talks to S3 over HTTPS itself
resource "aws_cloudfront_distribution" "example1" {
  origin {
    domain_name = aws_s3_bucket.bucket-1.bucket_regional_domain_name
    origin_id   = "s3-bucket-1"
  }
  # other required fields here
}

# Custom origin: must use https-only so CloudFront never fetches over plain HTTP
resource "aws_cloudfront_distribution" "example2" {
  origin {
    domain_name = "origin.example.com"
    origin_id   = "custom-origin"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }
  # other required fields here
}