CloudFront viewer protocol policy should be set to https-only or redirect-to-https

Description

CloudFront connections should be encrypted during transmission over networks that can be accessed by malicious individuals. A CloudFront distribution should only use HTTPS or Redirect HTTP to HTTPS for communication between viewers and CloudFront.

Remediation Steps

AWS Console

• Navigate to CloudFront.

• Follow the steps documented here.

AWS CLI

• Get the ID of the CloudFront CDN distribution you want to remediate, either via the console or CLI:

  • aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id'

• Save the distribution configuration to a file:

  • aws cloudfront get-distribution-config --id <distribution_id> > distribution-config.json

• Modify the configuration file so the ViewerProtocolPolicy attribute is changed from “allow-all” to “https-only” or “redirect-to-https”.

• Modify the configuration file to remove the following from the beginning of the file. Note the value for the “Etag” attribute before deleting because it is required for the next command.

{
    "ETag": "ETag_Value",
    "DistributionConfig":

• Remove the last brace } at the very end of the configuration file.

• Update the distribution configuration from the saved configuration file:

  • aws cloudfront update-distribution --id <distribution_id> --distribution-config file://distribution-config.json --if-match <etag_attribute>

CloudFormation

JSON

• Ensure that the AWS::CloudFront::Distribution includes ViewerProtocolPolicy block set to “https-only” or “redirect-to-https”.

{
  "Properties": {
    "DistributionConfig": {
      "DefaultCacheBehavior": {
        "ViewerProtocolPolicy": "https-only"
      }
    }
  }
}

JSON Example Configuration

{
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "DefaultCacheBehavior": {
        "ViewerProtocolPolicy": "https-only"
        }
      }
    }
  # other required fields here
}

YAML

• Ensure that the AWS::CloudFront::Distribution includes ViewerProtocolPolicy block set to “https-only” or “redirect-to-https”.

Properties:
  DistributionConfig:
    DefaultCacheBehavior:
      ViewerProtocolPolicy: 'https-only'

YAML Example Configuration

Type: 'AWS::CloudFront::Distribution'
Properties:
  DistributionConfig:
    DefaultCacheBehavior:
      ViewerProtocolPolicy: 'https-only'
# other required fields here

Terraform

• Ensure that the aws_cloudfront_distribution default_cache_behavior block has a viewer_protocol_policy that is set to either “https-only” or “redirect-to-https”. If a ordered_cache_behavior block is specified, the corresponding viewer_protocol_policy should also be set to either “https-only” or “redirect-to-https”.

Example Configuration

resource "aws_cloudfront_distribution" "example" {
  default_cache_behavior {
    viewer_protocol_policy = "https-only"
    # other required fields here
  }
  # other required fields here
}

Documentation Links

Runtime

• Console: Requiring HTTPS for Communication Between Viewers and CloudFront

• CLI: Update a CloudFront Distribution

AWSCloudFormation

• AWS::CloudFront::Distribution

Terraform

• Resource: aws_cloudfront_distribution

  • Field: default_cache_behavior.viewer_protocol_policy