Description: 

CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds, all within a developer-friendly environment. CloudFront is a web service that speeds up the distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. It delivers your content through a worldwide network of data centres called edge locations.

CloudFront speeds up distribution of your static and dynamic web content, such as .html, .css, .php, image, and media files. When users request your content, CloudFront delivers it through a worldwide network of edge locations that provide low latency and high performance. 


Rationale: 

Using HTTPS in the CloudFront distribution means end users receive content over an encrypted connection, which helps deliver web application content securely. The web distribution's viewer protocol policy redirects HTTP requests to HTTPS requests.


Impact:

Enabling HTTPS in the CloudFront distribution encrypts and secures the communications between your CloudFront distribution and end users.


Audit: 

  • Sign in to the AWS Management Console

  • Open the CloudFront console at https://console.aws.amazon.com/cloudfront/

  • In the Distribution section, select the ID of the distribution to examine

  • In the selected distribution, go to the Behaviors tab, where you can see the viewer protocol policy


Via CLI:

To get the list of distributions

aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id'


To get a CloudFront distribution configuration

aws cloudfront get-distribution-config --id EDFDVBD6EXAMPLE
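
The check the audit steps describe, as an added example (not part of the original benchmark text): it reads the JSON returned by get-distribution-config and reports every behavior, default and path-based, that still permits plain HTTP. The function name and sample JSON are constructed for illustration, and treating both `https-only` and `redirect-to-https` as passing is an assumption; pass `{"https-only"}` to match the remediation setting exactly.

```python
import json

# Constructed sample shaped like `aws cloudfront get-distribution-config` output
# (trimmed to the fields this check reads; all values are made up).
SAMPLE_CONFIG = json.loads("""
{
  "ETag": "E2EXAMPLEETAG",
  "DistributionConfig": {
    "DefaultCacheBehavior": {
      "TargetOriginId": "app-origin",
      "ViewerProtocolPolicy": "allow-all"
    },
    "CacheBehaviors": {
      "Quantity": 2,
      "Items": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "https-only"},
        {"PathPattern": "/static/*", "ViewerProtocolPolicy": "redirect-to-https"}
      ]
    }
  }
}
""")

# Assumption: both HTTPS-enforcing values pass; use {"https-only"} to be strict.
HTTPS_POLICIES = frozenset({"https-only", "redirect-to-https"})


def audit_viewer_protocol(response, allowed=HTTPS_POLICIES):
    """Return (path_pattern, policy) for every behavior that permits plain HTTP."""
    config = response["DistributionConfig"]
    behaviors = [("Default (*)", config["DefaultCacheBehavior"])]
    # "Items" is absent when Quantity is 0, so fall back to an empty list.
    for item in config.get("CacheBehaviors", {}).get("Items") or []:
        behaviors.append((item["PathPattern"], item))
    findings = []
    for pattern, behavior in behaviors:
        policy = behavior.get("ViewerProtocolPolicy", "<missing>")
        if policy not in allowed:
            findings.append((pattern, policy))
    return findings


if __name__ == "__main__":
    for pattern, policy in audit_viewer_protocol(SAMPLE_CONFIG):
        print(f"NON-COMPLIANT {pattern}: ViewerProtocolPolicy={policy}")
```

To audit a real distribution, redirect the get-distribution-config output to a file and pass the parsed JSON to `audit_viewer_protocol` in place of the sample.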


Remediation:

Pre-requisite:

  • You must have a distribution in CloudFront.

  • You must have a domain through which viewers access the web application.


Implementation Steps:

  • Sign in to the AWS Management Console

  • Open the CloudFront console at https://console.aws.amazon.com/cloudfront/

  • Select the ID in the Distribution section to edit the behavior

  • In the selected distribution, go to the Behaviors tab, choose the behavior, and click the Edit button

  • In Behavior Settings, set the viewer protocol policy to HTTPS only

  • Click the Yes, Edit button


Backout Plan:

To restore the previous behavior, follow the implementation steps above, select the previous options as recorded in the audit, and then click the Yes, Edit button to save the configuration.


References:

  1. https://docs.aws.amazon.com/cloudfront/?id=docs_gateway

  2. Configuring and using standard logs (access logs) - Amazon CloudFront