Description: 

CloudFront speeds up distribution of your static and dynamic web content, such as .html, .css, .php, image, and media files. When users request your content, CloudFront delivers it through a worldwide network of edge locations that provide low latency and high performance. 


Rationale: 

Enabling CloudFront standard (access) logging, and directing the logs to a dedicated S3 bucket that is separate from the buckets the distribution serves content from, preserves a per-request record that security and incident response workflows can query after the fact.


Audit:  

Monitoring is an important part of maintaining the availability and performance of CloudFront and your AWS solutions. You should collect monitoring data from all of the parts of your AWS solution so that you can more easily debug a multi-point failure if one occurs. AWS provides several tools for monitoring your CloudFront resources and activity, and responding to potential incidents:


  • Amazon CloudWatch Alarms
    • Using CloudWatch alarms, you watch a single metric over a period that you specify. If the metric crosses a threshold you set, a notification is sent to an Amazon SNS topic or an Auto Scaling policy. CloudWatch alarms do not invoke actions simply because a metric is in a particular state; the state must have changed and been maintained for a specified number of periods. For more information, see Monitoring CloudFront with Amazon CloudWatch.
  • AWS CloudTrail Logs
    • CloudTrail records actions taken by a user, role, or AWS service against the CloudFront API. From a CloudTrail record you can determine which request was made, the IP address it came from, who made it, when it was made, and additional details. For more information, see Using AWS CloudTrail to Capture Requests Sent to the CloudFront API.
  • CloudFront Access Logs
    • Access logs provide a detailed record of every request made to a distribution, which makes them the primary evidence source for security and access audits. For more information, see Configuring and Using Access Logs.
  • CloudFront Console Reports
    • The CloudFront console includes a variety of reports, including the cache statistics report, the popular objects report, and the top referrers report. Most CloudFront console reports are based on the same data that appears in CloudFront access logs, but you don't need to enable access logs to view the reports. For more information, see CloudFront Reports in the Console.

Remediation:

  1. Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/
  2. In the top pane of the CloudFront console, choose the ID for the distribution that you want to update.
  3. On the Origins tab, choose the origin that you want to update, and then choose Edit.
  4. Update the following settings:


Origin Protocol Policy

Change the Origin Protocol Policy for the applicable origins in your distribution:

  • HTTPS Only – CloudFront uses only HTTPS to communicate with your custom origin.
  • Match Viewer – CloudFront communicates with your custom origin using HTTP or HTTPS, depending on the protocol of the viewer request. For example, if you choose Match Viewer for Origin Protocol Policy and the viewer uses HTTPS to request an object from CloudFront, CloudFront also uses HTTPS to forward the request to your origin.

Choose Match Viewer only if you specify Redirect HTTP to HTTPS or HTTPS Only for Viewer Protocol Policy; if the viewer policy allows plain HTTP, a plain-HTTP viewer request becomes a plain-HTTP origin request.

CloudFront caches the object only once even if viewers make requests using both HTTP and HTTPS protocols.


Origin SSL Protocols

Choose the Origin SSL Protocols for the applicable origins in your distribution. Select only the protocols your origin actually supports, preferring TLSv1.2. The SSLv3 protocol is less secure, so choose SSLv3 only if your origin doesn't support TLSv1 or later. The TLSv1 handshake is both backwards and forwards compatible with SSLv3, but TLSv1.1 and TLSv1.2 are not; when you choose SSLv3, CloudFront sends only SSLv3 handshake requests.

  5. Choose Yes, Edit.
  6. Repeat steps 3 through 5 for each additional origin for which you want to require HTTPS between CloudFront and your custom origin.
  7. Confirm the following before you use the updated configuration in a production environment:

  • The path pattern in each cache behavior applies only to the requests that you want viewers to use HTTPS for.
  • The cache behaviors are listed in the order that you want CloudFront to evaluate them in. For more information, see Path Pattern.
  • The cache behaviors are routing requests to the origins that you changed the Origin Protocol Policy for.
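The console steps above, carried out programmatically, as an added example (not code from the original page or from AWS). It applies the same settings through the DistributionConfig structure that GetDistributionConfig and UpdateDistribution use: custom origins carry CustomOriginConfig.OriginProtocolPolicy and OriginSslProtocols, and each cache behavior carries ViewerProtocolPolicy and TargetOriginId. It also encodes the step-7 check: a Match Viewer origin reached through an Allow All behavior is flagged as weak. The distribution is constructed sample data; the choice of TLSv1.2 as the only origin protocol assumes every custom origin supports it, and the live function assumes boto3 and credentials.

```python
"""Harden CloudFront origin protocol settings and check the matching viewer policy.

Added example; not code from the original page or from AWS. It transforms the
DistributionConfig structure used by GetDistributionConfig/UpdateDistribution:
custom origins carry 'CustomOriginConfig' with 'OriginProtocolPolicy'
('http-only' | 'match-viewer' | 'https-only') and 'OriginSslProtocols';
cache behaviors carry 'ViewerProtocolPolicy' ('allow-all' | 'redirect-to-https'
| 'https-only') and 'TargetOriginId'. The distribution below is constructed.
"""
import copy
from typing import Dict, List, Tuple

SECURE_ORIGIN_POLICY = "https-only"
SECURE_SSL_PROTOCOLS = ["TLSv1.2"]  # assumption: every custom origin supports TLS 1.2


def cache_behaviors(config: Dict) -> List[Dict]:
    """Default behavior plus any additional ones."""
    return [config["DefaultCacheBehavior"]] + config.get("CacheBehaviors", {}).get("Items", [])


def find_weak_origins(config: Dict) -> List[str]:
    """Report custom origins that can be reached over plaintext HTTP or with
    legacy SSL/TLS. 'match-viewer' is only acceptable when every behavior that
    routes to the origin refuses plain-HTTP viewers."""
    problems = []
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origin: no origin protocol policy to set
        policy = custom.get("OriginProtocolPolicy")
        protos = custom.get("OriginSslProtocols", {}).get("Items", [])
        if policy == "http-only":
            problems.append(f"{origin['Id']}: http-only (never encrypted to origin)")
        elif policy == "match-viewer":
            for b in cache_behaviors(config):
                if b["TargetOriginId"] == origin["Id"] and b["ViewerProtocolPolicy"] == "allow-all":
                    problems.append(f"{origin['Id']}: match-viewer behind allow-all "
                                    f"behavior '{b.get('PathPattern', '*')}'")
        if any(p in ("SSLv3", "TLSv1", "TLSv1.1") for p in protos):
            problems.append(f"{origin['Id']}: legacy origin SSL protocols {protos}")
    return problems


def harden_custom_origins(config: Dict) -> Tuple[Dict, List[str]]:
    """Return a new config with every custom origin set to https-only and
    TLSv1.2, plus a change log. The input config is left untouched."""
    fixed = copy.deepcopy(config)
    changes = []
    for origin in fixed["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        if custom.get("OriginProtocolPolicy") != SECURE_ORIGIN_POLICY:
            changes.append(f"{origin['Id']}: OriginProtocolPolicy -> {SECURE_ORIGIN_POLICY}")
            custom["OriginProtocolPolicy"] = SECURE_ORIGIN_POLICY
        if custom.get("OriginSslProtocols", {}).get("Items") != SECURE_SSL_PROTOCOLS:
            changes.append(f"{origin['Id']}: OriginSslProtocols -> {SECURE_SSL_PROTOCOLS}")
            custom["OriginSslProtocols"] = {"Quantity": len(SECURE_SSL_PROTOCOLS),
                                            "Items": list(SECURE_SSL_PROTOCOLS)}
    return fixed, changes


def apply_to_distribution(distribution_id: str) -> List[str]:
    """Live remediation: read the config and its ETag, harden, and write back
    with IfMatch so a concurrent edit is rejected rather than overwritten.
    Needs boto3 and credentials; imported lazily so the sample runs offline."""
    import boto3
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    fixed, changes = harden_custom_origins(current["DistributionConfig"])
    if changes:
        cf.update_distribution(Id=distribution_id, DistributionConfig=fixed,
                               IfMatch=current["ETag"])
    return changes


# Constructed sample: a custom origin still on match-viewer with TLSv1 enabled,
# reached through a behavior that accepts plain-HTTP viewers.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "match-viewer",
                                "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.2"]}}},
        {"Id": "assets", "DomainName": "assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "assets", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api", "ViewerProtocolPolicy": "allow-all"}]},
}


if __name__ == "__main__":
    for p in find_weak_origins(SAMPLE_CONFIG):
        print("BEFORE:", p)
    hardened, log = harden_custom_origins(SAMPLE_CONFIG)
    for c in log:
        print("CHANGE:", c)
    print("AFTER:", find_weak_origins(hardened) or "no weak origins")
```

Run find_weak_origins against the fetched config first and keep the change log; after update_distribution the distribution goes to InProgress while the change propagates, so re-run the check once it returns to Deployed.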

Resources: 

https://docs.aws.amazon.com/cloudfront/?id=docs_gateway

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/AccessLogs.html