Description:

Amazon CloudFront is a web service that speeds up the distribution of your static and dynamic web content, such as .html, .css, .php, image, and media files. When users request your content, CloudFront delivers it through a worldwide network of edge locations that provide low latency and high performance.

Field-level encryption allows your users to securely upload sensitive information to your web servers. In the CloudFront distribution, a public key that you supply is used to encrypt the set of fields in POST requests that you want to be encrypted. You can encrypt up to 10 data fields in a request.


Rationale:

Field-level encryption adds an extra layer of security on top of TLS. This layer protects specific data fields throughout system processing so that only the applications that hold the private key can see them, even though the rest of the request passes through CloudFront, load balancers, web servers and logs in the clear.

CloudFront field-level encryption uses asymmetric encryption, also known as public-key encryption. You provide a public key to CloudFront and keep the matching private key at your origin; CloudFront automatically encrypts the fields that you specify at the edge, and nothing without the private key can read them.


Impact:

Field-level encryption allows your users to securely upload sensitive information to your web servers. The sensitive information is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack until a component holding the private key decrypts it. The origin must therefore be changed to decrypt those fields before it can use them, and only form posts (application/x-www-form-urlencoded) with at most 10 encrypted fields are covered.


Default Value:

Field-level encryption is not enabled by default. A new distribution has no field-level encryption configuration attached to any of its cache behaviors, so the FieldLevelEncryptionId of each behavior is empty and form fields are forwarded to the origin as submitted.


Pre-Requisites:

To enable field-level encryption:

1. First, create an RSA key pair (a public key and a private key), add your public key to CloudFront, and then create a profile for field-level encryption.

2. The public key enables CloudFront to encrypt data at the edge, and the private key enables components at your origin to decrypt the fields that have been encrypted. The private key must therefore be available to the origin application (or to a component in front of it) and must never be uploaded to CloudFront.


Remediation:


Test Plan:

Step 1: Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/

Step 2: Choose the CloudFront distribution that you want to audit.

Step 3: Click on the distribution name link.

Step 4: Go to the Behaviors tab.

Step 5: Select the default ( * ) behavior for the distribution.

Step 6: Click on the Edit button.

Step 7: On the Edit behavior page, under Additional settings, check the Field-level encryption config drop-down list. If it is empty, the selected cache behavior is not configured to use field-level encryption to protect private data.

Step 8: Field-level encryption is set per cache behavior, not per distribution, so repeat steps 5 to 7 for every other behavior on the Behaviors tab, then repeat steps 2 to 7 for every other CloudFront distribution in the account.


Using AWS CLI:

Step 1: List the CloudFront distributions in your AWS account (CloudFront is a global service, so no region is needed):

aws cloudfront list-distributions

Step 2: Get the field-level encryption configuration ID attached to the default cache behavior of the distribution that you want to audit:

aws cloudfront get-distribution --id <distribution_id> \
--query 'Distribution.DistributionConfig.DefaultCacheBehavior.FieldLevelEncryptionId'


If the above command returns an empty string (shown as "" in JSON output, or as a blank line with --output text), field-level encryption is not configured on the default behavior. Because the setting is per cache behavior, check the same field for each entry under Distribution.DistributionConfig.CacheBehaviors.Items as well.
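The console and CLI steps above check one behavior at a time. As an added example (this script is not part of the original page and is not an AWS tool), the following Python walks the JSON that aws cloudfront list-distributions prints and reports every cache behavior, default or not, whose FieldLevelEncryptionId is empty, marking whether the behavior even accepts POST (field-level encryption only applies to POST bodies). The distribution IDs, domain names and the config ID in the embedded sample are constructed for the example.

```python
import json
import subprocess

# Constructed sample shaped like `aws cloudfront list-distributions --output json`.
# Distribution IDs, domain names and the config ID are made up for this example.
SAMPLE_LIST_DISTRIBUTIONS = json.dumps({
    "DistributionList": {
        "Quantity": 2,
        "Items": [
            {
                "Id": "E1EXAMPLE000001",
                "DomainName": "d111111example.cloudfront.net",
                "DefaultCacheBehavior": {
                    "TargetOriginId": "web-origin",
                    "AllowedMethods": {"Quantity": 7, "Items": ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"]},
                    "FieldLevelEncryptionId": "",
                },
                "CacheBehaviors": {"Quantity": 1, "Items": [{
                    "PathPattern": "/checkout/*",
                    "TargetOriginId": "web-origin",
                    "AllowedMethods": {"Quantity": 7, "Items": ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"]},
                    "FieldLevelEncryptionId": "C1EXAMPLECONFIG",
                }]},
            },
            {
                "Id": "E2EXAMPLE000002",
                "DomainName": "d222222example.cloudfront.net",
                "DefaultCacheBehavior": {
                    "TargetOriginId": "static-origin",
                    "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
                    "FieldLevelEncryptionId": "",
                },
                "CacheBehaviors": {"Quantity": 0},
            },
        ],
    }
})


def iter_behaviors(dist):
    """Yield (path_pattern, behavior) for the default behavior and every additional one."""
    yield "*", dist["DefaultCacheBehavior"]
    for b in dist.get("CacheBehaviors", {}).get("Items", []):
        yield b["PathPattern"], b


def accepts_post(behavior):
    """FLE only applies to POST bodies, so a GET/HEAD-only behavior cannot use it."""
    # A behavior with no AllowedMethods block defaults to GET and HEAD.
    return "POST" in behavior.get("AllowedMethods", {}).get("Items", ["GET", "HEAD"])


def audit(list_output_json):
    """Return one finding per behavior whose FieldLevelEncryptionId is empty.

    Each finding is (distribution id, path pattern, accepts_post). The CLI check on
    this page covers only DefaultCacheBehavior; this walks the other behaviors too,
    because the setting is per behavior, not per distribution.
    """
    findings = []
    for dist in json.loads(list_output_json)["DistributionList"].get("Items", []):
        for path, behavior in iter_behaviors(dist):
            if not behavior.get("FieldLevelEncryptionId"):
                findings.append((dist["Id"], path, accepts_post(behavior)))
    return findings


def audit_live_account():
    """Run the same audit against the current AWS CLI profile (needs network and credentials)."""
    out = subprocess.run(["aws", "cloudfront", "list-distributions", "--output", "json"],
                         check=True, capture_output=True, text=True).stdout
    return audit(out)


if __name__ == "__main__":
    for dist_id, path, post in audit(SAMPLE_LIST_DISTRIBUTIONS):
        severity = "FAIL (accepts POST)" if post else "INFO (no POST allowed)"
        print(f"{dist_id} behavior {path!r}: no field-level encryption config -> {severity}")
```

Run it as-is to see the findings for the embedded sample; audit_live_account() applies the same logic to your account and needs the AWS CLI configured with permission for cloudfront:ListDistributions. A behavior that does not allow POST is reported as informational only, since no form data can reach the origin through it.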


Implementation Plan:

Create an RSA Key Pair:


For creating a key pair you can use OpenSSL or another tool. The key must be an RSA key, and the key size must be 2048 bits.

Step 1: If you are using OpenSSL, use the following command to generate a 2048-bit RSA private key and save it to a file:

openssl genrsa -out private_key.pem 2048


Step 2: The private key file also contains the public key material, but CloudFront needs the public key on its own, in PEM (SubjectPublicKeyInfo) form. Extract it with:

openssl rsa -pubout -in private_key.pem -out public_key.pem

Only public_key.pem is uploaded to CloudFront. private_key.pem is what the origin uses to decrypt the fields, so keep it on the origin side (for example in a secrets manager or an HSM), restrict who can read it, and never paste it into the console.


Add Your Public Key to Cloud Front:

Step 1: Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/

Step 2: In the left navigation pane, choose Public keys.

Step 3: Click on the Add public key button.

Step 4: Fill in the details on the Add public key page:

Key name: type a unique name for the key. The name cannot have spaces and can include only alphanumeric characters, underscores ( _ ), and hyphens ( - ). The maximum number of characters is 128.

Key value: paste the encoded value of your public key (the contents of public_key.pem), including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.

Comment: add an optional comment, e.g. the expiration date for the public key.

Step 5: Click on Add button

To Create a Profile for Field-Level Encryption


Step 1: Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/

Step 2: In the left navigation pane, click on Field-level encryption under Security.

Step 3: Click on Create profile button

Step 4: Fill in the following fields:


Profile name: type a unique name for the profile. The name cannot have spaces and can include only alphanumeric characters, underscores( _ ), and hyphens ( - ). The maximum number of characters is 128.

Public key name: In the drop-down list, choose the name of a public key that you added to CloudFront in the step Add Your Public Key to CloudFront.

Provider name: type a phrase to help identify the key, such as the provider where you got the key pair. The provider name cannot have spaces and can include only alphanumeric characters, colons ( : ), underscores ( _ ), and hyphens ( - ). The maximum number of characters is 128.

Field name pattern to match: type the names of the data fields, or patterns that identify the data field names in the request, that you want CloudFront to encrypt. Choose the + option to add all the fields that you want to encrypt with this key. A single request can carry at most 10 encrypted fields, and the names are matched against the form field names in the POST body, so they must agree with what the HTML form actually submits.

Comment :(optional) Type a comment about this profile. The maximum number of characters that you can use is 128.

Step 5: Click on Create Profile button


Add a Configuration to a Cache Behavior

Step 1: Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/

Step 2: In the left navigation pane, click on Field-level encryption under Security.

Step 3: Click on the Create configuration button.

Step 4: Fill in the details of the configuration:


  • Profile ID

In the drop-down list, choose the profile (created in the step To Create a Profile for Field-Level Encryption) that CloudFront applies to requests with this content type.

  • Content type (can’t be changed)

The content type is set to application/x-www-form-urlencoded and can’t be changed. Field-level encryption therefore applies only to HTML form posts; JSON or multipart bodies are not encrypted.

  • Content format (can’t be changed)

The content format is set to URLencoded and can’t be changed.

 

Step 5: Click on the Create configuration button.


Step 6: Select the CloudFront distribution to which you want to add field-level encryption.

Step 7: Go to the Behaviors tab.

Step 8: Select the default ( * ) behavior for the distribution (or the behavior that receives the form posts, if it is not the default one).

Step 9: Click on the Edit button.

Step 10: Expand Additional settings.

Step 11: In the Field-level encryption config drop-down list, select the configuration that you created.

Step 12: Click on Save changes. The distribution redeploys; until that finishes, edge locations may still forward the fields unencrypted.

Using AWS CLI:

First create an RSA key pair as described under Create an RSA Key Pair above, then run the following commands in order; each one returns an Id that the next one needs. The JSON file names are examples.

To create a CloudFront public key (the command returns the key Id, which the profile references as PublicKeyId):

aws cloudfront create-public-key \
--public-key-config file://pub-key-config.json

To create a CloudFront field-level encryption profile (returns the profile Id, which the configuration references as ProfileId):

aws cloudfront create-field-level-encryption-profile \
--field-level-encryption-profile-config file://fle-profile-config.json


To create a CloudFront field-level encryption configuration (returns the configuration Id):

aws cloudfront create-field-level-encryption-config \
--field-level-encryption-config file://fle-config.json

Creating the configuration does not enable it. Finally, attach it to the distribution by setting FieldLevelEncryptionId on the relevant cache behavior, either through the console steps above or by editing the distribution config and applying it with aws cloudfront update-distribution; the audit query in the Test Plan should then return that Id instead of an empty string.
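As an added example (not from the original page and not AWS code), here is Python that builds the three JSON documents the commands above take, following the CloudFront API's PublicKeyConfig, FieldLevelEncryptionProfileConfig and FieldLevelEncryptionConfig shapes, and enforces the naming rules and the 10-field limit stated on this page before anything is sent. The PEM placeholder, the K1EXAMPLE and P1EXAMPLE IDs, the field names and the file names are assumptions; in practice you substitute the Id values each command returns.

```python
import json
import re
import time
from pathlib import Path

# Constraints this page states for names and field patterns.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")       # key and profile names
PROVIDER_RE = re.compile(r"^[A-Za-z0-9:_-]{1,128}$")  # provider name also allows ':'
MAX_FIELD_PATTERNS = 10                                # at most 10 encrypted fields per request

# Constructed placeholder; in real use read the file written by `openssl rsa -pubout`.
PLACEHOLDER_PUBLIC_KEY_PEM = "-----BEGIN PUBLIC KEY-----\n<base64 from public_key.pem>\n-----END PUBLIC KEY-----\n"


def _ref(prefix):
    """CallerReference makes the create-* calls idempotent; reuse it when retrying a failed call."""
    return f"{prefix}-{int(time.time())}"


def public_key_config(name, public_key_pem, comment="", caller_reference=None):
    """PublicKeyConfig body for `aws cloudfront create-public-key --public-key-config file://...`."""
    if not NAME_RE.match(name):
        raise ValueError("key name: 1-128 chars, alphanumerics, '_' and '-' only")
    if not public_key_pem.startswith("-----BEGIN PUBLIC KEY-----"):
        raise ValueError("expected the PEM from `openssl rsa -pubout`; never upload the private key")
    return {"CallerReference": caller_reference or _ref(name), "Name": name,
            "EncodedKey": public_key_pem, "Comment": comment}


def profile_config(name, public_key_id, provider_name, field_patterns,
                   comment="", caller_reference=None):
    """FieldLevelEncryptionProfileConfig body; public_key_id is the Id returned by create-public-key."""
    if not NAME_RE.match(name):
        raise ValueError("profile name: 1-128 chars, alphanumerics, '_' and '-' only")
    if not PROVIDER_RE.match(provider_name):
        raise ValueError("provider name: 1-128 chars, alphanumerics, ':', '_' and '-' only")
    patterns = list(dict.fromkeys(field_patterns))  # drop duplicates, keep order
    if not 0 < len(patterns) <= MAX_FIELD_PATTERNS:
        raise ValueError(f"1 to {MAX_FIELD_PATTERNS} field patterns per profile")
    return {
        "Name": name, "CallerReference": caller_reference or _ref(name), "Comment": comment,
        "EncryptionEntities": {"Quantity": 1, "Items": [{
            "PublicKeyId": public_key_id, "ProviderName": provider_name,
            "FieldPatterns": {"Quantity": len(patterns), "Items": patterns},
        }]},
    }


def fle_config(profile_id, comment="", fail_open=False, caller_reference=None):
    """FieldLevelEncryptionConfig body; profile_id is the Id returned when the profile was created.

    Content type and format are fixed to form posts, as the console page notes. fail_open=True
    sets both Forward...IsUnknown flags, so a POST whose content type (or query argument) matches
    no profile is passed to the origin unencrypted instead of being rejected; keep it False.
    """
    return {
        "CallerReference": caller_reference or _ref("fle"), "Comment": comment,
        "QueryArgProfileConfig": {
            "ForwardWhenQueryArgProfileIsUnknown": fail_open,
            "QueryArgProfiles": {"Quantity": 0},
        },
        "ContentTypeProfileConfig": {
            "ForwardWhenContentTypeIsUnknown": fail_open,
            "ContentTypeProfiles": {"Quantity": 1, "Items": [{
                "Format": "URLEncoded",
                "ProfileId": profile_id,
                "ContentType": "application/x-www-form-urlencoded",
            }]},
        },
    }


def write_json(path, body):
    """Write one CLI input file and return the file:// argument to pass to the aws command."""
    Path(path).write_text(json.dumps(body, indent=2))
    return f"file://{path}"


if __name__ == "__main__":
    # Step 1: create the public key, then read PublicKey.Id (K...) from the command output.
    print("aws cloudfront create-public-key --public-key-config",
          write_json("pub-key-config.json", public_key_config("checkout-key", PLACEHOLDER_PUBLIC_KEY_PEM)))
    # Step 2: the profile references that key id (K1EXAMPLE is a placeholder for the real value).
    print("aws cloudfront create-field-level-encryption-profile --field-level-encryption-profile-config",
          write_json("fle-profile-config.json", profile_config("checkout-profile", "K1EXAMPLE", "acme:payments",
                                                                ["card_number", "card_cvv"])))
    # Step 3: the configuration references the profile id (P1EXAMPLE is a placeholder).
    print("aws cloudfront create-field-level-encryption-config --field-level-encryption-config",
          write_json("fle-config.json", fle_config("P1EXAMPLE", comment="checkout form fields")))
```

The builders refuse a private key PEM, an over-long or badly formed name, and more than 10 field patterns, which are the mistakes the console would otherwise reject only after the round trip. After the third command, the returned FieldLevelEncryption.Id still has to be attached to the cache behavior as FieldLevelEncryptionId, as described above, before any field is encrypted.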


Back out Plan:

Field-level encryption objects can only be removed in dependency order: a configuration that is still attached to a cache behavior, and a profile that is still referenced by a configuration, cannot be deleted.

  1. Open the distribution, go to the Behaviors tab, edit each behavior that uses the configuration, clear the Field-level encryption config drop-down list, and click on Save changes.

  2. In the left navigation pane, click on Field-level encryption under Security.

  3. Select the field-level encryption configuration that you want to delete and click on Delete.

  4. Select the field-level encryption profile that you want to delete and click on Delete.

  5. Optionally, under Public keys, delete the public key if no other profile uses it.

References:

  1. Using field-level encryption to help protect sensitive data - Amazon CloudFront 

  2. What is Amazon CloudFront? - Amazon CloudFront 

  3. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-uploading-cloudfront-public-key-procedure