Description: 

CloudFront speeds up distribution of your static and dynamic web content, such as .html, .css, .php, image, and media files. When users request your content, CloudFront delivers it through a worldwide network of edge locations that provide low latency and high performance. 


Rationale: 

By enabling CloudFront logging, configuring logs to be placed in a separate bucket allows access to log information which can be useful in security and incident response workflows. Field-Level Encryption on Amazon CloudFront.


Audit:  

Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so.


To use field-level encryption, when you configure your CloudFront distribution, specify the set of fields in POST requests that you want to be encrypted, and the public key to use to encrypt them. You can encrypt up to 10 data fields in a request. (You can’t encrypt all of the data in a request with field-level encryption; you must specify individual fields to encrypt.)


When the HTTPS request with field-level encryption is forwarded to the origin, and the request is routed throughout your origin application or subsystem, the sensitive data is still encrypted, reducing the risk of a data breach or accidental data loss of the sensitive data. Components that need access to the sensitive data for business reasons, such as a payment processing system needing access to a credit number, can use the appropriate private key to decrypt and access the data. 


Remediation:

Setting Up Field-Level Encryption, Follow these steps to get started using field-level encryption. To learn about quotas (formerly known as limits) on field-level encryption, see Quotas.

    Step 1: Create an RSA Key Pair

    Step 2: Add Your Public Key to CloudFront

    Step 3: Create a Profile for Field-Level Encryption

    Step 4: Create a Configuration

    Step 5: Add a Configuration to a Cache Behavior


Resources: 

https://docs.aws.amazon.com/cloudfront/?id=docs_gateway

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html