Description:

Amazon CloudFront is a web service that speeds up the distribution of your static and dynamic web content, such as .html, .css, .php, image, and media files. When users request your content, CloudFront delivers it through a worldwide network of edge locations that provide low latency and high performance.

Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. In the CloudFront distribution, a public key is used to encrypt the set of fields in POST requests that you want encrypted. You can encrypt up to 10 data fields in a request.


Rationale:

Field-level encryption adds an extra layer of security: it protects specific data throughout system processing so that only certain applications can see it.

CloudFront field-level encryption uses asymmetric encryption, also known as public-key encryption. You provide a public key to CloudFront, and all sensitive data that you specify is encrypted automatically.


Impact:

Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack.


Default Value:

Field-level encryption is enabled by default. 


Audit:

Step 1: Sign in to the AWS Management Console and go to the CloudFront dashboard at https://console.aws.amazon.com/cloudfront/

Step 2: Choose the CloudFront distribution that you want to audit.

Step 3: Click on the Distribution name link.

Step 4: Go to the Behaviors tab

Step 5: Select the default ( * ) behavior for the distribution.

Step 6: Click on the Edit button.

Step 7: On the Edit Behavior page, under Additional Settings, check Field-level Encryption Config. If the drop-down list is empty, the selected CloudFront distribution is not configured to use field-level encryption to protect private data.

Via CLI:

Step 1: To get a list of the CloudFront distributions in your AWS account:

aws cloudfront list-distributions

Step 2: To get the information about your distribution which you want to audit:

aws cloudfront get-distribution --region <region> --id <distribution_id> \
  --query 'Distribution.DistributionConfig.DefaultCacheBehavior.FieldLevelEncryptionId'


If the above command returns an empty string (""), field-level encryption is not configured for the default cache behavior.
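The following script is an added example, not part of the original control text. It parses the JSON that `aws cloudfront list-distributions` prints and reports every cache behavior whose FieldLevelEncryptionId is empty. It goes slightly beyond the CLI step above, which queries only DefaultCacheBehavior, by also walking the additional CacheBehaviors of each distribution. The sample document embedded in the script is constructed, and its distribution and config IDs are placeholders.

```python
"""Audit CloudFront distributions for missing field-level encryption.

Added example (not from the original page). It parses the JSON that
`aws cloudfront list-distributions` prints and reports every cache
behavior whose FieldLevelEncryptionId is empty. The page's CLI audit
checks only DefaultCacheBehavior; this script also walks the additional
CacheBehaviors of each distribution. The sample document below is
constructed, and its distribution and config IDs are placeholders.
"""
import json
import subprocess

# Constructed sample in the shape of `aws cloudfront list-distributions` output.
SAMPLE_LIST_DISTRIBUTIONS = json.dumps({
    "DistributionList": {
        "Quantity": 2,
        "Items": [
            {
                "Id": "EXAMPLEDIST1",
                "DomainName": "d111111abcdef8.cloudfront.net",
                "DefaultCacheBehavior": {
                    "TargetOriginId": "origin-a", "FieldLevelEncryptionId": ""},
                "CacheBehaviors": {"Quantity": 1, "Items": [{
                    "PathPattern": "/checkout/*", "TargetOriginId": "origin-a",
                    "FieldLevelEncryptionId": "EXAMPLEFLECONFIG"}]},
            },
            {
                "Id": "EXAMPLEDIST2",
                "DomainName": "d222222abcdef8.cloudfront.net",
                "DefaultCacheBehavior": {
                    "TargetOriginId": "origin-b", "FieldLevelEncryptionId": ""},
                "CacheBehaviors": {"Quantity": 0},
            },
        ],
    }
})


def find_unencrypted_behaviors(list_distributions_json):
    """Return (distribution id, path pattern) for each behavior with no
    field-level encryption config; "*" denotes the default behavior."""
    doc = json.loads(list_distributions_json)
    findings = []
    for dist in doc.get("DistributionList", {}).get("Items", []):
        behaviors = [("*", dist.get("DefaultCacheBehavior", {}))]
        for cb in dist.get("CacheBehaviors", {}).get("Items", []):
            behaviors.append((cb.get("PathPattern", "?"), cb))
        for path, cb in behaviors:
            # An empty or absent FieldLevelEncryptionId means no config is attached.
            if not cb.get("FieldLevelEncryptionId"):
                findings.append((dist["Id"], path))
    return findings


def audit_live_account():
    """Run the real CLI (needs configured AWS credentials) and audit the result."""
    proc = subprocess.run(
        ["aws", "cloudfront", "list-distributions", "--output", "json"],
        check=True, capture_output=True, text=True)
    return find_unencrypted_behaviors(proc.stdout)


if __name__ == "__main__":
    for dist_id, path in find_unencrypted_behaviors(SAMPLE_LIST_DISTRIBUTIONS):
        print(f"{dist_id}: behavior '{path}' has no field-level encryption config")
```

Run against the embedded sample it lists both default behaviors as unprotected while the /checkout/* behavior of the first distribution passes; `audit_live_account()` applies the same check to the real account.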


Remediation:

Pre-Requisites:

To enable field-level encryption:

1. First create an RSA key pair (a public key and a private key), then add your public key to CloudFront, and then create a profile for field-level encryption.

2. The public key enables CloudFront to encrypt data, and the private key enables components at your origin to decrypt the fields that have been encrypted.


Implementation Plan:

Create an RSA Key Pair:

To create a key pair you can use OpenSSL or another tool. The key size must be 2048 bits.

Step 1: If you are using OpenSSL, use the following command to generate a key pair with a length of 2048 bits and save it in a file:

openssl genrsa -out private_key.pem 2048


Step 2: The above command writes both the public and the private key into the resulting file. To extract the public key from that file, run the following command:

openssl rsa -pubout -in private_key.pem -out public_key.pem


Add Your Public Key to CloudFront:

Step 1: Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/

Step 2: In the left navigation pane, choose Public key.

Step 3: Click on the Add public key button.

Step 4: Fill in all the details in Add public key:

Key name: type a unique name for the key. The name cannot have spaces and can include only alphanumeric characters, underscores ( _ ), and hyphens ( - ). The maximum number of characters is 128.

Key value: paste the encoded key value for your public key, including the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines.

Comment: add an optional comment, e.g. you could include the expiration date for the public key.

Step 5: Click on the Add button.

Create a Profile for Field-Level Encryption:

Step 1: Sign in to the AWS Management Console and open the CloudFront console at https://console.aws.amazon.com/cloudfront/

Step 2: In the left navigation pane, click on Field-level encryption under Security.

Step 3: Click on the Create profile button.

Step 4: Fill in the following fields:

Profile name: type a unique name for the profile. The name cannot have spaces and can include only alphanumeric characters, underscores( _ ), and hyphens ( - ). The maximum number of characters is 128.

Public key name: in the drop-down list, choose the name of a public key that you added to CloudFront in the step Add Your Public Key to CloudFront.

Provider name: type a phrase to help identify the key, such as the provider from which you got the key pair. The provider name cannot have spaces and can include only alphanumeric characters, colons ( : ), underscores ( _ ), and hyphens ( - ). The maximum number of characters is 128.

Field name pattern to match: type the names of the data fields, or patterns that identify data field names in the request, that you want CloudFront to encrypt. Choose the + option to add all the fields that you want to encrypt with this key.

Comment (optional): type a comment about this profile. The maximum number of characters that you can use is 128.

Step 5: Click on the Create Profile button.


Add a Configuration to a Cache Behavior:

Step 1: Sign in to the AWS Management Console and go to the CloudFront dashboard at https://console.aws.amazon.com/cloudfront/

Step 2: Select the CloudFront distribution to which you want to add the cache behavior.

Step 3: Click on the Distribution Settings button.

Step 4: Go to the Behaviors tab

Step 5: Select the default ( * ) behavior for the distribution.

Step 6: Click on the Edit button.

Step 7: Expand the Field-level Encryption Config section (the show/hide button) and select the profile that you created.


Via CLI:

First, create an RSA key pair as described above.

To create a CloudFront public key:

aws cloudfront create-public-key \
  --public-key-config <path to the JSON file that contains the public key config, e.g. file://pub-key-config.json>

To create a CloudFront field-level encryption profile:

aws cloudfront create-field-level-encryption-profile \
  --field-level-encryption-profile-config <path to JSON file>


To create a CloudFront field-level encryption configuration:

aws cloudfront create-field-level-encryption-config \
  --field-level-encryption-config <path to JSON file, e.g. file://file-config.json>
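The three CLI commands above each take a JSON document via file://. The following script is an added example, not part of the original control text or of AWS tooling: it builds those documents using the PublicKeyConfig, FieldLevelEncryptionProfileConfig and FieldLevelEncryptionConfig structures of the CloudFront API and enforces the naming and field-count rules stated on this page. The PEM text, the PublicKeyId and the ProfileId it uses are constructed placeholders; in practice the PEM comes from public_key.pem and each ID from the output of the preceding create-* command.

```python
"""Build the JSON inputs for the CloudFront field-level encryption CLI steps.

Added example, not from the original page. It generates the three files that
`aws cloudfront create-public-key`, `create-field-level-encryption-profile` and
`create-field-level-encryption-config` accept via file://, using the
PublicKeyConfig, FieldLevelEncryptionProfileConfig and FieldLevelEncryptionConfig
structures of the CloudFront API, and enforces the naming rules this page gives.
The PEM text and the PublicKeyId / ProfileId values are constructed placeholders:
in practice the PEM comes from public_key.pem and each ID from the output of the
preceding create-* command.
"""
import json
import re
import uuid

# Naming rules from this page: no spaces, only alphanumerics, underscores and
# hyphens (provider names may also contain colons), at most 128 characters.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
PROVIDER_RE = re.compile(r"^[A-Za-z0-9_:-]{1,128}$")
MAX_FIELDS = 10  # the page states that up to 10 fields can be encrypted per request

# Constructed placeholder, not a real key. Use the contents of public_key.pem.
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              "PLACEHOLDER_BASE64_PUBLIC_KEY_BODY\n"
              "-----END PUBLIC KEY-----\n")


def validate_name(value, provider=False):
    """True if value satisfies the key/profile (or provider) naming rules."""
    return bool((PROVIDER_RE if provider else NAME_RE).match(value))


def public_key_config(name, pem_text, comment="", caller_reference=None):
    """PublicKeyConfig document for `aws cloudfront create-public-key`."""
    if not validate_name(name):
        raise ValueError(f"invalid key name: {name!r}")
    if "-----BEGIN PUBLIC KEY-----" not in pem_text or "-----END PUBLIC KEY-----" not in pem_text:
        raise ValueError("EncodedKey must include the BEGIN/END PUBLIC KEY lines")
    return {"CallerReference": caller_reference or str(uuid.uuid4()),
            "Name": name, "EncodedKey": pem_text, "Comment": comment}


def profile_config(name, public_key_id, provider_name, field_patterns,
                   comment="", caller_reference=None):
    """FieldLevelEncryptionProfileConfig document for create-field-level-encryption-profile."""
    if not validate_name(name):
        raise ValueError(f"invalid profile name: {name!r}")
    if not validate_name(provider_name, provider=True):
        raise ValueError(f"invalid provider name: {provider_name!r}")
    patterns = list(field_patterns)
    if not 1 <= len(patterns) <= MAX_FIELDS:
        raise ValueError(f"between 1 and {MAX_FIELDS} field patterns are required")
    return {"CallerReference": caller_reference or str(uuid.uuid4()),
            "Name": name, "Comment": comment,
            "EncryptionEntities": {"Quantity": 1, "Items": [{
                "PublicKeyId": public_key_id, "ProviderName": provider_name,
                "FieldPatterns": {"Quantity": len(patterns), "Items": patterns}}]}}


def encryption_config(profile_id, comment="", caller_reference=None):
    """FieldLevelEncryptionConfig document mapping URL-encoded form posts to the profile.

    Both Forward* flags are False so that a request whose content type or query
    argument profile is unknown is rejected instead of being forwarded unencrypted."""
    return {"CallerReference": caller_reference or str(uuid.uuid4()),
            "Comment": comment,
            "QueryArgProfileConfig": {
                "ForwardWhenQueryArgProfileIsUnknown": False,
                "QueryArgProfiles": {"Quantity": 0, "Items": []}},
            "ContentTypeProfileConfig": {
                "ForwardWhenContentTypeIsUnknown": False,
                "ContentTypeProfiles": {"Quantity": 1, "Items": [{
                    "Format": "URLEncoded", "ProfileId": profile_id,
                    "ContentType": "application/x-www-form-urlencoded"}]}}}


def write_json(path, doc):
    """Write one config document; the path is what you pass as file://<path>."""
    with open(path, "w") as fh:
        json.dump(doc, fh, indent=2)
    return path


if __name__ == "__main__":
    write_json("pub-key-config.json",
               public_key_config("fle-key-1", SAMPLE_PEM, "key expires YYYY-MM-DD (placeholder)"))
    # PUBLICKEYIDPLACEHOLDER: replace with the Id returned by create-public-key.
    write_json("profile-config.json", profile_config(
        "fle-profile-1", "PUBLICKEYIDPLACEHOLDER", "openssl:local", ["card_number", "cvv"]))
    # PROFILEIDPLACEHOLDER: replace with the Id returned by create-field-level-encryption-profile.
    write_json("file-config.json", encryption_config("PROFILEIDPLACEHOLDER"))
```

The order matters: create the public key first and put its Id into the profile, then create the profile and put its Id into the encryption config, and finally attach the resulting config to the cache behavior. Keeping ForwardWhenContentTypeIsUnknown false is the conservative choice, because forwarding unknown content types would let a sensitive field reach the origin in clear text.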


Back out Plan:

1. If you want to revoke or disable field-level encryption, open the Distribution settings of the distribution.

2. Under Distribution settings, select Distribution state and choose Disabled.


References:

1. Using field-level encryption to help protect sensitive data - Amazon CloudFront

2. What is Amazon CloudFront? - Amazon CloudFront

3. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-uploading-cloudfront-public-key-procedure