Profile Applicability: Level 2

Description

Amazon CloudFront origin failover ensures high availability by automatically switching to a secondary origin if the primary origin is unavailable or returns specific HTTP response status codes that indicate a failure. This feature is crucial for maintaining uninterrupted service and improving the reliability of your web applications.

Rationale

  • High Availability: Ensures continuous service by automatically switching to a secondary origin when the primary origin fails.

  • Improved Reliability: Reduces the risk of downtime and service interruptions.

  • Enhanced User Experience: Provides a seamless experience for users by preventing service disruptions.

Impact

Pros:

  • Ensures high availability and continuous service.

  • Reduces the risk of downtime and service interruptions.

  • Enhances user experience by preventing disruptions.

Cons:

  • May require additional configuration and testing.

  • Potential temporary disruption during the setup process.

Default Value

By default, origin failover is not enabled for CloudFront distributions. It must be explicitly configured with a primary and secondary origin.

Pre-Requisite

IAM Permissions:

  • cloudfront:GetDistribution

  • cloudfront:UpdateDistribution

  • AWS CLI installed and configured.

Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to audit.

  5. Click on the Origins tab in the top menu.

  6. Check if an origin group is configured with a primary and secondary origin.

Using AWS CLI:

Check Origin Failover Status:

aws cloudfront get-distribution --id <distribution-id> --query 'Distribution.DistributionConfig.Origins.Items[*].OriginGroup'

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to modify.

  5. Click on the Origins tab in the top menu.

  6. Create an origin group with a primary and secondary origin.

  7. Configure the cache behavior to use the origin group.

  8. Save the changes.

Using AWS CLI:

  1. Save the JSON file document named distconfig-origin-failover.json.

Update the distribution:

aws cloudfront update-distribution --id <distribution-id> --distribution-config file://distconfig-origin-failover.json


Backout Plan

Using AWS Console:

  1. Navigate to the CloudFront Dashboard.

  2. Select the Distribution.

  3. Click Edit Attributes.

  4. Remove the origin group configuration.

  5. Click Save changes to save the changes.

Using AWS CLI:

aws cloudfront update-distribution --id <distribution-id> --distribution-config file://distconfig-original.json


References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.

v7

9.1

Limit Exposure to External Networks – Use techniques like connection draining to ensure reliable connections.