Profile Applicability: Level 2

Description

Associating a custom SSL/TLS certificate (for example, one issued by AWS Certificate Manager) with an Amazon CloudFront distribution lets your users connect to your content over HTTPS on your own branded domain name, rather than on the default CloudFront domain.

Rationale

  • Enhanced Security: Custom certificates ensure secure communication between users and CloudFront distributions.

  • Brand Trust: Using custom certificates for your domain increases trust and credibility with your users.

  • Compliance: Ensures adherence to security best practices and regulatory requirements.

Impact

Pros:

  • Enhances security by ensuring encrypted communication.

  • Increases trust and credibility with custom domain names.

  • Ensures compliance with security standards.

Cons:

  • Requires additional configuration and management of SSL/TLS certificates.

  • Potential temporary disruption during the setup process.

Default Value

By default, CloudFront distributions use default CloudFront SSL/TLS certificates. Custom certificates must be explicitly configured and associated with the distribution.

Pre-Requisite

IAM Permissions:

  • cloudfront:GetDistribution

  • cloudfront:UpdateDistribution

  • acm:ListCertificates

Tools:

  • AWS CLI installed and configured.

Remediation

Test Plan:

 Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to audit.

  5. Click on the General tab in the top menu.

  6. Check if a custom SSL/TLS certificate is associated with the distribution.

Using AWS CLI:

Check SSL/TLS Certificate Status:

aws cloudfront get-distribution --id <distribution-id> --query 'Distribution.DistributionConfig.ViewerCertificate'

Implementation Steps:

 Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to modify.

  5. Click on the General tab in the top menu.

  6. Click Edit to modify the distribution settings.

  7. Select the Custom SSL Certificate option.

  8. Choose the custom SSL/TLS certificate from the ACM (AWS Certificate Manager) list.

  9. Click Save changes to save the changes.

Using AWS CLI:

Associate a custom SSL/TLS certificate (distconfig-ssl.json must contain the complete DistributionConfig with its ViewerCertificate block updated; the current configuration and the ETag required for --if-match are returned by aws cloudfront get-distribution-config):

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distconfig-ssl.json
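The audit of the ViewerCertificate block from the Test Plan query and the construction of distconfig-ssl.json for the CLI step above, as an added example that is not part of the benchmark text. It runs offline on a constructed sample configuration; the certificate ARN is a placeholder and the TLS policy names are CloudFront's own security-policy identifiers.

```python
import json
from typing import Any

# CloudFront only accepts ACM certificates issued or imported in us-east-1.
ACM_CLOUDFRONT_REGION = "us-east-1"
# CloudFront security policies that require TLS 1.2 or later from viewers.
TLS12_POLICIES = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}


def evaluate_viewer_certificate(vc: dict[str, Any]) -> dict[str, Any]:
    """Audit the ViewerCertificate block returned by the get-distribution query."""
    findings = []
    uses_default = vc.get("CloudFrontDefaultCertificate", False)
    acm_arn = vc.get("ACMCertificateArn")
    iam_cert = vc.get("IAMCertificateId")
    if uses_default or not (acm_arn or iam_cert):
        findings.append("default CloudFront certificate in use; no custom certificate associated")
    else:
        if acm_arn and f":acm:{ACM_CLOUDFRONT_REGION}:" not in acm_arn:
            findings.append("ACM certificate is outside us-east-1 and cannot be used by CloudFront")
        if vc.get("MinimumProtocolVersion") not in TLS12_POLICIES:
            findings.append(f"security policy {vc.get('MinimumProtocolVersion')!r} admits pre-TLS1.2 viewers")
    return {"compliant": not findings, "findings": findings}


def with_custom_certificate(dist_config: dict[str, Any], acm_arn: str,
                            min_protocol: str = "TLSv1.2_2021") -> dict[str, Any]:
    """Return a copy of a DistributionConfig with ViewerCertificate switched to an ACM certificate.
    Write the result to distconfig-ssl.json; keep the untouched input as distconfig-original.json."""
    cfg = json.loads(json.dumps(dist_config))  # deep copy so the backout copy is not modified
    cfg["ViewerCertificate"] = {
        "CloudFrontDefaultCertificate": False,
        "ACMCertificateArn": acm_arn,
        "SSLSupportMethod": "sni-only",  # "vip" allocates dedicated IPs at extra cost
        "MinimumProtocolVersion": min_protocol,
    }
    return cfg


# Constructed sample: a distribution that still uses the default CloudFront certificate.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1",
                          "CertificateSource": "cloudfront"},
}
SAMPLE_ARN = "arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-CERT-ID"  # placeholder

if __name__ == "__main__":
    print(evaluate_viewer_certificate(SAMPLE_CONFIG["ViewerCertificate"]))
    fixed = with_custom_certificate(SAMPLE_CONFIG, SAMPLE_ARN)
    print(evaluate_viewer_certificate(fixed["ViewerCertificate"]))
    print(json.dumps(fixed, indent=2))  # content of distconfig-ssl.json
```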

Backout Plan

If associating custom SSL/TLS certificates causes issues:

 Using AWS Console:

  1. Navigate to the CloudFront Dashboard.

  2. Select the Distribution.

  3. Click Edit Attributes.

  4. Revert to using the default CloudFront SSL/TLS certificate.

  5. Click Save changes to save the changes.

Using AWS CLI:

Restore the previously saved configuration (distconfig-original.json is the DistributionConfig captured before the change; the current ETag is required for --if-match):

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distconfig-original.json

References

CIS Controls

Version | Control ID | Control Description | IG1 | IG2 | IG3
v8 | 5.3 | Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant. | | |
v8 | 13.2 | Ensure Secure Network Communication – Implement measures that prevent disruption during network changes. | | |
v7 | 9.1 | Limit Exposure to External Networks – Use techniques like connection draining to ensure reliable connections. | | |