Profile Applicability:

 Level 2

Description

Amazon CloudFront distributions should be correctly configured to point to existing S3 origins with static website hosting enabled. Pointing to non-existent S3 origins or S3 buckets without static website hosting can result in errors and disruptions in delivering content to users.

Rationale

  • Error Prevention: Avoids configuration errors that result from pointing to non-existent or incorrectly configured S3 origins.

  • Seamless Content Delivery: Ensures that content is correctly delivered to users without disruptions.

  • Security: Prevents potential misconfigurations that could expose sensitive information or result in unauthorized access.

Impact

Pros:

  • Prevents errors and disruptions in content delivery.

  • Ensures that content is correctly and securely delivered to users.

  • Reduces the risk of misconfigurations and unauthorized access.

Cons:

  • May require additional configuration and verification.

  • Potential temporary disruption during the reconfiguration process.

Default Value

By default, CloudFront distributions do not check if the S3 origin exists or if static website hosting is enabled. This must be explicitly verified and configured.

Pre-Requisite

IAM Permissions:

  • cloudfront:GetDistribution

  • cloudfront:UpdateDistribution

  • s3:GetBucketWebsite

  • AWS CLI installed and configured.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to audit.

  5. Click on the Origins tab in the top menu.

  6. Verify that the S3 origin exists and has static website hosting enabled.

Using AWS CLI:

Check S3 Origin and Static Website Hosting Status:

aws s3api get-bucket-website --bucket <bucket-name>

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to modify.

  5. Click on the Origins tab in the top menu.

  6. Ensure that the S3 origin exists and has static website hosting enabled.

  7. Save the changes.

Using AWS CLI:

Enable Static Website Hosting for the S3 bucket:

aws s3 website s3://<bucket-name>/ --index-document index.html

Update the CloudFront distribution to use the correct S3 origin:

aws cloudfront update-distribution --id <distribution-id> --distribution-config file://distconfig-s3-origin.json

Backout Plan

Using AWS Console:

  1. Navigate to the CloudFront Dashboard.

  2. Select the Distribution.

  3. Click Edit Attributes.

  4. Revert to the previous S3 origin configuration.

  5. Click Save changes to save the changes.

Using AWS CLI:

aws cloudfront update-distribution --id <distribution-id> --distribution-config file://distconfig-s3-origin.json


References

CIS Controls

Version

Control ID

Control Description

IG1

IG2

IG3

v8

5.3

Securely Manage Network Infrastructure – Ensure network devices are resilient and fault-tolerant.

v8

13.2

Ensure Secure Network Communication – Implement measures that prevent disruption during network changes.

v7

9.1

Limit Exposure to External Networks – Use techniques like connection draining to ensure reliable connections.