Profile Applicability:
- Level 1
Description:
Amazon CloudFront is a content delivery network (CDN) service that distributes content globally, improving latency and availability. AWS Shield Advanced is a managed DDoS (Distributed Denial of Service) protection service that provides enhanced security to AWS resources, including CloudFront distributions. This SOP ensures that CloudFront distributions are protected by AWS Shield Advanced, helping safeguard them from DDoS attacks and ensuring high availability of services.
Rationale:
Security: Every CloudFront distribution already receives AWS Shield Standard at no charge, which mitigates common infrastructure-layer (layer 3/4) floods. Shield Advanced adds always-on monitoring of the specific distribution, application-layer (layer 7) attack detection and reporting, near real-time attack visibility, access to the Shield Response Team during an incident, and cost protection for usage spikes caused by an attack. Without Shield Advanced, a large or application-layer attack on a distribution is handled only by the baseline protections, with no attack visibility and no response support.
Compliance: Frameworks such as PCI DSS and SOC 2 expect documented availability and resilience controls for in-scope systems. The attack visibility, mitigation and incident support that Shield Advanced provides help evidence those controls for CloudFront distributions, although no framework mandates Shield Advanced specifically.
Best Practices: Enabling Shield Advanced ensures a proactive approach to DDoS mitigation and aligns with AWS best practices for securing CloudFront distributions.
Impact:
Pros:
Enhanced Security: Shield Advanced automatically mitigates large-scale attacks and protects CloudFront distributions from DDoS threats.
Better Availability: DDoS mitigation ensures that the service remains available even under attack, improving overall service uptime and user experience.
Compliance: Helps meet security and availability requirements for regulatory compliance.
Cons:
Cost: AWS Shield Advanced is a paid subscription (a monthly fee with a one-year commitment, plus data transfer charges for protected resources) on top of Shield Standard, which is free and already applied to CloudFront, so it can noticeably increase operational expenses.
Configuration Overhead: It requires activation and configuration to ensure CloudFront distributions are protected by Shield Advanced.
Default Value:
By default, CloudFront distributions receive only AWS Shield Standard. Subscribing to Shield Advanced does not by itself protect any resource; each CloudFront distribution must be explicitly added as a protected resource.
Pre-requisite:
AWS IAM Permissions:
cloudfront:ListDistributions
cloudfront:GetDistribution
shield:DescribeSubscription
shield:ListProtections
shield:DescribeProtection
shield:CreateProtection
shield:DeleteProtection (backout only)
AWS CLI installed and configured. Note that the Shield API is served only from us-east-1, so Shield commands must be run with --region us-east-1 (or a default region of us-east-1).
AWS Shield Advanced subscription is active for the account (check with aws shield describe-subscription --region us-east-1; it fails with ResourceNotFoundException when there is no subscription).
Test Plan:
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to WAF & Shield under Services and choose AWS Shield in the left navigation.
Open Protected resources. The list shows every resource that currently has a Shield Advanced protection.
Check whether the CloudFront distribution you are assessing appears in the list (filter by resource type CloudFront distribution or by distribution ID).
If the distribution is not listed, it is not protected by Shield Advanced; proceed with enabling it as outlined in the Implementation Steps below.
Using AWS CLI:
First list the distributions and their ARNs (the ARN is what Shield protections are keyed on; the WebACLId field only tells you whether a WAF web ACL is associated and says nothing about Shield Advanced):
aws cloudfront list-distributions --query 'DistributionList.Items[*].[Id,ARN]' --output table
Then check whether a Shield Advanced protection exists for the distribution ARN (format arn:aws:cloudfront::<account-id>:distribution/<distribution-id>):
aws shield list-protections --region us-east-1 --query "Protections[?ResourceArn=='<distribution-arn>']"
Alternatively, aws shield describe-protection --region us-east-1 --resource-arn <distribution-arn> returns the protection, or fails with ResourceNotFoundException when none exists.
If the query returns an empty list (or describe-protection fails with ResourceNotFoundException), Shield Advanced protection is not enabled; proceed to enable it.
Implementation Steps:
Using AWS Console:
Sign in to the AWS Management Console and navigate to WAF & Shield, then choose AWS Shield in the left navigation.
Open Protected resources and click Add resources to protect.
Choose resource type CloudFront distribution, select the distribution you want to protect, and continue.
Optionally configure the layer 7 protections offered in the same workflow: associating a WAF web ACL with the distribution is what allows Shield Advanced to perform automatic application-layer DDoS mitigation. This is an addition to the Shield protection, not a substitute for it; a web ACL on its own does not enable Shield Advanced.
Finish the workflow and verify that the distribution now appears under Protected resources.
Using AWS CLI:
To enable AWS Shield Advanced protection for a CloudFront distribution, run (the distribution ARN has the form arn:aws:cloudfront::<account-id>:distribution/<distribution-id>):
aws shield create-protection --region us-east-1 --name <protection-name> --resource-arn <distribution-arn>
The command returns a ProtectionId. To check the status of the protection, run either of:
aws shield describe-protection --region us-east-1 --protection-id <protection-id>
aws shield describe-protection --region us-east-1 --resource-arn <distribution-arn>
Verify that the returned Protection has ResourceArn equal to the distribution ARN.
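The Test Plan and Implementation Steps above check one distribution at a time. The following script, added here as an example and not part of the SOP or any AWS-provided tooling, audits every distribution in the account against the Shield Advanced protection list and optionally creates the missing protections. It assumes boto3 with credentials holding cloudfront:ListDistributions, shield:DescribeSubscription, shield:ListProtections and shield:CreateProtection, and an active Shield Advanced subscription; the sample responses at the bottom are constructed so the decision logic can be exercised without credentials.

```python
"""
Audit which CloudFront distributions lack a Shield Advanced protection and
optionally create the missing protections.

Added example for this SOP (not AWS code). Assumes boto3 credentials with
cloudfront:ListDistributions, shield:DescribeSubscription,
shield:ListProtections and shield:CreateProtection, plus an active
Shield Advanced subscription.
"""
from __future__ import annotations

# The Shield API is served only from us-east-1, even for global resources
# such as CloudFront distributions.
SHIELD_REGION = "us-east-1"


def distribution_arn(account_id: str, distribution_id: str) -> str:
    """ARN of a CloudFront distribution (global service: the region field is empty)."""
    return f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"


def protected_arns(list_protections_pages) -> set[str]:
    """Collect every ResourceArn from (paginated) shield:ListProtections output."""
    arns: set[str] = set()
    for page in list_protections_pages:
        for protection in page.get("Protections", []):
            arns.add(protection["ResourceArn"])
    return arns


def audit(distributions, list_protections_pages, account_id: str):
    """Split distribution summaries into (protected_ids, unprotected_ids).

    `distributions` is the Items list from cloudfront:ListDistributions. Each
    summary normally carries its ARN; otherwise it is built from the ID.
    Membership is decided on the ARN, never on the WebACLId field.
    """
    covered = protected_arns(list_protections_pages)
    protected: list[str] = []
    unprotected: list[str] = []
    for summary in distributions:
        arn = summary.get("ARN") or distribution_arn(account_id, summary["Id"])
        (protected if arn in covered else unprotected).append(summary["Id"])
    return protected, unprotected


def run(remediate: bool = False):
    """Live check against the account; returns the same tuple as audit()."""
    import boto3  # imported here so the pure logic above is usable offline

    account_id = boto3.client("sts").get_caller_identity()["Account"]
    shield = boto3.client("shield", region_name=SHIELD_REGION)
    # Raises ResourceNotFoundException when the account has no Shield Advanced
    # subscription; CreateProtection would fail for the same reason.
    shield.describe_subscription()

    cloudfront = boto3.client("cloudfront")
    distributions = []
    for page in cloudfront.get_paginator("list_distributions").paginate():
        distributions.extend(page["DistributionList"].get("Items", []))
    protection_pages = list(shield.get_paginator("list_protections").paginate())

    protected, unprotected = audit(distributions, protection_pages, account_id)
    for dist_id in unprotected:
        print(f"UNPROTECTED {dist_id}")
        if remediate:
            resp = shield.create_protection(
                Name=f"cloudfront-{dist_id}",
                ResourceArn=distribution_arn(account_id, dist_id),
            )
            print(f"  created protection {resp['ProtectionId']}")
    return protected, unprotected


# Constructed sample responses (not real account data): two distributions,
# of which only the first has a Shield Advanced protection.
SAMPLE_ACCOUNT = "123456789012"
SAMPLE_DISTRIBUTIONS = [
    {"Id": "E1A2B3C4D5E6F7", "ARN": distribution_arn(SAMPLE_ACCOUNT, "E1A2B3C4D5E6F7")},
    {"Id": "E7F6E5D4C3B2A1", "ARN": distribution_arn(SAMPLE_ACCOUNT, "E7F6E5D4C3B2A1")},
]
SAMPLE_PROTECTIONS = [
    {"Protections": [
        {"Id": "a1b2c3d4-0000-4000-8000-000000000001",
         "Name": "cloudfront-E1A2B3C4D5E6F7",
         "ResourceArn": distribution_arn(SAMPLE_ACCOUNT, "E1A2B3C4D5E6F7")},
    ]},
]

if __name__ == "__main__":
    import sys
    run(remediate="--remediate" in sys.argv)
```

Run it without arguments to list unprotected distributions; pass --remediate to create a protection for each one (the protection name used, cloudfront-<distribution-id>, is an assumption of this example). Running `audit(SAMPLE_DISTRIBUTIONS, SAMPLE_PROTECTIONS, SAMPLE_ACCOUNT)` on the constructed data returns the first distribution as protected and the second as unprotected.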
Backout Plan:
Using AWS Console:
If enabling Shield Advanced protection causes issues, sign in to the AWS Management Console and navigate to WAF & Shield, then choose AWS Shield in the left navigation.
Open Protected resources, select the CloudFront distribution whose protection you want to remove, and remove the protection.
Confirm the removal and verify that the distribution no longer appears under Protected resources. Note that removing a protection does not cancel the Shield Advanced subscription or its monthly fee; the distribution falls back to Shield Standard.
Using AWS CLI:
To remove Shield Advanced protection from the CloudFront distribution, run (the protection ID comes from create-protection or from aws shield list-protections):
aws shield delete-protection --region us-east-1 --protection-id <PROTECTION_ID>
Verify that the CloudFront distribution is no longer protected; once the protection is deleted, this command fails with ResourceNotFoundException, which is the expected result:
aws shield describe-protection --region us-east-1 --protection-id <PROTECTION_ID>
Alternatively, confirm that aws shield list-protections --region us-east-1 --query "Protections[?ResourceArn=='<distribution-arn>']" returns an empty list.