Profile Applicability:

Level 1

Description:

Amazon CloudFront is a content delivery network (CDN) that can serve content from several origin types. A custom origin is any HTTP server that CloudFront reaches by DNS name, for example an Application Load Balancer, an EC2 instance, an on-premises web server, or an S3 bucket configured as a static website endpoint (a plain S3 bucket origin is a separate origin type with its own settings). To protect data in transit on the CloudFront-to-origin leg, verify that traffic to custom origins is sent over HTTPS (TLS). Otherwise the path between the CloudFront edge and the origin, which normally crosses the public internet, is exposed to eavesdropping and man-in-the-middle tampering.

For each custom origin, the Origin Protocol Policy determines whether CloudFront connects over HTTP only, HTTPS only, or the same protocol the viewer used. To enforce encryption the policy must be HTTPS Only, and the origin must present a certificate that CloudFront will accept: issued by a publicly trusted CA, unexpired, and with a subject or SAN that matches the origin domain name (or the Host header CloudFront forwards). CloudFront does not accept self-signed certificates on custom origins. This setting covers only the CloudFront-to-origin leg; encryption between viewers and CloudFront is controlled separately by the Viewer Protocol Policy, and both legs should be enforced.

Rationale:

Encrypting traffic to custom origins ensures the confidentiality and integrity of the data transmitted between CloudFront and the origin. This protects against unauthorized interception, tampering, or leakage of sensitive information. Additionally, encryption of traffic between CloudFront and custom origins is a security best practice and often required for compliance with data protection regulations.

Impact:

Pros:

  • Enhances security by encrypting communication between CloudFront and the custom origin.

  • Prevents eavesdropping, tampering, and man-in-the-middle attacks.

  • Ensures compliance with data security and privacy regulations.

Cons:

  • Requires a publicly trusted certificate on the origin and ongoing renewal. Certificates from AWS Certificate Manager can be used when the origin is an Elastic Load Balancer; other origins need a certificate from a public CA, which may incur cost.

  • An origin that does not answer on port 443 with a valid certificate will cause CloudFront to return 502 errors once the policy is switched, so test the origin over HTTPS before changing the policy. Origins that cannot terminate TLS must be fronted by a load balancer or reverse proxy that can.

Default Value:

There is no account-level or distribution-level setting that forces HTTPS to origins. Each custom origin carries its own Origin Protocol Policy, which can be HTTP Only, HTTPS Only or Match Viewer, so a distribution is compliant only when every custom origin is explicitly set to HTTPS Only.

Pre-requisite:

AWS IAM permissions:

  • cloudfront:ListDistributions (to enumerate distributions)

  • cloudfront:GetDistributionConfig (to audit an origin's protocol policy and obtain the ETag)

  • cloudfront:UpdateDistribution (to remediate)

Other requirements:

  • AWS CLI installed and configured.

  • Understanding of CloudFront distributions and TLS configuration for custom origins.

Remediation

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to CloudFront under Services.

  3. In the left-hand navigation panel, select Distributions.

  4. Choose the CloudFront distribution that uses a custom origin.

  5. Under the Origins tab, select the custom origin to review its settings.

  6. In the origin settings, check the Protocol (Origin Protocol Policy) value:

    • HTTPS Only: CloudFront connects to the origin over TLS only. This is the required setting.

    • HTTP Only: every request to the origin is sent in plaintext. Non-compliant.

    • Match Viewer: CloudFront uses whatever protocol the viewer used, so any viewer allowed to connect over HTTP reaches the origin unencrypted. Treat as non-compliant.

  7. If HTTPS Only is not selected, you can edit the settings to change the Origin Protocol Policy to HTTPS Only.

Using AWS CLI:

To list every origin of a distribution together with its protocol policy, run the following command (the policy lives inside CustomOriginConfig, not at the top level of the origin item):
 aws cloudfront get-distribution-config --id <distribution-id> --query 'DistributionConfig.Origins.Items[*].{Id:Id,DomainName:DomainName,ProtocolPolicy:CustomOriginConfig.OriginProtocolPolicy}' --output table

  • Every custom origin must show https-only. A value of http-only or match-viewer is a finding. S3 bucket origins carry S3OriginConfig instead of CustomOriginConfig and show an empty (None) ProtocolPolicy; they are out of scope for this check.

  • To enumerate the distributions to audit: aws cloudfront list-distributions --query 'DistributionList.Items[*].Id' --output text

If any custom origin shows http-only or match-viewer, update the distribution. update-distribution replaces the entire DistributionConfig and requires the current ETag in --if-match, so start from the existing configuration rather than writing the file from scratch:
 aws cloudfront get-distribution-config --id <distribution-id> > current.json

Copy the DistributionConfig object from current.json into updated-distribution-config.json (the ETag value in current.json is passed separately), change only the protocol policy, and apply it:
 aws cloudfront update-distribution --id <distribution-id> --if-match <ETag> --distribution-config file://updated-distribution-config.json

 All other DistributionConfig fields (CallerReference must keep its existing value) are carried over unchanged; the fragment that changes is the CustomOriginConfig of each custom origin item:
 {

  "CallerReference": "<existing-caller-reference>",

  "Comment": "Updated Distribution Config to enforce HTTPS",

  "Origins": {

    "Quantity": 1,

    "Items": [

      {

        "Id": "custom-origin-id",

        "DomainName": "example.com",

        "CustomOriginConfig": {

          "HTTPPort": 80,

          "HTTPSPort": 443,

          "OriginProtocolPolicy": "https-only",

          "OriginSslProtocols": { "Quantity": 1, "Items": [ "TLSv1.2" ] }

        }

      }

    ]

  }

 }

 Restricting OriginSslProtocols to TLSv1.2 is optional for this check but prevents CloudFront from negotiating TLSv1 or TLSv1.1 with the origin.

Implementation Steps:

Using AWS Console:

  1. Open the AWS Management Console and navigate to CloudFront.

  2. Select the CloudFront distribution associated with the custom origin.

  3. Go to the Origins tab, and select the origin.

  4. Click Edit under Origin Settings.

  5. Set the Origin Protocol Policy to HTTPS Only to ensure that traffic to the custom origin is encrypted.

  6. Save the changes and deploy the updated configuration.

Using AWS CLI:

Update the distribution with the corrected configuration and the current ETag:

 aws cloudfront update-distribution --id <distribution-id> --if-match <ETag> --distribution-config file://updated-distribution-config.json

The change takes effect only once the distribution status returns to Deployed. Confirm the status, then confirm that every custom origin now reports https-only:

 aws cloudfront get-distribution --id <distribution-id> --query 'Distribution.Status' --output text

 aws cloudfront get-distribution-config --id <distribution-id> --query 'DistributionConfig.Origins.Items[*].{Id:Id,DomainName:DomainName,ProtocolPolicy:CustomOriginConfig.OriginProtocolPolicy}' --output table
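The audit and remediation steps above can be combined into one script. The following is an added example, not part of the original benchmark text or of any AWS tooling. It works on the DistributionConfig document that get-distribution-config returns: find_insecure_origins reports every custom origin whose policy is not https-only (S3 bucket origins, which carry S3OriginConfig, are skipped), and enforce_https_only produces the corrected config, additionally pinning OriginSslProtocols to TLSv1.2. The embedded SAMPLE_CONFIG is a constructed, trimmed document with made-up origin IDs and domain names; remediate_distribution shows the live flow with boto3 (get config and ETag, patch, push back with IfMatch) and is the only part that needs AWS access.

```python
"""Audit and remediate CloudFront custom-origin protocol policy (added example)."""
import copy
import json

# Constructed sample of the DistributionConfig object returned by
# `aws cloudfront get-distribution-config`, trimmed to the fields this check uses.
# Origin IDs and domain names are made up for illustration.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Origins": {
        "Quantity": 3,
        "Items": [
            {   # compliant custom origin
                "Id": "api-origin",
                "DomainName": "api.example.internal",
                "CustomOriginConfig": {
                    "HTTPPort": 80, "HTTPSPort": 443,
                    "OriginProtocolPolicy": "https-only",
                    "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]},
                },
            },
            {   # non-compliant: viewer HTTP requests reach this origin in plaintext
                "Id": "legacy-origin",
                "DomainName": "legacy.example.internal",
                "CustomOriginConfig": {
                    "HTTPPort": 80, "HTTPSPort": 443,
                    "OriginProtocolPolicy": "match-viewer",
                    "OriginSslProtocols": {"Quantity": 3,
                                           "Items": ["TLSv1", "TLSv1.1", "TLSv1.2"]},
                },
            },
            {   # S3 bucket origin: has S3OriginConfig, no origin protocol policy
                "Id": "assets-bucket",
                "DomainName": "assets.s3.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": ""},
            },
        ],
    },
}


def find_insecure_origins(config):
    """Return [(id, domain, policy)] for custom origins whose policy is not https-only."""
    findings = []
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 bucket origin: out of scope for this check
        policy = custom.get("OriginProtocolPolicy")
        if policy != "https-only":
            findings.append((origin["Id"], origin["DomainName"], policy))
    return findings


def enforce_https_only(config, ssl_protocols=("TLSv1.2",)):
    """Return a deep copy with every custom origin set to https-only and the given TLS versions."""
    fixed = copy.deepcopy(config)  # never mutate the caller's document
    for origin in fixed.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        custom["OriginProtocolPolicy"] = "https-only"
        custom["OriginSslProtocols"] = {"Quantity": len(ssl_protocols),
                                        "Items": list(ssl_protocols)}
    return fixed


def remediate_distribution(distribution_id, dry_run=True):
    """Fetch the live config, patch it, and push it back using the ETag as IfMatch."""
    import boto3  # imported here so the offline functions above work without it
    cf = boto3.client("cloudfront")
    resp = cf.get_distribution_config(Id=distribution_id)
    config, etag = resp["DistributionConfig"], resp["ETag"]
    findings = find_insecure_origins(config)
    if findings and not dry_run:
        # update_distribution replaces the whole config; the ETag guards against
        # overwriting a change made between the get and the update.
        cf.update_distribution(Id=distribution_id, IfMatch=etag,
                               DistributionConfig=enforce_https_only(config))
    return findings


if __name__ == "__main__":
    print(json.dumps(find_insecure_origins(SAMPLE_CONFIG), indent=2))
```

Run remediate_distribution with dry_run=True first; it returns the findings without touching the distribution. Pinning OriginSslProtocols to TLSv1.2 goes slightly beyond the check itself, so drop the ssl_protocols change if an origin still needs older TLS versions.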

Backout Plan:

Using AWS Management Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudFront > Distributions.

  3. Select the distribution where encryption was configured.

  4. Under the Origins tab, locate the custom origin.

  5. Edit the origin settings and change the Origin Protocol Policy back to its previous value (HTTP Only or Match Viewer). Note that this re-exposes CloudFront-to-origin traffic, so it should be a temporary measure while the origin's HTTPS configuration is fixed.

  6. Save the changes to revert the configuration.

Using AWS CLI:

Retrieve the current configuration of the distribution and its ETag:
aws cloudfront get-distribution-config --id <distribution-id> > current.json
aws cloudfront get-distribution-config --id <distribution-id> --query 'ETag' --output text

Copy the DistributionConfig object into updated-config.json, set OriginProtocolPolicy inside CustomOriginConfig back to its previous value (http-only or match-viewer), and apply it with the ETag:
aws cloudfront update-distribution \
  --id <distribution-id> \
  --if-match <ETag> \
  --distribution-config file://updated-config.json

Verify the reverted configuration:
aws cloudfront get-distribution-config --id <distribution-id> --query 'DistributionConfig.Origins.Items[*].{Id:Id,DomainName:DomainName,ProtocolPolicy:CustomOriginConfig.OriginProtocolPolicy}' --output table

References:

  • https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html

  • https://docs.aws.amazon.com/cli/latest/reference/cloudfront/update-distribution.html

CIS Controls Mapping:

Version | Control ID | Control Description | IG1 | IG2 | IG3

v8 | 3.10 | Encrypt Sensitive Data in Transit – Encrypt sensitive data in transit. Example implementations can include: Transport Layer Security (TLS) and Open Secure Shell (OpenSSH). | ● | ● | ●