Profile Applicability:
- Level 1
Description:
This control ensures that Amazon CloudFront distributions have Field-Level Encryption (FLE) enabled to protect sensitive data submitted by clients on its way to the origin. Field-Level Encryption encrypts specific fields of an HTTPS form POST (such as credit card numbers, email addresses, or personal identifiers) at the CloudFront edge, using an RSA public key you upload to CloudFront, before the request is forwarded to your backend. Only systems that hold the matching private key can read those fields, so they remain protected from intermediate systems such as load balancers, WAFs, and application servers that do not need the plaintext.
Rationale:
Enabling Field-Level Encryption enhances the security of sensitive data by applying encryption at the application layer, in addition to HTTPS/TLS transport encryption. This means that even if data is intercepted or logged between CloudFront and the origin server, or read by a compromised component in the origin stack, the encrypted fields remain protected. FLE also helps meet the requirements of data privacy regulations and frameworks such as GDPR, HIPAA, PCI DSS, SOC 2, and ISO 27001, which call for encryption of sensitive or personally identifiable information (PII).
Impact:
- Positive Impact:
  - Provides an additional layer of encryption for sensitive data fields.
  - Protects data even if intermediate systems are compromised, because only the holder of the private key can decrypt the fields.
  - Supports compliance with data protection and privacy standards.
- Negative Impact:
  - Requires generating an RSA 2048-bit key pair, uploading the public key to CloudFront, and protecting the private key at the origin (AWS KMS can be used to generate and hold the key pair, but is not required by FLE itself).
  - Slight increase in processing overhead and latency due to encryption/decryption operations.
  - Applies only to HTTPS POST requests with content type application/x-www-form-urlencoded, and to at most 10 fields per request; JSON bodies, multipart uploads, and other formats are not encrypted by FLE.
Default Value:
By default, Field-Level Encryption is disabled for CloudFront distributions. It must be manually configured for each distribution and requires defining an encryption profile and policy.
Pre-Requisite:
IAM permissions required:
- cloudfront:CreatePublicKey
- cloudfront:CreateFieldLevelEncryptionProfile
- cloudfront:CreateFieldLevelEncryptionConfig
- cloudfront:GetDistributionConfig and cloudfront:UpdateDistribution
- kms:CreateKey and kms:GetPublicKey (only if the RSA key pair is generated and stored in AWS KMS)
An RSA 2048-bit public key (PEM-encoded) must be created or imported into CloudFront for encryption; the corresponding private key must be available only to the origin component that decrypts the fields.
HTTPS must be enforced for the CloudFront distribution (viewer protocol policy https-only or redirect-to-https), and the cache behavior must allow the POST method, because FLE only encrypts form fields in HTTPS POST requests.
Remediation
Test Plan
Using AWS Console:
Sign in to the AWS Management Console.
Navigate to Amazon CloudFront → Distributions.
Select a distribution and go to the Behaviors tab.
Select a behavior and click Edit.
Under the Field-Level Encryption section, check if:
A Field-Level Encryption Config is associated with the behavior.
The encryption profile includes the expected sensitive fields (e.g., email, creditCardNumber, ssn).
If no Field-Level Encryption Config is assigned, the distribution is non-compliant.
Implementation Plan
Using AWS Console:
Create a Public Key for Encryption:
Navigate to CloudFront → Public keys → Create public key.
Upload or paste your PEM-encoded RSA 2048-bit public key. Keep the private key only at the origin; CloudFront never needs it.
Provide a descriptive name (e.g., FieldLevelEncryptionKey) and save the configuration.
Create a Field-Level Encryption Profile:
Navigate to CloudFront → Field-level encryption profiles → Create profile.
Select the public key you created.
Add an encryption entity that pairs the public key with a provider ID (a label the origin uses to select the matching private key) and lists the form fields to encrypt (e.g., card_number, email, password). FLE operates on application/x-www-form-urlencoded POST bodies only, so specify form field names rather than JSON paths. Save the profile.
Create a Field-Level Encryption Configuration:
Go to CloudFront → Field-level encryption configurations → Create configuration.
Map the content type application/x-www-form-urlencoded to the profile created above, and optionally map values of the fle-profile query argument to profiles. Do not enable forwarding of requests whose content type or fle-profile value is unknown: with forwarding enabled, a client that changes the content type would cause the same sensitive fields to reach the origin in plaintext.
Save the configuration.
Associate the Configuration with a Distribution Behavior:
Navigate to CloudFront → Distributions.
Select the target distribution and go to the Behaviors tab.
Choose Edit behavior.
Under Field-level encryption, select the configuration created earlier.
Save changes.
Verify Encryption:
Submit test form posts containing the sensitive fields over HTTPS and inspect what the origin receives: the configured fields must arrive as FLE ciphertext, not plaintext, and the origin must be able to decrypt them with the private key.
Also confirm that a POST with an unmatched content type (for example application/json) is rejected by CloudFront rather than forwarded to the origin unencrypted.
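The Test Plan and Implementation Plan above can be driven from the CloudFront API instead of the console. The following Python module is an added example for this control (it is not AWS or CIS code): it audits a DistributionConfig document for cache behaviors that accept POST but have no Field-Level Encryption Config attached (and for behaviors that still allow plain HTTP), and it builds the profile and configuration objects that boto3's create_field_level_encryption_profile and create_field_level_encryption_config expect, with the forward-when-unknown flags turned off. The profile name, the field names, and the sample distribution config are assumptions constructed for the example; the boto3 calls run only when the module is executed against a real account.

```python
"""Audit and remediate CloudFront Field-Level Encryption via the API.

Added example for this control, not AWS code. The dict shapes follow what
`aws cloudfront get-distribution-config` returns and what the boto3 create_*
calls accept. PROFILE_NAME, SENSITIVE_FIELDS and SAMPLE_DISTRIBUTION_CONFIG
are assumptions constructed for the example.
"""
import copy
import uuid

PROFILE_NAME = "FieldLevelEncryptionProfile"             # assumed name
SENSITIVE_FIELDS = ["card_number", "email", "password"]  # assumed field names
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"  # the only content type FLE encrypts
FULL_METHODS = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]

# Constructed sample, trimmed to the keys the audit looks at.
SAMPLE_DISTRIBUTION_CONFIG = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "app-origin",
        "ViewerProtocolPolicy": "redirect-to-https",
        "AllowedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
        "FieldLevelEncryptionId": "",
    },
    "CacheBehaviors": {
        "Quantity": 2,
        "Items": [
            {"PathPattern": "/checkout/*", "TargetOriginId": "app-origin",
             "ViewerProtocolPolicy": "https-only",
             "AllowedMethods": {"Quantity": 7, "Items": FULL_METHODS},
             "FieldLevelEncryptionId": ""},
            {"PathPattern": "/api/*", "TargetOriginId": "api-origin",
             "ViewerProtocolPolicy": "allow-all",
             "AllowedMethods": {"Quantity": 7, "Items": FULL_METHODS},
             "FieldLevelEncryptionId": "K2EXAMPLE1"},
        ],
    },
}


def iter_behaviors(dist_config):
    """Yield (path_pattern, behavior) for the default and every ordered cache behavior."""
    yield "(default)", dist_config["DefaultCacheBehavior"]
    for behavior in dist_config.get("CacheBehaviors", {}).get("Items", []):
        yield behavior["PathPattern"], behavior


def audit_distribution(dist_config):
    """Return one finding per problem; an empty list means the distribution is compliant."""
    findings = []
    for path, behavior in iter_behaviors(dist_config):
        methods = behavior.get("AllowedMethods", {}).get("Items", ["GET", "HEAD"])
        # FLE encrypts form POST bodies, so only behaviors that accept POST can carry
        # the sensitive fields; GET/HEAD-only behaviors are not flagged.
        if "POST" in methods and not behavior.get("FieldLevelEncryptionId"):
            findings.append(f"{path}: no Field-Level Encryption Config attached")
        if behavior.get("ViewerProtocolPolicy") == "allow-all":
            # FLE applies to HTTPS only; allow-all lets a plain-HTTP POST deliver
            # the same fields to the origin unencrypted.
            findings.append(f"{path}: ViewerProtocolPolicy is allow-all")
    return findings


def build_profile_config(public_key_id, fields, provider_id="origin-decryptor"):
    """FieldLevelEncryptionProfileConfig: which fields get encrypted with which public key."""
    return {
        "Name": PROFILE_NAME,
        "CallerReference": str(uuid.uuid4()),
        "Comment": "Encrypt sensitive form fields before they reach the origin",
        "EncryptionEntities": {
            "Quantity": 1,
            "Items": [{
                "PublicKeyId": public_key_id,
                "ProviderId": provider_id,  # label the origin uses to pick its private key
                "FieldPatterns": {"Quantity": len(fields), "Items": list(fields)},
            }],
        },
    }


def build_fle_config(profile_id):
    """FieldLevelEncryptionConfig mapping form-encoded POSTs to the profile.

    Both Forward*WhenUnknown flags are False: a request with an unexpected
    content type or fle-profile value is rejected instead of being forwarded
    to the origin with the sensitive fields in plaintext.
    """
    return {
        "CallerReference": str(uuid.uuid4()),
        "Comment": "Field-level encryption for form posts",
        "QueryArgProfileConfig": {
            "ForwardWhenQueryArgProfileIsUnknown": False,
            "QueryArgProfiles": {"Quantity": 0, "Items": []},
        },
        "ContentTypeProfileConfig": {
            "ForwardWhenContentTypeIsUnknown": False,
            "ContentTypeProfiles": {
                "Quantity": 1,
                "Items": [{"Format": "URLEncoded", "ProfileId": profile_id,
                           "ContentType": FORM_CONTENT_TYPE}],
            },
        },
    }


def attach_fle_config(dist_config, fle_config_id, path_patterns=None):
    """Return a copy of dist_config with the FLE config attached to the chosen
    behaviors (all behaviors when path_patterns is None)."""
    updated = copy.deepcopy(dist_config)
    for path, behavior in iter_behaviors(updated):
        if path_patterns is None or path in path_patterns:
            behavior["FieldLevelEncryptionId"] = fle_config_id
    return updated


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a live run against an account

    cf = boto3.client("cloudfront")
    dist_id = sys.argv[1]
    current = cf.get_distribution_config(Id=dist_id)
    for finding in audit_distribution(current["DistributionConfig"]):
        print(finding)
    # Remediation, once a public key exists (cloudfront:CreatePublicKey) with id public_key_id:
    #   profile = cf.create_field_level_encryption_profile(
    #       FieldLevelEncryptionProfileConfig=build_profile_config(public_key_id, SENSITIVE_FIELDS))
    #   fle = cf.create_field_level_encryption_config(
    #       FieldLevelEncryptionConfig=build_fle_config(profile["FieldLevelEncryptionProfile"]["Id"]))
    #   cf.update_distribution(Id=dist_id, IfMatch=current["ETag"],
    #       DistributionConfig=attach_fle_config(current["DistributionConfig"],
    #                                            fle["FieldLevelEncryption"]["Id"], ["/checkout/*"]))
```

Run as `python fle_audit.py <distribution-id>` to print findings for a live distribution; on the constructed sample, the audit flags /checkout/* (accepts POST, no FLE config) and /api/* (FLE attached but plain HTTP still allowed), and attaching a config to /checkout/* clears the first finding while leaving the viewer-protocol finding, which must be fixed separately.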
Backout Plan:
Using AWS Console:
If enabling Field-Level Encryption causes application compatibility issues, disassociate the Field-Level Encryption Config:
Navigate to CloudFront → Distributions → Behaviors → Edit behavior.
Set Field-level encryption to None.
Disable or delete unnecessary encryption profiles or keys if no longer in use.
Document exceptions and review compliance impact before long-term disabling.