Profile Applicability:

  • Level 1

Description:

This control ensures that Amazon CloudFront distributions are configured to use HTTPS (SSL/TLS) for secure communication between viewers and CloudFront. Using HTTPS ensures that all data transmitted between clients (end-users) and the CloudFront edge locations is encrypted in transit, protecting against eavesdropping, data tampering, and man-in-the-middle attacks.

Rationale:

Enforcing HTTPS for CloudFront distributions enhances security by ensuring that sensitive data (such as credentials, PII, or financial information) is encrypted while being transmitted over the internet. It prevents attackers from intercepting or modifying data in transit. HTTPS also establishes trust with end-users by validating that content is being delivered securely. Using TLS aligns with compliance requirements in frameworks such as CIS, SOC 2, ISO 27001, HIPAA, and PCI DSS.

Impact:

  • Positive Impact:

    • Protects data integrity and confidentiality during transmission.

    • Helps maintain compliance with data security and privacy standards.

    • Improves user trust by using secure HTTPS connections.

  • Negative Impact:

    • Requires management of SSL/TLS certificates (renewal and configuration).

    • Slightly increases CPU utilization due to encryption overhead.


Default Value:

By default, CloudFront distributions support both HTTP and HTTPS. However, HTTPS must be explicitly enforced to ensure all traffic uses encrypted connections.


Pre-Requisite:

  • IAM permissions required: cloudfront:GetDistributionConfig, cloudfront:UpdateDistribution.

  • A valid SSL/TLS certificate issued by AWS Certificate Manager (ACM) or uploaded to the CloudFront Certificate Store.


Remediation:

Test Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudFront → Distributions.

  3. Select a distribution and go to the Behaviors tab.

  4. Select a behavior and click Edit.

  5. In the Viewer protocol policy section, verify that one of the following is set:

    • Redirect HTTP to HTTPS 

    • HTTPS only

  6. If the setting is HTTP and HTTPS, the distribution is non-compliant.

Implementation Plan:

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to Amazon CloudFront → Distributions.

  3. Select the target distribution.

  4. Go to the Behaviors tab.

  5. Select the desired behavior and click Edit.

  6. Under Viewer protocol policy, choose one of the following:

    • Redirect HTTP to HTTPS – Automatically redirects all HTTP requests to HTTPS. (Recommended for user experience.)

    • HTTPS only – Blocks all HTTP requests, serving content only over HTTPS. (Recommended for strict security environments.)

  7. In the SSL certificate section:

    • Select Custom SSL certificate (example.com) if using a domain-specific certificate from ACM.

    • Ensure Minimum Origin SSL Protocol is set to TLSv1.2 or higher.

  8. Click Save changes.

  9. Allow several minutes for CloudFront to propagate configuration updates globally.
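The same checks that the Test Plan and step 7 above perform in the console can be scripted against the JSON returned by `aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>` (which needs the cloudfront:GetDistributionConfig permission listed under Pre-Requisite). This is an added example, not part of this benchmark; the field names are those of the CloudFront API, and the sample configuration is constructed.

```python
"""Audit a CloudFront DistributionConfig offline (the JSON returned by
`aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>`): flag cache
behaviors that still accept plain HTTP and custom origins that allow TLS < 1.2."""

COMPLIANT_VIEWER_POLICIES = {"https-only", "redirect-to-https"}
WEAK_ORIGIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def find_viewer_findings(dist_config):
    """Return (path_pattern, policy) for each behavior not enforcing HTTPS.
    The default behavior is reported as '*' (the pattern the console shows)."""
    behaviors = [("*", dist_config["DefaultCacheBehavior"])]
    for item in dist_config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((item["PathPattern"], item))
    # A missing policy is treated as "allow-all" so the check fails closed.
    policies = [(p, b.get("ViewerProtocolPolicy", "allow-all")) for p, b in behaviors]
    return [(p, pol) for p, pol in policies if pol not in COMPLIANT_VIEWER_POLICIES]


def find_origin_findings(dist_config):
    """Return (origin_id, weak_protocols) for custom origins offering SSLv3/TLS 1.0/1.1."""
    findings = []
    for origin in dist_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")  # S3 origins have no TLS protocol list
        if custom:
            offered = set(custom.get("OriginSslProtocols", {}).get("Items", []))
            weak = sorted(offered & WEAK_ORIGIN_PROTOCOLS)
            if weak:
                findings.append((origin["Id"], weak))
    return findings


# Constructed sample mirroring the API's shape; not a real distribution.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {"TargetOriginId": "web", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api", "ViewerProtocolPolicy": "https-only"},
        {"PathPattern": "/legacy/*", "TargetOriginId": "web", "ViewerProtocolPolicy": "allow-all"},
    ]},
    "Origins": {"Items": [
        {"Id": "web", "CustomOriginConfig": {"OriginSslProtocols": {"Items": ["TLSv1.1", "TLSv1.2"]}}},
        {"Id": "api", "CustomOriginConfig": {"OriginSslProtocols": {"Items": ["TLSv1.2"]}}},
    ]},
}

if __name__ == "__main__":
    for pattern, policy in find_viewer_findings(SAMPLE_CONFIG):
        print(f"NON-COMPLIANT behavior {pattern}: viewer protocol policy is {policy}")
    for origin_id, weak in find_origin_findings(SAMPLE_CONFIG):
        print(f"NON-COMPLIANT origin {origin_id}: allows {', '.join(weak)}")
```

Any behavior reported by `find_viewer_findings` is the "HTTP and HTTPS" case the Test Plan marks as non-compliant; run it across every distribution returned by `aws cloudfront list-distributions` to cover the whole account.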

Backout Plan:

Using AWS Console:

  1. If applications or APIs experience connectivity issues due to HTTPS enforcement:

    • Temporarily switch back to HTTP and HTTPS in the Viewer protocol policy to restore access.

  2. Troubleshoot client configurations and certificate trust issues.

  3. Reapply HTTPS enforcement once compatibility is verified.


References:

  • Amazon CloudFront Using HTTPS Documentation

  • AWS Certificate Manager Documentation

  • AWS Security Best Practices Whitepaper