Rule: CloudFront distributions should have origin access identity enabled
This rule ensures origin access identity is enabled for CloudFront distributions.
Rule: CloudFront distributions should have origin access identity enabled
Framework: AWS Foundational Security Best Practices
Severity: Medium
Rule Description:
This rule requires that every CloudFront distribution has an Origin Access Identity (OAI) configured. The OAI is a special CloudFront identity that lets CloudFront fetch and serve content from an Amazon S3 bucket or an HTTP server while the bucket or server itself stays private.
Enabling the OAI adds a layer of protection by restricting direct access to the origin: only requests routed through CloudFront are granted access to the content, so the origin cannot be reached by clients that bypass the distribution.
Remediation Steps:
Follow these steps to enable the Origin Access Identity for a CloudFront distribution:
Step 1: Access CloudFront Console
Login to the AWS Management Console.
Navigate to the CloudFront service.
Step 2: Identify the Distribution
Locate the desired CloudFront distribution that needs to have the OAI enabled.
Step 3: Edit the Distribution
Select the distribution by clicking on its ID or description.
Click on the "Distribution Settings" tab.
Click on the "Edit" button to modify the distribution settings.
Step 4: Configure Origin Access Identity
Scroll down to the "Origins and Origin Groups" section.
Select the appropriate origin associated with the distribution.
Click on the "Edit" button for the selected origin.
Step 5: Enable Origin Access Identity
In the "Origin Access Identity" section, choose "Create a New Identity".
Customize the "Comment" field (optional) to provide a meaningful description.
Click on the "Yes, Edit" button to save the changes.
Step 6: Associate Identity with Bucket or Server
Once the Origin Access Identity is enabled, it needs to be associated with the corresponding Amazon S3 bucket or HTTP server that serves as the CloudFront distribution's origin.
Depending on the origin type, follow the instructions below:
Associating with an Amazon S3 Bucket
Access the Amazon S3 service in the AWS Management Console.
Locate the bucket associated with the CloudFront distribution.
Go to the bucket's properties.
Select the "Permissions" tab.
Click on the "Add Bucket Policy" button.
Configure a bucket policy that only allows requests from the Origin Access Identity (OAI).
Save the changes to apply the updated bucket policy.
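The bucket policy from step 6 and a check that flags policies which do not restrict object reads to the OAI, added here as an example (not the rule page's own code); the bucket name and OAI ID are constructed placeholders, and a principal given as an S3 canonical user ID is only flagged for manual review because the check cannot tell from the policy alone whether it belongs to the OAI.

```python
import re
# Constructed placeholder values for this example (not taken from the rule page).
BUCKET = "example-origin-bucket"
OAI_ID = "EXAMPLEOAI123"
# Principal ARN form CloudFront uses for an OAI; only the ID at the end varies.
OAI_ARN_RE = re.compile(r"^arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity [A-Z0-9]+$")


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Policy from step 6: only the named OAI may read objects, nothing else."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principals(stmt: dict) -> list:
    """Flatten Principal ('*', {'AWS': ...}, {'CanonicalUser': ...}) into (kind, value) pairs."""
    principal = stmt.get("Principal", {})
    if principal == "*":
        return [("AWS", "*")]
    return [(kind, v) for kind, vals in principal.items() for v in _as_list(vals)]


def policy_findings(policy: dict) -> list:
    """One finding per Allow statement that is not a read-only grant to an OAI; [] means compliant."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for kind, p in _principals(stmt):
            if p == "*":
                findings.append(f"{sid}: public principal '*' lets clients bypass CloudFront")
            elif kind == "CanonicalUser":
                findings.append(f"{sid}: CanonicalUser {p}; confirm it is the OAI's canonical user ID")
            elif not OAI_ARN_RE.match(p):
                findings.append(f"{sid}: non-OAI principal {p}")
        extra = [a for a in _as_list(stmt.get("Action", [])) if a != "s3:GetObject"]
        if extra:
            findings.append(f"{sid}: actions beyond s3:GetObject: {extra}")
    return findings
```

Run `policy_findings` over the policy document returned by the bucket's Permissions tab; an empty list is the state this rule expects.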
Associating with an HTTP Server
Access the HTTP server's configuration or security settings.
Restrict access to the server by allowing requests only from the CloudFront distribution's Origin Access Identity (OAI).
Save the changes to apply the updated server configuration.
Troubleshooting Steps:
If the Origin Access Identity option is disabled or not visible, ensure that the CloudFront distribution is in an 'Enabled' state.
When associating the Origin Access Identity with an S3 bucket, double-check the bucket policy syntax for any errors.
Verify that the HTTP server's configuration allows requests from the Origin Access Identity and that no firewall or security group rule blocks them.
In case of any unexpected behavior or errors, consult the AWS documentation or contact AWS support for further assistance.
Code Example:
There is no specific code example for this rule, as it involves configuration steps using the AWS Management Console and associated services (Amazon S3, HTTP server).
Note: It is always recommended to familiarize yourself with the AWS documentation related to CloudFront and Origin Access Identity for a deeper understanding of the concepts and best practices.