
Rule: CloudFront distributions should require encryption in transit

This rule ensures that CloudFront distributions enforce encryption for data transfer.

Rule: CloudFront distributions should require encryption in transit
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description

The CloudFront distribution should require encryption in transit for AWS Foundational Security Best Practices. This rule ensures that data transferred between end-users and CloudFront is securely encrypted to protect against unauthorized access or interception.

Troubleshooting Steps

  1. Verify SSL/TLS Certificate: First, ensure that you have a valid SSL/TLS certificate available for your CloudFront distribution. Check that the certificate is not expired and covers the domain names you plan to use with CloudFront.

  2. Enable HTTPS Only: Make sure that you have enabled the HTTPS-only configuration for your CloudFront distribution. This ensures that all incoming requests are redirected to their HTTPS counterparts.

  3. Verify Viewer Policy: Check the Viewer Policy settings of your CloudFront distribution. Ensure that the policy is set to "Redirect HTTP to HTTPS" to force all requests to use HTTPS.

  4. Verify Origin Protocol Policy: Confirm that the Origin Protocol Policy is set to "HTTPS Only." This ensures that CloudFront always communicates with your origin server over HTTPS.

  5. Review Caching Behavior: When configuring caching behavior for your CloudFront distribution, ensure that the Minimum Origin SSL Protocol is set to TLSv1.2 or higher.

Necessary Codes

There are no specific codes required for this rule. However, make sure to configure the following settings properly for your CloudFront distribution:

  • SSL/TLS Certificate: Obtain a valid SSL/TLS certificate from a trusted certificate authority (CA) and upload it to AWS Certificate Manager (ACM) or IAM.

  • HTTPS Only: Enable the HTTPS-only configuration for your CloudFront distribution. This can be done through the AWS Management Console or using the AWS CLI.

  • Viewer Policy: Set the Viewer Policy to "Redirect HTTP to HTTPS" to ensure all incoming requests are redirected to their HTTPS counterparts.

  • Origin Protocol Policy: Set the Origin Protocol Policy to "HTTPS Only" to ensure that CloudFront always communicates with your origin server over HTTPS.

  • Minimum Origin SSL Protocol: Set the Minimum Origin SSL Protocol to TLSv1.2 or higher when configuring caching behavior for your CloudFront distribution.

Remediation Steps

Follow these steps to remediate the issue and enforce encryption in transit for your CloudFront distribution:

  1. Log in to the AWS Management Console.

  2. Go to the CloudFront service.

  3. Select the CloudFront distribution that requires encryption in transit.

  4. Click on the "Distribution Settings" tab.

  5. Under the "General" section, click on "Edit" next to the "Viewer Protocol Policy."

  6. Choose the "Redirect HTTP to HTTPS" policy from the drop-down menu.

  7. Click on "Yes, Edit" to save the changes.

  8. Under the "Origin Settings" section, click on "Edit" next to the "Origin Protocol Policy."

  9. Select "HTTPS Only" from the drop-down menu.

  10. Click on "Yes, Edit" to save the changes.

  11. Under the "Cache Behavior Settings" section, click on "Edit" next to the respective cache behavior.

  12. Set the "Minimum Origin SSL Protocol" to TLSv1.2 or higher.

  13. Click on "Yes, Edit" to save the changes.

  14. Repeat steps 11-13 for each cache behavior if you have multiple.

After completing these steps, your CloudFront distribution will require encryption in transit, ensuring a higher level of security for data transfers. Always monitor your CloudFront distribution to ensure encryption settings remain intact and up to date with security best practices.
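As an added example (not part of this page or of Cloud Defense's tooling), the following Python evaluates a CloudFront `DistributionConfig`, in the shape returned by `aws cloudfront get-distribution-config`, for the three settings above and produces the remediated copy so the two can be compared. The sample distribution is constructed, and the check reads the origin SSL protocol list from each origin's `CustomOriginConfig.OriginSslProtocols`, which is where the CloudFront API carries it.

```python
import copy

WEAK_ORIGIN_SSL = {"SSLv3", "TLSv1", "TLSv1.1"}  # anything below TLSv1.2
HTTPS_VIEWER_POLICIES = {"https-only", "redirect-to-https"}


def check_distribution(config: dict) -> list:
    """Return one finding per setting that still allows unencrypted traffic; [] means compliant."""
    findings = []
    behaviors = [("default", config["DefaultCacheBehavior"])]
    behaviors += [(cb["PathPattern"], cb) for cb in config.get("CacheBehaviors", {}).get("Items", [])]
    for name, cb in behaviors:
        policy = cb.get("ViewerProtocolPolicy", "allow-all")
        if policy not in HTTPS_VIEWER_POLICIES:
            findings.append(f"cache behavior '{name}': ViewerProtocolPolicy '{policy}' permits plain HTTP")
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3OriginConfig origins expose no origin protocol settings in this API
        oid, opp = origin["Id"], custom.get("OriginProtocolPolicy")
        if opp != "https-only":
            findings.append(f"origin '{oid}': OriginProtocolPolicy '{opp}' is not https-only")
        weak = sorted(set(custom.get("OriginSslProtocols", {}).get("Items", [])) & WEAK_ORIGIN_SSL)
        if weak:
            findings.append(f"origin '{oid}': offers weak OriginSslProtocols {weak}")
    return findings


def remediate(config: dict) -> dict:
    """Return a copy with the three settings forced to the values the rule expects."""
    fixed = copy.deepcopy(config)
    for cb in [fixed["DefaultCacheBehavior"]] + fixed.get("CacheBehaviors", {}).get("Items", []):
        cb["ViewerProtocolPolicy"] = "redirect-to-https"
    for origin in fixed.get("Origins", {}).get("Items", []):
        if "CustomOriginConfig" in origin:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
            origin["CustomOriginConfig"]["OriginSslProtocols"] = {"Quantity": 1, "Items": ["TLSv1.2"]}
    return fixed


# Constructed sample distribution (not a real account) showing the weak settings this rule flags.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {"TargetOriginId": "api-origin", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [{"PathPattern": "/static/*",
                       "TargetOriginId": "assets", "ViewerProtocolPolicy": "redirect-to-https"}]},
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "api-origin", "DomainName": "api.example.com", "CustomOriginConfig": {
            "OriginProtocolPolicy": "match-viewer",
            "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.2"]}}},
        {"Id": "assets", "DomainName": "assets.s3.amazonaws.com", "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]}}
```

Running `check_distribution(SAMPLE_CONFIG)` reports the allow-all default behavior, the match-viewer origin policy and the TLSv1 offer on the custom origin; the same check on `remediate(SAMPLE_CONFIG)` returns no findings.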
