This rule ensures that CloudFront distributions have origin failover configured for improved reliability.
Rule | CloudFront distributions should have origin failover configured |
Framework | AWS Foundational Security Best Practices |
Severity | ✔ Low |
Rule Description:
The AWS Foundational Security Best Practices standard recommends configuring origin failover for CloudFront distributions. Origin failover is implemented with an origin group: two origins, a primary and a secondary, plus failover criteria. When the primary origin returns one of the HTTP status codes you select (500, 502, 503, 504, 403 or 404) or CloudFront cannot connect to it within the configured attempts and timeout, CloudFront retries the same request against the secondary origin. Failover is only attempted for GET, HEAD and OPTIONS requests. Because the secondary origin answers the same paths as the primary, it must enforce the same access controls (for example an origin access control on an S3 bucket, or the same secret origin header checked by a load balancer); otherwise a failover silently downgrades the protection of your content instead of improving availability.
Troubleshooting Steps (if applicable):
If you encounter issues with the origin failover feature, you can follow these troubleshooting steps:
Verify Origin Server Health: Check that each origin, primary and backup, is reachable and healthy. Request a known path directly from the origin endpoint (for example with curl) rather than pinging it: many origins drop ICMP, and a successful ping says nothing about whether the HTTP service is returning the 5xx responses that trigger failover.
Check DNS Configuration: Validate the DNS configuration of your origin servers. Ensure that the DNS records are correctly configured and pointing to the appropriate IP addresses.
Review Security Groups and Network ACLs: Confirm that the security groups and network ACLs in front of both origins allow inbound traffic from CloudFront's origin-facing address ranges (the CLOUDFRONT_ORIGIN_FACING entries in ip-ranges.json, or the managed prefix list com.amazonaws.global.cloudfront.origin-facing for resources in a VPC). A backup origin that CloudFront cannot reach never serves a failed-over request, so test the backup's rules with the same care as the primary's.
Analyze CloudFront Logs: Enable CloudFront access logs and analyze them to identify any errors or unusual patterns. The logs can provide insights into failed requests or connection issues.
Monitor CloudWatch Alarms: Monitor CloudWatch alarms related to CloudFront metrics. Configure alarms to notify you when there are spikes in error rates, latency, or any other relevant metric.
Necessary Code (if applicable):
If you need to implement or modify the origin failover configuration from the AWS Command Line Interface (CLI), note that update-distribution does not accept per-field flags such as --origins. It takes the complete distribution configuration together with the ETag returned by the most recent read, so the workflow is: fetch the current configuration, edit it, and write it back:
aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query DistributionConfig > dist-config.json
aws cloudfront get-distribution-config --id DISTRIBUTION_ID --query ETag --output text
aws cloudfront update-distribution --id DISTRIBUTION_ID --if-match ETAG --distribution-config file://dist-config.json
Replace DISTRIBUTION_ID with the ID of your CloudFront distribution and ETAG with the value printed by the second command. Before running the third command, edit dist-config.json so that Origins lists both the primary and the backup origin (for example with the Ids PrimaryOrigin and BackupOrigin), OriginGroups contains a group whose Members list the primary origin first and the backup origin second and whose FailoverCriteria lists the status codes that should trigger failover, and the TargetOriginId of DefaultCacheBehavior is the origin group's Id. DefaultRootObject is a separate field in the same file; set it there if your distribution needs one. If the distribution is changed by anyone between the read and the write, the ETag no longer matches and the update is rejected; re-run the fetch and apply the edit again.
Step by Step Guide for Remediation:
To configure origin failover for your CloudFront distribution, follow these steps:
Identify Distribution: Identify the CloudFront distribution you want to configure origin failover for. Make a note of its ID for use in later steps.
Prepare Origin Servers: Define at least two origins on the distribution, one primary and one backup, serving the same content under the same paths. The backup must also enforce the same access controls as the primary (origin access control for an S3 bucket, the same custom-header or WAF checks for a load balancer); a failover target that is less protected than the primary is a bypass, not a safeguard.
Open AWS Management Console: Open the AWS Management Console and navigate to the CloudFront service.
Select Distribution: Locate and select the desired distribution from the list of available distributions.
Go to Origins: In the distribution details page, open the "Origins" tab (older versions of the console label it "Origins and Origin Groups"). Confirm that both the primary and the backup origin are listed, and create the missing one if necessary.
Create Origin Group: In the "Origin groups" section, click "Create origin group". Add the primary origin first and the backup origin second; the order determines which origin CloudFront tries first. Under the failover criteria, select the status codes that should trigger failover (500, 502, 503 and 504 at minimum; add 403 and 404 only if those codes indicate an origin fault rather than a legitimate response for your application). Give the group an ID and create it.
Point Behaviors at the Group: Open the "Behaviors" tab and edit the default behavior, plus any path-specific behaviors that should fail over. Set the origin of each behavior to the new origin group instead of the bare primary origin. An origin group that no behavior references has no effect.
Set Default Root Object: Optionally, set the default root object for your distribution if desired.
Save Changes: Click on the "Create" or "Save" button to apply the changes to your CloudFront distribution.
Verify Configuration: After the distribution finishes deploying, confirm the settings with aws cloudfront get-distribution-config --id DISTRIBUTION_ID: OriginGroups should list the group with both members and the selected status codes, and the TargetOriginId of each relevant behavior should be the group's ID. Then test the behavior itself: make the primary origin return 503 (or temporarily block CloudFront's access to it) and confirm that GET requests through the distribution are still answered from the backup.
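The check and the remediation described in the rule description and in the steps above, as an added example in Python. This is not code from the page or from AWS; it works on the DistributionConfig dict that get-distribution-config (or boto3's get_distribution_config) returns, the SAMPLE_CONFIG is constructed for the demonstration and trimmed to the keys the code touches, and the group ID web-failover-group and the origin IDs PrimaryOrigin and BackupOrigin are assumed names. The check is deliberately stricter than "an origin group exists": it also requires every cache behavior to target the group, because an unreferenced group never fails anything over.

```python
"""Check a CloudFront DistributionConfig for origin failover and add an origin group.

Added example, not part of the original page or of AWS tooling. SAMPLE_CONFIG is a
constructed, trimmed config; a real one carries many more required fields.
"""
import copy

# Status codes CloudFront accepts as failover criteria; 403/404 are also allowed
# but are left out by default because they are often legitimate origin answers.
DEFAULT_FAILOVER_CODES = [500, 502, 503, 504]

# Constructed sample: two origins defined, no origin group, default behavior
# pointed straight at the primary. This is the non-compliant starting state.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Origins": {
        "Quantity": 2,
        "Items": [
            {"Id": "PrimaryOrigin", "DomainName": "primary.example.com"},
            {"Id": "BackupOrigin", "DomainName": "backup.example.com"},
        ],
    },
    "OriginGroups": {"Quantity": 0},  # the API omits Items when Quantity is 0
    "DefaultCacheBehavior": {
        "TargetOriginId": "PrimaryOrigin",
        "ViewerProtocolPolicy": "redirect-to-https",
    },
    "CacheBehaviors": {"Quantity": 0},
    "Enabled": True,
}


def origin_group_ids(config):
    """IDs of origin groups with at least two members; a one-member group cannot fail over."""
    groups = config.get("OriginGroups", {})
    return {
        g["Id"]
        for g in groups.get("Items", [])
        if g.get("Members", {}).get("Quantity", 0) >= 2
    }


def check_origin_failover(config):
    """Return a list of findings; an empty list means the distribution is compliant."""
    groups = origin_group_ids(config)
    if not groups:
        return ["no origin group with two members is configured"]
    targets = [("default", config["DefaultCacheBehavior"]["TargetOriginId"])]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        targets.append((b["PathPattern"], b["TargetOriginId"]))
    return [
        f"behavior {name!r} targets {target!r}, which is not an origin group"
        for name, target in targets
        if target not in groups
    ]


def add_origin_group(config, group_id, primary_id, secondary_id, status_codes=None):
    """Return a copy of config with a new origin group and the default behavior pointed at it.

    Member order matters: the first member is the origin CloudFront tries first.
    """
    codes = list(status_codes or DEFAULT_FAILOVER_CODES)
    new = copy.deepcopy(config)
    defined = {o["Id"] for o in new["Origins"]["Items"]}
    for oid in (primary_id, secondary_id):
        if oid not in defined:
            raise ValueError(f"origin {oid!r} is not defined on the distribution")
    if primary_id == secondary_id:
        raise ValueError("primary and secondary origins must be different")
    group = {
        "Id": group_id,
        "FailoverCriteria": {"StatusCodes": {"Quantity": len(codes), "Items": codes}},
        "Members": {"Quantity": 2, "Items": [{"OriginId": primary_id}, {"OriginId": secondary_id}]},
    }
    groups = new.setdefault("OriginGroups", {})
    groups.setdefault("Items", []).append(group)
    groups["Quantity"] = len(groups["Items"])
    new["DefaultCacheBehavior"]["TargetOriginId"] = group_id
    return new


def remediate_live(distribution_id, group_id, primary_id, secondary_id):
    """Apply add_origin_group to a real distribution.

    Assumes boto3 is installed and AWS credentials are configured; boto3 is imported
    here so the rest of the file runs offline. IfMatch carries the ETag from the read,
    so a concurrent change to the distribution makes the write fail instead of clobbering it.
    """
    import boto3  # assumption: boto3 available

    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    fixed = add_origin_group(current["DistributionConfig"], group_id, primary_id, secondary_id)
    return cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"], DistributionConfig=fixed)


if __name__ == "__main__":
    print("before:", check_origin_failover(SAMPLE_CONFIG))
    fixed = add_origin_group(SAMPLE_CONFIG, "web-failover-group", "PrimaryOrigin", "BackupOrigin")
    print("after: ", check_origin_failover(fixed))
```

To audit an account, call check_origin_failover on each DistributionConfig returned by get_distribution_config and treat any non-empty list as a failing distribution; remediate_live is the write path and should be run only after the backup origin's access controls have been confirmed to match the primary's.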
Conclusion:
By following the AWS Foundational Security Best Practices and configuring origin failover for your CloudFront distributions, you ensure high availability and fault tolerance, enhancing the reliability of your applications. Regular monitoring and troubleshooting, if needed, will help you maintain a robust setup.