
Rule: CloudFront distributions should encrypt traffic to custom origins

This rule ensures encryption of traffic to custom origins in CloudFront distributions.

Rule: CloudFront distributions should encrypt traffic to custom origins
Framework: AWS Foundational Security Best Practices
Severity: Medium

CloudFront Distribution Encryption for Custom Origins

Description:

The AWS Foundational Security Best Practices recommend encrypting the traffic between a CloudFront distribution and its custom origins. Enforcing HTTPS for viewers only protects the first hop: the request from the CloudFront edge to a custom origin (an ALB, an EC2 instance or a server outside AWS) often crosses the public internet, and with an OriginProtocolPolicy of http-only, or match-viewer combined with a viewer policy of allow-all, that hop can be plaintext. Setting the origin protocol policy to https-only keeps the request and response confidential and tamper-evident end to end and removes the option for an on-path attacker to read or modify origin traffic.

Troubleshooting Steps:

If switching the origin to HTTPS produces 502 errors from CloudFront or failed handshakes, work through the following checks:

  1. Verify Custom Origin Configuration: Confirm that the origin actually listens for TLS on the configured HTTPSPort (443 by default) and can complete a handshake with at least one version listed in OriginSSLProtocols. Note that match-viewer only encrypts the origin request when the viewer used HTTPS; only https-only guarantees encryption on every request.

  2. SSL/TLS Certificate Validation: CloudFront validates the origin's certificate. It must be issued by a publicly trusted certificate authority (self-signed certificates are rejected), it must not be expired, and one of its names must match the origin's DomainName, or the Host header value if the distribution forwards the Host header. A 502 with a certificate error in the response body usually points here.

  3. Certificate Chain Validation: The origin must serve the full chain (leaf plus all intermediates). A missing intermediate fails validation at CloudFront even when a browser that has cached the intermediate still accepts the site, so check what is actually sent on the wire (for example with openssl s_client -connect host:443 -servername host -showcerts) rather than what is installed on disk.

  4. Security Group Configuration: Confirm that the security group on the origin allows inbound connections on the HTTPS port (usually 443) from CloudFront. Rather than maintaining the published CloudFront IP ranges by hand, reference the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing in the security group rule.

  5. Network Access Control List (ACL) Configuration: Review the network ACLs on the origin subnet. Because network ACLs are stateless, they need an inbound rule for the HTTPS port and an outbound rule for the ephemeral port range so that responses to CloudFront are not dropped.

  6. Firewall or Proxy Configuration: If a firewall or reverse proxy sits between CloudFront and the origin, verify that it passes HTTPS traffic and, if it terminates TLS itself, that it presents the trusted certificate and chain described above.

Necessary Codes:

The following code snippets demonstrate the necessary configurations for encrypting traffic to custom origins in CloudFront:

CloudFormation Example:

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Origins:
          - Id: CustomOrigin
            DomainName: example.com
            CustomOriginConfig:
              HTTPPort: 80
              HTTPSPort: 443
              # https-only: every origin request uses TLS regardless of the viewer protocol
              OriginProtocolPolicy: https-only
              # CloudFront also accepts SSLv3, TLSv1 and TLSv1.1 here; offer only TLS 1.2
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: CustomOrigin
          # viewers are redirected to HTTPS too, so no hop is plaintext
          ViewerProtocolPolicy: redirect-to-https
          # ID of the AWS managed "CachingOptimized" cache policy
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6

AWS CLI Example:

aws cloudfront create-distribution \
  --distribution-config file://distribution-config.json \
  --profile your-aws-profile

Replace distribution-config.json with the path to your configuration file and your-aws-profile with your AWS profile name. The file must contain a DistributionConfig object whose custom origins use "OriginProtocolPolicy": "https-only". To change an existing distribution, use aws cloudfront update-distribution instead: it requires the current ETag returned by aws cloudfront get-distribution-config as the --if-match value, and the edited configuration passed the same way.

Remediation Steps:

To remediate unencrypted traffic between a CloudFront distribution and its custom origins, follow these steps:

  1. Identify the distributions that need attention, using the AWS Management Console or the AWS CLI: any custom origin whose OriginProtocolPolicy is http-only, or is match-viewer while a cache behavior routing to it has a ViewerProtocolPolicy of allow-all.

  2. Review the custom origin server's configuration to ensure it supports SSL/TLS connections on the port configured as HTTPSPort.

  3. Acquire and install an SSL/TLS certificate from a trusted certificate authority on the custom origin, with the full intermediate chain. AWS Certificate Manager (ACM) can provision the certificate when the origin is an AWS service integrated with ACM, such as an Application Load Balancer; a self-managed server needs a certificate whose private key you hold.

  4. Update the CloudFront distribution to enforce HTTPS to the origin by setting the OriginProtocolPolicy property to https-only, through the AWS Management Console, the API, or the AWS CLI (update-distribution with the ETag from get-distribution-config). While there, restrict OriginSSLProtocols to TLSv1.2.

  5. Test the encrypted communication between CloudFront and the custom origin: request a path served by that origin through the distribution's domain name, confirm it returns the expected response rather than a 502, and confirm in the origin's access logs that the request arrived over TLS.

By following these steps, you will encrypt the traffic between the CloudFront distribution and its custom origins, adhering to the AWS Foundational Security Best Practices.
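The script below is an added example and is not code from the original page or from Cloud Defense. It performs remediation steps 1 and 4 offline against the DistributionConfig document that aws cloudfront get-distribution-config returns (the same shape that update-distribution consumes from a file): it reports custom origins that can receive plaintext from CloudFront, flags weak OriginSslProtocols, skips S3 origins (which have no OriginProtocolPolicy and are outside this rule), and writes a corrected copy. The function names, the constructed sample configuration and the weak-protocol list are this example's own assumptions, not part of the rule text.

```python
"""Audit a CloudFront DistributionConfig for unencrypted custom-origin traffic
and emit a remediated copy (https-only, TLSv1.2 only).

Usage: python audit_cloudfront_origins.py [saved-get-distribution-config.json]
Without an argument the constructed SAMPLE_CONFIG below is audited.
"""
import copy
import json
import sys

# Assumption: origin-side TLS versions that should not be offered even though
# CloudFront still accepts them in OriginSslProtocols.
WEAK_ORIGIN_TLS = {"SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample in the API's DistributionConfig shape; not a real distribution.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Comment": "constructed sample, not a real distribution",
    "Enabled": True,
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "http-only",
                                "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
        {"Id": "legacy", "DomainName": "legacy.example.com",
         "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                "OriginProtocolPolicy": "match-viewer",
                                "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.2"]}}},
        {"Id": "assets", "DomainName": "assets-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "api",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/old/*", "TargetOriginId": "legacy",
         "ViewerProtocolPolicy": "allow-all"}]},
}


def viewer_policies(config):
    """Map origin Id -> set of ViewerProtocolPolicy values of behaviors routing to it."""
    policies = {}
    behaviors = [config["DefaultCacheBehavior"]]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        policies.setdefault(b["TargetOriginId"], set()).add(b["ViewerProtocolPolicy"])
    return policies


def audit(config):
    """Return (origin_id, reason) findings for custom origins CloudFront may reach in plaintext."""
    findings = []
    vpp = viewer_policies(config)
    for origin in config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3OriginConfig: no OriginProtocolPolicy, not covered by this rule
        oid = origin["Id"]
        policy = custom["OriginProtocolPolicy"]
        if policy == "http-only":
            findings.append((oid, "OriginProtocolPolicy is http-only: origin traffic is never encrypted"))
        elif policy == "match-viewer" and "allow-all" in vpp.get(oid, set()):
            findings.append((oid, "match-viewer behind a viewer policy of allow-all: "
                                  "HTTP viewers produce HTTP origin requests"))
        weak = set(custom.get("OriginSslProtocols", {}).get("Items", [])) & WEAK_ORIGIN_TLS
        if weak:
            findings.append((oid, "weak OriginSslProtocols offered: " + ", ".join(sorted(weak))))
    return findings


def remediate(config):
    """Return a deep copy with every custom origin forced to https-only over TLSv1.2."""
    fixed = copy.deepcopy(config)
    for origin in fixed["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        custom["OriginProtocolPolicy"] = "https-only"
        custom["OriginSslProtocols"] = {"Quantity": 1, "Items": ["TLSv1.2"]}
    return fixed


if __name__ == "__main__":
    cfg = SAMPLE_CONFIG
    if len(sys.argv) > 1:  # saved output of: aws cloudfront get-distribution-config --id ID
        with open(sys.argv[1]) as f:
            doc = json.load(f)
        cfg = doc.get("DistributionConfig", doc)  # accept the full reply or just the config
    for oid, reason in audit(cfg):
        print(f"FAIL origin={oid}: {reason}", file=sys.stderr)
    fixed = remediate(cfg)
    assert audit(fixed) == []
    # stdout holds the corrected DistributionConfig, ready for:
    #   aws cloudfront update-distribution --id ID --if-match ETAG \
    #       --distribution-config file://distribution-config.json
    print(json.dumps(fixed, indent=2))
```

Findings go to stderr and the corrected document to stdout, so the script can be redirected straight into the file passed to update-distribution; the ETag still has to come from the get-distribution-config reply, because the API rejects an update whose --if-match value is stale.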
