This rule ensures encryption of traffic to custom origins in CloudFront distributions.
Rule | CloudFront distributions should encrypt traffic to custom origins
Framework | AWS Foundational Security Best Practices
Severity | Medium
CloudFront Distribution Encryption for Custom Origins
Description:
As per the AWS Foundational Security Best Practices, it is recommended to encrypt the traffic between CloudFront distributions and custom origins. This ensures the confidentiality and integrity of the data being transmitted, reducing the risk of unauthorized access or eavesdropping.
Troubleshooting Steps:
If you encounter any issues while encrypting the traffic to custom origins, consider the following troubleshooting steps:
Verify Custom Origin Configuration: Check if the custom origin is properly configured to support HTTPS connections. Ensure that the custom origin supports SSL/TLS certificates and can negotiate TLS handshakes.
SSL/TLS Certificate Validation: Validate the SSL/TLS certificate used by the custom origin. Ensure that the certificate is issued by a trusted certificate authority and is not expired or revoked.
Certificate Chain Validation: Check the certificate chain associated with the SSL/TLS certificate. Make sure all intermediate certificates are properly installed on the custom origin server.
Security Group Configuration: Confirm that the security group associated with the custom origin allows incoming connections on the required HTTPS port (usually port 443) from CloudFront.
Network Access Control List (ACL) Configuration: Review the network ACLs of the subnet that hosts the custom origin. Ensure that the necessary inbound and outbound rules are in place to allow HTTPS traffic from CloudFront's address ranges and the return traffic to them.
Firewall or Proxy Configuration: If a firewall or proxy server is placed between CloudFront and the custom origin, verify that it is correctly configured to allow HTTPS traffic.
Necessary Codes:
The following code snippets demonstrate the necessary configurations for encrypting traffic to custom origins in CloudFront:
CloudFormation Example:
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Origins:
          - Id: CustomOrigin
            DomainName: example.com   # placeholder: the origin's hostname; its certificate must be valid for this name
            CustomOriginConfig:
              HTTPPort: 80
              HTTPSPort: 443
              OriginProtocolPolicy: https-only   # never fall back to plaintext toward the origin
        DefaultCacheBehavior:
          ...
        ...
AWS CLI Example:
aws cloudfront create-distribution \
  --distribution-config file://distribution-config.json \
  --profile your-aws-profile
Ensure you replace distribution-config.json with the desired configuration file path, and your-aws-profile with your specific AWS profile name.
Remediation Steps:
To remediate the lack of encryption between CloudFront distributions and custom origins, follow these steps:
Identify the CloudFront distribution that requires encryption for custom origins using the AWS Management Console or AWS CLI.
Review the custom origin server's configuration to ensure it supports SSL/TLS connections.
Acquire and install an SSL/TLS certificate from a trusted certificate authority for the custom origin server. Alternatively, you can use AWS Certificate Manager (ACM) to provision a certificate when the origin is fronted by an ACM-integrated service such as an Elastic Load Balancer.
Update the CloudFront distribution settings to enforce HTTPS communication with the custom origin. This can be done through the AWS Management Console, the API, or the AWS CLI by setting the OriginProtocolPolicy property to https-only.
Test the encrypted communication between CloudFront and the custom origin to ensure proper functionality.
By following these steps, you will successfully encrypt the traffic between CloudFront distributions and custom origins, adhering to the AWS Foundational Security Best Practices.