Rule: CloudFront Distributions Encryption in Transit

Ensure CloudFront distributions require encryption for data in transit.

Rule: CloudFront distributions should require encryption in transit
Framework: General Data Protection Regulation (GDPR)
Severity: High

Rule Description:

This rule states that all CloudFront distributions must require encryption in transit to comply with the General Data Protection Regulation (GDPR).

The GDPR is a legal framework that governs the protection and privacy of personal data for individuals within the European Union (EU). Encryption in transit ensures that data transmitted between the CloudFront distribution and end-users remains secure and protected from unauthorized access or interception.

Troubleshooting Steps:

  1. Verify the CloudFront distribution settings:

    • Check if the CloudFront distribution is configured to require encryption in transit.
    • Make sure the SSL/TLS certificate is properly configured for the distribution.

  2. Check the SSL/TLS certificate:

    • Ensure that the SSL/TLS certificate is valid and issued by a trusted certificate authority.
    • Verify that the certificate is correctly associated with the CloudFront distribution.

  3. Test encryption in transit:

    • Access the CloudFront distribution using a browser or a testing tool.
    • Monitor the network traffic to ensure that the data is being transmitted securely via HTTPS.

  4. Review CloudFront access logs:

    • Inspect the CloudFront access logs to check for any unusual patterns or potential security breaches.
    • Look for any requests that are not encrypted and investigate the cause.

  5. Review AWS WAF (Web Application Firewall) settings:

    • Check if AWS WAF is deployed in conjunction with CloudFront.
    • Review the AWS WAF rules and settings to ensure they align with the GDPR requirements.

Necessary Code:

No specific code is required for this rule. However, CloudFront distributions can be configured through the AWS Management Console, the AWS Command Line Interface (CLI), or AWS CloudFormation templates.

Step-by-Step Remediation Guide:

To ensure that CloudFront distributions require encryption in transit for GDPR compliance, follow the steps below:

  1. Sign in to the AWS Management Console.

  2. Open the CloudFront service.

  3. Select the desired CloudFront distribution that needs to be configured.

  4. Click on the "Behaviors" or "Origins and Origin Groups" tab, depending on the CloudFront version.

  5. Inside the behavior settings, ensure that the "Viewer Protocol Policy" is set to "Redirect HTTP to HTTPS" or "HTTPS Only."

  6. Configure the CloudFront distribution to use an SSL/TLS certificate by doing the following:

    • If you already have a certificate, select "Custom SSL Certificate" and choose the appropriate certificate.
    • If you don't have a certificate, select "Request or Import a Certificate with ACM" to generate a new one.

  7. Save the changes made to the CloudFront distribution.

  8. Test the CloudFront distribution by accessing it using a browser or testing tool, ensuring that the connection is using HTTPS.

  9. Monitor the CloudFront access logs regularly to detect any potential issues or security breaches.

  10. If you have AWS WAF deployed, review and adjust the rules and settings to align with GDPR requirements.

By following these steps, you will ensure that your CloudFront distribution requires encryption in transit, complying with the GDPR regulations for data protection and privacy.
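
The viewer protocol policy from step 5 is set per cache behavior, so a distribution can have a compliant default behavior and a path pattern that still serves plain HTTP. The following added example (not Cloud Defense's or AWS's own code) checks every behavior in records shaped like the items of the CloudFront API's `DistributionList`; the sample records and distribution IDs are constructed.

```python
# Added example: flag CloudFront cache behaviors that still accept plain HTTP.
# Field names follow the CloudFront API distribution structure; with boto3,
# records of this shape come from the "list_distributions" paginator
# (page["DistributionList"]["Items"]).

# API values behind "HTTPS Only" and "Redirect HTTP to HTTPS" in the console.
COMPLIANT_POLICIES = {"https-only", "redirect-to-https"}


def insecure_behaviors(dist):
    """Return the path patterns whose ViewerProtocolPolicy permits HTTP."""
    findings = []
    default = dist.get("DefaultCacheBehavior", {})
    if default.get("ViewerProtocolPolicy") not in COMPLIANT_POLICIES:
        findings.append("Default (*)")
    # "Items" is absent when a distribution has no additional behaviors.
    for behavior in dist.get("CacheBehaviors", {}).get("Items") or []:
        if behavior.get("ViewerProtocolPolicy") not in COMPLIANT_POLICIES:
            findings.append(behavior.get("PathPattern", "<unknown>"))
    return findings


def audit(distributions):
    """Map distribution Id -> non-compliant path patterns (compliant ones omitted)."""
    report = {}
    for dist in distributions:
        findings = insecure_behaviors(dist)
        if findings:
            report[dist["Id"]] = findings
    return report


# Constructed sample records; the IDs are placeholders, not real distributions.
SAMPLE_DISTRIBUTIONS = [
    {"Id": "EXAMPLEDIST0001",  # compliant default, one legacy path left open
     "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
     "CacheBehaviors": {"Quantity": 1, "Items": [
         {"PathPattern": "/legacy/*", "ViewerProtocolPolicy": "allow-all"}]}},
    {"Id": "EXAMPLEDIST0002",  # fully compliant
     "DefaultCacheBehavior": {"ViewerProtocolPolicy": "https-only"},
     "CacheBehaviors": {"Quantity": 0}},
    {"Id": "EXAMPLEDIST0003",  # default behavior accepts HTTP
     "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
     "CacheBehaviors": {"Quantity": 0}},
]

if __name__ == "__main__":
    for dist_id, paths in audit(SAMPLE_DISTRIBUTIONS).items():
        print(f"{dist_id}: HTTP allowed on {', '.join(paths)}")
```

Any distribution listed in the report needs step 5 applied to each named behavior, not only the default one.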
