Rule: CloudFront Distributions Encryption in Transit
This rule ensures CloudFront distributions require encryption in transit.
| Rule | CloudFront distributions should require encryption in transit |
| Framework | HIPAA |
| Severity | ✔ High |
Rule Description:
This rule/policy ensures that all CloudFront distributions used for handling PHI (Protected Health Information) data in compliance with HIPAA regulations are configured to require encryption in transit. Encryption in transit ensures that data transmitted between the client and the CloudFront edge locations is securely encrypted, protecting it from unauthorized access or interception.
Troubleshooting Steps:
If the encryption in transit requirement is not met, you can follow these troubleshooting steps:
- 1.
Check the CloudFront distribution settings for encryption:
- Login to the AWS Management Console.
- Navigate to the Amazon CloudFront service.
- Select your CloudFront distribution associated with HIPAA data.
- Click on the "Behaviors" tab.
- Ensure that SSL/TLS encryption is configured.
- 2.
Verify that the SSL/TLS certificate used is valid and properly configured:
- Check the certificate's expiration date.
- Make sure the certificate is issued by a trusted certification authority (CA).
- Confirm that the certificate is correctly associated with the CloudFront distribution.
- 3.
Test the encryption in transit:
- Access the CloudFront distribution endpoint (URL) using a web browser over HTTPS.
- Verify that the connection is secure and that the browser displays a valid SSL/TLS certificate without any warning messages.
- 4.
Check the CloudFront distribution's Origin settings:
- Ensure that the origin server (e.g., S3 bucket or custom origin) has its own SSL/TLS encryption enabled.
- Confirm that the CloudFront distribution is properly configured to communicate with the origin server securely.
Necessary Codes:
There are no specific codes required for this rule. However, you might need to modify or update your CloudFront distribution settings.
Step-by-Step Guide for Remediation:
Follow these steps to ensure that the CloudFront distribution requires encryption in transit for HIPAA compliance:
- 1.
Login to the AWS Management Console.
- 2.
Navigate to the Amazon CloudFront service.
- 3.
Select your CloudFront distribution associated with HIPAA data.
- 4.
Click on the "Behaviors" tab.
- 5.
Review the existing settings and ensure that the following options are configured correctly:
Security Policy: Verify that the security policy selected supports encryption in transit according to HIPAA requirements. It is recommended to choose the latest available security policy.
Viewer Protocol Policy: Set it to "Redirect HTTP to HTTPS" to enforce HTTPS communication between clients and CloudFront.
Allowed HTTP Methods: Only allow secure HTTP methods such as GET and HEAD.
Query String Forwarding and Caching: Configure as per your specific application requirements.
HTTPS Only: Enable this option to enforce HTTPS connections only.
- 6.
Review the Origin settings:
- Ensure that the origin server (S3 bucket or custom origin) has SSL/TLS encryption enabled.
- 7.
Save the changes to update the CloudFront distribution configuration.
- 8.
Test the configuration:
- Access your CloudFront distribution using a web browser over HTTPS.
- Verify that the connection is secure and that the browser displays a valid SSL/TLS certificate without any warning messages.
By following these steps, you will ensure that your CloudFront distribution is configured to require encryption in transit for HIPAA compliance.