Custom SSL Certificate Should Be Set For Amazon CloudFront Distributions

More Info:

This rule checks whether the certificate associated with an Amazon CloudFront distribution is the default SSL certificate. Using custom SSL certificates enhances security and trust for users accessing content through CloudFront distributions. The rule is marked as non-compliant if a CloudFront distribution uses the default SSL certificate.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution using AWS CLI, you can follow these step-by-step instructions:

Generate or Import an SSL Certificate:
- First, you need to have an SSL certificate ready. You can either import a certificate into AWS Certificate Manager (ACM) or use a certificate from a third-party Certificate Authority (CA).
Get the ARN of the SSL Certificate:
- Use the AWS CLI command to list the SSL certificates in ACM:
  aws acm list-certificates
- Note down the ARN of the SSL certificate you want to use for CloudFront.
Update the CloudFront Distribution:
- Use the AWS CLI command to update the CloudFront distribution with the custom SSL certificate:
  aws cloudfront update-distribution --id YOUR_DISTRIBUTION_ID --default-cache-behavior ViewerProtocolPolicy=https-only,SSLSupportMethod=sni-only,MinimumProtocolVersion=TLSv1.2_2021,ACMCertificateArn=YOUR_SSL_CERTIFICATE_ARN
  - Replace YOUR_DISTRIBUTION_ID with the ID of your CloudFront distribution.
  - Replace YOUR_SSL_CERTIFICATE_ARN with the ARN of the SSL certificate you noted down earlier.
Wait for the Distribution to Deploy:
- After updating the distribution, it may take some time for the changes to propagate. You can check the status of the distribution deployment using the following command:
  aws cloudfront get-distribution --id YOUR_DISTRIBUTION_ID --query 'Distribution.DistributionConfig.Enabled'
- Wait until the status changes to true.
Verify the SSL Certificate:
- Once the distribution is deployed, you can verify that the custom SSL certificate is set by accessing your CloudFront distribution using HTTPS and checking the SSL certificate details in the browser.

By following these steps, you can remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution using AWS CLI.

Using Python

To remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution using Python, you can follow these steps:

Import necessary libraries: Make sure you have the AWS SDK for Python (Boto3) installed. You can install it using pip:
```
pip install boto3
```
Configure AWS credentials: Ensure that your AWS credentials are properly configured on your system. You can set them up using the AWS CLI or by setting environment variables.

Write Python script: Here is a sample Python script to update the CloudFront distribution with a custom SSL certificate:

import boto3

# Initialize the CloudFront client
client = boto3.client('cloudfront')

# Specify the CloudFront distribution ID
distribution_id = 'YOUR_DISTRIBUTION_ID'

# Specify the ARN of the custom SSL certificate
certificate_arn = 'YOUR_CERTIFICATE_ARN'

# Update the CloudFront distribution with the custom SSL certificate
response = client.update_distribution(
    DistributionConfig={
        'CallerReference': 'YOUR_CALLER_REFERENCE',
        'Aliases': {
            'Quantity': 1,
            'Items': ['YOUR_DOMAIN_NAME']
        },
        'DefaultCacheBehavior': {
            'ViewerProtocolPolicy': 'redirect-to-https',
            'MinTTL': 0,
            'TargetOriginId': 'YOUR_ORIGIN_ID'
        },
        'ViewerCertificate': {
            'CloudFrontDefaultCertificate': False,
            'ACMCertificateArn': certificate_arn,
            'SSLSupportMethod': 'sni-only'
        },
        'Comment': 'YOUR_COMMENT',
        'Enabled': True,
        'DefaultRootObject': 'index.html',
        'Origins': {
            'Quantity': 1,
            'Items': [
                {
                    'Id': 'YOUR_ORIGIN_ID',
                    'DomainName': 'YOUR_ORIGIN_DOMAIN_NAME',
                    'CustomOriginConfig': {
                        'HTTPPort': 80,
                        'HTTPSPort': 443,
                        'OriginProtocolPolicy': 'https-only'
                    }
                }
            ]
        },
        'PriceClass': 'PriceClass_All',
        'DefaultRootObject': 'index.html'
    },
    Id=distribution_id,
    IfMatch='YOUR_DISTRIBUTION_ETAG'
)

print(response)

Replace placeholders:
- Replace YOUR_DISTRIBUTION_ID with the actual CloudFront distribution ID.
- Replace YOUR_CERTIFICATE_ARN with the ARN of your custom SSL certificate.
- Replace other placeholders like YOUR_DOMAIN_NAME, YOUR_ORIGIN_ID, YOUR_ORIGIN_DOMAIN_NAME, YOUR_CALLER_REFERENCE, YOUR_COMMENT, and YOUR_DISTRIBUTION_ETAG with actual values.
Run the script: Save the script to a file (e.g., update_cloudfront_ssl.py) and run it using Python:
```
python update_cloudfront_ssl.py
```

By following these steps, you can remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution using Python.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Custom SSL Certificate Should Be Set For Amazon CloudFront Distributions

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation