CloudFront Distributions Should Have Field-Level Encryption Enabled

More Info:

Field-level encryption should be enabled for your Amazon CloudFront web distributions in order to help protect sensitive data like credit card numbers or social security numbers, and to help protect your data across application services.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate the misconfiguration of CloudFront distributions not having field-level encryption enabled in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine and run the following command to enable field-level encryption for your CloudFront distribution:

aws cloudfront update-distribution --id DISTRIBUTION_ID --field-level-encryption-config Id=FIELD_LEVEL_ENCRYPTION_ID,ForwardWhenContentTypeIsUnknown=true

Replace DISTRIBUTION_ID with the ID of your CloudFront distribution and FIELD_LEVEL_ENCRYPTION_ID with the ID of the field-level encryption configuration that you want to use.

Verify that field-level encryption is enabled for your CloudFront distribution by running the following command:

aws cloudfront get-distribution-config --id DISTRIBUTION_ID

This command will return the current configuration for your CloudFront distribution. Verify that the FieldLevelEncryptionId parameter is set to the ID of the field-level encryption configuration that you specified in step 1.

Test your CloudFront distribution to ensure that field-level encryption is working as expected.

Congratulations! You have now successfully remediated the misconfiguration of CloudFront distributions not having field-level encryption enabled in AWS using AWS CLI.

Using Python

To remediate the misconfiguration “CloudFront Distributions Should Have Field-Level Encryption Enabled” in AWS using Python, you can follow the below steps:

Import the Boto3 library:

import boto3

Create a CloudFront client object:

client = boto3.client('cloudfront')

Get the list of CloudFront distributions:

response = client.list_distributions()

Loop through each distribution and check if field-level encryption is enabled:

for distribution in response['DistributionList']['Items']:
    distribution_id = distribution['Id']
    response = client.get_distribution_config(Id=distribution_id)
    if 'FieldLevelEncryption' not in response['DistributionConfig']:
        # Field-level encryption is not enabled, remediate it

If field-level encryption is not enabled, enable it by adding a field-level encryption configuration:

field_level_encryption_config = {
    'CallerReference': 'unique_reference_string',
    'FieldLevelEncryptionConfig': {
        'FieldLevelEncryptionProfileConfig': {
            'Name': 'profile_name',
            'CallerReference': 'unique_reference_string',
            'EncryptionEntities': {
                'Quantity': 1,
                'Items': [
                    {
                        'PublicKeyId': 'public_key_id',
                        'ProviderId': 'provider_id'
                    }
                ]
            }
        },
        'ContentTypeProfileConfig': {
            'ForwardWhenContentTypeIsUnknown': False,
            'ContentTypeProfiles': {
                'Quantity': 1,
                'Items': [
                    {
                        'Format': 'URLEncoded',
                        'ProfileId': 'profile_id',
                        'ContentType': 'content_type'
                    }
                ]
            }
        }
    }
}
response = client.update_distribution(
    DistributionConfig={
        'CallerReference': 'unique_reference_string',
        'Aliases': {
            'Quantity': 1,
            'Items': [
                'example.com'
            ]
        },
        'DefaultRootObject': 'index.html',
        'Origins': {
            'Quantity': 1,
            'Items': [
                {
                    'Id': 'unique_id',
                    'DomainName': 'example.com',
                    'OriginPath': '',
                    'CustomHeaders': {
                        'Quantity': 0
                    },
                    'S3OriginConfig': {
                        'OriginAccessIdentity': ''
                    },
                    'CustomOriginConfig': {
                        'HTTPPort': 80,
                        'HTTPSPort': 443,
                        'OriginProtocolPolicy': 'https-only',
                        'OriginSslProtocols': {
                            'Quantity': 3,
                            'Items': [
                                'TLSv1',
                                'TLSv1.1',
                                'TLSv1.2'
                            ]
                        }
                    }
                }
            ]
        },
        'DefaultCacheBehavior': {
            'TargetOriginId': 'unique_id',
            'ForwardedValues': {
                'QueryString': False,
                'Cookies': {
                    'Forward': 'none'
                },
                'Headers': {
                    'Quantity': 0
                },
                'QueryStringCacheKeys': {
                    'Quantity': 0
                }
            },
            'TrustedSigners': {
                'Enabled': False,
                'Quantity': 0
            },
            'ViewerProtocolPolicy': 'redirect-to-https',
            'MinTTL': 0,
            'AllowedMethods': {
                'Quantity': 2,
                'Items': [
                    'GET',
                    'HEAD'
                ],
                'CachedMethods': {
                    'Quantity': 2,
                    'Items': [
                        'GET',
                        'HEAD'
                    ]
                }
            },
            'SmoothStreaming': False,
            'DefaultTTL': 86400,
            'MaxTTL': 31536000,
            'Compress': False,
            'LambdaFunctionAssociations': {
                'Quantity': 0
            }
        },
        'CacheBehaviors': {
            'Quantity': 0
        },
        'CustomErrorResponses': {
            'Quantity': 0
        },
        'Comment': '',
        'Logging': {
            'Enabled': False,
            'IncludeCookies': False,
            'Bucket': '',
            'Prefix': ''
        },
        'PriceClass': 'PriceClass_All',
        'Enabled': True,
        'ViewerCertificate': {
            'CloudFrontDefaultCertificate': True,
            'MinimumProtocolVersion': 'TLSv1',
            'CertificateSource': 'cloudfront'
        },
        'Restrictions': {
            'GeoRestriction': {
                'RestrictionType': 'none',
                'Quantity': 0
            }
        },
        'WebACLId': '',
        'HttpVersion': 'http2',
        'IsIPV6Enabled': True,
        'FieldLevelEncryption': field_level_encryption_config
    },
    Id=distribution_id,
    IfMatch=response['ETag']
)

Replace the unique_reference_string, profile_name, public_key_id, provider_id, profile_id, content_type, example.com, unique_id, and bucket_name with the appropriate values for your CloudFront distribution.
Save the Python script and execute it to remediate the “CloudFront Distributions Should Have Field-Level Encryption Enabled” misconfiguration in AWS.

Additional Reading:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

CloudFront Distributions Should Have Field-Level Encryption Enabled

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: