Origin Access Identity Should Be Enabled For CloudFront Distributions

More Info:

The origin access identity feature should be enabled for all your AWS Cloudfront CDN distributions that utilize an S3 bucket as an origin in order to restrict any direct access to your objects through Amazon S3 URLs.

Risk Level

Medium

Address

Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

Using CLI

To remediate this misconfiguration in AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI on your local machine.
Run the following command to list all the CloudFront distributions in your AWS account:

aws cloudfront list-distributions

Identify the distribution for which the Origin Access Identity should be enabled.
Run the following command to update the distribution configuration and enable Origin Access Identity:

aws cloudfront update-distribution --id <distribution-id> --distribution-config '{"Comment":"", "Origins": {"Quantity":1,"Items":[{"Id":"<origin-id>","DomainName":"<origin-domain-name>","OriginPath":"","CustomHeaders":{"Quantity":0},"S3OriginConfig":{"OriginAccessIdentity":"<origin-access-identity>"},"CustomOriginConfig":{"HTTPPort":80,"HTTPSPort":443,"OriginProtocolPolicy":"http-only","OriginSslProtocols":{"Quantity":3,"Items":["TLSv1","TLSv1.1","TLSv1.2"]},"OriginReadTimeout":30,"OriginKeepaliveTimeout":5}}]},"Enabled":true,"PriceClass":"PriceClass_All","ViewerCertificate":{"CloudFrontDefaultCertificate":true,"MinimumProtocolVersion":"TLSv1","CertificateSource":"cloudfront"},"DefaultRootObject":"","Logging":{"Enabled":false,"IncludeCookies":false,"Bucket":"","Prefix":""},"WebACLId":"","HttpVersion":"http2","IsIPV6Enabled":true}'

Replace the following placeholders with actual values:

<distribution-id>: The ID of the CloudFront distribution.
<origin-id>: The ID of the origin for which Origin Access Identity should be enabled.
<origin-domain-name>: The domain name of the origin for which Origin Access Identity should be enabled.
<origin-access-identity>: The ARN of the Origin Access Identity that should be associated with the origin.

After running the command, the CloudFront distribution configuration will be updated, and Origin Access Identity will be enabled for the specified origin.

Note: Make sure you have the necessary permissions to update the CloudFront distribution configuration.

Using Python

To remediate the misconfiguration “Origin Access Identity should be enabled for CloudFront distributions” in AWS using Python, follow the below steps:

Import the required libraries:

import boto3

Create a CloudFront client:

client = boto3.client('cloudfront')

Get the list of all distributions:

response = client.list_distributions()

Loop through the distributions and check if Origin Access Identity is enabled:

for distribution in response['DistributionList']['Items']:
    if distribution['Enabled'] and not distribution['Origins']['Items'][0]['S3OriginConfig']['OriginAccessIdentity']:
        print(f"Disabling distribution {distribution['Id']}...")
        client.update_distribution(
            DistributionConfig={
                'Id': distribution['Id'],
                'CallerReference': distribution['CallerReference'],
                'Comment': distribution['Comment'],
                'DefaultCacheBehavior': distribution['DefaultCacheBehavior'],
                'Origins': {
                    'Quantity': len(distribution['Origins']['Items']),
                    'Items': [
                        {
                            'Id': distribution['Origins']['Items'][0]['Id'],
                            'DomainName': distribution['Origins']['Items'][0]['DomainName'],
                            'S3OriginConfig': {
                                'OriginAccessIdentity': 'origin-access-identity/cloudfront/XXXXXXXXXXXX'
                            }
                        }
                    ]
                },
                'Enabled': True
            },
            IfMatch=distribution['ETag']
        )

Replace 'origin-access-identity/cloudfront/XXXXXXXXXXXX' with the actual Origin Access Identity that you want to use.
Run the Python script to remediate the misconfiguration.

With these steps, you can remediate the misconfiguration “Origin Access Identity should be enabled for CloudFront distributions” in AWS using Python.

Additional Reading:

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Origin Access Identity Should Be Enabled For CloudFront Distributions

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

​Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading: