AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
CloudFront Distributions Should Use HTTPS For Secure Delivery of Web Content
More Info:
The communication between your AWS CloudFront distributions and their custom origins should be encrypted using HTTPS in order to secure the delivery of your web content.
Risk Level
Medium
Address
Security
Compliance Standards
HIPAA, GDPR, AWSWAF
Triage and Remediation
Remediation
Sure, here are the step-by-step instructions to remediate the misconfiguration “CloudFront Distributions Should Use HTTPS For Secure Delivery of Web Content” in AWS using the AWS Console:
- Login to the AWS Management Console.
- Navigate to the CloudFront console.
- Select the distribution(s) that you want to modify.
- Click on the “Edit” button at the top of the page.
- In the “General” tab, under the “Viewer Protocol Policy” section, select “Redirect HTTP to HTTPS”.
- Click on the “Yes, Edit” button to save the changes.
- Wait for the changes to propagate.
Once the changes have propagated, your CloudFront distribution(s) will only allow HTTPS connections for secure delivery of web content.
To remediate the misconfiguration “CloudFront Distributions Should Use HTTPS For Secure Delivery of Web Content” for AWS using AWS CLI, follow the below steps:
-
Login to your AWS account using AWS CLI.
-
Identify the CloudFront distributions that are not using HTTPS for secure delivery of web content. You can use the following command to list all the CloudFront distributions in your account:
aws cloudfront list-distributions -
Once you have identified the CloudFront distribution that is not using HTTPS, you can update it to use HTTPS by using the following command:
aws cloudfront update-distribution --id <distribution_id> --distribution-config file://config.jsonReplace
<distribution_id>with the ID of the CloudFront distribution that you want to update. -
Create a JSON file named
config.jsonand add the following code to it:{ "Comment": "Update CloudFront distribution to use HTTPS", "Enabled": true, "ViewerCertificate": { "ACMCertificateArn": "<ACM_certificate_ARN>", "MinimumProtocolVersion": "TLSv1.2_2018", "SSLSupportMethod": "sni-only" }, "Origins": { "Quantity": 1, "Items": [ { "Id": "<origin_id>", "DomainName": "<origin_domain_name>", "OriginPath": "", "CustomHeaders": { "Quantity": 0 }, "CustomOriginConfig": { "HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "https-only", "OriginSslProtocols": { "Quantity": 3, "Items": [ "TLSv1", "TLSv1.1", "TLSv1.2" ] } } } ] }, "DefaultCacheBehavior": { "TargetOriginId": "<origin_id>", "ViewerProtocolPolicy": "redirect-to-https", "MinTTL": 0, "AllowedMethods": { "Quantity": 7, "Items": [ "HEAD", "DELETE", "POST", "GET", "OPTIONS", "PUT", "PATCH" ], "CachedMethods": { "Quantity": 2, "Items": [ "GET", "HEAD" ] } }, "SmoothStreaming": false, "Compress": true, "LambdaFunctionAssociations": { "Quantity": 0 } }, "PriceClass": "PriceClass_All", "Enabled": true }Replace
<ACM_certificate_ARN>with the ARN of the ACM certificate that you want to use for HTTPS. Replace<origin_id>with the ID of the CloudFront origin that you want to use for HTTPS. Replace<origin_domain_name>with the domain name of the CloudFront origin that you want to use for HTTPS. -
Save the
config.jsonfile and run theaws cloudfront update-distributioncommand to update the CloudFront distribution to use HTTPS. -
Verify that the CloudFront distribution is now using HTTPS by accessing the distribution’s URL in a web browser. The URL should start with
https://.
To remediate the misconfiguration of CloudFront distributions not using HTTPS for secure delivery of web content, you can use the following Python script:
- First, import the necessary AWS SDK for Python (Boto3) libraries:
import boto3
- Next, create a Boto3 client for CloudFront:
cloudfront = boto3.client('cloudfront')
- Then, use the
list_distributions()method to get a list of all CloudFront distributions:
response = cloudfront.list_distributions()
- Loop through the distributions and check if they are using HTTPS:
for distribution in response['DistributionList']['Items']:
if distribution['ViewerCertificate']['CertificateSource'] != 'cloudfront':
print("Distribution {} is not using a CloudFront SSL certificate".format(distribution['Id']))
elif distribution['ViewerCertificate']['MinimumProtocolVersion'] != 'TLSv1.2_2018':
print("Distribution {} is not using TLSv1.2_2018".format(distribution['Id']))
elif distribution['ViewerCertificate']['SSLSupportMethod'] != 'sni-only':
print("Distribution {} is not using SNI-only SSL".format(distribution['Id']))
else:
print("Distribution {} is using HTTPS".format(distribution['Id']))
- If a distribution is not using HTTPS, update its configuration using the
update_distribution()method:
distribution_id = 'YOUR_DISTRIBUTION_ID'
response = cloudfront.get_distribution_config(Id=distribution_id)
config = response['DistributionConfig']
config['ViewerCertificate']['CloudFrontDefaultCertificate'] = True
config['ViewerCertificate']['MinimumProtocolVersion'] = 'TLSv1.2_2018'
config['ViewerCertificate']['SSLSupportMethod'] = 'sni-only'
response = cloudfront.update_distribution(DistributionConfig=config, Id=distribution_id, IfMatch=response['ETag'])
print("Distribution {} has been updated to use HTTPS".format(distribution_id))
Note: Replace YOUR_DISTRIBUTION_ID with the ID of the distribution you want to update.
By following these steps, you can remediate the misconfiguration of CloudFront distributions not using HTTPS for secure delivery of web content in AWS using Python.