Web Applications Should Use CDNs

More Info:

Your web application should be using Amazon Cloudfront Content Distribution Network (CDN) to secure its content delivery to absorb and mitigate potential Distributed Denial of Service (DDoS) attacks and keep the application available for legitimate users.

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

The misconfiguration is that the web application is not using a Content Delivery Network (CDN) which can lead to slower load times and higher latency for users. Here are the step-by-step instructions to remediate this issue for AWS using the AWS console:

Log in to the AWS Management Console.
Navigate to the Amazon CloudFront service.
Click on the “Create Distribution” button.
Select the “Web” option for the type of distribution.
In the “Origin Domain Name” field, enter the domain name of your web application.
In the “Origin Protocol Policy” field, select “HTTPS Only” to ensure that all traffic to your web application is encrypted.
In the “Viewer Protocol Policy” field, select “Redirect HTTP to HTTPS” to ensure that all traffic is encrypted.
In the “Allowed HTTP Methods” field, select “GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE” to allow all necessary HTTP methods.
In the “Price Class” field, select the appropriate price class for your needs.
In the “Alternate Domain Names (CNAMEs)” field, enter any alternate domain names that you want to use for your web application.
In the “Default Root Object” field, enter the name of the default file that should be served when a user accesses your web application.
Click on the “Create Distribution” button to create your CDN distribution.

Once you have completed these steps, your web application will be using a CDN which will improve load times and reduce latency for your users.

To remediate the misconfiguration “Web Applications Should Use CDNs” for AWS using AWS CLI, follow these steps:

Login to AWS CLI using your AWS account credentials.
Identify the web application that needs to be configured with CDN.
Create an S3 bucket that will store the static content of the web application. Use the following AWS CLI command to create an S3 bucket:

aws s3api create-bucket --bucket <bucket-name> --region <region>

Replace <bucket-name> with a unique name for your S3 bucket and <region> with the region where you want to create the bucket.

Upload the static content of the web application to the S3 bucket. Use the following AWS CLI command to upload the files:

aws s3 sync <local-path> s3://<bucket-name> --acl public-read

Replace <local-path> with the local path of the static files and <bucket-name> with the name of the S3 bucket you created in step 3.

Create a CloudFront distribution for the S3 bucket. Use the following AWS CLI command to create a CloudFront distribution:

aws cloudfront create-distribution --origin-domain-name <bucket-name>.s3.amazonaws.com --default-root-object index.html

Replace <bucket-name> with the name of the S3 bucket you created in step 3.

Update the DNS settings of the web application to point to the CloudFront distribution. Use the following AWS CLI command to get the CloudFront distribution domain name:

aws cloudfront get-distribution --id <distribution-id> --query "Distribution.DomainName" --output text

Replace <distribution-id> with the ID of the CloudFront distribution you created in step 5.

Update the DNS settings of the web application to point to the CloudFront distribution domain name obtained in step 6.

By following these steps, you have configured the web application with CDN on AWS.

To remediate the misconfiguration “Web Applications Should Use CDNs” for AWS using Python, you can follow these steps:

Create an AWS CloudFront distribution:

import boto3

cloudfront = boto3.client('cloudfront')

response = cloudfront.create_distribution(
    DistributionConfig={
        'CallerReference': 'unique-id', # unique identifier for the distribution
        'Aliases': {
            'Quantity': 1, # number of CNAMEs (aliases) for the distribution
            'Items': ['example.com'] # list of CNAMEs for the distribution
        },
        'DefaultRootObject': 'index.html', # default object to serve when no path is specified
        'Origins': {
            'Quantity': 1, # number of origins for the distribution
            'Items': [
                {
                    'Id': 'my-s3-bucket', # unique identifier for the origin
                    'DomainName': 'my-s3-bucket.s3.amazonaws.com', # domain name of the S3 bucket
                    'S3OriginConfig': {
                        'OriginAccessIdentity': '' # optional, use if you want to restrict access to the S3 bucket
                    }
                }
            ]
        },
        'DefaultCacheBehavior': {
            'TargetOriginId': 'my-s3-bucket', # unique identifier for the origin
            'ForwardedValues': {
                'QueryString': False, # whether to forward query strings to the origin
                'Cookies': {
                    'Forward': 'none' # whether to forward cookies to the origin
                }
            },
            'TrustedSigners': {
                'Enabled': False, # whether to require signed URLs or cookies
                'Quantity': 0 # number of trusted signers
            },
            'ViewerProtocolPolicy': 'redirect-to-https', # whether to redirect HTTP requests to HTTPS
            'MinTTL': 0 # minimum time-to-live for objects in the cache
        },
        'Comment': 'My CloudFront distribution', # optional comment for the distribution
        'Enabled': True # whether the distribution is enabled
    }
)

distribution_id = response['Distribution']['Id']

Update DNS records:

Once the CloudFront distribution is created, you need to update your DNS records to point to the CloudFront domain name. You can do this by creating a CNAME record in your DNS provider’s control panel that points to the CloudFront domain name.

Test the distribution:

Once the DNS records have propagated, you can test the CloudFront distribution by accessing your web application using the CloudFront domain name. If everything is working correctly, your web application should be served from the CloudFront edge locations, which will improve performance and reduce latency for your users.

Note: Remember to update your web application code to use the CloudFront domain name instead of the S3 bucket URL.

Additional Reading:

https://aws.amazon.com/cloudfront/

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Web Applications Should Use CDNs

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Remediation

Additional Reading:

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

​More Info:

​Risk Level

​Address

​Compliance Standards

​Triage and Remediation

Remediation

​Additional Reading:

More Info:

Risk Level

Address

Compliance Standards

Triage and Remediation

Additional Reading: