Communication With Viewers Should Be Encrypted Using HTTPS
More Info:
The communication between your Amazon CloudFront CDN distribution and its viewers (end users) should be encrypted using HTTPS in order to secure the delivery of your web application content. In CloudFront this is controlled by the Viewer Protocol Policy of each cache behavior: "allow-all" lets viewers fetch content over plain HTTP, while "redirect-to-https" and "https-only" enforce TLS.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, NIST, GDPR
Triage and Remediation
Remediation
To remediate this misconfiguration in AWS, you can follow the below steps:
- Log in to your AWS console and navigate to the Amazon CloudFront service.
- Click on the distribution ID for which you want to enable HTTPS.
- In the distribution settings, click on the “Behaviors” tab.
- Select the behavior for which you want to enable HTTPS and click on the “Edit” button.
- In the “Edit Behavior” window, scroll down to the “Viewer Protocol Policy” section.
- Select “Redirect HTTP to HTTPS” (or “HTTPS Only”, if plain-HTTP clients should be refused rather than redirected) from the dropdown list.
- Click on the “Yes, Edit” button to save the changes.
- Repeat the previous four steps for every other behavior listed under the “Behaviors” tab, including the default behavior (path pattern “Default (*)”). A single behavior left on “HTTP and HTTPS” still exposes that path over plain HTTP.
- Wait for the changes to propagate. The distribution status shows “In Progress” until the new configuration reaches all edge locations, which may take a few minutes.
- Once the changes are propagated, your CloudFront distribution will be configured to use HTTPS for all viewer communications.
By following these steps, you can remediate the misconfiguration “Communication With Viewers Should Be Encrypted Using HTTPS” in AWS using the AWS console.
To remediate the misconfiguration “Communication With Viewers Should Be Encrypted Using HTTPS” in AWS using AWS CLI, follow these steps:
- Open the AWS CLI on your local machine and fetch the current distribution configuration together with its ETag. The ETag is required by the update command and changes on every update:
aws cloudfront get-distribution-config --id <distribution-id> > dist.json
Note: Replace <distribution-id> with the ID of your CloudFront distribution. The output contains an "ETag" field and a "DistributionConfig" object.
- In the "DistributionConfig" object, set "ViewerProtocolPolicy" to "redirect-to-https" (or "https-only") in "DefaultCacheBehavior" and in every item under "CacheBehaviors". For example:
"DefaultCacheBehavior": {
"TargetOriginId": "<origin-id>",
"ViewerProtocolPolicy": "redirect-to-https",
...
}
Note: The "ViewerCertificate" block ("CloudFrontDefaultCertificate", "MinimumProtocolVersion", "SSLSupportMethod") controls which certificate and TLS versions CloudFront offers on HTTPS connections. It does not stop viewers from connecting over plain HTTP; only "ViewerProtocolPolicy" does, so changing the certificate settings alone does not remediate this finding.
- Save only the "DistributionConfig" object (not the surrounding "ETag" wrapper) to a file, e.g. config.json, and apply it, passing the ETag from the first step:
aws cloudfront update-distribution --id <distribution-id> --distribution-config file://config.json --if-match <etag>
Note: Replace <etag> with the "ETag" value returned by get-distribution-config. If the ETag is stale the call fails with PreconditionFailed; re-run the first step and retry.
- Wait for the CloudFront distribution to deploy the changes. This may take several minutes; aws cloudfront get-distribution --id <distribution-id> shows "Status": "Deployed" when it is done.
- Verify that HTTPS is enforced for viewer communication. Requesting the distribution over plain HTTP, for example with curl -I http://<distribution-domain>/, should return 301 Moved Permanently with an https:// Location header for "redirect-to-https", or 403 Forbidden for "https-only". Visiting the domain name of your CloudFront distribution in a web browser should land on a URL starting with “https://” with the padlock icon shown.
That’s it! You have now remediated the misconfiguration “Communication With Viewers Should Be Encrypted Using HTTPS” in AWS using AWS CLI.
To remediate the misconfiguration “Communication With Viewers Should Be Encrypted Using HTTPS” for AWS using Python, you can automate the same change with the AWS SDK boto3: read the distribution configuration and its ETag, set the viewer protocol policy of the default behavior and of every path-pattern behavior to "redirect-to-https", and write the configuration back. Here’s a sample code:
import boto3
# Initialize the CloudFront client
cloudfront = boto3.client('cloudfront')
# The distribution for which you want to enforce HTTPS
distribution_id = 'YOUR_DISTRIBUTION_ID'
# Get the current configuration and its ETag (the ETag is required for the update)
response = cloudfront.get_distribution_config(Id=distribution_id)
config = response['DistributionConfig']
# Enforce HTTPS on the default behavior and on every additional cache behavior
config['DefaultCacheBehavior']['ViewerProtocolPolicy'] = 'redirect-to-https'
for behavior in config.get('CacheBehaviors', {}).get('Items', []):
    behavior['ViewerProtocolPolicy'] = 'redirect-to-https'
# Save the updated configuration; IfMatch must carry the ETag read above
cloudfront.update_distribution(DistributionConfig=config, Id=distribution_id, IfMatch=response['ETag'])
Note: Replace YOUR_DISTRIBUTION_ID with the actual distribution ID for which you want to enable HTTPS. Setting only "MinimumProtocolVersion" under "ViewerCertificate" does not fix this finding, because that setting only restricts TLS versions on connections that are already HTTPS.
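The CLI and Python sections above both come down to the same rule: every cache behavior, not just the default one, must carry a viewer protocol policy that enforces HTTPS. The following is an added example (not code from the original page or from AWS) that separates the audit from the remediation so it can be run offline against a saved DistributionConfig. The distribution configuration, origin ID and path patterns below are constructed for illustration; the remediate_distribution helper at the end wires the same logic to boto3 and is the only part that needs credentials.

```python
"""Audit and fix the Viewer Protocol Policy of a CloudFront DistributionConfig.

Added example; SAMPLE_CONFIG is a constructed, abridged DistributionConfig.
A real one comes from cloudfront.get_distribution_config(Id=...)['DistributionConfig'].
"""
import copy

# Policies that force TLS between viewers and the CloudFront edge.
COMPLIANT_POLICIES = {"redirect-to-https", "https-only"}

# Constructed sample: the default behavior and one path behavior still allow plain HTTP.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Comment": "constructed sample",
    "Enabled": True,
    "Origins": {"Quantity": 1, "Items": [{"Id": "s3-origin", "DomainName": "bucket.s3.amazonaws.com"}]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "s3-origin",
        "ViewerProtocolPolicy": "allow-all",  # non-compliant
    },
    "CacheBehaviors": {
        "Quantity": 2,
        "Items": [
            {"PathPattern": "/api/*", "TargetOriginId": "s3-origin", "ViewerProtocolPolicy": "https-only"},
            {"PathPattern": "/static/*", "TargetOriginId": "s3-origin", "ViewerProtocolPolicy": "allow-all"},
        ],
    },
}


def iter_behaviors(config):
    """Yield (label, behavior) for the default behavior and every path-pattern behavior."""
    yield "DefaultCacheBehavior", config["DefaultCacheBehavior"]
    for item in config.get("CacheBehaviors", {}).get("Items", []):
        yield f"CacheBehaviors[{item['PathPattern']}]", item


def find_noncompliant(config):
    """Return the labels of behaviors that still let viewers connect over plain HTTP."""
    return [
        label
        for label, behavior in iter_behaviors(config)
        if behavior.get("ViewerProtocolPolicy") not in COMPLIANT_POLICIES
    ]


def enforce_https(config, policy="redirect-to-https"):
    """Return (fixed_config, changed_labels); the input config is left untouched.

    Behaviors that already enforce HTTPS (e.g. https-only) are not downgraded.
    """
    if policy not in COMPLIANT_POLICIES:
        raise ValueError(f"{policy!r} does not enforce HTTPS")
    fixed = copy.deepcopy(config)
    changed = []
    for label, behavior in iter_behaviors(fixed):
        if behavior.get("ViewerProtocolPolicy") not in COMPLIANT_POLICIES:
            behavior["ViewerProtocolPolicy"] = policy
            changed.append(label)
    return fixed, changed


def remediate_distribution(distribution_id, policy="redirect-to-https"):
    """Live remediation: read config and ETag, fix every behavior, write back with IfMatch."""
    import boto3  # imported here so the audit helpers above stay usable offline

    cloudfront = boto3.client("cloudfront")
    response = cloudfront.get_distribution_config(Id=distribution_id)
    fixed, changed = enforce_https(response["DistributionConfig"], policy)
    if changed:  # skip the update (and the new deployment it triggers) when nothing changed
        cloudfront.update_distribution(
            Id=distribution_id, DistributionConfig=fixed, IfMatch=response["ETag"]
        )
    return changed


if __name__ == "__main__":
    print("non-compliant before:", find_noncompliant(SAMPLE_CONFIG))
    fixed_config, changed_labels = enforce_https(SAMPLE_CONFIG)
    print("changed:", changed_labels)
    print("non-compliant after:", find_noncompliant(fixed_config))
```

Run as-is, the script reports the default behavior and the /static/* behavior as non-compliant, fixes both, and leaves the /api/* behavior on its stricter https-only setting. The same find_noncompliant function can be pointed at the "DistributionConfig" object saved by aws cloudfront get-distribution-config to audit a distribution before touching it.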