
lacework-global-125

CloudFront Origin Protocol Policy should explicitly set https-only or reflect the viewer policy configuration

Description

Best practices recommend configuring your AWS CloudFront Content Delivery Network (CDN) distributions to use HTTPS for encrypting data while in transit between your origin server and CloudFront.

It is possible to configure an origin to reflect the viewer policy configuration using the Match Viewer setting. Alternatively, the origin can explicitly set its own Origin Protocol Policy to https-only and not inherit the configuration from the viewer policy.

With Match Viewer set, CloudFront connects to the origin using the same protocol the viewer used, so compliance is evaluated against the Viewer Protocol Policy of the cache behaviors that route to that origin. The inherited configuration is compliant when that policy is https-only or redirect-to-https; if any behavior targeting the origin allows all protocols, a plain HTTP viewer request results in a plain HTTP connection to the origin.

Note that if the origin is an Amazon S3 bucket that supports HTTPS communication, CloudFront always uses the protocol the viewer used, which is equivalent to Match Viewer. This setting cannot be changed for such origins, so explicitly setting HTTPS Only is not possible and compliance depends entirely on the viewer policy.

CloudFront CDN distributions are non-compliant if any origin can be reached over unencrypted HTTP: that is, if an origin's protocol policy is http-only, or if it is match-viewer and a cache behavior routing to it has a viewer policy of allow-all.

Note that the configuration of the viewer policy is explicitly covered by lacework-global-129.

Remediation

Set the Distribution Origin Protocol Policy to Match-Viewer and set the Viewer Policy to HTTPS only or Redirect HTTP to HTTPS to inherit this setting. Alternatively, explicitly configure the Origin Protocol Policy to HTTPS Only.

  1. Log in to the AWS Management Console.

  2. Select Services.

  3. Select CloudFront.

  4. Select the Distribution to edit.

  5. Select the Origins tab.

  6. Select the Origin to edit and select Edit.

  7. Under Protocol, select Match Viewer or HTTPS Only.

  8. Select Save changes.
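The following is an added example (not part of the Lacework policy or AWS documentation) that applies the rule above offline to a CloudFront DistributionConfig document, the same JSON the AWS CLI returns under the "DistributionConfig" key of `aws cloudfront get-distribution-config`. It treats S3 bucket origins (those with S3OriginConfig and no CustomOriginConfig) as match-viewer, since their origin protocol cannot be configured, and resolves match-viewer by inspecting every cache behavior that targets the origin. The two sample configurations, distribution IDs, origin names and domain names are constructed for illustration.

```python
"""Offline check for lacework-global-125 against a CloudFront DistributionConfig.

Input shape follows `aws cloudfront get-distribution-config` (the value of the
"DistributionConfig" key). Sample configurations below are constructed, not
taken from a real account.
"""
from typing import List

# Viewer protocol policies under which a match-viewer origin inherits HTTPS.
SECURE_VIEWER_POLICIES = {"https-only", "redirect-to-https"}


def _viewer_policies_for_origin(config: dict, origin_id: str) -> List[str]:
    """Collect the ViewerProtocolPolicy of every cache behavior routing to origin_id."""
    policies = []
    default = config.get("DefaultCacheBehavior", {})
    if default.get("TargetOriginId") == origin_id:
        policies.append(default.get("ViewerProtocolPolicy", "allow-all"))
    for behavior in config.get("CacheBehaviors", {}).get("Items", []):
        if behavior.get("TargetOriginId") == origin_id:
            policies.append(behavior.get("ViewerProtocolPolicy", "allow-all"))
    return policies


def evaluate_origin(config: dict, origin: dict) -> dict:
    """Decide whether CloudFront can ever reach this origin over cleartext HTTP."""
    origin_id = origin["Id"]
    if "CustomOriginConfig" in origin:
        protocol_policy = origin["CustomOriginConfig"].get("OriginProtocolPolicy", "match-viewer")
    else:
        # S3 bucket origins expose no OriginProtocolPolicy; CloudFront always
        # forwards with the protocol the viewer used, i.e. match-viewer.
        protocol_policy = "match-viewer"

    if protocol_policy == "https-only":
        return {"origin": origin_id, "compliant": True,
                "reason": "origin protocol policy is https-only"}
    if protocol_policy == "http-only":
        return {"origin": origin_id, "compliant": False,
                "reason": "origin protocol policy is http-only"}

    # match-viewer: compliance is inherited from every behavior that targets this origin.
    # An origin with no targeting behavior yields no weak policies and is reported compliant.
    viewer_policies = _viewer_policies_for_origin(config, origin_id)
    weak = sorted({p for p in viewer_policies if p not in SECURE_VIEWER_POLICIES})
    if weak:
        return {"origin": origin_id, "compliant": False,
                "reason": f"match-viewer inherits {weak} from cache behavior(s)"}
    return {"origin": origin_id, "compliant": True,
            "reason": "match-viewer inherits HTTPS from all targeting behaviors"}


def evaluate_distribution(config: dict) -> List[dict]:
    """Return one finding per origin in the distribution."""
    return [evaluate_origin(config, o) for o in config.get("Origins", {}).get("Items", [])]


def is_compliant(config: dict) -> bool:
    """True only when every origin passes."""
    return all(f["compliant"] for f in evaluate_distribution(config))


# Constructed sample: a custom origin left at http-only, plus an S3 origin whose
# default behavior accepts cleartext viewers (so match-viewer inherits allow-all).
WEAK_CONFIG = {
    "Origins": {"Items": [
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        {"Id": "assets", "DomainName": "assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "assets", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api",
         "ViewerProtocolPolicy": "redirect-to-https"},
    ]},
}

# The same distribution after remediation: the custom origin is explicitly
# https-only and the S3 origin inherits redirect-to-https from the default behavior.
FIXED_CONFIG = {
    "Origins": {"Items": [
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
        {"Id": "assets", "DomainName": "assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "assets",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api",
         "ViewerProtocolPolicy": "redirect-to-https"},
    ]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, "compliant" if is_compliant(cfg) else "NON-COMPLIANT")
        for finding in evaluate_distribution(cfg):
            print("  ", finding["origin"], finding["compliant"], finding["reason"])
```

Feed it a live configuration with `aws cloudfront get-distribution-config --id <distribution-id> --query DistributionConfig` and pass the parsed JSON to `evaluate_distribution`. The per-origin reason string tells you which of the two remediation paths applies: an http-only custom origin needs its Origin Protocol Policy changed, while a match-viewer finding (including every S3 origin) can only be fixed on the viewer side, which is the subject of lacework-global-129.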

References

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-s3-origin.html