lacework-global-387

CloudFront distributions should not point to non-existent Amazon S3 origins (Automated)

Description

S3 bucket names are global. If a CloudFront distribution in your account has an origin whose domain name refers to an S3 bucket that does not exist (typically because the bucket was deleted while the distribution still referenced it), anyone with an AWS account can create a bucket with that name, and your distribution will then serve their content under your domain. Origin access control does not prevent this: the attacker owns the new bucket and writes its policy, so they can grant the CloudFront service principal whatever access it needs.

Confirm that every origin in each distribution exists, regardless of which cache behaviors route to it, so that your distributions only ever point to buckets you control.
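The following is an added example of the check described above; it is not Lacework's or AWS's own code. The audit logic is pure and runs on a constructed sample (the distribution IDs, bucket names and the `ok`/`forbidden`/`missing` status names are assumptions made for this example); the boto3 wiring at the bottom is likewise assumed and only runs when the file is executed as a script with AWS credentials. It goes slightly beyond the page's case by also flagging buckets that exist but that this account cannot access, since an origin pointing at someone else's bucket is the post-takeover state of the same problem.

```python
"""Find CloudFront origins that reference S3 buckets this account cannot vouch for."""
import re
from typing import Callable, Dict, List, Optional

# Hostname shapes CloudFront accepts for S3 origins: global, regional,
# legacy dashed-region, and static-website endpoints. Bucket names are global,
# so every shape reduces to one question: does bucket <name> exist, and is it ours?
_S3_ORIGIN_HOST = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:-website)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)

# Statuses a bucket probe may return (names chosen for this example). Anything but
# "ok" is a finding: "missing" is the dangling case this control describes,
# "forbidden" means the name exists but this account cannot access it.
BUCKET_STATUSES = ("ok", "forbidden", "missing")


def bucket_from_origin_domain(domain: str) -> Optional[str]:
    """Return the bucket name for an S3 origin domain, or None for a non-S3 origin."""
    match = _S3_ORIGIN_HOST.match(domain.strip().lower())
    return match.group("bucket") if match else None


def audit_s3_origins(distributions: List[dict],
                     bucket_status: Callable[[str], str]) -> List[Dict[str, str]]:
    """Check every origin of every distribution, regardless of cache behaviors.

    `distributions` follows the shape of CloudFront's DistributionSummary
    (Id, Origins.Items[].Id, Origins.Items[].DomainName); `bucket_status`
    maps a bucket name to one of BUCKET_STATUSES.
    """
    findings = []
    for dist in distributions:
        for origin in dist.get("Origins", {}).get("Items", []):
            bucket = bucket_from_origin_domain(origin["DomainName"])
            if bucket is None:
                continue  # custom origin (ALB, API Gateway, ...): out of scope here
            status = bucket_status(bucket)
            if status not in BUCKET_STATUSES:
                raise ValueError(f"unexpected bucket status {status!r}")
            if status != "ok":
                findings.append({"DistributionId": dist["Id"], "OriginId": origin["Id"],
                                 "DomainName": origin["DomainName"],
                                 "Bucket": bucket, "Status": status})
    return findings


# Constructed sample input; IDs and bucket names are made up for this example.
SAMPLE_DISTRIBUTIONS = [
    {"Id": "EDFDVBD6EXAMPLE", "Origins": {"Items": [
        {"Id": "assets", "DomainName": "assets.example-prod.s3.us-east-1.amazonaws.com"},
        {"Id": "legacy", "DomainName": "old-site-2019.s3.amazonaws.com"},
        {"Id": "api", "DomainName": "api.example.com"},
    ]}},
    {"Id": "E2QWRUHEXAMPLE", "Origins": {"Items": [
        {"Id": "site", "DomainName": "marketing-site.s3-website-us-west-2.amazonaws.com"},
    ]}},
]
# Constructed bucket state: "old-site-2019" is absent, i.e. deleted and claimable.
SAMPLE_BUCKET_STATE = {"assets.example-prod": "ok", "marketing-site": "forbidden"}


def sample_findings() -> List[Dict[str, str]]:
    """Run the audit against the constructed sample above."""
    return audit_s3_origins(SAMPLE_DISTRIBUTIONS,
                            lambda name: SAMPLE_BUCKET_STATE.get(name, "missing"))


def boto3_bucket_status(s3_client) -> Callable[[str], str]:
    """Probe with HeadBucket: 200 -> ok, 403 -> forbidden, 404 -> missing (assumed wiring)."""
    from botocore.exceptions import ClientError  # only needed for live runs

    def status(bucket: str) -> str:
        try:
            s3_client.head_bucket(Bucket=bucket)
            return "ok"
        except ClientError as err:
            code = err.response.get("ResponseMetadata", {}).get("HTTPStatusCode")
            if code == 404:
                return "missing"
            if code == 403:
                return "forbidden"
            raise  # anything else (throttling, region redirect) is surfaced, not guessed

    return status


if __name__ == "__main__":
    import boto3  # live run: needs cloudfront:ListDistributions and s3:ListBucket

    cloudfront = boto3.client("cloudfront")
    distributions = [
        item
        for page in cloudfront.get_paginator("list_distributions").paginate()
        for item in page.get("DistributionList", {}).get("Items", [])
    ]
    for finding in audit_s3_origins(distributions, boto3_bucket_status(boto3.client("s3"))):
        print(finding)
```

Running `sample_findings()` reports the `legacy` origin of the first distribution as `missing` and the `site` origin of the second as `forbidden`; the `api` origin is skipped because it is not an S3 hostname. Note that the audit walks `Origins.Items` rather than the cache behaviors, which is what "regardless of routing behavior" means in practice.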

Remediation

Either recreate the bucket the origin refers to and point the origin at it (the steps below), or, if the origin is no longer needed, remove it together with any cache behavior that routes to it. Because bucket names are global, a deleted name may already have been claimed by someone else; in that case you cannot recreate it and must repoint or remove the origin.

From the AWS Console:

  1. Log in to the AWS Management Console.
  2. Click Services.
  3. Select Storage > S3.
  4. Click Create bucket, and create a new bucket for use with the CloudFront distribution.
  5. Once complete, click Services, and select Networking & Content Delivery > CloudFront.
  6. Click Distributions and click the ID of the distribution to update.
  7. Click the Origins tab.
  8. Choose the origin to update and click Edit.
  9. Under Origin domain, select the newly created S3 bucket.
  10. Configure the remaining settings as required and click Save changes.

From CLI:

Create a new S3 bucket. Newly created buckets have ACLs disabled and public access blocked by default, so no ACL flag is needed; outside us-east-1, `create-bucket` also requires `--create-bucket-configuration LocationConstraint=<region>`:

aws s3api create-bucket --region <region> --bucket <bucket_name>

Get the current distribution config and its ETag. `update-distribution` requires the ETag in `--if-match` and rejects the call if it is missing or stale, so capture it in the same step:

aws cloudfront get-distribution-config --id <distribution_id> --query 'DistributionConfig' > <updated_config_file>
aws cloudfront get-distribution-config --id <distribution_id> --query 'ETag' --output text

Edit the saved file so the affected origin's DomainName refers to the new bucket, then update the distribution, passing the file and the ETag:

aws cloudfront update-distribution --id <distribution_id> --if-match <etag> --distribution-config file://<updated_config_file>
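The same remediation as a script, added here as an example; it is not Lacework's or AWS's own code. `retarget_origin` is a pure transformation of a DistributionConfig and is exercised on a constructed config (origin IDs and bucket names are made up); `apply` is the assumed boto3 wiring and shows where the ETag from `get_distribution_config` has to be fed back as `IfMatch`.

```python
"""Repoint one CloudFront origin at a bucket you own, the way UpdateDistribution requires."""
import copy
from typing import Dict


def retarget_origin(config: Dict, origin_id: str, bucket: str, region: str) -> Dict:
    """Return a copy of `config` with origin `origin_id` pointed at `bucket`.

    Uses the regional REST endpoint, which is what an S3 origin expects.
    Raises KeyError if the origin id is unknown, so a typo cannot silently
    leave the dangling origin in place. The input config is not mutated.
    """
    updated = copy.deepcopy(config)
    for origin in updated["Origins"]["Items"]:
        if origin["Id"] == origin_id:
            origin["DomainName"] = f"{bucket}.s3.{region}.amazonaws.com"
            return updated
    raise KeyError(f"origin {origin_id!r} not found in distribution config")


def apply(distribution_id: str, origin_id: str, bucket: str, region: str, cloudfront=None):
    """Fetch config + ETag, rewrite the origin, and submit with IfMatch (assumed boto3 wiring)."""
    import boto3  # live use only; needs cloudfront:GetDistributionConfig/UpdateDistribution

    client = cloudfront or boto3.client("cloudfront")
    current = client.get_distribution_config(Id=distribution_id)
    new_config = retarget_origin(current["DistributionConfig"], origin_id, bucket, region)
    # Without IfMatch the API rejects the update; a stale ETag is rejected too,
    # which is the concurrency guard that stops two operators clobbering each other.
    return client.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                                      DistributionConfig=new_config)


# Constructed sample: a config with one dangling origin and one healthy custom origin.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "legacy", "DomainName": "old-site-2019.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "api", "DomainName": "api.example.com"},
    ]},
}


def sample_retarget() -> Dict:
    """Point the constructed 'legacy' origin at a replacement bucket in us-east-1."""
    return retarget_origin(SAMPLE_CONFIG, "legacy", "old-site-2019-replacement", "us-east-1")
```

Calling `sample_retarget()` yields a config whose `legacy` origin now reads `old-site-2019-replacement.s3.us-east-1.amazonaws.com` while the `api` origin and the original dict are untouched. If the dangling bucket name is still free, the simplest fix is to recreate it under that exact name, in which case `bucket` is the old name and only the region part of the domain may change.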

References

https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-12
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/HowToUpdateDistribution.html
https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html