Aqua CSPM

CloudFront HTTPS Only

Quick Info

Plugin TitleCloudFront HTTPS Only
CloudAWS
CategoryCloudFront
DescriptionEnsures CloudFront distributions are configured to redirect non-HTTPS traffic to HTTPS.
More InfoFor maximum security, CloudFront distributions can be configured to only accept HTTPS connections or to redirect HTTP connections to HTTPS.
AWS Linkhttp://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/CloudFront.html
Recommended ActionRemove HTTP-only listeners from distributions.

Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for CloudFront.
  3. Select the “CloudFront Distribution” that needs to be verified.
  4. Click the “Distribution Settings” button from menu to get into the “CloudFront Distribution” configuration page.
  5. Click the “Behaviors” button from the top menu to get into the “Behaviors” configuration page and select the “Behavior” which needs to be verified.
  6. Click the “Edit” button from the “Behaviors” tab on the menu.
  7. On the Default Cache Behavior Settings, verify the “Viewer Protocol Policy” and if “HTTP and HTTPS” is selected than CloudFront allows viewers to access your web content using either HTTP or HTTPS.
  8. On the “Viewer Protocol Policy” choose “Redirect HTTP to HTTPS” to redirect all HTTP requests to HTTPS.
  9. On the “Viewer Protocol Policy” choose “HTTPS Only” so CloudFront allows viewers to access your content only if they’re using HTTPS.
  10. Repeat the steps number 5 , 6 and 7 to verify if any other CloudFront Distribution is using HTTP-only listeners.