Vulnerabilities
Misconfiguration
Runtime Security
Compliance
AWS > Cloudfront >

Enforce Https

CRITICAL
Source
Trivy/CSPM
CSPM ID
cloudfront-https-only
ID
AVD-AWS-0012
cloudformation management_console terraform

CloudFront distribution allows unencrypted (HTTP) communications.

Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth. You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

Impact

Follow the appropriate remediation steps below to resolve the issue.

Only allow HTTPS for CloudFront distribution communication

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

Resources:
  GoodExample:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          TargetOriginId: target
          ViewerProtocolPolicy: https-only
        Enabled: true
        Logging:
          Bucket: logging-bucket
        Origins:
          - DomainName: https://some.domain
            Id: somedomain1
        WebACLId: waf_id

  1. Log in to the AWS Management Console.

  2. Select the “Services” option and search for CloudFront. Step

  3. Select the “CloudFront Distribution” that needs to be verified and click on it to open its configuration settings.Step

  4. Click the “Behaviors” tab, select the “Behavior” which needs to be verified and click “Edit” Step

  5. On the Edit Behavior page scroll down to “Viewer” Settings, verify the “Viewer Protocol Policy” and if “HTTP and HTTPS” is selected than CloudFront allows viewers to access your web content using either HTTP or HTTPS. Step

  6. To redirect all HTTP traffic to HTTPS under the “Viewer Protocol Policy” choose “Redirect HTTP to HTTPS” to redirect all HTTP requests to HTTPS.Step

  7. If you want to drop all HTTP traffic then under the “Viewer Protocol Policy” choose “HTTPS Only” so CloudFront allows viewers to access your content only if they’re using HTTPS.Step

  8. Repeat steps number 3 to 7 for all other CloudFront Distributions using HTTP-only listeners.

Only allow HTTPS for CloudFront distribution communication

1
2
3
4
5

resource "aws_cloudfront_distribution" "good_example" {
  default_cache_behavior {
    viewer_protocol_policy = "redirect-to-https"
  }
}
Aqua Security is the largest pure-play cloud native security company, providing customers the freedom to innovate and run their businesses with minimal friction. The Aqua Cloud Native Security Platform provides prevention, detection, and response automation across the entire application lifecycle to secure the build, secure cloud infrastructure and secure running workloads wherever they are deployed.
Copyright © 2024 Aqua Security Software Ltd.   Privacy Policy | Terms of Use