CRITICAL
Source
Trivy/CSPM
CSPM ID
cloudfront-https-only
ID
AVD-AWS-0012

CloudFront distribution allows unencrypted (HTTP) communications.

Plain HTTP is unencrypted and human-readable. This means that if a malicious actor was to eavesdrop on your connection, they would be able to see all of your data flowing back and forth.

You should use HTTPS, which is HTTP over an encrypted (TLS) connection, meaning eavesdroppers cannot read your traffic.

Impact

CloudFront is available through an unencrypted connection

Follow the appropriate remediation steps below to resolve the issue.

Only allow HTTPS for CloudFront distribution communication

---
AWSTemplateFormatVersion: "2010-09-09"
Description: A sample template
Resources:
  GoodExample:
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          TargetOriginId: target
          ViewerProtocolPolicy: https-only
        Enabled: true
        Logging:
          Bucket: logging-bucket
        Origins:
          - DomainName: https://some.domain
            Id: somedomain1
        WebACLId: waf_id
    Type: AWS::CloudFront::Distribution

  1. Log into the AWS Management Console.
  2. Select the “Services” option and search for CloudFront.
  3. Select the “CloudFront Distribution” that needs to be verified.
  4. Click the “Distribution Settings” button from the menu to get into the “CloudFront Distribution” configuration page.
  5. Click the “Behaviors” button from the top menu to get into the “Behaviors” configuration page and select the “Behavior” which needs to be verified.
  6. Click the “Edit” button from the “Behaviors” tab on the menu.
  7. On the Default Cache Behavior Settings, verify the “Viewer Protocol Policy”; if “HTTP and HTTPS” is selected, then CloudFront allows viewers to access your web content using either HTTP or HTTPS.
  8. On the “Viewer Protocol Policy” choose “Redirect HTTP to HTTPS” to redirect all HTTP requests to HTTPS.
  9. On the “Viewer Protocol Policy” choose “HTTPS Only” so CloudFront allows viewers to access your content only if they’re using HTTPS.
  10. Repeat steps 5, 6 and 7 to verify whether any other CloudFront Distribution is using HTTP-only listeners.

Only allow HTTPS for CloudFront distribution communication

resource "aws_cloudfront_distribution" "good_example" {
  default_cache_behavior {
    viewer_protocol_policy = "redirect-to-https"
  }
}
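The following is an added example, not code from the AVD page or from Trivy itself: a small stand-alone checker that applies the same rule as this check to a CloudFormation template. It reads the template in its JSON form so it needs only the Python standard library, and it goes slightly beyond the page's CloudFormation example by inspecting every entry of `CacheBehaviors` as well as `DefaultCacheBehavior`, since a distribution that is compliant by default can still expose one path pattern over plain HTTP. The template embedded below is constructed for the example; the resource names and path patterns are assumptions.

```python
"""Added example (not from the AVD page or Trivy): flag CloudFront cache
behaviors that allow plain HTTP, in the spirit of AVD-AWS-0012.

Input is a CloudFormation template in JSON form. Both DefaultCacheBehavior
and each ordered entry of CacheBehaviors are inspected.
"""
import json

# Policies that keep viewer traffic on TLS. "redirect-to-https" still accepts
# an HTTP request but answers with a redirect to HTTPS, so content is never
# served in clear text; "https-only" rejects HTTP outright. "allow-all" is
# the setting this check reports.
SECURE_POLICIES = {"https-only", "redirect-to-https"}

# Constructed sample template (JSON form of a CloudFormation document).
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "GoodExample": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {
                "Enabled": True,
                "DefaultCacheBehavior": {
                    "TargetOriginId": "target",
                    "ViewerProtocolPolicy": "https-only",
                },
                "Origins": [{"DomainName": "some.domain", "Id": "somedomain1"}],
            }},
        },
        "BadExample": {
            "Type": "AWS::CloudFront::Distribution",
            "Properties": {"DistributionConfig": {
                "Enabled": True,
                # Default behavior is compliant...
                "DefaultCacheBehavior": {
                    "TargetOriginId": "target",
                    "ViewerProtocolPolicy": "redirect-to-https",
                },
                # ...but one ordered behavior still allows plain HTTP, and
                # another omits the policy entirely.
                "CacheBehaviors": [
                    {"PathPattern": "/api/*", "TargetOriginId": "target",
                     "ViewerProtocolPolicy": "allow-all"},
                    {"PathPattern": "/static/*", "TargetOriginId": "target"},
                ],
                "Origins": [{"DomainName": "some.domain", "Id": "somedomain1"}],
            }},
        },
        # Unrelated resource types are skipped.
        "NotADistribution": {"Type": "AWS::S3::Bucket", "Properties": {}},
    },
})


def behaviors(dist_config):
    """Yield (label, behavior) for the default and every ordered behavior."""
    default = dist_config.get("DefaultCacheBehavior")
    if default is not None:
        yield "DefaultCacheBehavior", default
    for i, cb in enumerate(dist_config.get("CacheBehaviors", [])):
        yield f"CacheBehaviors[{i}] ({cb.get('PathPattern', '?')})", cb


def find_http_behaviors(template_text):
    """Return [(resource name, behavior label, policy)] for every behavior
    whose ViewerProtocolPolicy is not one of SECURE_POLICIES.

    CloudFormation requires ViewerProtocolPolicy on every behavior, so a
    missing value (reported as None) is treated as a finding rather than
    silently passed: the checker fails closed.
    """
    findings = []
    template = json.loads(template_text)
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::CloudFront::Distribution":
            continue
        cfg = res.get("Properties", {}).get("DistributionConfig", {})
        for label, cb in behaviors(cfg):
            policy = cb.get("ViewerProtocolPolicy")
            if policy not in SECURE_POLICIES:
                findings.append((name, label, policy))
    return findings


if __name__ == "__main__":
    for name, label, policy in find_http_behaviors(SAMPLE_TEMPLATE):
        print(f"{name}: {label} allows plain HTTP (ViewerProtocolPolicy={policy!r})")
```

Run against the embedded template, the checker reports nothing for `GoodExample` and two findings for `BadExample`: the `/api/*` behavior set to `allow-all` and the `/static/*` behavior with no policy at all. The same logic maps directly onto the Terraform example above, where `default_cache_behavior` and each `ordered_cache_behavior` block carry the `viewer_protocol_policy` argument.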