Skip to main content

πŸ“ AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins 🟒

  • Contextual name: πŸ“ Web Distribution does not encrypt traffic to Custom Origins 🟒
  • ID: /ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins
  • Located in: πŸ“ AWS CloudFront

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-3181f3591

Logic​

Description​

Open File

Description​

Ensure that AWS CloudFront Distributions communicating with custom origins enforce end‑to‑end encryption by using HTTPS.

Note: Distributions using Amazon S3 buckets as custom origins for static website hosting are excluded, as those endpoints do not support HTTPS.

Rationale​

Requiring HTTPS between CloudFront edge locations and your origin ensures that data in transit remains confidential and tamper‑proof, mitigating the risk of man‑in‑the‑middle attacks.

Audit​

This policy flags an AWS CloudFront Web Distribution as INCOMPLIANT if at least one custom AWS CloudFront Origin associated with the distribution (excluding S3 static websites as origin) meets one of the following conditions:

  • The Origin's Custom Origin Config Protocol Policy field is set to http-only
  • The Origin's Custom Origin Config Protocol Policy field is set to match-viewer , and at least one associated AWS CloudFront Cache Behavior has the Viewer Protocol Policy field set to allow-all.

If a Web Distribution has no Origins in the CMDB or a custom Origin's Config Protocol Policy is set to match-viewer but there are no related Cache Behaviors in the CMDB, the Distribution is marked as UNDETERMINED.

Remediation​

Open File

Remediation​

From Command Line​

  1. Retrieve the current distribution configuration and capture its ETag:

    aws cloudfront get-distribution-config \
        --id {{distribution-id}} \
        --query 'DistributionConfig' \
        > {{distribution-config}}.json

    ETAG=$(aws cloudfront get-distribution-config \
        --id {{distribution-id}} \
        --query 'ETag' \
        --output text)

  2. In the downloaded {{distribution-config}}.json, modify the origins (items in the Origins array) and set the OriginProtocolPolicy key in CustomOriginConfig to https-only.

  3. Apply the updated configuration to your distribution using the saved ETag:

    aws cloudfront update-distribution \
        --id {{distribution-id}} \
        --if-match $ETAG \
        --distribution-config file://{{distribution-config}}.json

  4. Install an SSL/TLS certificate on your custom origin.

    Important​

    If the origin server presents an expired, invalid, or self-signed certificate, supplies the certificate chain in an incorrect order, or omits any intermediate certificates, CloudFront will terminate the TCP connection immediately, return HTTP status code 502 (Bad Gateway) to the viewer, set the X-Cache header to Error from cloudfront.

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).2122
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.9] CloudFront distributions should encrypt traffic to custom origins11
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption42
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3764
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23675
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2526
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10845
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)1817
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)816
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1624
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)713
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)30
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)117
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)64
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)160
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)739
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)117
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)16
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)24
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)13
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1819
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.14.1.3 Protecting application services transactions1014
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)1022
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1631
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4766
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity2226
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-4: Communications and control networks are protected1022
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events134
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk22
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected114
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected94
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected108
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage66
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό CM-3 (6) CRYPTOGRAPHY MANAGEMENT11
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains3032
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.7-2 Uses Encryption Technologies or Secure Communication Channels to Protect Data68