Skip to main content

Remediation

From Command Line

Retrieve the current distribution configuration and capture its ETag:

aws cloudfront get-distribution-config \
    --id {{distribution-id}} \
    --query 'DistributionConfig' \
    > {{distribution-config}}.json

ETAG=$(aws cloudfront get-distribution-config \
    --id {{distribution-id}} \
    --query 'ETag' \
    --output text)

In the downloaded {{distribution-config}}.json, modify the origins (items in the Origins array) and set the OriginProtocolPolicy key in CustomOriginConfig to https-only.

Apply the updated configuration to your distribution using the saved ETag:

aws cloudfront update-distribution \
    --id {{distribution-id}} \
    --if-match $ETAG \
    --distribution-config file://{{distribution-config}}.json 

Install an SSL/TLS certificate on your custom origin.

Important

If the origin server presents an expired, invalid, or self-signed certificate, supplies the certificate chain in an incorrect order, or omits any intermediate certificates, CloudFront will terminate the TCP connection immediately, return HTTP status code 502 (Bad Gateway) to the viewer, set the X-Cache header to Error from cloudfront.

From Command Line
- Important