Skip to main content

πŸ“ AWS CloudFront Web Distribution Cache Behaviors allow unencrypted traffic 🟒

  • Contextual name: πŸ“ Web Distribution Cache Behaviors allow unencrypted traffic 🟒
  • ID: /ce/ca/aws/cloudfront/distribution-unencrypted-cache-behaviors
  • Located in: πŸ“ AWS CloudFront

Flags​

Our Metadata​

  • Policy Type: COMPLIANCE_POLICY
  • Policy Category:
    • SECURITY

Similar Policies​

Similar Internal Rules​

RulePoliciesFlags
βœ‰οΈ dec-x-791dab131

Logic​

Description​

Open File

Description​

This policy checks that all cache behaviors for an AWS CloudFront Web Distribution are configured to enforce encrypted communications by prohibiting the Viewer Protocol Policy from being set to allow-all, which permits unencrypted HTTP traffic.

You can enforce HTTPS-only communications by configuring the Viewer Protocol Policy to one of the following:

  • Redirect HTTP to HTTPS CloudFront listens on both HTTP and HTTPS. Incoming GET and HEAD requests over HTTP receive an HTTPΒ 301 (Moved Permanently) response code with the corresponding HTTPS URL. The viewer then resubmits the request to CloudFront using the HTTPS URL.
  • HTTPS only CloudFront accepts only HTTPS requests. If a client sends an HTTP request, CloudFront responds with HTTPΒ 403 (Forbidden) and does not forward the request to the origin.

Rationale​

Enforcing HTTPS for all communication between viewers and CloudFront protects data in transit from eavesdropping and man-in-the‑middle attacks. Allowing unencrypted HTTP traffic exposes sensitive payloads (e.g., authentication tokens, user credentials, and personal information) to interception and replay.

... see more

Remediation​

Open File

Remediation​

From Command Line​

  1. Retrieve the current distribution configuration and capture its ETag:

    aws cloudfront get-distribution-config \
        --id {{distribution-id}} \
        --query 'DistributionConfig' \
        > {{distribution-config}}.json

    ETAG=$(aws cloudfront get-distribution-config \
        --id {{distribution-id}} \
        --query 'ETag' \
        --output text)

  2. In the downloaded {{distribution-config}}.json, modify the cache behaviors (DefaultCacheBehavior and an item in the CacheBehaviors.Items array) and set the ViewerProtocolPolicy key to either redirect-to-https or https-only.

  3. Apply the updated configuration to your distribution using the saved ETag:

    aws cloudfront update-distribution \
        --id {{distribution-id}} \
        --if-match $ETAG \
        --distribution-config file://{{distribution-config}}.json

policy.yaml​

Open File

Linked Framework Sections​

SectionSub SectionsInternal RulesPoliciesFlags
πŸ’Ό APRA CPG 234 β†’ πŸ’Ό 54 Cryptographic techniques can be used to control access to sensitive data, both in storage and in transit. The strength of the cryptographic techniques deployed would be commensurate with the sensitivity and criticality of the data as well as other supplementary or compensating controls (refer to Attachment E for further guidance).2021
πŸ’Ό AWS Foundational Security Best Practices v1.0.0 β†’ πŸ’Ό [CloudFront.3] CloudFront distributions should require encryption in transit11
πŸ’Ό Cloudaware Framework β†’ πŸ’Ό Data Encryption36
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)3763
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)23471
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-4(4) Flow Control of Encrypted Information (H)2324
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)17
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)18
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)10840
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)22
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)1816
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)815
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)1621
πŸ’Ό FedRAMP High Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)712
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)63
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)8
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)28
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)116
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)15
πŸ’Ό FedRAMP Low Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)21
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-3 Access Enforcement (L)(M)(H)63
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-4 Information Flow Enforcement (M)(H)157
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό AC-17(2) Protection of Confidentiality and Integrity Using Encryption (M)(H)17
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό IA-5(1) Password-based Authentication (L)(M)(H)8
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7 Boundary Protection (L)(M)(H)736
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-7(4) External Telecommunications Services (M)(H)22
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity (L)(M)(H)116
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-8(1) Cryptographic Protection (L)(M)(H)15
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-13 Cryptographic Protection (L)(M)(H)21
πŸ’Ό FedRAMP Moderate Security Controls β†’ πŸ’Ό SC-23 Session Authenticity (M)(H)12
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.10.1.1 Policy on the use of cryptographic controls1718
πŸ’Ό ISO/IEC 27001:2013 β†’ πŸ’Ό A.14.1.3 Protecting application services transactions913
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed1115
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό ID.AM-3: Organizational communication and data flows are mapped47
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.AC-5: Network integrity is protected (e.g., network segregation, network segmentation)921
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-2: Data-in-transit is protected1630
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-5: Protections against data leaks are implemented4464
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity2024
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)225
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities2130
πŸ’Ό NIST CSF v1.1 β†’ πŸ’Ό PR.PT-4: Communications and control networks are protected921
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events129
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό ID.AM-03: Representations of the organization's authorized network communication and internal and external network data flows are maintained43
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.AA-06: Physical access to assets is managed, monitored, and enforced commensurate with risk21
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected107
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-02: The confidentiality, integrity, and availability of data-in-transit are protected89
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.DS-10: The confidentiality, integrity, and availability of data-in-use are protected102
πŸ’Ό NIST CSF v2.0 β†’ πŸ’Ό PR.IR-01: Networks and environments are protected from unauthorized logical access and usage63
πŸ’Ό NIST SP 800-53 Revision 4 β†’ πŸ’Ό CM-7 LEAST FUNCTIONALITY567
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4 Information Flow Enforcement326480
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-4(2) Information Flow Enforcement _ Processing Domains2830
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό AC-17(2) Remote Access _ Protection of Confidentiality and Integrity Using Encryption1217
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό IA-5(1) Authenticator Management _ Password-based Authentication8
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-7(4) Boundary Protection _ External Telecommunications Services22
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8 Transmission Confidentiality and Integrity5815
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(1) Transmission Confidentiality and Integrity _ Cryptographic Protection814
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-8(2) Transmission Confidentiality and Integrity _ Pre- and Post-transmission Handling6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-12(3) Cryptographic Key Establishment and Management _ Asymmetric Keys6
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-13 Cryptographic Protection410
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-23 Session Authenticity56
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SC-23(3) Session Authenticity _ Unique System-generated Session Identifiers5
πŸ’Ό NIST SP 800-53 Revision 5 β†’ πŸ’Ό SI-7(6) Software, Firmware, and Information Integrity _ Cryptographic Protection10
πŸ’Ό PCI DSS v3.2.1 β†’ πŸ’Ό 4.1 Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.1814
πŸ’Ό PCI DSS v4.0.1 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.214
πŸ’Ό PCI DSS v4.0 β†’ πŸ’Ό 4.2.1 Strong cryptography and security protocols are implemented to safeguard PAN during transmission over open, public networks.214
πŸ’Ό SOC 2 β†’ πŸ’Ό CC6.7-2 Uses Encryption Technologies or Secure Communication Channels to Protect Data68