- Enable Origin Shield
Ensure that the Origin Shield performance optimization feature is enabled for all your Amazon CloudFront distributions in order to help reduce the load on your distribution's origin, improve its availability, and reduce its operating costs.
This rule can help you with the following compliance standards:
- HIPAA
- NIST4
For further details on compliance standards supported by Conformity, see here.
This rule can help you work with the AWS Well-Architected Framework pillars:
- Performance efficiency
- Cost optimisation
Origin Shield is an additional layer in the Amazon CloudFront caching infrastructure that helps increase your cache hit ratio in order to reduce the load on the distribution origin. Origin Shield also decreases the origin operating costs by collapsing requests across AWS regions so as few as one request goes to your origin per object. The feature can be beneficial for use cases where the website/web application has viewers that are spread across different geographical regions, for distribution origins that provide Just-in-Time (JIT) packaging for live streaming or on-the-fly image processing, or for on-premises origins with capacity or bandwidth constraints.
Audit
To determine if your Amazon CloudFront distributions are using the Origin Shield feature, perform the following operations:
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.
03 In the left navigation panel, under CloudFront, choose Distributions.
04 Click on the name (link) of the active CloudFront distribution that you want to examine. An active distribution has the Status set to Enabled.
05 Select the Origins tab to access the origins created for the selected distribution.
06 Select the distribution origin that you want to examine and choose Edit.
07 On the Edit origin page, check the Enable Origin Shield configuration setting to determine if the feature is enabled for the selected origin. If Enable Origin Shield is set to No, the Origin Shield performance optimization feature is not enabled for the selected Amazon CloudFront distribution origin.
08 Repeat steps no. 6 and 7 for each origin defined for the selected Amazon CloudFront distribution.
09 Repeat steps no. 4 – 8 for each CloudFront distribution available within your AWS cloud account.
Using AWS CLI
01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the ID of each active Amazon CloudFront distribution created in your AWS account:
```shell
aws cloudfront list-distributions --output table --query 'DistributionList.Items[?(Enabled==`true`)].Id'
```
02 The command output should return a table with the requested distribution ID(s):
```
--------------------
|ListDistributions |
+------------------+
|  ABCDABCDABCDAB  |
|  AABBCCDDAABBCC  |
+------------------+
```
03 Run get-distribution-config command (OSX/Linux/UNIX) using the ID of the active Amazon CloudFront distribution that you want to examine as the identifier parameter and custom query filters to describe the Origin Shield feature status for each origin associated with the selected distribution:
```shell
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'DistributionConfig.Origins.Items[*].OriginShield.Enabled'
```
04 The command output should return the requested status (true for enabled, false for disabled):
```json
[
    false
]
```
If the get-distribution-config command output returns false for an origin (or no OriginShield block is present for it), the Origin Shield performance optimization feature is not enabled for that origin of the selected Amazon CloudFront distribution.
05 Repeat steps no. 3 and 4 for each CloudFront distribution deployed in your AWS cloud account.
Remediation / Resolution
To enable and configure the Origin Shield feature for your Amazon CloudFront CDN distributions, perform the following operations:
Using AWS CloudFormation
01 CloudFormation template (JSON):
```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "CloudFrontDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "Comment": "CloudFront CDN Web Distribution",
          "Origins": [
            {
              "Id": "cc-cdn-origin",
              "DomainName": "domain.com",
              "CustomOriginConfig": {
                "OriginProtocolPolicy": "https-only"
              },
              "OriginShield": {
                "Enabled": true,
                "OriginShieldRegion": "us-west-2"
              }
            }
          ],
          "DefaultRootObject": "index.html",
          "DefaultCacheBehavior": {
            "TargetOriginId": "cc-cdn-origin",
            "Compress": true,
            "AllowedMethods": [ "HEAD", "GET" ],
            "DefaultTTL": 0,
            "ForwardedValues": {
              "Cookies": { "Forward": "none" },
              "QueryString": false
            },
            "ViewerProtocolPolicy": "redirect-to-https"
          },
          "HttpVersion": "http2",
          "ViewerCertificate": { "CloudFrontDefaultCertificate": true },
          "PriceClass": "PriceClass_All"
        }
      }
    }
  }
}
```
Note: the DefaultCacheBehavior must reference the origin through TargetOriginId, and a custom (non-S3) origin such as domain.com needs a CustomOriginConfig; the stack fails to create without them.
02 CloudFormation template (YAML):
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: CloudFront CDN Web Distribution
        Origins:
          - Id: cc-cdn-origin
            DomainName: domain.com
            # A custom (non-S3) origin requires a CustomOriginConfig
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
            OriginShield:
              Enabled: true
              OriginShieldRegion: us-west-2
        DefaultRootObject: index.html
        DefaultCacheBehavior:
          # Must match the Id of the origin declared above
          TargetOriginId: cc-cdn-origin
          Compress: true
          AllowedMethods:
            - HEAD
            - GET
          DefaultTTL: 0
          ForwardedValues:
            Cookies:
              Forward: none
            QueryString: false
          ViewerProtocolPolicy: redirect-to-https
        HttpVersion: http2
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
        PriceClass: PriceClass_All
```
Using Terraform (AWS Provider)
01 Terraform configuration file (.tf):
```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 4.0"
    }
  }
  required_version = ">= 0.14.9"
}

provider "aws" {
  profile = "default"
  region  = "us-east-1"
}

resource "aws_cloudfront_distribution" "cloudfront-distribution" {
  enabled             = true
  default_root_object = "index.html"
  comment             = "CloudFront CDN Web Distribution"

  origin {
    domain_name = "domain.com"
    origin_id   = "cc-cdn-origin"

    # A custom (non-S3) origin requires a custom_origin_config block
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }

    # origin_shield is a nested block of origin, not of the distribution
    origin_shield {
      enabled              = true
      origin_shield_region = "us-west-2"
    }
  }

  default_cache_behavior {
    compress         = true
    target_origin_id = "cc-cdn-origin" # must match origin_id above
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
    viewer_protocol_policy = "redirect-to-https"
  }

  # restrictions is a required block for this resource
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  price_class = "PriceClass_All"
}
```
Using AWS Console
01 Sign in to the AWS Management Console.
02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.
03 In the left navigation panel, under CloudFront, choose Distributions.
04 Click on the name of the active CloudFront distribution that you want to reconfigure.
05 Select the Origins tab to access the origins created for the selected distribution.
06 Select the distribution origin that you want to reconfigure and choose Edit.
07 On the Edit origin page, perform the following actions:
- Select Yes under Enable Origin Shield to enable the Origin Shield performance optimization feature for the selected distribution origin.
- Select the AWS region that has the lowest latency to your origin from the Origin Shield region dropdown list. All Origin Shield regions are built using a highly-available architecture that spans several Availability Zones (AZ) and includes automatic failover to secondary Origin Shield regions. For example, if your origin is in US West (N. California – us-west-1) region, enable Origin Shield in US West (Oregon – us-west-2) region.
- Choose Save changes to apply the configuration changes. Once the feature is enabled, Amazon CloudFront will route all origin fetches through Origin Shield, and only make a request to your origin if the content is not already stored in Origin Shield's cache.
08 Repeat steps no. 6 and 7 to enable Origin Shield for each origin associated with the selected Amazon CloudFront distribution.
09 Repeat steps no. 4 – 8 for each active CloudFront distribution available within your AWS cloud account.
Using AWS CLI
01 Run get-distribution-config command (OSX/Linux/UNIX) to extract all the configuration information from the Amazon CloudFront distribution that you want to reconfigure:
```shell
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'DistributionConfig'
```
02 The command output should return the requested configuration information:
```json
{
  "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "Aliases": { "Quantity": 0 },
  "DefaultRootObject": "",
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "cloudconformity.com",
        "DomainName": "cloudconformity.com",
        "OriginPath": "",
        "CustomHeaders": { "Quantity": 0 },
        "CustomOriginConfig": {
          "HTTPPort": 80,
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "http-only",
          "OriginSslProtocols": { "Quantity": 3, "Items": [ "TLSv1", "TLSv1.1", "TLSv1.2" ] },
          "OriginReadTimeout": 30,
          "OriginKeepaliveTimeout": 5
        },
        "ConnectionAttempts": 3,
        "ConnectionTimeout": 10,
        "OriginShield": { "Enabled": false }
      }
    ]
  },
  "OriginGroups": { "Quantity": 0 },
  "DefaultCacheBehavior": {
    "TargetOriginId": "cloudconformity.com",
    "TrustedSigners": { "Enabled": false, "Quantity": 0 },
    "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 },
    "ViewerProtocolPolicy": "allow-all",
    "AllowedMethods": {
      "Quantity": 2,
      "Items": [ "HEAD", "GET" ],
      "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] }
    },
    "SmoothStreaming": false,
    "Compress": true,
    "LambdaFunctionAssociations": { "Quantity": 0 },
    "FunctionAssociations": { "Quantity": 0 },
    "FieldLevelEncryptionId": "",
    "ForwardedValues": {
      "QueryString": false,
      "Cookies": { "Forward": "none" },
      "Headers": { "Quantity": 0 },
      "QueryStringCacheKeys": { "Quantity": 0 }
    },
    "MinTTL": 0,
    "DefaultTTL": 86400,
    "MaxTTL": 31536000
  },
  "CacheBehaviors": {
    "Quantity": 1,
    "Items": [
      {
        "PathPattern": "/images",
        "TargetOriginId": "cloudconformity.com",
        "TrustedSigners": { "Enabled": false, "Quantity": 0 },
        "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 },
        "ViewerProtocolPolicy": "allow-all",
        "AllowedMethods": {
          "Quantity": 2,
          "Items": [ "HEAD", "GET" ],
          "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] }
        },
        "SmoothStreaming": false,
        "Compress": true,
        "LambdaFunctionAssociations": { "Quantity": 0 },
        "FunctionAssociations": { "Quantity": 0 },
        "FieldLevelEncryptionId": "",
        "ForwardedValues": {
          "QueryString": false,
          "Cookies": { "Forward": "none" },
          "Headers": { "Quantity": 0 },
          "QueryStringCacheKeys": { "Quantity": 0 }
        },
        "MinTTL": 0,
        "DefaultTTL": 86400,
        "MaxTTL": 31536000
      }
    ]
  },
  "CustomErrorResponses": { "Quantity": 0 },
  "Comment": "",
  "Logging": { "Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": "" },
  "PriceClass": "PriceClass_100",
  "Enabled": true,
  "ViewerCertificate": {
    "CloudFrontDefaultCertificate": true,
    "MinimumProtocolVersion": "TLSv1",
    "CertificateSource": "cloudfront"
  },
  "Restrictions": { "GeoRestriction": { "RestrictionType": "none", "Quantity": 0 } },
  "WebACLId": "",
  "HttpVersion": "http1.1",
  "IsIPV6Enabled": false
}
```
03 Run get-distribution-config command (OSX/Linux/UNIX) to retrieve the current version of the configuration for the selected distribution (i.e. the ETag), which is required for any subsequent update:
```shell
aws cloudfront get-distribution-config --id ABCDABCDABCDAB --query 'ETag'
```
04 The command output should return the requested information:
```
"AAAABBBBCCCCD"
```
05 Modify the configuration document returned at step no. 2 to enable and configure the Origin Shield feature by adding the "OriginShield" configuration property to each origin listed under the "Origins" object, i.e. "OriginShield": { "Enabled": true, "OriginShieldRegion": "<origin-shield-region>" }, where <origin-shield-region> represents the AWS cloud region that has the lowest latency to your origin (as highlighted in the example below). For example, if your origin is in us-east-1 (US East, N. Virginia) region, set <origin-shield-region> to us-east-2 (US East, Ohio) region. Save the document with the modified distribution configuration to a JSON file named enable-origin-shield.json:
```json
{
  "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "Aliases": { "Quantity": 0 },
  "DefaultRootObject": "",
  "Origins": {
    "Quantity": 1,
    "Items": [
      {
        "Id": "cloudconformity.com",
        "DomainName": "cloudconformity.com",
        "OriginPath": "",
        "CustomHeaders": { "Quantity": 0 },
        "CustomOriginConfig": {
          "HTTPPort": 80,
          "HTTPSPort": 443,
          "OriginProtocolPolicy": "http-only",
          "OriginSslProtocols": { "Quantity": 3, "Items": [ "TLSv1", "TLSv1.1", "TLSv1.2" ] },
          "OriginReadTimeout": 30,
          "OriginKeepaliveTimeout": 5
        },
        "ConnectionAttempts": 3,
        "ConnectionTimeout": 10,
        "OriginShield": {
          "Enabled": true,
          "OriginShieldRegion": "us-east-2"
        }
      }
    ]
  },
  "OriginGroups": { "Quantity": 0 },
  "DefaultCacheBehavior": {
    "TargetOriginId": "cloudconformity.com",
    "TrustedSigners": { "Enabled": false, "Quantity": 0 },
    "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 },
    "ViewerProtocolPolicy": "allow-all",
    "AllowedMethods": {
      "Quantity": 2,
      "Items": [ "HEAD", "GET" ],
      "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] }
    },
    "SmoothStreaming": false,
    "Compress": true,
    "LambdaFunctionAssociations": { "Quantity": 0 },
    "FunctionAssociations": { "Quantity": 0 },
    "FieldLevelEncryptionId": "",
    "ForwardedValues": {
      "QueryString": false,
      "Cookies": { "Forward": "none" },
      "Headers": { "Quantity": 0 },
      "QueryStringCacheKeys": { "Quantity": 0 }
    },
    "MinTTL": 0,
    "DefaultTTL": 86400,
    "MaxTTL": 31536000
  },
  "CacheBehaviors": {
    "Quantity": 1,
    "Items": [
      {
        "PathPattern": "/images",
        "TargetOriginId": "cloudconformity.com",
        "TrustedSigners": { "Enabled": false, "Quantity": 0 },
        "TrustedKeyGroups": { "Enabled": false, "Quantity": 0 },
        "ViewerProtocolPolicy": "allow-all",
        "AllowedMethods": {
          "Quantity": 2,
          "Items": [ "HEAD", "GET" ],
          "CachedMethods": { "Quantity": 2, "Items": [ "HEAD", "GET" ] }
        },
        "SmoothStreaming": false,
        "Compress": true,
        "LambdaFunctionAssociations": { "Quantity": 0 },
        "FunctionAssociations": { "Quantity": 0 },
        "FieldLevelEncryptionId": "",
        "ForwardedValues": {
          "QueryString": false,
          "Cookies": { "Forward": "none" },
          "Headers": { "Quantity": 0 },
          "QueryStringCacheKeys": { "Quantity": 0 }
        },
        "MinTTL": 0,
        "DefaultTTL": 86400,
        "MaxTTL": 31536000
      }
    ]
  },
  "CustomErrorResponses": { "Quantity": 0 },
  "Comment": "",
  "Logging": { "Enabled": false, "IncludeCookies": false, "Bucket": "", "Prefix": "" },
  "PriceClass": "PriceClass_100",
  "Enabled": true,
  "ViewerCertificate": {
    "CloudFrontDefaultCertificate": true,
    "MinimumProtocolVersion": "TLSv1",
    "CertificateSource": "cloudfront"
  },
  "Restrictions": { "GeoRestriction": { "RestrictionType": "none", "Quantity": 0 } },
  "WebACLId": "",
  "HttpVersion": "http1.1",
  "IsIPV6Enabled": false
}
```
06 Run update-distribution command (OSX/Linux/UNIX) using the document modified at the previous step (i.e. enable-origin-shield.json) as the distribution configuration document, to reconfigure the selected Amazon CloudFront distribution in order to enable the Origin Shield feature. The --if-match parameter represents the current version of the configuration (ETag) returned at step no. 4; the update is rejected if the configuration changed in the meantime:
```shell
aws cloudfront update-distribution --id ABCDABCDABCDAB --if-match AAAABBBBCCCCD --distribution-config file://enable-origin-shield.json --query 'Distribution.Status'
```
07 The command output should return the status of the modified CloudFront distribution:
```
"InProgress"
```
08 Repeat steps no. 5 – 7 to enable Origin Shield for each origin associated with the selected Amazon CloudFront distribution.
09 Repeat steps no. 1 – 8 for each active CloudFront distribution deployed in your AWS cloud account.
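The two CLI procedures above (the Origin Shield status check in the Audit section and the configuration edit of remediation step no. 5) as an added example that is not part of the original Conformity page. It works on the DistributionConfig document that get-distribution-config returns; the sample document and its origin Ids are constructed, and it treats an origin with no OriginShield block at all as not enabled, a case the JMESPath query in the audit step silently skips.

```python
import json
from typing import Any

# Constructed sample: a trimmed get-distribution-config result with two origins,
# the second lacking the OriginShield block entirely (older configs omit it).
SAMPLE_CONFIG = json.loads("""
{
  "CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
  "Origins": {
    "Quantity": 2,
    "Items": [
      {"Id": "cloudconformity.com", "DomainName": "cloudconformity.com",
       "OriginShield": {"Enabled": false}},
      {"Id": "legacy-origin", "DomainName": "legacy.example.com"}
    ]
  },
  "Enabled": true
}
""")


def origins_without_shield(config: dict[str, Any]) -> list[str]:
    """Return the Ids of origins whose Origin Shield is disabled or unset.

    Equivalent to the audit query Origins.Items[*].OriginShield.Enabled,
    except that a missing OriginShield block counts as a finding.
    """
    findings = []
    for origin in config.get("Origins", {}).get("Items", []):
        shield = origin.get("OriginShield") or {}
        if not shield.get("Enabled", False):
            findings.append(origin["Id"])
    return findings


def enable_origin_shield(config: dict[str, Any], region: str) -> dict[str, Any]:
    """Return a copy of config with Origin Shield enabled on every origin.

    This is the edit made by hand in remediation step 05; the result is what
    goes into enable-origin-shield.json for update-distribution --if-match.
    """
    updated = json.loads(json.dumps(config))  # deep copy, input stays untouched
    for origin in updated["Origins"]["Items"]:
        origin["OriginShield"] = {"Enabled": True, "OriginShieldRegion": region}
    return updated


if __name__ == "__main__":
    print("Origin Shield not enabled on:", origins_without_shield(SAMPLE_CONFIG))
    print(json.dumps(enable_origin_shield(SAMPLE_CONFIG, "us-east-2")["Origins"], indent=2))
```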
Risk Level: Medium