Use the Conformity Knowledge Base AI to help improve your Cloud Posture

CloudFront Security Policy

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)
Rule ID: CF-006

Ensure that your Amazon CloudFront distributions are using a security policy with minimum TLSv1.2 or TLSv1.3 and appropriate security ciphers for HTTPS viewer connections. A CloudFront security policy determines two settings: the SSL/TLS protocol that Amazon CloudFront uses to communicate with the viewers and the cipher that CloudFront uses to encrypt the content that it returns to viewers. Trend Cloud One™ – Conformity recommends that you use TLSv1.2 (ideally TLSv1.3) as the minimum protocol version for your CloudFront security policies, unless your users are using browsers or devices that do not support TLSv1.2 or later.

Latest recommended policy:

  • TLSv1.2_2021

This rule can help you with the following compliance standards:

  • PCI
  • HIPAA
  • MAS
  • NIST4

For further details on compliance standards supported by Conformity, see here.

This rule can help you work with the AWS Well-Architected Framework.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

Using a predefined security policy that enforces TLS version 1.2 or 1.3 as the minimum protocol version for CloudFront distributions can further improve the security of the websites/web applications that utilize your CDN distributions. For example, if you select a security policy that enforces TLS version 1.1, weak ciphers such as RC4 and 3DES will be automatically excluded.

Note: You can implement improved security policies (with TLSv1.2 and TLSv1.3) only for Amazon CloudFront distributions that use custom SSL certificates to serve HTTPS requests using SNI.


Audit

To determine if your Amazon CloudFront distributions are using improved security policies, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

03 In the left navigation panel, under CloudFront, choose Distributions.

04 Click on the name (link) of the CloudFront distribution that you want to examine.

05 Select the General tab to access the general configuration settings available for the selected distribution and choose Edit.

06 On the Edit settings page, check the Security policy configuration setting to determine the TLS protocol and the specific ciphers that CloudFront uses for HTTPS connections with viewers. If the Security policy is set to a deprecated version such as TLSv1, TLSv1_2016 or TLSv1.1_2016, or a superseded version such as TLSv1.2_2018 or TLSv1.2_2019, the selected Amazon CloudFront distribution is not using an improved (updated) security policy that enforces TLS version 1.2 or 1.3 as the minimum protocol version, therefore the distribution configuration is vulnerable to exploits.

07 Repeat steps no. 4 – 6 for each Amazon CloudFront distribution available within your AWS cloud account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) with custom query filters to list the ID of each Amazon CloudFront distribution created in your AWS account:

aws cloudfront list-distributions
  --output table
  --query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested distribution ID(s):

--------------------
|ListDistributions |
+------------------+
|  ABCDABCDABCDAB  |
|  AABBCCDDAABBCC  |
|  AAAABBBBCCCCDD  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the Amazon CloudFront distribution that you want to examine as the identifier parameter and custom query filters to describe the version of the TLS protocol used by the security policy configured for the selected distribution:

aws cloudfront get-distribution
  --id ABCDABCDABCDAB
  --query 'Distribution.DistributionConfig.ViewerCertificate.MinimumProtocolVersion'

04 The command output should return the requested TLS version actions:

"TLSv1"

If the get-distribution command output returns a deprecated version such as TLSv1, TLSv1_2016 or TLSv1.1_2016, or a superseded version such as TLSv1.2_2018 or TLSv1.2_2019, the selected Amazon Cloudfront distribution is not using an improved security policy that enforces TLS version 1.2 or 1.3 as the minimum protocol version, therefore the distribution configuration is vulnerable to exploits.

05 Repeat steps no. 3 and 4 for each CloudFront distribution deployed in your AWS cloud account.

Remediation / Resolution

To apply security policies that enforce TLS version 1.2 or 1.3 as the minimum protocol version for your Amazon CloudFront distributions, perform the following:

Using AWS CloudFormation

01 CloudFormation template (JSON):

{
	"AWSTemplateFormatVersion": "2010-09-09",
	"Resources": {
		"CloudFrontDistribution": {
			"Type": "AWS::CloudFront::Distribution",
			"Properties": {
				"DistributionConfig": {
					"Enabled": true,
					"Comment": "CloudFront CDN Web Distribution",
					"Origins": [
						{
							"Id": "cc-cdn-origin",
							"DomainName": "domain.com"
						}
					],
					"DefaultRootObject": "index.html",
					"DefaultCacheBehavior": {
						"Compress": true,
						"AllowedMethods": [
							"HEAD",
							"GET"
						],
						"DefaultTTL": 0,
						"ForwardedValues": {
							"Cookies": {
								"Forward": "none"
							},
							"QueryString": false
						},
						"ViewerProtocolPolicy": "redirect-to-https"
					},
					"HttpVersion": "http2",
					"PriceClass": "PriceClass_All",
					"ViewerCertificate": {
						"AcmCertificateArn": "arn:aws:acm:us-east-1:123412341234:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
						"SslSupportMethod": "sni-only",
						"MinimumProtocolVersion": "TLSv1.2_2021"
					}
				}
			}
		}
	}
}

02 CloudFormation template (YAML):

AWSTemplateFormatVersion: '2010-09-09'
	Resources:
	CloudFrontDistribution:
		Type: AWS::CloudFront::Distribution
		Properties:
		DistributionConfig:
			Enabled: true
			Comment: CloudFront CDN Web Distribution
			Origins:
			- Id: cc-cdn-origin
				DomainName: domain.com
			DefaultRootObject: index.html
			DefaultCacheBehavior:
			Compress: true
			AllowedMethods:
				- HEAD
				- GET
			DefaultTTL: 0
			ForwardedValues:
				Cookies:
				Forward: none
				QueryString: false
			ViewerProtocolPolicy: redirect-to-https
			HttpVersion: http2
			PriceClass: PriceClass_All
			ViewerCertificate:
			AcmCertificateArn: arn:aws:acm:us-east-1:123412341234:certificate/abcd1234-abcd-1234-abcd-1234abcd1234
			SslSupportMethod: sni-only
			MinimumProtocolVersion: TLSv1.2_2021

Using Terraform (AWS Provider)

01 Terraform configuration file (.tf):

terraform {
	required_providers {
		aws = {
			source  = "hashicorp/aws"
			version = "~> 4.0"
		}
	}

	required_version = ">= 0.14.9"
}

provider "aws" {
	profile = "default"
	region  = "us-east-1"
}

resource "aws_cloudfront_distribution" "cloudfront-distribution" {

	enabled             = true
	default_root_object = "index.html"
	comment             = "CloudFront CDN Web Distribution"

	origin {
		domain_name = "domain.com"
		origin_id   = "cc-cdn-origin"
	}

	default_cache_behavior {
		compress         = true
		target_origin_id = "cc-domain-origin"
		allowed_methods  = ["GET", "HEAD"]
		cached_methods   = ["GET", "HEAD"]
		forwarded_values {
			query_string = false
			cookies {
				forward = "none"
			}
		}
		min_ttl                = 0
		default_ttl            = 3600
		max_ttl                = 86400
		viewer_protocol_policy = "redirect-to-https"
	}

	price_class = "PriceClass_All"

	viewer_certificate {
		acm_certificate_arn            = "arn:aws:acm:us-east-1:123412341234:certificate/abcd1234-abcd-1234-abcd-1234abcd1234"
		ssl_support_method             = "sni-only"
		minimum_protocol_version       = "TLSv1.2_2021"
	}

}

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/v3/.

03 In the left navigation panel, under CloudFront, choose Distributions.

04 Click on the name of the Amazon CloudFront distribution that you want to reconfigure.

05 Select the General tab to access the general configuration settings available for the selected distribution and choose Edit.

06 On the Edit settings page, under Security policy, select TLSv1.2_2021 (recommended) from the list of TLS protocol versions supported by Amazon CloudFront. Choose Save changes to apply the changes.

07 If required, repeat steps no. 4 – 6 to change the security policy for each Amazon CloudFront distribution available within your AWS cloud account.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) to extract all the configuration information from the Amazon CloudFront distribution that you want to reconfigure:

aws cloudfront get-distribution-config
  --id ABCDABCDABCDAB
  --query 'DistributionConfig'

02 The command output should return the requested configuration information:

{
	"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "cloudconformity.com",
				"DomainName": "cloudconformity.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"CustomOriginConfig": {
					"HTTPPort": 80,
					"HTTPSPort": 443,
					"OriginProtocolPolicy": "https-only",
					"OriginSslProtocols": {
						"Quantity": 1,
						"Items": [
							"TLSv1.2"
						]
					},
					"OriginReadTimeout": 30,
					"OriginKeepaliveTimeout": 5
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				}
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "cloudconformity.com",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "allow-all",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "",
		"ForwardedValues": {
			"QueryString": false,
			"Cookies": {
				"Forward": "none"
			},
			"Headers": {
				"Quantity": 0
			},
			"QueryStringCacheKeys": {
				"Quantity": 0
			}
		},
		"MinTTL": 0,
		"DefaultTTL": 86400,
		"MaxTTL": 31536000
	},
	"CacheBehaviors": {
		"Quantity": 1,
		"Items": [
			{
				"PathPattern": "/images",
				"TargetOriginId": "cloudconformity.com",
				"TrustedSigners": {
					"Enabled": false,
					"Quantity": 0
				},
				"TrustedKeyGroups": {
					"Enabled": false,
					"Quantity": 0
				},
				"ViewerProtocolPolicy": "allow-all",
				"AllowedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					],
					"CachedMethods": {
						"Quantity": 2,
						"Items": [
							"HEAD",
							"GET"
						]
					}
				},
				"SmoothStreaming": false,
				"Compress": true,
				"LambdaFunctionAssociations": {
					"Quantity": 0
				},
				"FunctionAssociations": {
					"Quantity": 0
				},
				"FieldLevelEncryptionId": "",
				"ForwardedValues": {
					"QueryString": false,
					"Cookies": {
						"Forward": "none"
					},
					"Headers": {
						"Quantity": 0
					},
					"QueryStringCacheKeys": {
						"Quantity": 0
					}
				},
				"MinTTL": 0,
				"DefaultTTL": 86400,
				"MaxTTL": 31536000
			}
		]
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": false,
		"IncludeCookies": false,
		"Bucket": "",
		"Prefix": ""
	},
	"PriceClass": "PriceClass_100",
	"Enabled": true,
	"ViewerCertificate": {
		"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"SSLSupportMethod": "sni-only",
		"MinimumProtocolVersion": "TLSv1",
		"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"CertificateSource": "acm"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"WebACLId": "",
	"HttpVersion": "http1.1",
	"IsIPV6Enabled": false
}

03 Run get-distribution-config command (OSX/Linux/UNIX) to describe the current version of the configuration available for the selected distribution (i.e. eTag):

aws cloudfront get-distribution-config
  --id ABCDABCDABCDAB
  --query 'ETag'

04 The command output should return the requested information:

"AAAABBBBCCCCD"

05 Modify the configuration document returned at step no. 2 to change the security policy implemented for the selected CloudFront distribution. Set "MinimumProtocolVersion" to "TLSv1.2_2021" in order to use the latest TLS version supported by Amazon CloudFront. Save the document with the modified distribution configuration (highlighted) to a JSON file named compliant-security-policy.json:

{
	"CallerReference": "abcd1234-abcd-1234-abcd-1234abcd1234",
	"Aliases": {
		"Quantity": 0
	},
	"DefaultRootObject": "",
	"Origins": {
		"Quantity": 1,
		"Items": [
			{
				"Id": "cloudconformity.com",
				"DomainName": "cloudconformity.com",
				"OriginPath": "",
				"CustomHeaders": {
					"Quantity": 0
				},
				"CustomOriginConfig": {
					"HTTPPort": 80,
					"HTTPSPort": 443,
					"OriginProtocolPolicy": "https-only",
					"OriginSslProtocols": {
						"Quantity": 1,
						"Items": [
							"TLSv1.2"
						]
					},
					"OriginReadTimeout": 30,
					"OriginKeepaliveTimeout": 5
				},
				"ConnectionAttempts": 3,
				"ConnectionTimeout": 10,
				"OriginShield": {
					"Enabled": false
				}
			}
		]
	},
	"OriginGroups": {
		"Quantity": 0
	},
	"DefaultCacheBehavior": {
		"TargetOriginId": "cloudconformity.com",
		"TrustedSigners": {
			"Enabled": false,
			"Quantity": 0
		},
		"TrustedKeyGroups": {
			"Enabled": false,
			"Quantity": 0
		},
		"ViewerProtocolPolicy": "allow-all",
		"AllowedMethods": {
			"Quantity": 2,
			"Items": [
				"HEAD",
				"GET"
			],
			"CachedMethods": {
				"Quantity": 2,
				"Items": [
					"HEAD",
					"GET"
				]
			}
		},
		"SmoothStreaming": false,
		"Compress": true,
		"LambdaFunctionAssociations": {
			"Quantity": 0
		},
		"FunctionAssociations": {
			"Quantity": 0
		},
		"FieldLevelEncryptionId": "",
		"ForwardedValues": {
			"QueryString": false,
			"Cookies": {
				"Forward": "none"
			},
			"Headers": {
				"Quantity": 0
			},
			"QueryStringCacheKeys": {
				"Quantity": 0
			}
		},
		"MinTTL": 0,
		"DefaultTTL": 86400,
		"MaxTTL": 31536000
	},
	"CacheBehaviors": {
		"Quantity": 1,
		"Items": [
			{
				"PathPattern": "/images",
				"TargetOriginId": "cloudconformity.com",
				"TrustedSigners": {
					"Enabled": false,
					"Quantity": 0
				},
				"TrustedKeyGroups": {
					"Enabled": false,
					"Quantity": 0
				},
				"ViewerProtocolPolicy": "allow-all",
				"AllowedMethods": {
					"Quantity": 2,
					"Items": [
						"HEAD",
						"GET"
					],
					"CachedMethods": {
						"Quantity": 2,
						"Items": [
							"HEAD",
							"GET"
						]
					}
				},
				"SmoothStreaming": false,
				"Compress": true,
				"LambdaFunctionAssociations": {
					"Quantity": 0
				},
				"FunctionAssociations": {
					"Quantity": 0
				},
				"FieldLevelEncryptionId": "",
				"ForwardedValues": {
					"QueryString": false,
					"Cookies": {
						"Forward": "none"
					},
					"Headers": {
						"Quantity": 0
					},
					"QueryStringCacheKeys": {
						"Quantity": 0
					}
				},
				"MinTTL": 0,
				"DefaultTTL": 86400,
				"MaxTTL": 31536000
			}
		]
	},
	"CustomErrorResponses": {
		"Quantity": 0
	},
	"Comment": "",
	"Logging": {
		"Enabled": false,
		"IncludeCookies": false,
		"Bucket": "",
		"Prefix": ""
	},
	"PriceClass": "PriceClass_100",
	"Enabled": true,
	"ViewerCertificate": {
		"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"SSLSupportMethod": "sni-only",
		"MinimumProtocolVersion": "TLSv1.2_2021",
		"Certificate": "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-abcd-1234-abcd-1234abcd1234",
		"CertificateSource": "acm"
	},
	"Restrictions": {
		"GeoRestriction": {
			"RestrictionType": "none",
			"Quantity": 0
		}
	},
	"WebACLId": "",
	"HttpVersion": "http1.1",
	"IsIPV6Enabled": false
}

06 Run update-distribution command (OSX/Linux/UNIX) using the document modified at the previous step (i.e. improved-security-policy.json) as the distribution configuration document, to reconfigure the selected Amazon CloudFront distribution in order to upgrade the security group associated with the distribution. --if-match parameter represents the current version of the configuration, returned at step no. 4:

aws cloudfront update-distribution
  --id ABCDABCDABCDAB
  --if-match AAAABBBBCCCCD
  --distribution-config file://improved-security-policy.json
  --query 'Distribution.Status'

07 The command output should return the status of the modified CloudFront distribution:

"InProgress"

08 If required, repeat steps no. 1 – 7 to change the security policy for each Amazon CloudFront distribution deployed in your AWS cloud account.

References

Publication date Oct 14, 2016