CloudFront Web Distributions Should Automatically Compress Web Content
More Info:
Amazon CloudFront Content Delivery Network (CDN) distributions should be configured to automatically compress content for web requests in order to increase your web application's performance and reduce bandwidth costs.
Risk Level
Low
Address
Cost Optimization, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of CloudFront web distributions not automatically compressing web content in AWS using the AWS console, please follow the below steps:
- Open the AWS Management Console and navigate to the CloudFront service.
- Select the distribution that needs to be remediated.
- Click on the “Behaviors” tab.
- Click on the “Create Behavior” button.
- In the “Create Behavior” dialog box, set the following values:
  - Path Pattern: *
  - Viewer Protocol Policy: Redirect HTTP to HTTPS
  - Allowed HTTP Methods: GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE
  - Compress Objects Automatically: Yes
  - Cache Based on Selected Request Headers: None
- Click on the “Create” button to create the new behavior.
- Wait for the distribution to update and propagate the changes.
After following these steps, CloudFront web distributions will automatically compress web content.
To remediate the misconfiguration “CloudFront Web Distributions Should Automatically Compress Web Content” for AWS using AWS CLI, follow the below steps:
- Open the AWS CLI on your local machine.
- Run the following command to get the ID of the distribution for which you want to enable automatic compression:
    aws cloudfront list-distributions --query "DistributionList.Items[].{Id:Id,DomainName:DomainName}"
  This will return a list of all your CloudFront distributions along with their IDs and domain names.
- Once you have the distribution ID, run the following command to update the distribution configuration to enable automatic compression:
    aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distribution-config.json
  Replace <distribution-id> with the ID of the distribution you want to update. update-distribution replaces the whole configuration, so distribution-config.json (a placeholder file name) must hold the complete DistributionConfig returned by get-distribution-config for that distribution, with DefaultCacheBehavior.Compress changed to true, and <etag> must be the ETag value returned alongside that configuration.
- After running the above command, the distribution configuration will be updated to enable automatic compression for web content.
- Verify the changes by running the following command:
    aws cloudfront get-distribution --id <distribution-id> --query "Distribution.DistributionConfig.DefaultCacheBehavior"
  This will return the configuration of the default cache behavior for the distribution, which should now have the “Compress” property set to true.
By following the above steps, you can remediate the misconfiguration “CloudFront Web Distributions Should Automatically Compress Web Content” for AWS using AWS CLI.
To remediate the misconfiguration of CloudFront web distributions not automatically compressing web content in AWS using Python, you can follow these steps:
- Import the required AWS SDK modules using the following code:
    import boto3
    from botocore.exceptions import ClientError
- Create a boto3 client for CloudFront using the following code:
    client = boto3.client('cloudfront')
- Get a list of all CloudFront distributions using the following code:
    distributions = []
    try:
        # list_distributions returns a single page of results
        response = client.list_distributions()
        # 'Items' is absent when the account has no distributions
        distributions = response['DistributionList'].get('Items', [])
    except ClientError as e:
        print(e)
- Iterate through each distribution and check if it has a default cache behavior with gzip compression enabled using the following code:
    for distribution in distributions:
        try:
            # The response carries both the full config and its ETag
            response = client.get_distribution_config(Id=distribution['Id'])
            config = response['DistributionConfig']
            if config['DefaultCacheBehavior']['Compress']:
                print(f"Gzip compression is already enabled for {distribution['Id']}")
            else:
                config['DefaultCacheBehavior']['Compress'] = True
                # update_distribution needs the complete config and the ETag just read
                response = client.update_distribution(
                    DistributionConfig=config,
                    Id=distribution['Id'],
                    IfMatch=response['ETag']
                )
                print(f"Gzip compression enabled for {distribution['Id']}")
        except ClientError as e:
            print(e)
- Save the Python script and run it to remediate the misconfiguration.
This script will enable gzip compression for all CloudFront distributions that do not have it enabled by updating the default cache behavior of each distribution.
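The script above checks only DefaultCacheBehavior, but each additional path-pattern behavior under CacheBehaviors.Items carries its own Compress flag. The following added example (not part of the original page) goes beyond the default behavior and audits and fixes every behavior in a DistributionConfig dict; the function names are this example's own, and the sample config is constructed and trimmed to the fields the code reads.

```python
import copy

def _behaviors(config):
    """Yield (label, behavior) for the default and every ordered cache behavior."""
    yield "Default (*)", config["DefaultCacheBehavior"]
    # "Items" is omitted from CacheBehaviors when Quantity is 0.
    for behavior in (config.get("CacheBehaviors") or {}).get("Items", []):
        yield behavior["PathPattern"], behavior

def uncompressed_behaviors(config):
    """Return labels of cache behaviors whose Compress flag is not true."""
    return [label for label, b in _behaviors(config) if not b.get("Compress")]

def with_compression(config):
    """Return a copy of config with Compress enabled on every cache behavior."""
    fixed = copy.deepcopy(config)
    for _, behavior in _behaviors(fixed):
        behavior["Compress"] = True
    return fixed

def remediate(client, distribution_id):
    """Read, fix and push one distribution; return the behaviors changed."""
    response = client.get_distribution_config(Id=distribution_id)
    config = response["DistributionConfig"]
    changed = uncompressed_behaviors(config)
    if changed:
        client.update_distribution(
            Id=distribution_id,
            IfMatch=response["ETag"],  # ETag of the config that was just read
            DistributionConfig=with_compression(config),
        )
    return changed

# Constructed sample, trimmed to the fields read above (not a full config).
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {"TargetOriginId": "web", "Compress": False},
    "CacheBehaviors": {
        "Quantity": 2,
        "Items": [
            {"PathPattern": "/static/*", "TargetOriginId": "web", "Compress": True},
            {"PathPattern": "/api/*", "TargetOriginId": "api", "Compress": False},
        ],
    },
}

if __name__ == "__main__":
    print(uncompressed_behaviors(SAMPLE_CONFIG))
```

To run it against an account, pass boto3.client('cloudfront') and a distribution ID to remediate(); the returned list is empty when nothing needed changing and no update call is made.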