AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
Custom SSL Certificate Should Be Set For Amazon CloudFront Distributions
More Info:
This rule checks whether the certificate associated with an Amazon CloudFront distribution is the default SSL certificate. Using custom SSL certificates enhances security and trust for users accessing content through CloudFront distributions. The rule is marked as non-compliant if a CloudFront distribution uses the default SSL certificate.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution in AWS, you can follow these steps using the AWS Management Console:
-
Sign in to the AWS Management Console:
- Go to https://aws.amazon.com/ and sign in to the AWS Management Console using your credentials.
-
Navigate to Amazon CloudFront service:
- In the AWS Management Console, search for “CloudFront” in the search bar or go to the “Networking & Content Delivery” section and click on “CloudFront”.
-
Select the CloudFront distribution:
- From the list of CloudFront distributions, select the distribution for which you want to set a custom SSL certificate.
-
Edit the distribution settings:
- Click on the distribution ID or domain name to open the distribution settings.
-
Go to the “General” tab:
- In the distribution settings, navigate to the “General” tab where you can view the basic information about the distribution.
-
Edit the SSL certificate settings:
- Scroll down to the “SSL Certificate” section and click on the “Edit” button next to the “Alternate Domain Names (CNAMEs)” field.
-
Choose a custom SSL certificate:
- In the “Custom SSL Certificate” section, select “Custom SSL Certificate” from the drop-down menu.
-
Select or import a custom SSL certificate:
- If you have already uploaded your SSL certificate to AWS Certificate Manager (ACM), select the appropriate certificate from the list.
- If you haven’t uploaded the certificate to ACM, you can click on the “Request or Import a Certificate with ACM” link to upload a new SSL certificate.
-
Save the changes:
- After selecting the custom SSL certificate, click on the “Yes, Edit” button to save the changes.
-
Wait for the distribution to deploy the changes:
- It may take some time for the CloudFront distribution to deploy the changes and propagate them across the edge locations.
By following these steps, you can successfully remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution in AWS.
To remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution using AWS CLI, you can follow these step-by-step instructions:
-
Generate or Import an SSL Certificate:
- First, you need to have an SSL certificate ready. You can either import a certificate into AWS Certificate Manager (ACM) or use a certificate from a third-party Certificate Authority (CA).
-
Get the ARN of the SSL Certificate:
- Use the AWS CLI command to list the SSL certificates in ACM:
aws acm list-certificates - Note down the ARN of the SSL certificate you want to use for CloudFront.
- Use the AWS CLI command to list the SSL certificates in ACM:
-
Update the CloudFront Distribution:
- Use the AWS CLI command to update the CloudFront distribution with the custom SSL certificate:
aws cloudfront update-distribution --id YOUR_DISTRIBUTION_ID --default-cache-behavior ViewerProtocolPolicy=https-only,SSLSupportMethod=sni-only,MinimumProtocolVersion=TLSv1.2_2021,ACMCertificateArn=YOUR_SSL_CERTIFICATE_ARN- Replace
YOUR_DISTRIBUTION_IDwith the ID of your CloudFront distribution. - Replace
YOUR_SSL_CERTIFICATE_ARNwith the ARN of the SSL certificate you noted down earlier.
- Replace
- Use the AWS CLI command to update the CloudFront distribution with the custom SSL certificate:
-
Wait for the Distribution to Deploy:
- After updating the distribution, it may take some time for the changes to propagate. You can check the status of the distribution deployment using the following command:
aws cloudfront get-distribution --id YOUR_DISTRIBUTION_ID --query 'Distribution.DistributionConfig.Enabled' - Wait until the status changes to
true.
- After updating the distribution, it may take some time for the changes to propagate. You can check the status of the distribution deployment using the following command:
-
Verify the SSL Certificate:
- Once the distribution is deployed, you can verify that the custom SSL certificate is set by accessing your CloudFront distribution using HTTPS and checking the SSL certificate details in the browser.
By following these steps, you can remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution using AWS CLI.
To remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution using Python, you can follow these steps:
-
Import necessary libraries: Make sure you have the AWS SDK for Python (Boto3) installed. You can install it using pip:
pip install boto3 -
Configure AWS credentials: Ensure that your AWS credentials are properly configured on your system. You can set them up using the AWS CLI or by setting environment variables.
-
Write Python script: Here is a sample Python script to update the CloudFront distribution with a custom SSL certificate:
import boto3 # Initialize the CloudFront client client = boto3.client('cloudfront') # Specify the CloudFront distribution ID distribution_id = 'YOUR_DISTRIBUTION_ID' # Specify the ARN of the custom SSL certificate certificate_arn = 'YOUR_CERTIFICATE_ARN' # Update the CloudFront distribution with the custom SSL certificate response = client.update_distribution( DistributionConfig={ 'CallerReference': 'YOUR_CALLER_REFERENCE', 'Aliases': { 'Quantity': 1, 'Items': ['YOUR_DOMAIN_NAME'] }, 'DefaultCacheBehavior': { 'ViewerProtocolPolicy': 'redirect-to-https', 'MinTTL': 0, 'TargetOriginId': 'YOUR_ORIGIN_ID' }, 'ViewerCertificate': { 'CloudFrontDefaultCertificate': False, 'ACMCertificateArn': certificate_arn, 'SSLSupportMethod': 'sni-only' }, 'Comment': 'YOUR_COMMENT', 'Enabled': True, 'DefaultRootObject': 'index.html', 'Origins': { 'Quantity': 1, 'Items': [ { 'Id': 'YOUR_ORIGIN_ID', 'DomainName': 'YOUR_ORIGIN_DOMAIN_NAME', 'CustomOriginConfig': { 'HTTPPort': 80, 'HTTPSPort': 443, 'OriginProtocolPolicy': 'https-only' } } ] }, 'PriceClass': 'PriceClass_All', 'DefaultRootObject': 'index.html' }, Id=distribution_id, IfMatch='YOUR_DISTRIBUTION_ETAG' ) print(response) -
Replace placeholders:
- Replace
YOUR_DISTRIBUTION_IDwith the actual CloudFront distribution ID. - Replace
YOUR_CERTIFICATE_ARNwith the ARN of your custom SSL certificate. - Replace other placeholders like
YOUR_DOMAIN_NAME,YOUR_ORIGIN_ID,YOUR_ORIGIN_DOMAIN_NAME,YOUR_CALLER_REFERENCE,YOUR_COMMENT, andYOUR_DISTRIBUTION_ETAGwith actual values.
- Replace
-
Run the script: Save the script to a file (e.g.,
update_cloudfront_ssl.py) and run it using Python:python update_cloudfront_ssl.py
By following these steps, you can remediate the misconfiguration of not having a custom SSL certificate set for an Amazon CloudFront distribution using Python.