HTTPS Should Be Enabled on CloudFront Distributions
More Info:
CloudFront distributions should have HTTPS enabled.
Risk Level
Medium
Address
Security
Compliance Standards
HITRUST, SOC2, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the HTTPS misconfiguration on CloudFront distributions using the AWS console, follow these steps:
- Log in to the AWS Management Console.
- Navigate to the CloudFront service.
- Click on the ID of the distribution you want to remediate.
- Click on the “Behaviors” tab.
- Select the behavior that requires HTTPS.
- Click on the “Edit” button.
- In the “Viewer Protocol Policy” section, select “Redirect HTTP to HTTPS”.
- Click on the “Yes, Edit” button to save the changes.
Once the above steps are completed, HTTPS will be enabled on the CloudFront distribution. If you have multiple distributions, you will need to repeat these steps for each of them.
To remediate this misconfiguration using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine or on an EC2 instance.
- Run the following commands to enable HTTPS on your CloudFront distribution. The viewer protocol policy is part of the distribution configuration, so first export the current configuration:

    aws cloudfront get-distribution-config --id <distribution-id> --output json > current.json

  Save the DistributionConfig object from current.json as config.json, set ViewerProtocolPolicy to redirect-to-https in DefaultCacheBehavior (and in any entry under CacheBehaviors that should require HTTPS), then apply it:

    aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://config.json

  Note: Replace <distribution-id> with the ID of your CloudFront distribution and <etag> with the ETag value from current.json.
- Wait for the distribution to update. This might take a few minutes.
- Run the following command to verify that HTTPS is enabled:

    aws cloudfront get-distribution --id <distribution-id> --query 'Distribution.DistributionConfig.DefaultCacheBehavior.ViewerProtocolPolicy' --output text

  Note: This command should return “redirect-to-https” to indicate that HTTPS is enabled.
- Repeat the above steps for all of your CloudFront distributions.
By following these steps, you will have successfully enabled HTTPS on your CloudFront distributions.
To remediate this misconfiguration using Python, follow these steps:
- Import the required modules:

    import boto3

- Create a boto3 client for CloudFront:

    client = boto3.client('cloudfront')

- Get a list of all CloudFront distributions:

    response = client.list_distributions()

- Loop through the distributions and check if HTTPS is enabled. The setting that controls this is the ViewerProtocolPolicy of the cache behavior:

    for distribution in response['DistributionList'].get('Items', []):
        policy = distribution['DefaultCacheBehavior']['ViewerProtocolPolicy']
        if policy in ('redirect-to-https', 'https-only'):
            print('HTTPS is already enabled for distribution:', distribution['Id'])
        else:
            print('HTTPS is not enabled for distribution:', distribution['Id'])

- If HTTPS is not enabled, update the distribution to enable HTTPS. This code belongs inside the else branch of the loop above; update_distribution needs the complete current configuration and its ETag, so fetch both first:

            # Fetch the full config and ETag, change only the protocol policy
            current = client.get_distribution_config(Id=distribution['Id'])
            config = current['DistributionConfig']
            config['DefaultCacheBehavior']['ViewerProtocolPolicy'] = 'redirect-to-https'
            client.update_distribution(
                DistributionConfig=config,
                Id=distribution['Id'],
                IfMatch=current['ETag'],
            )

This will enable HTTPS on the default cache behavior of the CloudFront distribution.
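The console steps above are applied per behavior, and a distribution can have path-based cache behaviors in addition to the default one. The following added example (not part of the original page) checks every behavior in a dict shaped like the DistributionConfig returned by get_distribution_config and patches those still set to allow-all; the function names and the sample config are constructed for illustration.

```python
import copy

# CloudFront accepts three viewer protocol policies; only "allow-all" serves plain HTTP.
HTTPS_POLICIES = {"redirect-to-https", "https-only"}


def iter_behaviors(config):
    """Yield (label, behavior) for the default and every path-based behavior."""
    yield "Default (*)", config["DefaultCacheBehavior"]
    # "Items" can be absent when the distribution has no extra behaviors.
    for behavior in config.get("CacheBehaviors", {}).get("Items", []):
        yield behavior["PathPattern"], behavior


def insecure_behaviors(config):
    """Return the labels of behaviors that still allow plain HTTP."""
    return [label for label, b in iter_behaviors(config)
            if b["ViewerProtocolPolicy"] not in HTTPS_POLICIES]


def enforce_https(config, policy="redirect-to-https"):
    """Return a copy of config with every insecure behavior set to policy."""
    if policy not in HTTPS_POLICIES:
        raise ValueError(f"not an HTTPS policy: {policy}")
    patched = copy.deepcopy(config)  # leave the caller's config untouched
    for _, behavior in iter_behaviors(patched):
        if behavior["ViewerProtocolPolicy"] not in HTTPS_POLICIES:
            behavior["ViewerProtocolPolicy"] = policy
    return patched


# Constructed sample, trimmed to the fields used here; a real
# DistributionConfig carries many more required fields.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 2, "Items": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "allow-all"},
        {"PathPattern": "/static/*", "ViewerProtocolPolicy": "https-only"},
    ]},
}

if __name__ == "__main__":
    print("before:", insecure_behaviors(SAMPLE_CONFIG))
    fixed = enforce_https(SAMPLE_CONFIG)
    print("after: ", insecure_behaviors(fixed))
```

With boto3, the patched config would be passed as DistributionConfig to update_distribution together with the ETag returned by get_distribution_config.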