More Info:
Field-level encryption should be enabled for your Amazon CloudFront web distributions in order to help protect sensitive data like credit card numbers or social security numbers, and to help protect your data across application services.
Risk Level
Medium
Address
Security
Compliance Standards
SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS
Triage and Remediation
Remediation
Using Console
To remediate the misconfiguration “CloudFront Distributions Should Have Field-Level Encryption Enabled” in AWS using the AWS console, follow the steps below:
- Log in to the AWS Management Console.
- Go to the CloudFront service.
- Select the CloudFront distribution for which you want to enable field-level encryption.
- Click on the “Edit” button in the top menu.
- Scroll down to the “Security and Privacy” section.
- In the “Field-level Encryption Config” section, click on the “Create Field-level Encryption Config” button.
- In the “Create Field-level Encryption Config” dialog box, enter a name for the configuration and click on the “Create” button.
- In the “Field-level Encryption Config” section, select the newly created configuration from the dropdown list.
- Click on the “Yes, Edit” button to save the changes.
- Finally, click on the “Save Changes” button to complete the remediation.
Using CLI
To remediate the misconfiguration of CloudFront distributions not having field-level encryption enabled in AWS using the AWS CLI, follow these steps:
- Open the AWS CLI on your local machine and run the following command to enable field-level encryption for your CloudFront distribution. Replace DISTRIBUTION_ID with the ID of your CloudFront distribution and FIELD_LEVEL_ENCRYPTION_ID with the ID of the field-level encryption configuration that you want to use.
- Verify that field-level encryption is enabled for your CloudFront distribution by running the following command. This command will return the current configuration for your CloudFront distribution. Verify that the FieldLevelEncryptionId parameter is set to the ID of the field-level encryption configuration that you specified in step 1.
- Test your CloudFront distribution to ensure that field-level encryption is working as expected.
Using Python
To remediate the misconfiguration “CloudFront Distributions Should Have Field-Level Encryption Enabled” in AWS using Python, follow the steps below:
- Import the Boto3 library.
- Create a CloudFront client object.
- Get the list of CloudFront distributions.
- Loop through each distribution and check if field-level encryption is enabled.
- If field-level encryption is not enabled, enable it by adding a field-level encryption configuration.
- Replace unique_reference_string, profile_name, public_key_id, provider_id, profile_id, content_type, example.com, unique_id, and bucket_name with the appropriate values for your CloudFront distribution.
- Save the Python script and execute it to remediate the “CloudFront Distributions Should Have Field-Level Encryption Enabled” misconfiguration in AWS.
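The following script is an added example written for this page; it is not the page's own code and not part of Boto3 or the AWS CLI. It covers both the CLI verification step above (checking that FieldLevelEncryptionId is set, applied to the same DistributionConfig document that `aws cloudfront get-distribution-config` returns) and the Python procedure (list distributions, check each one, attach an existing configuration to the non-compliant ones). It assumes AWS credentials are configured for Boto3 and that a field-level encryption configuration already exists; FIELD_LEVEL_ENCRYPTION_ID is a placeholder for its ID, and SAMPLE_CONFIG is a constructed, trimmed configuration used only to exercise the check offline. The check treats a missing key and an empty string the same way, because CloudFront reports "no field-level encryption" on a cache behavior as an empty FieldLevelEncryptionId.

```python
"""Audit and remediate CloudFront field-level encryption (FLE) on cache behaviors.

Added example for this page. Assumes Boto3 credentials are configured and that
an FLE configuration already exists (FIELD_LEVEL_ENCRYPTION_ID is a placeholder).
The check functions work on a DistributionConfig dict, which is the document
`aws cloudfront get-distribution-config` returns, so they run without boto3.
"""
import json
import sys

# Placeholder: replace with the ID of your existing field-level encryption config.
FIELD_LEVEL_ENCRYPTION_ID = "FIELD_LEVEL_ENCRYPTION_ID"


def behaviors(distribution_config):
    """Yield (label, behavior) for the default and every ordered cache behavior."""
    yield "DefaultCacheBehavior", distribution_config["DefaultCacheBehavior"]
    for item in distribution_config.get("CacheBehaviors", {}).get("Items", []):
        yield f"CacheBehaviors[{item['PathPattern']}]", item


def behaviors_without_fle(distribution_config):
    """Return labels of cache behaviors whose FieldLevelEncryptionId is unset.

    CloudFront reports "no FLE" as an empty string; a missing key is treated
    the same way, so both count as non-compliant.
    """
    return [
        label
        for label, behavior in behaviors(distribution_config)
        if not behavior.get("FieldLevelEncryptionId")
    ]


def is_compliant(distribution_config):
    """True when every cache behavior references an FLE configuration."""
    return not behaviors_without_fle(distribution_config)


def apply_fle(distribution_config, fle_id):
    """Return a deep copy of the config with fle_id set on every behavior that lacks one."""
    fixed = json.loads(json.dumps(distribution_config))  # deep copy, input untouched
    for _, behavior in behaviors(fixed):
        if not behavior.get("FieldLevelEncryptionId"):
            behavior["FieldLevelEncryptionId"] = fle_id
    return fixed


def remediate_account(fle_id, dry_run=True):
    """Loop over all distributions; report non-compliant ones and fix them unless dry_run."""
    import boto3  # imported here so the check functions run without boto3 installed

    cf = boto3.client("cloudfront")
    for page in cf.get_paginator("list_distributions").paginate():
        for dist in page["DistributionList"].get("Items", []):
            dist_id = dist["Id"]
            resp = cf.get_distribution_config(Id=dist_id)
            config, etag = resp["DistributionConfig"], resp["ETag"]
            missing = behaviors_without_fle(config)
            if not missing:
                print(f"{dist_id}: compliant")
                continue
            print(f"{dist_id}: FieldLevelEncryptionId missing on {', '.join(missing)}")
            if not dry_run:
                # IfMatch must carry the ETag returned by get_distribution_config.
                cf.update_distribution(
                    Id=dist_id, IfMatch=etag, DistributionConfig=apply_fle(config, fle_id)
                )


# Constructed sample: a trimmed DistributionConfig in the shape returned by
# `aws cloudfront get-distribution-config`. Not taken from a real account.
SAMPLE_CONFIG = {
    "CallerReference": "constructed-example",
    "DefaultCacheBehavior": {"TargetOriginId": "origin1", "FieldLevelEncryptionId": ""},
    "CacheBehaviors": {
        "Quantity": 1,
        "Items": [{"PathPattern": "/checkout/*", "TargetOriginId": "origin1"}],
    },
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Check a saved `aws cloudfront get-distribution-config` JSON document.
        with open(sys.argv[1]) as fh:
            print(behaviors_without_fle(json.load(fh)["DistributionConfig"]))
    else:
        remediate_account(FIELD_LEVEL_ENCRYPTION_ID, dry_run=True)
```

Run it with no arguments for a dry-run audit of the account, pass `dry_run=False` to attach the configuration, or give it a JSON file saved from `aws cloudfront get-distribution-config` to check a single distribution offline. The check inspects every cache behavior, not only the default one, because a distribution with field-level encryption on its default behavior but not on an ordered behavior that matches the sensitive path is still unprotected there.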