More Info:

Field-level encryption should be enabled for your Amazon CloudFront web distributions in order to help protect sensitive data like credit card numbers or social security numbers, and to help protect your data across application services.

Risk Level

Medium

Address

Security

Compliance Standards

SOC2, GDPR, ISO27001, HIPAA, HITRUST, NISTCSF, PCIDSS

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “CloudFront Distributions Should Have Field-Level Encryption Enabled” in AWS using AWS console, follow the below steps:
  1. Login to AWS Management Console.
  2. Go to the CloudFront service.
  3. Select the CloudFront distribution for which you want to enable field-level encryption.
  4. Click on the “Edit” button in the top menu.
  5. Scroll down to the “Security and Privacy” section.
  6. In the “Field-level Encryption Config” section, click on the “Create Field-level Encryption Config” button.
  7. In the “Create Field-level Encryption Config” dialog box, enter a name for the configuration and click on the “Create” button.
  8. In the “Field-level Encryption Config” section, select the newly created configuration from the dropdown list.
  9. Click on the “Yes, Edit” button to save the changes.
  10. Finally, click on the “Save Changes” button to complete the remediation.
By following these steps, you have successfully enabled Field-level Encryption for the selected CloudFront distribution in AWS.

To remediate the misconfiguration of CloudFront distributions not having field-level encryption enabled in AWS using AWS CLI, follow these steps:
  1. Open the AWS CLI on your local machine and run the following command to enable field-level encryption for your CloudFront distribution:
aws cloudfront update-distribution --id DISTRIBUTION_ID --field-level-encryption-config Id=FIELD_LEVEL_ENCRYPTION_ID,ForwardWhenContentTypeIsUnknown=true
Replace DISTRIBUTION_ID with the ID of your CloudFront distribution and FIELD_LEVEL_ENCRYPTION_ID with the ID of the field-level encryption configuration that you want to use.
  1. Verify that field-level encryption is enabled for your CloudFront distribution by running the following command:
aws cloudfront get-distribution-config --id DISTRIBUTION_ID
This command will return the current configuration for your CloudFront distribution. Verify that the FieldLevelEncryptionId parameter is set to the ID of the field-level encryption configuration that you specified in step 1.
  1. Test your CloudFront distribution to ensure that field-level encryption is working as expected.
Congratulations! You have now successfully remediated the misconfiguration of CloudFront distributions not having field-level encryption enabled in AWS using AWS CLI.
To remediate the misconfiguration “CloudFront Distributions Should Have Field-Level Encryption Enabled” in AWS using Python, you can follow the below steps:
  1. Import the Boto3 library:
import boto3
  1. Create a CloudFront client object:
client = boto3.client('cloudfront')
  1. Get the list of CloudFront distributions:
response = client.list_distributions()
  1. Loop through each distribution and check if field-level encryption is enabled:
for distribution in response['DistributionList']['Items']:
    distribution_id = distribution['Id']
    response = client.get_distribution_config(Id=distribution_id)
    if 'FieldLevelEncryption' not in response['DistributionConfig']:
        # Field-level encryption is not enabled, remediate it
  1. If field-level encryption is not enabled, enable it by adding a field-level encryption configuration:
field_level_encryption_config = {
    'CallerReference': 'unique_reference_string',
    'FieldLevelEncryptionConfig': {
        'FieldLevelEncryptionProfileConfig': {
            'Name': 'profile_name',
            'CallerReference': 'unique_reference_string',
            'EncryptionEntities': {
                'Quantity': 1,
                'Items': [
                    {
                        'PublicKeyId': 'public_key_id',
                        'ProviderId': 'provider_id'
                    }
                ]
            }
        },
        'ContentTypeProfileConfig': {
            'ForwardWhenContentTypeIsUnknown': False,
            'ContentTypeProfiles': {
                'Quantity': 1,
                'Items': [
                    {
                        'Format': 'URLEncoded',
                        'ProfileId': 'profile_id',
                        'ContentType': 'content_type'
                    }
                ]
            }
        }
    }
}
response = client.update_distribution(
    DistributionConfig={
        'CallerReference': 'unique_reference_string',
        'Aliases': {
            'Quantity': 1,
            'Items': [
                'example.com'
            ]
        },
        'DefaultRootObject': 'index.html',
        'Origins': {
            'Quantity': 1,
            'Items': [
                {
                    'Id': 'unique_id',
                    'DomainName': 'example.com',
                    'OriginPath': '',
                    'CustomHeaders': {
                        'Quantity': 0
                    },
                    'S3OriginConfig': {
                        'OriginAccessIdentity': ''
                    },
                    'CustomOriginConfig': {
                        'HTTPPort': 80,
                        'HTTPSPort': 443,
                        'OriginProtocolPolicy': 'https-only',
                        'OriginSslProtocols': {
                            'Quantity': 3,
                            'Items': [
                                'TLSv1',
                                'TLSv1.1',
                                'TLSv1.2'
                            ]
                        }
                    }
                }
            ]
        },
        'DefaultCacheBehavior': {
            'TargetOriginId': 'unique_id',
            'ForwardedValues': {
                'QueryString': False,
                'Cookies': {
                    'Forward': 'none'
                },
                'Headers': {
                    'Quantity': 0
                },
                'QueryStringCacheKeys': {
                    'Quantity': 0
                }
            },
            'TrustedSigners': {
                'Enabled': False,
                'Quantity': 0
            },
            'ViewerProtocolPolicy': 'redirect-to-https',
            'MinTTL': 0,
            'AllowedMethods': {
                'Quantity': 2,
                'Items': [
                    'GET',
                    'HEAD'
                ],
                'CachedMethods': {
                    'Quantity': 2,
                    'Items': [
                        'GET',
                        'HEAD'
                    ]
                }
            },
            'SmoothStreaming': False,
            'DefaultTTL': 86400,
            'MaxTTL': 31536000,
            'Compress': False,
            'LambdaFunctionAssociations': {
                'Quantity': 0
            }
        },
        'CacheBehaviors': {
            'Quantity': 0
        },
        'CustomErrorResponses': {
            'Quantity': 0
        },
        'Comment': '',
        'Logging': {
            'Enabled': False,
            'IncludeCookies': False,
            'Bucket': '',
            'Prefix': ''
        },
        'PriceClass': 'PriceClass_All',
        'Enabled': True,
        'ViewerCertificate': {
            'CloudFrontDefaultCertificate': True,
            'MinimumProtocolVersion': 'TLSv1',
            'CertificateSource': 'cloudfront'
        },
        'Restrictions': {
            'GeoRestriction': {
                'RestrictionType': 'none',
                'Quantity': 0
            }
        },
        'WebACLId': '',
        'HttpVersion': 'http2',
        'IsIPV6Enabled': True,
        'FieldLevelEncryption': field_level_encryption_config
    },
    Id=distribution_id,
    IfMatch=response['ETag']
)
  1. Replace the unique_reference_string, profile_name, public_key_id, provider_id, profile_id, content_type, example.com, unique_id, and bucket_name with the appropriate values for your CloudFront distribution.
  2. Save the Python script and execute it to remediate the “CloudFront Distributions Should Have Field-Level Encryption Enabled” misconfiguration in AWS.

Additional Reading: