Origin Access Identity Should Be Enabled For CloudFront Distributions
More Info:
The origin access identity (OAI) feature should be enabled for every AWS CloudFront distribution that uses an S3 bucket as an origin, with the bucket policy granting read access only to that identity, so that objects cannot be fetched directly through Amazon S3 URLs and must be served through CloudFront.
Risk Level
Medium
Address
Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Origin Access Identity should be enabled for CloudFront distributions” in AWS using the AWS console:
- Log in to the AWS Management Console.
- Navigate to the CloudFront service.
- Select the distribution for which you want to enable Origin Access Identity.
- Click on the “Origins” tab. Origin access is a property of the origin, not of a cache behavior, so it is not found under “Behaviors”.
- Select the S3 origin and click on the “Edit” button.
- Select “Yes” for “Restrict Bucket Access”. (In the newer console the same setting is under “Origin access”, where “Legacy access identities” is the OAI option.)
- Select “Create a New Identity” under “Origin Access Identity”, or “Use an Existing Identity” to reuse one, and provide a comment for the new identity.
- Select “Yes, Update Bucket Policy” under “Grant Read Permissions on Bucket” so that CloudFront adds a bucket policy statement allowing the identity to read the objects; without that statement CloudFront returns 403 once direct access is removed.
- Click on the “Yes, Edit” button to save the changes.
- Repeat for every S3 origin of the distribution, then remove any public-read bucket policy statement or object ACL and enable S3 Block Public Access on the bucket. The identity only restricts direct access if the bucket is no longer readable by everyone.
By following these steps, you have enabled Origin Access Identity for the CloudFront distribution and remediated the misconfiguration.
To remediate this misconfiguration in AWS using the AWS CLI, follow the steps below (jq is used to edit the configuration JSON):
- List the distributions in your AWS account together with the Origin Access Identity of each origin; an empty string on an S3 origin means it is unrestricted, null marks a custom origin:
aws cloudfront list-distributions --query "DistributionList.Items[].{Id:Id, Origins:Origins.Items[].[DomainName, S3OriginConfig.OriginAccessIdentity]}"
- Identify the distribution for which the Origin Access Identity should be enabled. If you do not already have an identity, create one and note the Id in the response:
aws cloudfront create-cloud-front-origin-access-identity --cloud-front-origin-access-identity-config CallerReference=<unique-string>,Comment="<comment>"
- Download the current distribution configuration. update-distribution requires the complete configuration (CallerReference, DefaultCacheBehavior and every other field) plus the ETag of the version you are changing, so do not hand-write a partial document:
aws cloudfront get-distribution-config --id <distribution-id> > dist.json
ETAG=$(jq -r .ETag dist.json)
- Set the identity on every S3 origin and write only the DistributionConfig object to a new file. The value has the path form origin-access-identity/cloudfront/<oai-id>, not an ARN, and an origin carries either S3OriginConfig or CustomOriginConfig, never both:
jq '.DistributionConfig | ((.Origins.Items[] | select(.S3OriginConfig != null) | .S3OriginConfig.OriginAccessIdentity) = "origin-access-identity/cloudfront/<oai-id>")' dist.json > config.json
- Update the distribution with the edited configuration and the ETag:
aws cloudfront update-distribution --id <distribution-id> --distribution-config file://config.json --if-match "$ETAG"
- Grant the identity read access in the bucket policy and remove any public-read statement or ACL. Without the grant CloudFront returns 403 for a private bucket; with public access left in place the identity restricts nothing:
aws s3api put-bucket-policy --bucket <bucket-name> --policy file://policy.json
where policy.json allows s3:GetObject on arn:aws:s3:::<bucket-name>/* to the principal arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity <oai-id>.
Replace the following placeholders with actual values:
<distribution-id>: The ID of the CloudFront distribution.
<oai-id>: The ID of the Origin Access Identity to associate with the origin (returned by create-cloud-front-origin-access-identity).
<bucket-name>: The S3 bucket used as the origin.
- After the command returns, the distribution status is InProgress until the change has propagated to all edge locations; Origin Access Identity is then enabled for every S3 origin of the distribution.
Note: Make sure you have the necessary permissions, at least cloudfront:GetDistributionConfig, cloudfront:UpdateDistribution, cloudfront:CreateCloudFrontOriginAccessIdentity and s3:PutBucketPolicy.
To remediate the misconfiguration “Origin Access Identity should be enabled for CloudFront distributions” in AWS using Python (boto3), follow the steps below:
- Fetch each distribution's full configuration with get_distribution_config. The summaries returned by list_distributions carry neither CallerReference nor the ETag that update_distribution needs, and update_distribution rejects a configuration with fields missing.
- Set S3OriginConfig.OriginAccessIdentity on every S3 origin that has none, leave custom origins alone, and send the whole configuration back with the ETag in IfMatch:
import boto3

# Origin Access Identity to attach, in the form CloudFront expects:
# "origin-access-identity/cloudfront/<OAI ID>" (a path, not an ARN).
OAI_PATH = 'origin-access-identity/cloudfront/XXXXXXXXXXXX'

client = boto3.client('cloudfront')

# list_distributions is paginated; its items are summaries without
# CallerReference or ETag, so the full config is fetched per distribution.
paginator = client.get_paginator('list_distributions')
for page in paginator.paginate():
    for summary in page['DistributionList'].get('Items', []):
        dist_id = summary['Id']
        # get_distribution_config returns the complete, updatable config
        # and the ETag that update_distribution requires in IfMatch.
        resp = client.get_distribution_config(Id=dist_id)
        config, etag = resp['DistributionConfig'], resp['ETag']

        changed = False
        for origin in config['Origins']['Items']:
            s3cfg = origin.get('S3OriginConfig')
            # Only S3 REST origins use an OAI; custom origins have no S3OriginConfig.
            if s3cfg is not None and not s3cfg.get('OriginAccessIdentity'):
                print(f"{dist_id}: origin {origin['Id']} has no OAI, attaching {OAI_PATH}")
                s3cfg['OriginAccessIdentity'] = OAI_PATH
                changed = True

        if changed:
            # Send the whole config back, modified only in the OAI field;
            # Id is a top-level parameter, not part of DistributionConfig.
            client.update_distribution(Id=dist_id, DistributionConfig=config, IfMatch=etag)
- Replace 'origin-access-identity/cloudfront/XXXXXXXXXXXX' with the actual Origin Access Identity that you want to use (client.create_cloud_front_origin_access_identity creates one if needed).
- Run the Python script to remediate the misconfiguration, then grant the identity s3:GetObject in each origin bucket's policy and remove public access. Without the grant CloudFront returns 403 for a private bucket; with public access left in place the identity restricts nothing.
With these steps, you can remediate the misconfiguration “Origin Access Identity should be enabled for CloudFront distributions” in AWS using Python.
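The remediation only achieves its goal when the bucket side matches: the policy must grant read access to the identity and nothing may still grant it to everyone. The following is an added example, not code from this page's remediation text, that runs offline on constructed sample data (the distribution, the OAI ID E1EXAMPLE and the bucket names are made up): it finds S3 origins in a distribution configuration that have no OAI, builds the bucket policy statement the identity needs, and flags public-read statements that would defeat the OAI.

```python
"""Offline checks around the CloudFront Origin Access Identity (OAI) remediation.

Added example: the distribution, OAI ID and bucket names below are constructed
sample data, and nothing here calls AWS.
"""
import json
import re

# S3 REST endpoint domains an S3 origin can use: bucket.s3.amazonaws.com,
# bucket.s3.<region>.amazonaws.com or bucket.s3-<region>.amazonaws.com.
# Website endpoints are custom origins and never carry an S3OriginConfig.
_S3_REST_DOMAIN = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)

# Constructed sample: one unrestricted S3 origin, one restricted, one custom origin.
SAMPLE_DISTRIBUTION_CONFIG = {
    "CallerReference": "example-2024-01-01",
    "Origins": {
        "Quantity": 3,
        "Items": [
            {"Id": "assets", "DomainName": "example-assets.s3.us-east-1.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""}},
            {"Id": "media", "DomainName": "example-media.s3.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/E1EXAMPLE"}},
            {"Id": "api", "DomainName": "api.example.com",
             "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                                    "OriginProtocolPolicy": "https-only"}},
        ],
    },
}

# Constructed sample: a bucket policy still carrying the public-read grant that
# predates the OAI; while it stays, the OAI restricts nothing.
SAMPLE_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-assets/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-assets/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def s3_origins_without_oai(distribution_config):
    """Return [(origin_id, bucket_name)] for S3 REST origins that have no OAI set."""
    findings = []
    for origin in distribution_config["Origins"]["Items"]:
        s3cfg = origin.get("S3OriginConfig")
        if s3cfg is None:
            continue  # custom origin: an OAI does not apply
        if s3cfg.get("OriginAccessIdentity"):
            continue  # already restricted
        m = _S3_REST_DOMAIN.match(origin["DomainName"])
        bucket = m.group("bucket") if m else origin["DomainName"]
        findings.append((origin["Id"], bucket))
    return findings


def oai_bucket_policy_statement(bucket, oai_id):
    """Bucket policy statement that lets the OAI read the bucket's objects."""
    return {
        "Sid": f"AllowCloudFrontOAI{oai_id}",
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity {oai_id}"},
        "Action": "s3:GetObject",
        "Resource": f"arn:aws:s3:::{bucket}/*",
    }


def public_read_statements(bucket_policy):
    """Sids (or list index when there is no Sid) of Allow statements granting object reads to everyone."""
    hits = []
    for idx, stmt in enumerate(_as_list(bucket_policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        anyone = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))
        )
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if anyone and actions & {"s3:getobject", "s3:get*", "s3:*", "*"}:
            hits.append(stmt.get("Sid", idx))
    return hits


if __name__ == "__main__":
    for origin_id, bucket in s3_origins_without_oai(SAMPLE_DISTRIBUTION_CONFIG):
        print(f"origin {origin_id} ({bucket}) has no OAI")
        print(json.dumps(oai_bucket_policy_statement(bucket, "E1EXAMPLE"), indent=2))
    print("public-read statements to remove:", public_read_statements(SAMPLE_BUCKET_POLICY))
```

On real data, feed s3_origins_without_oai the DistributionConfig from get_distribution_config and public_read_statements the parsed output of get_bucket_policy; a distribution is only remediated when the first returns nothing and the second returns nothing for every origin bucket.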