Cloudfront origin access s3 origins remediation

Using Console

Using CLI

To remediate this misconfiguration in AWS using AWS CLI, you can follow the below steps:

Open the AWS CLI on your local machine.
Run the following command to list all the CloudFront distributions in your AWS account:

aws cloudfront list-distributions

Identify the distribution for which the Origin Access Identity should be enabled.
Run the following command to update the distribution configuration and enable Origin Access Identity:

aws cloudfront update-distribution --id <distribution-id> --distribution-config '{"Comment":"", "Origins": {"Quantity":1,"Items":[{"Id":"<origin-id>","DomainName":"<origin-domain-name>","OriginPath":"","CustomHeaders":{"Quantity":0},"S3OriginConfig":{"OriginAccessIdentity":"<origin-access-identity>"},"CustomOriginConfig":{"HTTPPort":80,"HTTPSPort":443,"OriginProtocolPolicy":"http-only","OriginSslProtocols":{"Quantity":3,"Items":["TLSv1","TLSv1.1","TLSv1.2"]},"OriginReadTimeout":30,"OriginKeepaliveTimeout":5}}]},"Enabled":true,"PriceClass":"PriceClass_All","ViewerCertificate":{"CloudFrontDefaultCertificate":true,"MinimumProtocolVersion":"TLSv1","CertificateSource":"cloudfront"},"DefaultRootObject":"","Logging":{"Enabled":false,"IncludeCookies":false,"Bucket":"","Prefix":""},"WebACLId":"","HttpVersion":"http2","IsIPV6Enabled":true}'

Replace the following placeholders with actual values:

<distribution-id>: The ID of the CloudFront distribution.
<origin-id>: The ID of the origin for which Origin Access Identity should be enabled.
<origin-domain-name>: The domain name of the origin for which Origin Access Identity should be enabled.
<origin-access-identity>: The ARN of the Origin Access Identity that should be associated with the origin.

After running the command, the CloudFront distribution configuration will be updated, and Origin Access Identity will be enabled for the specified origin.

Note: Make sure you have the necessary permissions to update the CloudFront distribution configuration.

Using Python

To remediate the misconfiguration “Origin Access Identity should be enabled for CloudFront distributions” in AWS using Python, follow the below steps:

Import the required libraries:

import boto3

Create a CloudFront client:

client = boto3.client('cloudfront')

Get the list of all distributions:

response = client.list_distributions()

Loop through the distributions and check if Origin Access Identity is enabled:

for distribution in response['DistributionList']['Items']:
    if distribution['Enabled'] and not distribution['Origins']['Items'][0]['S3OriginConfig']['OriginAccessIdentity']:
        print(f"Disabling distribution {distribution['Id']}...")
        client.update_distribution(
            DistributionConfig={
                'Id': distribution['Id'],
                'CallerReference': distribution['CallerReference'],
                'Comment': distribution['Comment'],
                'DefaultCacheBehavior': distribution['DefaultCacheBehavior'],
                'Origins': {
                    'Quantity': len(distribution['Origins']['Items']),
                    'Items': [
                        {
                            'Id': distribution['Origins']['Items'][0]['Id'],
                            'DomainName': distribution['Origins']['Items'][0]['DomainName'],
                            'S3OriginConfig': {
                                'OriginAccessIdentity': 'origin-access-identity/cloudfront/XXXXXXXXXXXX'
                            }
                        }
                    ]
                },
                'Enabled': True
            },
            IfMatch=distribution['ETag']
        )

Replace 'origin-access-identity/cloudfront/XXXXXXXXXXXX' with the actual Origin Access Identity that you want to use.
Run the Python script to remediate the misconfiguration.

With these steps, you can remediate the misconfiguration “Origin Access Identity should be enabled for CloudFront distributions” in AWS using Python.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Cloudfront origin access s3 origins remediation

Triage and Remediation

Remediation