Origin Failover Should Be Enabled For CloudFront Distributions
More Info:
Origin Failover should be enabled for your Amazon CloudFront web distributions in order to improve the availability of the content delivered to your end users.
Risk Level
Low
Address
Reliability, Security
Compliance Standards
CBP
Triage and Remediation
Remediation
To remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using the AWS console, follow the below steps:
- Log in to the AWS Management Console.
- Go to the CloudFront service page.
- Select the distribution for which you want to enable Origin Failover.
- Click on the “Origins and Origin Groups” tab.
- Select the origin for which you want to enable failover.
- Click on the “Edit” button.
- Scroll down to the “Origin Failover” section.
- Click on the “Yes” radio button to enable Origin Failover.
- Provide the alternate origin details in the “Alternate Domain Name” field.
- Click on the “Create” button to create a new origin group.
- Click on the “Save Changes” button to save the changes made.
Once you have followed these steps, Origin Failover will be enabled for your CloudFront distribution.
To remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using AWS CLI, follow the steps below:
- Open your terminal and ensure that AWS CLI is installed and configured.
- Run the following command to list all the CloudFront distributions in your AWS account:
aws cloudfront list-distributions
- Identify the CloudFront distribution that needs to be remediated.
- Retrieve the distribution's current configuration together with its ETag. There is no update-distribution flag that switches origin failover on by itself; the distribution configuration has to be edited and resubmitted in full:
aws cloudfront get-distribution-config --id <cloudfront-distribution-id> > distribution.json
- Edit the DistributionConfig object in distribution.json: add an OriginGroups entry that lists two existing origins as Members and the status codes that trigger failover (for example 500, 502, 503 and 504) under FailoverCriteria, and set DefaultCacheBehavior.TargetOriginId to the new origin group's Id. Save only the edited DistributionConfig object (without the surrounding ETag wrapper) as distribution-config.json, then run the following command to update the CloudFront distribution:
aws cloudfront update-distribution --id <cloudfront-distribution-id> --if-match <etag> --distribution-config file://distribution-config.json
Replace <cloudfront-distribution-id> with the actual ID of the CloudFront distribution and <etag> with the ETag value from distribution.json.
- Verify that origin failover has been enabled for the CloudFront distribution by running the following command:
aws cloudfront get-distribution --id <cloudfront-distribution-id> --query 'Distribution.DistributionConfig.OriginGroups.Items[].FailoverCriteria.StatusCodes.Quantity' --output text
This command returns, for each origin group, the number of status codes that trigger a failover. If the output is empty, the distribution has no origin group and failover is not enabled; if it is greater than 0, origin failover has been enabled for the CloudFront distribution.
- Repeat the above steps for all the CloudFront distributions in your AWS account that need to be remediated.
By following these steps, you can remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using AWS CLI.
To remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using Python, you can follow the below steps:
- Import the required AWS SDK libraries in your Python code. You will need the boto3 and botocore libraries.
import boto3
from botocore.exceptions import ClientError
- Create a boto3 client for CloudFront.
cloudfront_client = boto3.client('cloudfront')
- Get the list of all the CloudFront distributions in your AWS account. The 'Items' key is absent when the account has no distributions, and list_distributions returns at most 100 entries per call, so paginate:
distributions = []
for page in cloudfront_client.get_paginator('list_distributions').paginate():
    distributions.extend(page['DistributionList'].get('Items', []))
- Loop through all the distributions and check if the “Origin Failover” is enabled or not (a distribution has failover when its configuration contains at least one origin group). If it is not enabled, enable it by creating an origin group from two existing origins and routing the default cache behavior through that group.
for distribution in distributions:
    distribution_id = distribution['Id']
    response = cloudfront_client.get_distribution_config(Id=distribution_id)
    distribution_config = response['DistributionConfig']
    # The ETag is a sibling of DistributionConfig in the response, not a key inside it
    etag = response['ETag']
    if distribution_config.get('OriginGroups', {}).get('Quantity', 0) > 0:
        print(f'Origin Failover already enabled for CloudFront distribution {distribution_id}')
        continue
    origins = distribution_config['Origins']['Items']
    if len(origins) < 2:
        print(f'Skipping {distribution_id}: an origin group needs two origins, found {len(origins)}')
        continue
    group_id = 'failover-group'
    distribution_config['OriginGroups'] = {
        'Quantity': 1,
        'Items': [{
            'Id': group_id,
            # Status codes from the primary origin that make CloudFront retry the secondary
            'FailoverCriteria': {'StatusCodes': {'Quantity': 4, 'Items': [500, 502, 503, 504]}},
            'Members': {'Quantity': 2, 'Items': [{'OriginId': origins[0]['Id']}, {'OriginId': origins[1]['Id']}]},
        }],
    }
    # Failover only applies to cache behaviors that target the group, not the bare origin
    distribution_config['DefaultCacheBehavior']['TargetOriginId'] = group_id
    try:
        cloudfront_client.update_distribution(DistributionConfig=distribution_config, Id=distribution_id, IfMatch=etag)
        print(f'Origin Failover enabled for CloudFront distribution {distribution_id}')
    except ClientError as e:
        print(f'Error enabling Origin Failover for CloudFront distribution {distribution_id}: {e}')
- Run the Python script to enable the “Origin Failover” for all the CloudFront distributions in your AWS account.
Once the script is successfully executed, the “Origin Failover” will be enabled for all the CloudFront distributions in your AWS account.
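Both the AWS CLI steps and the Python steps above come down to the same edit of the DistributionConfig document: detect whether an OriginGroups entry exists, and if not, add one and point the default cache behavior at it. The following is an added example, not code from the original page, that isolates that edit into pure functions so the check and the remediation can be exercised offline against a constructed configuration before any call to update-distribution is made. The function names (has_origin_failover, add_origin_failover), the group ID failover-group and the SAMPLE_CONFIG document are assumptions made for this example; the field names follow the CloudFront DistributionConfig structure shown in the steps above.

```python
import copy
import json

# Default failover criteria used by this example (assumption: CloudFront accepts
# 403, 404, 500, 502, 503 and 504 as FailoverCriteria status codes).
FAILOVER_STATUS_CODES = (500, 502, 503, 504)


def has_origin_failover(distribution_config):
    """True when the DistributionConfig contains at least one origin group."""
    groups = distribution_config.get("OriginGroups", {})
    return groups.get("Quantity", 0) > 0 and len(groups.get("Items", [])) > 0


def add_origin_failover(distribution_config, primary_origin_id, secondary_origin_id,
                        group_id="failover-group", status_codes=FAILOVER_STATUS_CODES):
    """Return a copy of the config with an origin group added and the default
    cache behavior routed through it. The input is not modified, and a config
    that already has an origin group is returned unchanged (idempotent).
    Raises ValueError when the named origins cannot form a valid group."""
    config = copy.deepcopy(distribution_config)
    origin_ids = {o["Id"] for o in config.get("Origins", {}).get("Items", [])}
    if primary_origin_id not in origin_ids or secondary_origin_id not in origin_ids:
        raise ValueError("both origins must already exist in the distribution")
    if primary_origin_id == secondary_origin_id:
        raise ValueError("an origin group needs two different origins")
    if has_origin_failover(config):
        return config
    config["OriginGroups"] = {
        "Quantity": 1,
        "Items": [{
            "Id": group_id,
            # Quantity must match the number of Items, as in every CloudFront list field
            "FailoverCriteria": {"StatusCodes": {"Quantity": len(status_codes),
                                                 "Items": list(status_codes)}},
            "Members": {"Quantity": 2, "Items": [{"OriginId": primary_origin_id},
                                                 {"OriginId": secondary_origin_id}]},
        }],
    }
    # An origin group that no cache behavior targets never fails over, so retarget the default
    config["DefaultCacheBehavior"]["TargetOriginId"] = group_id
    return config


# Constructed sample in the shape of get-distribution-config output, trimmed to the
# fields this example touches. Not a real distribution.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Enabled": True,
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "primary-s3", "DomainName": "example-primary.s3.amazonaws.com"},
        {"Id": "secondary-s3", "DomainName": "example-secondary.s3.amazonaws.com"},
    ]},
    "OriginGroups": {"Quantity": 0},
    "DefaultCacheBehavior": {"TargetOriginId": "primary-s3",
                             "ViewerProtocolPolicy": "redirect-to-https"},
}


if __name__ == "__main__":
    print("before:", has_origin_failover(SAMPLE_CONFIG))
    fixed = add_origin_failover(SAMPLE_CONFIG, "primary-s3", "secondary-s3")
    print("after:", has_origin_failover(fixed))
    # This is the object that would be written to distribution-config.json for
    # update-distribution, together with the ETag from get-distribution-config.
    print(json.dumps(fixed["OriginGroups"], indent=2))
```

The returned dictionary is exactly what the CLI step submits with --distribution-config and what the Python step passes as DistributionConfig; keeping the transformation separate from the API call makes it possible to diff the intended change against the live configuration, and to assert in a test that a second run leaves an already remediated distribution untouched.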