More Info:

Origin Failover feature should be enabled for your Amazon CloudFront web distributions in order to improve the availability of the content delivered to your end users

Risk Level

Low

Address

Reliability, Security

Compliance Standards

CBP

Triage and Remediation

Remediation

Using Console

To remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using the AWS console, follow the below steps:
  1. Log in to the AWS Management Console.
  2. Go to the CloudFront service page.
  3. Select the distribution for which you want to enable Origin Failover.
  4. Click on the “Origins and Origin Groups” tab.
  5. Select the origin for which you want to enable failover.
  6. Click on the “Edit” button.
  7. Scroll down to the “Origin Failover” section.
  8. Click on the “Yes” radio button to enable Origin Failover.
  9. Provide the alternate origin details in the “Alternate Domain Name” field.
  10. Click on the “Create” button to create a new origin group.
  11. Click on the “Save Changes” button to save the changes made.
Once you have followed these steps, Origin Failover will be enabled for your CloudFront distribution.

To remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using AWS CLI, follow the steps below:
  1. Open your terminal and ensure that AWS CLI is installed and configured.
  2. Run the following command to list all the CloudFront distributions in your AWS account: 
aws cloudfront list-distributions
  1. Identify the CloudFront distribution that needs to be remediated.
  2. Run the following command to update the CloudFront distribution to enable origin failover: 
aws cloudfront update-distribution --id <cloudfront-distribution-id> --origin-failover-status-enabled
Replace <cloudfront-distribution-id> with the actual ID of the CloudFront distribution.
  1. Verify that origin failover has been enabled for the CloudFront distribution by running the following command:
aws cloudfront get-distribution --id <cloudfront-distribution-id> --query 'Distribution.Origins.Items[].OriginFailoverCriteria.StatusCodes.Quantity' --output text
This command will return the number of status codes that are required to trigger a failover. If the output is greater than 0, it means that origin failover has been enabled for the CloudFront distribution.
  1. Repeat the above steps for all the CloudFront distributions in your AWS account that need to be remediated.
By following these steps, you can remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using AWS CLI.
To remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using Python, you can follow the below steps:
  1. Import the required AWS SDK libraries in your Python code. You will need boto3 and botocore libraries.
import boto3
from botocore.exceptions import ClientError
  1. Create a boto3 client for CloudFront.
cloudfront_client = boto3.client('cloudfront')
  1. Get the list of all the CloudFront distributions in your AWS account.
distributions = cloudfront_client.list_distributions()['DistributionList']['Items']
  1. Loop through all the distributions and check if the “Origin Failover” is enabled or not. If it is not enabled, enable it.
for distribution in distributions:
    distribution_id = distribution['Id']
    distribution_config = cloudfront_client.get_distribution_config(Id=distribution_id)['DistributionConfig']
    if not distribution_config.get('Enabled', False):
        distribution_config['Enabled'] = True
        origin_failover_config = distribution_config.get('OriginFailoverSettings', {})
        origin_failover_config['Enabled'] = True
        distribution_config['OriginFailoverSettings'] = origin_failover_config
        try:
            cloudfront_client.update_distribution(DistributionConfig=distribution_config, Id=distribution_id, IfMatch=distribution_config['ETag'])
            print(f'Origin Failover enabled for CloudFront distribution {distribution_id}')
        except ClientError as e:
            print(f'Error enabling Origin Failover for CloudFront distribution {distribution_id}: {e}')
  1. Run the Python script to enable the “Origin Failover” for all the CloudFront distributions in your AWS account.
Once the script is successfully executed, the “Origin Failover” will be enabled for all the CloudFront distributions in your AWS account.

Additional Reading: