Cloudfront origin failover remediation

Using Console

Using CLI

To remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using AWS CLI, follow the steps below:

Open your terminal and ensure that AWS CLI is installed and configured.
Run the following command to list all the CloudFront distributions in your AWS account:

aws cloudfront list-distributions

Identify the CloudFront distribution that needs to be remediated.
Run the following command to update the CloudFront distribution to enable origin failover:

aws cloudfront update-distribution --id <cloudfront-distribution-id> --origin-failover-status-enabled

Replace <cloudfront-distribution-id> with the actual ID of the CloudFront distribution.

Verify that origin failover has been enabled for the CloudFront distribution by running the following command:

aws cloudfront get-distribution --id <cloudfront-distribution-id> --query 'Distribution.Origins.Items[].OriginFailoverCriteria.StatusCodes.Quantity' --output text

This command will return the number of status codes that are required to trigger a failover. If the output is greater than 0, it means that origin failover has been enabled for the CloudFront distribution.

Repeat the above steps for all the CloudFront distributions in your AWS account that need to be remediated.

By following these steps, you can remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using AWS CLI.

Using Python

To remediate the misconfiguration “Origin Failover Should Be Enabled For CloudFront Distributions” for AWS using Python, you can follow the below steps:

Import the required AWS SDK libraries in your Python code. You will need boto3 and botocore libraries.

import boto3
from botocore.exceptions import ClientError

Create a boto3 client for CloudFront.

cloudfront_client = boto3.client('cloudfront')

Get the list of all the CloudFront distributions in your AWS account.

distributions = cloudfront_client.list_distributions()['DistributionList']['Items']

Loop through all the distributions and check if the “Origin Failover” is enabled or not. If it is not enabled, enable it.

for distribution in distributions:
    distribution_id = distribution['Id']
    distribution_config = cloudfront_client.get_distribution_config(Id=distribution_id)['DistributionConfig']
    if not distribution_config.get('Enabled', False):
        distribution_config['Enabled'] = True
        origin_failover_config = distribution_config.get('OriginFailoverSettings', {})
        origin_failover_config['Enabled'] = True
        distribution_config['OriginFailoverSettings'] = origin_failover_config
        try:
            cloudfront_client.update_distribution(DistributionConfig=distribution_config, Id=distribution_id, IfMatch=distribution_config['ETag'])
            print(f'Origin Failover enabled for CloudFront distribution {distribution_id}')
        except ClientError as e:
            print(f'Error enabling Origin Failover for CloudFront distribution {distribution_id}: {e}')

Run the Python script to enable the “Origin Failover” for all the CloudFront distributions in your AWS account.

Once the script is successfully executed, the “Origin Failover” will be enabled for all the CloudFront distributions in your AWS account.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Cloudfront origin failover remediation

Triage and Remediation

Remediation