Cloudfront traffic to origin unencrypted remediation

Using Console

Using CLI

To remediate the misconfiguration “CloudFront Distributions Should Use HTTPS For Secure Delivery of Web Content” for AWS using AWS CLI, follow the below steps:

Login to your AWS account using AWS CLI.
Identify the CloudFront distributions that are not using HTTPS for secure delivery of web content. You can use the following command to list all the CloudFront distributions in your account:
```
aws cloudfront list-distributions
```
Once you have identified the CloudFront distribution that is not using HTTPS, you can update it to use HTTPS by using the following command:
```
aws cloudfront update-distribution --id <distribution_id> --distribution-config file://config.json
```
Replace <distribution_id> with the ID of the CloudFront distribution that you want to update.

Create a JSON file named config.json and add the following code to it:

{
    "Comment": "Update CloudFront distribution to use HTTPS",
    "Enabled": true,
    "ViewerCertificate": {
        "ACMCertificateArn": "<ACM_certificate_ARN>",
        "MinimumProtocolVersion": "TLSv1.2_2018",
        "SSLSupportMethod": "sni-only"
    },
    "Origins": {
        "Quantity": 1,
        "Items": [
            {
                "Id": "<origin_id>",
                "DomainName": "<origin_domain_name>",
                "OriginPath": "",
                "CustomHeaders": {
                    "Quantity": 0
                },
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "https-only",
                    "OriginSslProtocols": {
                        "Quantity": 3,
                        "Items": [
                            "TLSv1",
                            "TLSv1.1",
                            "TLSv1.2"
                        ]
                    }
                }
            }
        ]
    },
    "DefaultCacheBehavior": {
        "TargetOriginId": "<origin_id>",
        "ViewerProtocolPolicy": "redirect-to-https",
        "MinTTL": 0,
        "AllowedMethods": {
            "Quantity": 7,
            "Items": [
                "HEAD",
                "DELETE",
                "POST",
                "GET",
                "OPTIONS",
                "PUT",
                "PATCH"
            ],
            "CachedMethods": {
                "Quantity": 2,
                "Items": [
                    "GET",
                    "HEAD"
                ]
            }
        },
        "SmoothStreaming": false,
        "Compress": true,
        "LambdaFunctionAssociations": {
            "Quantity": 0
        }
    },
    "PriceClass": "PriceClass_All",
    "Enabled": true
}

Replace <ACM_certificate_ARN> with the ARN of the ACM certificate that you want to use for HTTPS. Replace <origin_id> with the ID of the CloudFront origin that you want to use for HTTPS. Replace <origin_domain_name> with the domain name of the CloudFront origin that you want to use for HTTPS.

Save the config.json file and run the aws cloudfront update-distribution command to update the CloudFront distribution to use HTTPS.
Verify that the CloudFront distribution is now using HTTPS by accessing the distribution’s URL in a web browser. The URL should start with https://.

Using Python

To remediate the misconfiguration of CloudFront distributions not using HTTPS for secure delivery of web content, you can use the following Python script:

First, import the necessary AWS SDK for Python (Boto3) libraries:

import boto3

Next, create a Boto3 client for CloudFront:

cloudfront = boto3.client('cloudfront')

Then, use the list_distributions() method to get a list of all CloudFront distributions:

response = cloudfront.list_distributions()

Loop through the distributions and check if they are using HTTPS:

for distribution in response['DistributionList']['Items']:
    if distribution['ViewerCertificate']['CertificateSource'] != 'cloudfront':
        print("Distribution {} is not using a CloudFront SSL certificate".format(distribution['Id']))
    elif distribution['ViewerCertificate']['MinimumProtocolVersion'] != 'TLSv1.2_2018':
        print("Distribution {} is not using TLSv1.2_2018".format(distribution['Id']))
    elif distribution['ViewerCertificate']['SSLSupportMethod'] != 'sni-only':
        print("Distribution {} is not using SNI-only SSL".format(distribution['Id']))
    else:
        print("Distribution {} is using HTTPS".format(distribution['Id']))

If a distribution is not using HTTPS, update its configuration using the update_distribution() method:

distribution_id = 'YOUR_DISTRIBUTION_ID'

response = cloudfront.get_distribution_config(Id=distribution_id)
config = response['DistributionConfig']

config['ViewerCertificate']['CloudFrontDefaultCertificate'] = True
config['ViewerCertificate']['MinimumProtocolVersion'] = 'TLSv1.2_2018'
config['ViewerCertificate']['SSLSupportMethod'] = 'sni-only'

response = cloudfront.update_distribution(DistributionConfig=config, Id=distribution_id, IfMatch=response['ETag'])

print("Distribution {} has been updated to use HTTPS".format(distribution_id))

Note: Replace YOUR_DISTRIBUTION_ID with the ID of the distribution you want to update.By following these steps, you can remediate the misconfiguration of CloudFront distributions not using HTTPS for secure delivery of web content in AWS using Python.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Cloudfront traffic to origin unencrypted remediation

Triage and Remediation

Remediation