Cloudfront viewer protocol policy remediation

Using Console

Using CLI

To remediate the misconfiguration “Communication With Viewers Should Be Encrypted Using HTTPS” in AWS using AWS CLI, follow these steps:

Open the AWS CLI on your local machine and run the following command to update the CloudFront distribution configuration:

aws cloudfront update-distribution --id <distribution-id> --distribution-config file://<path_to_config_file>

Note: Replace <distribution-id> with the ID of your CloudFront distribution and <path_to_config_file> with the path to your CloudFront distribution configuration file.

In the CloudFront distribution configuration file, add the following JSON code to enable HTTPS encryption for viewer communication:

"ViewerCertificate": {
  "CloudFrontDefaultCertificate": true,
  "MinimumProtocolVersion": "TLSv1.2_2018",
  "SSLSupportMethod": "sni-only"
}

Save the configuration file and run the update-distribution command again to apply the changes.
Wait for the CloudFront distribution to deploy the changes. This may take several minutes.
Verify that HTTPS encryption is enabled for viewer communication by accessing your CloudFront distribution using HTTPS. You can do this by visiting the domain name of your CloudFront distribution in a web browser and checking that the URL starts with “https://” and has a green padlock icon.

That’s it! You have now remediated the misconfiguration “Communication With Viewers Should Be Encrypted Using HTTPS” in AWS using AWS CLI.

Using Python

To remediate the misconfiguration “Communication With Viewers Should Be Encrypted Using HTTPS” for AWS using python, you can follow the below steps:

Open the AWS console and navigate to the CloudFront service.
Select the distribution for which you want to enable HTTPS.
Click on the “Behaviors” tab and select the behavior for which you want to enable HTTPS.
Click on “Edit” and then select “Yes” for the “Redirect HTTP to HTTPS” option.
Scroll down to the “Viewer Protocol Policy” option and select “Redirect HTTP to HTTPS”.
Save the changes.

To automate this process using Python, you can use the AWS SDK boto3. Here’s a sample code:

import boto3

# Initialize the CloudFront client
cloudfront = boto3.client('cloudfront')

# Get the distribution ID for which you want to enable HTTPS
distribution_id = 'YOUR_DISTRIBUTION_ID'

# Get the current configuration for the distribution
response = cloudfront.get_distribution_config(Id=distribution_id)

# Enable HTTPS for the viewer
response['DistributionConfig']['ViewerCertificate']['MinimumProtocolVersion'] = 'TLSv1.2_2018'

# Save the updated configuration
cloudfront.update_distribution(DistributionConfig=response['DistributionConfig'], Id=distribution_id, IfMatch=response['ETag'])

Note: Replace YOUR_DISTRIBUTION_ID with the actual distribution ID for which you want to enable HTTPS.

AWS Introduction

AWS Pricing

AWS Threats

AWS Misconfigurations

Cloudfront viewer protocol policy remediation

Triage and Remediation

Remediation