Amazon CloudFront

CloudFront Not Using HTTPS

This plugin ensures the redirection of non-HTTPS traffic to HTTPS for CloudFront distributions.

Risk Level: High

Description: 

This plugin ensures the redirection of non-HTTPS traffic to HTTPS for CloudFront distributions. CloudFront may be set up to accept only HTTPS connections or reroute HTTPS connections to HTTPS for optimum security.

PingSafe strongly recommends removing HTTP-only listeners from distributions.

About the Service :

Amazon CloudFront is a web service that accelerates your online content delivery to your users, such as.html,.css,.js, or picture files. CloudFront provides your content over a global data center network known as edge locations. When a user requires the material you provide with CloudFront, the request is routed to the lowest delay location, which ensures the optimum performance for the content.

Impact : 

When CloudFront does not use HTTPS the security can be comprised. In order to ensure optimum security, it is essential for CloudFront to use HTTPS. 

Steps to reproduce :

  1. Log In the AWS Console.
  2. Move to Cloudfront dashboard.
  3. Click on the Distributions panel on the left panel to access the distributions.
  4. On the distribution panel, select web and enabled to list all active web distributions available.
  5. Next, select the CDN distribution you want to examine.
  6. Click on the Distribution Settings button to access the resources.
  7. Select the behaviors tab and select the distribution default behavior entry.
  8. Click on the Edit button and then on the Edit Behavior page, verify the Viewer Protocol Policy configuration settings.
  9. If HTTP and HTTPS setting is currently selected, hence the CloudFront is not using HTTPS.

Steps for remediation :

  1. Log In the AWS Console.
  2. Move to Cloudfront dashboard.
  3. Click on the Distributions panel on the left panel to access the distributions.
  4. On the distribution panel, select web and enabled to list all active web distributions available.
  5. Next, select the CDN distribution you want to examine.
  6. Click on the Distribution Settings button to access the resources.
  7. Select the behaviors tab and select the distribution default behavior entry.
  8. Click on the Edit button and then on the Edit Behavior page, perform appropriate actions to enforce encryption for your web content i.e. either set the Viewer Protocol Policy configuration attribute to Redirect HTTP to HTTPS or set the Viewer Protocol Policy attribute to HTTPS only.

 

References: