Amazon CloudFront

CloudFront Origin Uses Insecure HTTP

This plugin detects CloudFront origins that are configured to use the plain HTTP protocol.

Risk Level: Low

Description:

This plugin detects origins whose protocol policy is set to HTTP only. Traffic between CloudFront edge locations and the backend origin should be sent over HTTPS.

About the Service:

Amazon CloudFront is a web service that accelerates the delivery of your online content, such as .html, .css, .js, or image files, to your users. CloudFront serves your content through a global network of data centers known as edge locations. When a user requests content that you serve with CloudFront, the request is routed to the edge location with the lowest latency, which gives the best performance for that content.

Impact:

When a distribution's origin protocol policy allows plain HTTP, the connection between CloudFront and the origin server is sent unencrypted, which allows an attacker positioned on that network path to intercept or modify CloudFront-to-origin traffic with a man-in-the-middle attack.

Steps to reproduce:

  1. Log in to the AWS Console.
  2. Go to the CloudFront dashboard.
  3. Click Distributions in the left panel to list the distributions.
  4. On the Origins tab, choose the distribution origin that you want to verify.
  5. On the Origin Settings page, check which protocols are enabled under Origin Protocol Policy.
  6. If the HTTP Only option is selected, CloudFront connects to this origin over insecure HTTP.
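
The same check can be automated against distribution configurations instead of clicking through the console. The following is an added example, not the plugin's own code: it evaluates the `OriginProtocolPolicy` of each custom origin in a distribution config shaped like the `DistributionList.Items` entries returned by boto3's `cloudfront.list_distributions()`, and goes one step beyond the manual steps by also flagging `match-viewer` (which still allows plaintext whenever the viewer connected over HTTP) as a warning. The sample distributions, ids and domain names are constructed.

```python
# Added example, not the plugin's own code: evaluate CloudFront distribution
# configs for custom origins that reach the backend over plain HTTP.
# The dict shape follows boto3's cloudfront.list_distributions() output
# under DistributionList.Items; the sample data below is constructed.
from typing import Dict, List

FAIL_POLICIES = {"http-only"}     # always plaintext to the origin
WARN_POLICIES = {"match-viewer"}  # plaintext whenever the viewer used HTTP

def find_insecure_origins(distribution: Dict) -> List[Dict]:
    """Return one finding per custom origin whose policy permits plaintext."""
    findings = []
    for origin in distribution.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            # S3 bucket origins carry S3OriginConfig and have no
            # OriginProtocolPolicy, so this check does not apply to them.
            continue
        policy = custom.get("OriginProtocolPolicy")
        if policy in FAIL_POLICIES or policy in WARN_POLICIES:
            findings.append({"distribution": distribution["Id"],
                             "origin": origin["Id"], "domain": origin["DomainName"],
                             "policy": policy,
                             "status": "FAIL" if policy in FAIL_POLICIES else "WARN"})
    return findings

def scan(distributions: List[Dict]) -> Dict[str, str]:
    """Map each distribution id to its worst status (FAIL > WARN > PASS)."""
    results = {}
    for dist in distributions:
        statuses = {f["status"] for f in find_insecure_origins(dist)}
        results[dist["Id"]] = "FAIL" if "FAIL" in statuses else ("WARN" if statuses else "PASS")
    return results

# Helpers to build constructed sample configs in the boto3 shape.
def _dist(dist_id: str, *origins: Dict) -> Dict:
    return {"Id": dist_id, "Origins": {"Quantity": len(origins), "Items": list(origins)}}

def _custom(oid: str, domain: str, policy: str) -> Dict:
    return {"Id": oid, "DomainName": domain, "CustomOriginConfig": {
        "HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": policy}}

SAMPLE_DISTRIBUTIONS = [  # constructed: HTTP-only + S3, match-viewer, HTTPS-only
    _dist("EXAMPLE1", _custom("api", "api.example.internal", "http-only"),
          {"Id": "assets", "DomainName": "assets.s3.amazonaws.com",
           "S3OriginConfig": {"OriginAccessIdentity": ""}}),
    _dist("EXAMPLE2", _custom("web", "web.example.internal", "match-viewer")),
    _dist("EXAMPLE3", _custom("web", "web.example.internal", "https-only")),
]

if __name__ == "__main__":
    for dist_id, status in scan(SAMPLE_DISTRIBUTIONS).items():
        print(dist_id, status)  # EXAMPLE1 FAIL, EXAMPLE2 WARN, EXAMPLE3 PASS
```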

Steps for remediation:

  1. Log in to the AWS Console.
  2. Go to the CloudFront dashboard.
  3. Click Distributions in the left panel to list the distributions.
  4. On the Origins tab, choose the distribution origin that you want to verify.
  5. On the Origin Settings page, check which protocols are enabled under Origin Protocol Policy.
  6. If the HTTP Only option is selected, CloudFront connects to this origin over insecure HTTP.
  7. Deselect the insecure HTTP Only option and click Yes, Edit to save the changes.

References: