Amazon S3

One To Many S3 Bucket CloudFront Mapping

This plugin ensures an S3 bucket is an origin to only one distribution.

Risk Level: Low

Description

This plugin ensures an S3 bucket is an origin to only one CloudFront distribution. Every distribution that fronts the same bucket is a separate access path to its objects, each with its own caching, access-control and WAF settings, so it is recommended that an S3 bucket serve as the origin of exactly one CloudFront distribution.

About the Service

Amazon S3: Amazon Simple Storage Service, popularly known as Amazon S3, is AWS's object storage service. Using Amazon S3, you can store and retrieve any amount of data from anywhere. A bucket can be used as the origin of a CloudFront distribution, either through its REST endpoint (shown as the "S3" origin type in the console) or through its static website endpoint (configured as a custom origin). When versioning is enabled on a bucket, S3 keeps every version of an object that is written to or deleted from it.

Impact

According to the AWS docs, an origin is the location where content is stored and from which CloudFront fetches content to serve to viewers. When several distributions use the same S3 bucket as an origin, the bucket policy has to grant access to every one of them, and settings such as caching, geo restriction, WAF rules and signed URLs can diverge between distributions that serve the same objects, which makes the bucket's exposure harder to reason about and to audit. For optimal and auditable use of AWS resources, point an S3 bucket as origin to only one CloudFront distribution.

Steps to Reproduce

Using AWS Console-

  1. Log in to your AWS Console.
  2. Open the Amazon CloudFront Management Console. You can use this link (https://console.aws.amazon.com/cloudfront) to navigate directly if already logged in.
  3. A list of Distributions will be displayed. Select the distribution you wish to examine by clicking on its name.
  4. Move to the Origins section.
  5. For each origin whose Origin type is "S3", or whose Origin domain is an S3 website endpoint (a hostname of the form bucket.s3-website-region.amazonaws.com), note the bucket name that starts the origin domain.
  6. Repeat the steps for the other distributions. If more than one CloudFront distribution has the same S3 bucket as an origin, the vulnerability exists.
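The procedure above can be automated against the output of the cloudfront:ListDistributions API, which is the same data the console lists. The following script is an added example and not part of the plugin or of AWS's own tooling. It identifies S3 origins by their hostname rather than by origin type, so that a bucket reached through its static website endpoint (a custom origin in CloudFront) is matched as well, and reports every bucket that is an origin of more than one distribution. The distribution IDs, bucket names and the SAMPLE_DISTRIBUTIONS structure are constructed for the example; live_distributions() shows the equivalent boto3 call and is not executed here.

```python
"""Detect S3 buckets used as an origin by more than one CloudFront distribution."""
import re
from collections import defaultdict

# Hostname forms CloudFront reports for an S3 origin's DomainName, all of which
# start with the bucket name:
#   bucket.s3.amazonaws.com
#   bucket.s3.<region>.amazonaws.com
#   bucket.s3-website-<region>.amazonaws.com   (static website endpoint, older regions)
#   bucket.s3-website.<region>.amazonaws.com   (static website endpoint, newer regions)
# Website endpoints are configured as custom origins in CloudFront, so the check
# keys on the hostname rather than on the presence of S3OriginConfig.
_S3_ORIGIN_RE = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+?)\.s3(?:[.-][a-z0-9.-]+)?\.amazonaws\.com(?:\.cn)?$",
    re.IGNORECASE,
)


def bucket_from_origin(domain_name):
    """Return the bucket name for an S3 origin hostname, or None for any other origin."""
    m = _S3_ORIGIN_RE.match(domain_name.strip().rstrip("."))
    return m.group("bucket").lower() if m else None


def find_shared_s3_origins(distributions):
    """Return {bucket: [distribution IDs]} for every bucket that is an origin of
    more than one distribution.

    `distributions` is the DistributionList.Items list returned by
    cloudfront:ListDistributions. Two origins in the same distribution that point
    at the same bucket (for example with different origin paths) count once,
    because the check is about distinct distributions.
    """
    bucket_to_dists = defaultdict(set)
    for dist in distributions:
        for origin in dist.get("Origins", {}).get("Items", []):
            bucket = bucket_from_origin(origin.get("DomainName", ""))
            if bucket:
                bucket_to_dists[bucket].add(dist["Id"])
    return {b: sorted(ids) for b, ids in bucket_to_dists.items() if len(ids) > 1}


def live_distributions():
    """Fetch every distribution in the account with boto3 (needs cloudfront:ListDistributions)."""
    import boto3  # imported here so the detection logic above runs without the SDK

    items = []
    paginator = boto3.client("cloudfront").get_paginator("list_distributions")
    for page in paginator.paginate():
        items.extend(page["DistributionList"].get("Items", []))
    return items


# Constructed sample resembling a ListDistributions response; the IDs and bucket
# names are made up for this example.
SAMPLE_DISTRIBUTIONS = [
    {"Id": "EXAMPLEDIST001", "Origins": {"Quantity": 1, "Items": [
        {"Id": "assets-s3", "DomainName": "assets-prod.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}}]}},
    {"Id": "EXAMPLEDIST002", "Origins": {"Quantity": 2, "Items": [
        # the same bucket, reached through its website endpoint as a custom origin
        {"Id": "assets-web", "DomainName": "assets-prod.s3-website-us-east-1.amazonaws.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}}]}},
    {"Id": "EXAMPLEDIST003", "Origins": {"Quantity": 1, "Items": [
        {"Id": "logs-s3", "DomainName": "logs-archive.s3.us-west-2.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}}]}},
]

if __name__ == "__main__":
    # Replace SAMPLE_DISTRIBUTIONS with live_distributions() to scan a real account.
    shared = find_shared_s3_origins(SAMPLE_DISTRIBUTIONS)
    for bucket, dist_ids in shared.items():
        print(f"FAIL bucket {bucket} is an origin of {len(dist_ids)} distributions: {', '.join(dist_ids)}")
    if not shared:
        print("PASS no S3 bucket is shared between distributions")
```

Run against the sample data, the script flags assets-prod as shared between EXAMPLEDIST001 and EXAMPLEDIST002 and leaves logs-archive alone. The hostname match deliberately covers the website endpoint forms, because a console check that only looks at the "S3" origin type would miss a bucket that a second distribution reaches through its website endpoint.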

Steps for Remediation

Make sure the S3 bucket is the origin of only one distribution. Either remove the S3 origin from every distribution except the one that should keep it, or, if the extra distributions serve a different purpose, give each of them its own bucket.

Using AWS Console:

  1. Log in to your AWS Console.
  2. Open the Amazon CloudFront Management Console. You can use this link (https://console.aws.amazon.com/cloudfront) to navigate directly if already logged in.
  3. A list of Distributions will be displayed. Select one of the distributions that has the duplicated S3 bucket as an origin and from which the origin is to be removed. Make sure one distribution is left unchanged to keep serving the bucket.
  4. Move to the Origins section.
  5. Before deleting the origin, check the Behaviors section: CloudFront does not let you delete an origin that is still the target of the default cache behavior or of any other cache behavior (or a member of an origin group). Retarget or delete those behaviors first. If the distribution has no other purpose, disable and delete the whole distribution instead.
  6. Click on the radio button beside the S3 bucket origin you wish to delete, then click on the Delete button.
  7. Repeat the steps for the other distributions with the same S3 origin.
  8. Finally, update the bucket policy so that it no longer grants access to the distributions (or their origin access identities or origin access controls) that have stopped using the bucket.
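The same remediation can be applied through the API. The following code is an added example, not part of the plugin or of AWS's tooling: it removes a named origin from a DistributionConfig, but only after confirming that no cache behavior or origin group still targets it, and it keeps Origins.Quantity consistent with the remaining items, since CloudFront rejects an UpdateDistribution call that violates either condition. SAMPLE_CONFIG is a constructed fragment of a DistributionConfig with made-up origin IDs; apply_to_distribution() shows the real boto3 calls (get_distribution_config, update_distribution with the returned ETag) and is not executed here.

```python
"""Remove an S3 origin from a CloudFront DistributionConfig, refusing to do so while
any cache behavior or origin group still depends on it."""
import copy


class OriginInUse(Exception):
    """Raised when the origin is still referenced and cannot be removed yet."""


def origin_references(config, origin_id):
    """List the places in a DistributionConfig that still point at `origin_id`."""
    refs = []
    if config.get("DefaultCacheBehavior", {}).get("TargetOriginId") == origin_id:
        refs.append("DefaultCacheBehavior")
    for cb in config.get("CacheBehaviors", {}).get("Items", []):
        if cb.get("TargetOriginId") == origin_id:
            refs.append(f"CacheBehavior {cb.get('PathPattern')}")
    for grp in config.get("OriginGroups", {}).get("Items", []):
        members = grp.get("Members", {}).get("Items", [])
        if any(m.get("OriginId") == origin_id for m in members):
            refs.append(f"OriginGroup {grp.get('Id')}")
    return refs


def retarget_behaviors(config, from_id, to_id):
    """Return a copy of `config` whose cache behaviors targeting `from_id` now target `to_id`."""
    new = copy.deepcopy(config)
    if new.get("DefaultCacheBehavior", {}).get("TargetOriginId") == from_id:
        new["DefaultCacheBehavior"]["TargetOriginId"] = to_id
    for cb in new.get("CacheBehaviors", {}).get("Items", []):
        if cb.get("TargetOriginId") == from_id:
            cb["TargetOriginId"] = to_id
    return new


def remove_origin(config, origin_id):
    """Return a copy of `config` without the origin `origin_id`.

    Raises OriginInUse if a behavior or origin group still references the origin,
    KeyError if no such origin exists, and ValueError if it is the last origin
    (a distribution needs at least one; delete the distribution instead).
    """
    refs = origin_references(config, origin_id)
    if refs:
        raise OriginInUse(f"origin {origin_id!r} is still referenced by: {', '.join(refs)}")
    new = copy.deepcopy(config)
    items = [o for o in new["Origins"]["Items"] if o["Id"] != origin_id]
    if len(items) == len(new["Origins"]["Items"]):
        raise KeyError(f"no origin with Id {origin_id!r}")
    if not items:
        raise ValueError("a distribution must keep at least one origin; delete the distribution instead")
    # Quantity must equal len(Items) or UpdateDistribution is rejected.
    new["Origins"] = {"Quantity": len(items), "Items": items}
    return new


def apply_to_distribution(dist_id, origin_id):
    """Apply remove_origin() to a live distribution with boto3 (not run in this example)."""
    import boto3  # imported here so the logic above runs without the SDK

    cf = boto3.client("cloudfront")
    resp = cf.get_distribution_config(Id=dist_id)
    new_config = remove_origin(resp["DistributionConfig"], origin_id)
    # IfMatch must carry the ETag from get_distribution_config, otherwise the update fails.
    return cf.update_distribution(Id=dist_id, IfMatch=resp["ETag"], DistributionConfig=new_config)


# Constructed DistributionConfig fragment for the example (origin IDs are made up).
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "assets-s3", "DomainName": "assets-prod.s3.amazonaws.com"},
        {"Id": "api", "DomainName": "api.example.com"},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "api"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/static/*", "TargetOriginId": "assets-s3"},
    ]},
}

if __name__ == "__main__":
    print("still referenced by:", origin_references(SAMPLE_CONFIG, "assets-s3"))
    cleaned = remove_origin(retarget_behaviors(SAMPLE_CONFIG, "assets-s3", "api"), "assets-s3")
    print("remaining origins:", [o["Id"] for o in cleaned["Origins"]["Items"]])
```

On the sample config, remove_origin() refuses at first because the /static/* behavior still targets the S3 origin; after retarget_behaviors() moves that behavior to the api origin, the removal succeeds and the result has a single origin with Quantity 1. Retargeting is shown only to make the removal legal; in practice decide per behavior whether it should be deleted or pointed elsewhere, and remember to follow up with the bucket policy cleanup described in step 8.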