
CloudFront distribution origin is not set to S3 or origin protocol policy is not set to https-only AffectingCloudFront service inAWS


Severity

high
Severity Framework

Snyk CCSS. CCSS (Common Configuration Scoring System) is a set of measures used to determine the severity of the rule.
Rule category

Each rule is associated with a high-level category, for example IAM, Container, Monitoring, Logging, Network, etc.

Data / Encryption in Transit

Frameworks

AWS Well-Architected, CIS Controls, CSA CCM, HIPAA, ISO 27001, NIST 800-53, PCI DSS, SOC 2

  • Snyk ID: SNYK-CC-00146
  • Credit: Snyk Research Team

Description

CloudFront connections should be encrypted during transmission over networks that can be accessed by malicious individuals. If a CloudFront distribution uses a custom origin, CloudFront should only use HTTPS to communicate with it. This does not apply if the CloudFront distribution is configured to use S3 as origin.

How to fix?

Set the origin block with a valid domain_name attribute or custom_origin_config block.

Valid values:

  • S3 origin: a domain_name attribute that ends in s3.amazonaws.com or references an aws_s3_bucket resource
  • Custom origin: a custom_origin_config block with an origin_protocol_policy attribute set to https-only

Example configuration:

```hcl
# S3 as origin: the s3_origin_config block (and the S3 domain_name) tell
# CloudFront to use the S3 REST endpoint, so no origin protocol policy is needed.
resource "aws_cloudfront_distribution" "s3_distribution" {
  origin {
    domain_name = aws_s3_bucket.b.bucket_regional_domain_name
    origin_id   = aws_s3_bucket.b.id

    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.origin_access_identity.cloudfront_access_identity_path
    }
  }

  enabled = true

  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = aws_s3_bucket.b.id

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }
}

# Custom origin: a non-S3 backend, so origin_protocol_policy must be
# "https-only" for CloudFront to encrypt the connection to the origin.
resource "aws_cloudfront_distribution" "custom_distribution" {
  origin {
    domain_name = "example.com"
    origin_id   = local.origin_id

    custom_origin_config {
      http_port  = 80
      https_port = 443
      # Prefer ["TLSv1.2"] alone unless the origin genuinely needs older protocols.
      origin_ssl_protocols   = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
      origin_protocol_policy = "https-only"
    }
  }

  enabled = true

  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = local.origin_id

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }
}
```
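The two "valid values" above can be checked before apply by walking the output of `terraform show -json`. The checker below is an added example, not Snyk's rule engine or the page's own code: it treats an origin as S3-backed when it has an s3_origin_config block or its domain_name is an S3 REST endpoint, and flags every other origin whose custom_origin_config is not https-only. The plan layout (planned_values.root_module.resources, nested blocks rendered as lists) follows the documented Terraform JSON format; the resource addresses, domain names and the SAMPLE_PLAN document are constructed for the example, and the regional-endpoint match (`bucket.s3.<region>.amazonaws.com`) goes slightly beyond the page's literal "ends in s3.amazonaws.com" wording.

```python
"""Flag CloudFront origins that are neither S3-backed nor https-only
(the condition behind SNYK-CC-00146) in `terraform show -json` output.
Added example; plan contents below are constructed."""
import json
import re

# S3 REST endpoints: "bucket.s3.amazonaws.com" or "bucket.s3.<region>.amazonaws.com".
# S3 *website* endpoints ("bucket.s3-website-<region>.amazonaws.com") serve HTTP only
# and are custom origins from CloudFront's point of view, so they deliberately
# do not match and fall through to the origin_protocol_policy check.
S3_DOMAIN_RE = re.compile(r"\.s3(\.[a-z0-9-]+)?\.amazonaws\.com$")


def is_s3_origin(origin):
    """An origin is S3-backed if it carries an s3_origin_config block or its
    domain_name is an S3 REST endpoint (domain_name may be absent at plan time
    when it is still unknown, e.g. a bucket not yet created)."""
    if origin.get("s3_origin_config"):
        return True
    return S3_DOMAIN_RE.search(origin.get("domain_name", "")) is not None


def origin_protocol_policy(origin):
    """Return the origin_protocol_policy of a custom origin, or None if the
    origin has no custom_origin_config block."""
    for cfg in origin.get("custom_origin_config") or []:
        return cfg.get("origin_protocol_policy")
    return None


def find_violations(plan):
    """Return (resource address, origin_id, policy) for every origin of every
    aws_cloudfront_distribution that is neither S3-backed nor https-only."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in root.get("resources", []):
        if res.get("type") != "aws_cloudfront_distribution":
            continue
        for origin in res.get("values", {}).get("origin") or []:
            if is_s3_origin(origin):
                continue
            policy = origin_protocol_policy(origin)
            if policy != "https-only":
                findings.append((res["address"], origin.get("origin_id"), policy))
    return findings


def check_plan_text(text):
    """Parse a JSON plan document and return its violations."""
    return find_violations(json.loads(text))


def _dist(name, origin):
    # Helper to build one constructed distribution entry in plan JSON shape.
    return {
        "address": f"aws_cloudfront_distribution.{name}",
        "type": "aws_cloudfront_distribution",
        "name": name,
        "values": {"origin": [origin]},
    }


# Constructed plan: two S3 origins (one via s3_origin_config, one via domain only),
# one compliant custom origin, and two non-compliant custom origins.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "planned_values": {"root_module": {"resources": [
        _dist("s3_distribution", {
            "domain_name": "assets.s3.eu-west-1.amazonaws.com", "origin_id": "assets",
            "s3_origin_config": [{"origin_access_identity": "origin-access-identity/cloudfront/EXAMPLE"}],
            "custom_origin_config": []}),
        _dist("oac_distribution", {
            "domain_name": "static.s3.amazonaws.com", "origin_id": "static",
            "s3_origin_config": [], "custom_origin_config": []}),
        _dist("api_https", {
            "domain_name": "api.example.com", "origin_id": "api", "s3_origin_config": [],
            "custom_origin_config": [{"origin_protocol_policy": "https-only"}]}),
        _dist("api_http", {
            "domain_name": "api.example.com", "origin_id": "api", "s3_origin_config": [],
            "custom_origin_config": [{"origin_protocol_policy": "http-only"}]}),
        _dist("website", {
            "domain_name": "site.s3-website-us-east-1.amazonaws.com", "origin_id": "site",
            "s3_origin_config": [],
            "custom_origin_config": [{"origin_protocol_policy": "match-viewer"}]}),
    ]}},
})


if __name__ == "__main__":
    for address, origin_id, policy in check_plan_text(SAMPLE_PLAN):
        print(f"{address}: origin {origin_id!r} has origin_protocol_policy={policy!r}, expected 'https-only'")
```

To run it against a real plan, replace SAMPLE_PLAN with the contents of `terraform show -json tfplan`. Note that "match-viewer" is flagged as well as "http-only": it still lets a plaintext viewer request produce a plaintext origin request, which is exactly the exposure the rule describes.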
