Details
Configure the Viewer Protocol Policy of your CloudFront distribution to redirect HTTP requests to HTTPS (redirect-to-https) or to require that viewers use only HTTPS (https-only) to access objects in the CloudFront cache. The policy is set per cache behavior: the default cache behavior and every additional cache behavior carry their own ViewerProtocolPolicy, so a single behavior left at allow-all still exposes the paths it matches over plain HTTP. You can configure individual cache behaviors in the same distribution to allow both HTTP and HTTPS if you need to require HTTPS for some objects but not for others, but for a hardened distribution every behavior should be checked.
To serve HTTPS for an alternate domain name (CNAME), an SSL/TLS certificate for that name must be attached to the distribution (from AWS Certificate Manager in the us-east-1 region, or imported into IAM). Distributions served only under the default *.cloudfront.net domain name use the CloudFront default certificate.
Which of the two policies to use depends on your data classification and encryption policies: redirect-to-https keeps existing HTTP links working by answering plain-HTTP requests with a 301 redirect to the HTTPS URL, while https-only rejects them with a 403. Either setting encrypts the hop between viewers and edge locations; neither affects the connection from the edge to your origin, which is governed separately by the Origin Protocol Policy.
Solution
Using the AWS Command Line Interface:
* To configure "ViewerProtocolPolicy", first save the current distribution config locally. get-distribution-config returns an outer object holding both the ETag and the DistributionConfig; only the DistributionConfig object is needed in the file, so extract it with --query:
aws cloudfront get-distribution-config --id <distribution-id> --query DistributionConfig > /tmp/cf-distribution.json
* Edit /tmp/cf-distribution.json and replace the "ViewerProtocolPolicy" element in DefaultCacheBehavior, and in every item under CacheBehaviors, with the section below:
"ViewerProtocolPolicy": "redirect-to-https",
* Retrieve the current ETag of your CloudFront distribution (it changes on every update, so re-fetch it if the update fails with PreconditionFailed):
aws cloudfront get-distribution-config --id <distribution-id> --query ETag --output text
* Update the CloudFront distribution using the edited config and the above ETag, passed with --if-match:
aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file:///tmp/cf-distribution.json
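The manual edit above is easy to get wrong when a distribution has many cache behaviors, and the outer ETag/DistributionConfig wrapper must be stripped before update-distribution accepts the file. The following is an added example, not code from the original page or from AWS: it audits a get-distribution-config result for behaviors that still accept plain HTTP, and produces the hardened DistributionConfig plus the ETag for --if-match. The SAMPLE_GET_OUTPUT structure, its ETag and origin names are constructed for illustration, and the script name harden_cf.py in the usage comment is assumed.

```python
import copy
import json

# Constructed sample shaped like the output of
# `aws cloudfront get-distribution-config --id <distribution-id>`:
# an outer object holding ETag and DistributionConfig. Only the fields
# relevant to the viewer protocol policy are included; all values are made up.
SAMPLE_GET_OUTPUT = {
    "ETag": "ETAGEXAMPLE123",
    "DistributionConfig": {
        "CallerReference": "constructed-sample",
        "Comment": "constructed sample distribution",
        "Enabled": True,
        "DefaultCacheBehavior": {
            "TargetOriginId": "s3-origin",
            "ViewerProtocolPolicy": "allow-all",
        },
        "CacheBehaviors": {
            "Quantity": 2,
            "Items": [
                {"PathPattern": "/api/*", "TargetOriginId": "api-origin",
                 "ViewerProtocolPolicy": "https-only"},
                {"PathPattern": "/static/*", "TargetOriginId": "s3-origin",
                 "ViewerProtocolPolicy": "allow-all"},
            ],
        },
    },
}

# The two ViewerProtocolPolicy values that keep plain HTTP off the viewer hop.
COMPLIANT_POLICIES = {"redirect-to-https", "https-only"}


def iter_behaviors(config):
    """Yield (label, behavior) for the default behavior and every path-pattern behavior."""
    yield "DefaultCacheBehavior", config["DefaultCacheBehavior"]
    cache_behaviors = config.get("CacheBehaviors") or {}
    for item in cache_behaviors.get("Items") or []:
        yield "CacheBehaviors[%s]" % item["PathPattern"], item


def audit(get_output):
    """Return labels of behaviors that still accept plain HTTP (allow-all or unset)."""
    return [label for label, behavior in iter_behaviors(get_output["DistributionConfig"])
            if behavior.get("ViewerProtocolPolicy") not in COMPLIANT_POLICIES]


def harden(get_output, policy="redirect-to-https"):
    """Return (etag, distribution_config) with every behavior set to `policy`.

    The input is left unmodified. Only the inner DistributionConfig object is
    returned because update-distribution rejects the outer {ETag, DistributionConfig}
    wrapper; the ETag is supplied separately via --if-match.
    """
    if policy not in COMPLIANT_POLICIES:
        raise ValueError("policy must be one of %s" % sorted(COMPLIANT_POLICIES))
    config = copy.deepcopy(get_output["DistributionConfig"])
    for _, behavior in iter_behaviors(config):
        behavior["ViewerProtocolPolicy"] = policy
    return get_output["ETag"], config


if __name__ == "__main__":
    import sys
    # Usage (script name assumed):
    #   aws cloudfront get-distribution-config --id <distribution-id> \
    #     | python harden_cf.py > /tmp/cf-distribution.json
    # With no data on stdin the constructed sample above is used instead.
    source = SAMPLE_GET_OUTPUT if sys.stdin.isatty() else json.load(sys.stdin)
    print("non-compliant before:", audit(source), file=sys.stderr)
    etag, config = harden(source)
    json.dump(config, sys.stdout, indent=2)
    print("\nthen run: aws cloudfront update-distribution --id <distribution-id>"
          " --if-match %s --distribution-config file:///tmp/cf-distribution.json" % etag,
          file=sys.stderr)
```

Run audit() first on the live output to see which behaviors would change; on the constructed sample it reports the default behavior and the /static/* behavior, while /api/* (already https-only) is left alone, so the script never downgrades a behavior that is already stricter than the target policy.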
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Communications Protection. This control applies to the following type of system: amazon_aws.