The connection between CloudFront and the origin server has HTTP allowed

ID: aws_cloudfront_http_allowed
Severity: high
Vendor: AWS
Resource: Encryption
Tags: reachable

Description

The connection between CloudFront and the origin server has HTTP allowed. If the communication is over HTTP the data is not encrypted, so anyone able to intercept the packets can read them in plain text.

To fix it, set viewer_protocol_policy to https-only or redirect-to-https.

Learn more about this topic at AWS CloudFront HTTPS communication.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a distribution
      community.aws.cloudfront_distribution:
        state: present
        caller_reference: unique test distribution ID
        origins:
            - id: 'my test origin-000111'
              domain_name: www.example.com
              origin_path: /production
              custom_headers:
                - header_name: MyCustomHeaderName
                  header_value: MyCustomHeaderValue
        default_cache_behavior:
          target_origin_id: 'my test origin-000111'
          forwarded_values:
            query_string: true
            cookies:
              forward: all
            headers:
             - '*'
          viewer_protocol_policy: allow-all
          smooth_streaming: true
          compress: true
          allowed_methods:
            items:
              - GET
              - HEAD
            cached_methods:
              - GET
              - HEAD
        logging:
          enabled: true
          include_cookies: false
          bucket: mylogbucket.s3.amazonaws.com
          prefix: myprefix/
        enabled: false
        comment: this is a CloudFront distribution with logging

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a distribution
      community.aws.cloudfront_distribution:
        state: present
        caller_reference: unique test distribution ID
        origins:
            - id: 'my test origin-000111'
              domain_name: www.example.com
              origin_path: /production
              custom_headers:
                - header_name: MyCustomHeaderName
                  header_value: MyCustomHeaderValue
        default_cache_behavior:
          target_origin_id: 'my test origin-000111'
          forwarded_values:
            query_string: true
            cookies:
              forward: all
            headers:
             - '*'
          viewer_protocol_policy: https-only # or redirect-to-https
          smooth_streaming: true
          compress: true
          allowed_methods:
            items:
              - GET
              - HEAD
            cached_methods:
              - GET
              - HEAD
        logging:
          enabled: true
          include_cookies: false
          bucket: mylogbucket.s3.amazonaws.com
          prefix: myprefix/
        enabled: false
        comment: this is a CloudFront distribution with logging
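The following script is an added example, not part of the original rule page or of the Ansible collection: it applies this rule mechanically to a parsed playbook, reporting every cache behavior whose viewer_protocol_policy is anything other than https-only or redirect-to-https. It goes slightly beyond the page's rule in two ways: it also inspects extra cache_behaviors, not only default_cache_behavior, and it flags origin_protocol_policy: http-only in an origin's custom_origin_config, which is the parameter that governs the CloudFront-to-origin leg (viewer_protocol_policy governs the viewer-to-CloudFront leg). The playbooks are constructed inline as the Python structure a YAML parser would produce for the examples above, so the script runs with no dependencies; make_playbook and check_playbook are names chosen here.

```python
# Added example (not from the rule page or the community.aws collection):
# a static check that applies rule aws_cloudfront_http_allowed to a parsed
# Ansible playbook. Playbooks are built inline as the structure PyYAML
# would produce for the YAML above, so no third-party module is needed.

SAFE_VIEWER_POLICIES = {"https-only", "redirect-to-https"}
# Both the fully qualified and the short module name select the CloudFront module.
CLOUDFRONT_MODULES = ("community.aws.cloudfront_distribution", "cloudfront_distribution")


def cloudfront_params(task):
    """Return the module parameters if this task manages a CloudFront distribution."""
    for module in CLOUDFRONT_MODULES:
        if module in task:
            return task[module]
    return None


def check_playbook(playbook):
    """Return findings as (task_name, parameter_path, value) tuples.

    One finding per cache behavior that permits plain HTTP from viewers, plus
    one per custom origin that forces plain HTTP towards the origin.
    """
    findings = []
    for play in playbook:
        for task in play.get("tasks", []):
            params = cloudfront_params(task)
            if params is None:
                continue
            task_name = task.get("name", "<unnamed task>")

            # Viewer leg: default_cache_behavior plus any additional cache_behaviors.
            behaviors = []
            if "default_cache_behavior" in params:
                behaviors.append(("default_cache_behavior", params["default_cache_behavior"]))
            for idx, behavior in enumerate(params.get("cache_behaviors", [])):
                behaviors.append((f"cache_behaviors[{idx}]", behavior))
            for path, behavior in behaviors:
                policy = behavior.get("viewer_protocol_policy")
                if policy not in SAFE_VIEWER_POLICIES:
                    # A missing value is reported as "<unset>": the check wants the
                    # safe value stated explicitly rather than left to a module default.
                    findings.append((task_name, f"{path}.viewer_protocol_policy", policy or "<unset>"))

            # Origin leg (beyond the page's rule): a custom origin declares how
            # CloudFront connects to it through origin_protocol_policy.
            for idx, origin in enumerate(params.get("origins", [])):
                origin_cfg = origin.get("custom_origin_config") or {}
                if origin_cfg.get("origin_protocol_policy") == "http-only":
                    findings.append((task_name,
                                     f"origins[{idx}].custom_origin_config.origin_protocol_policy",
                                     "http-only"))
    return findings


def make_playbook(viewer_policy, origin_policy=None):
    """Constructed sample: the page's playbook, parsed, with the policies under test."""
    origin = {"id": "my test origin-000111",
              "domain_name": "www.example.com",
              "origin_path": "/production"}
    if origin_policy is not None:
        origin["custom_origin_config"] = {"origin_protocol_policy": origin_policy}
    return [{
        "name": "Example playbook",
        "hosts": "localhost",
        "tasks": [{
            "name": "create a distribution",
            "community.aws.cloudfront_distribution": {
                "state": "present",
                "caller_reference": "unique test distribution ID",
                "origins": [origin],
                "default_cache_behavior": {
                    "target_origin_id": "my test origin-000111",
                    "viewer_protocol_policy": viewer_policy,
                    "allowed_methods": {"items": ["GET", "HEAD"], "cached_methods": ["GET", "HEAD"]},
                },
                "enabled": False,
            },
        }],
    }]


VULNERABLE = make_playbook("allow-all")   # the "Examples" playbook above
FIXED = make_playbook("https-only")       # the "Mitigation / Fix" playbook above

if __name__ == "__main__":
    for label, playbook in (("vulnerable", VULNERABLE), ("fixed", FIXED)):
        findings = check_playbook(playbook)
        print(f"{label}: {len(findings)} finding(s)")
        for task_name, path, value in findings:
            print(f"  {task_name}: {path} = {value}")
```

Run it against a real playbook by loading the file with a YAML parser and passing the resulting list to check_playbook; the finding path tells you which behavior or origin to correct.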