The connection between CloudFront and the origin server has HTTP allowed

ID

aws_cloudfront_http_allowed

Severity

high

Vendor

AWS

Resource

Encryption

Tags

asvs50-v11.3.1, asvs50-v14.2.2, reachable

Description

The connection between CloudFront and the origin server has HTTP allowed. When the communication goes over HTTP the data is not encrypted, so anyone who intercepts the packets can read the data in plain text.

To fix it, set viewer_protocol_policy to https-only or redirect-to-https.

Learn more about this topic at AWS CloudFront HTTPS communication.

Examples

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a distribution
      community.aws.cloudfront_distribution:
        state: present
        caller_reference: unique test distribution ID
        origins:
            - id: 'my test origin-000111'
              domain_name: www.example.com
              origin_path: /production
              custom_headers:
                - header_name: MyCustomHeaderName
                  header_value: MyCustomHeaderValue
        default_cache_behavior:
          target_origin_id: 'my test origin-000111'
          forwarded_values:
            query_string: true
            cookies:
              forward: all
            headers:
             - '*'
          viewer_protocol_policy: allow-all
          smooth_streaming: true
          compress: true
          allowed_methods:
            items:
              - GET
              - HEAD
            cached_methods:
              - GET
              - HEAD
        logging:
          enabled: true
          include_cookies: false
          bucket: mylogbucket.s3.amazonaws.com
          prefix: myprefix/
        enabled: false
        comment: this is a CloudFront distribution with logging

Mitigation / Fix

---
- name: Example playbook
  hosts: localhost
  tasks:
    - name: create a distribution
      community.aws.cloudfront_distribution:
        state: present
        caller_reference: unique test distribution ID
        origins:
            - id: 'my test origin-000111'
              domain_name: www.example.com
              origin_path: /production
              custom_headers:
                - header_name: MyCustomHeaderName
                  header_value: MyCustomHeaderValue
        default_cache_behavior:
          target_origin_id: 'my test origin-000111'
          forwarded_values:
            query_string: true
            cookies:
              forward: all
            headers:
             - '*'
          viewer_protocol_policy: https-only # or redirect-to-https
          smooth_streaming: true
          compress: true
          allowed_methods:
            items:
              - GET
              - HEAD
            cached_methods:
              - GET
              - HEAD
        logging:
          enabled: true
          include_cookies: false
          bucket: mylogbucket.s3.amazonaws.com
          prefix: myprefix/
        enabled: false
        comment: this is a CloudFront distribution with logging
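The following script is an added example for this rule, not code from the page or from the community.aws collection. It scans a loaded Ansible playbook (the list of plays as Ansible reads it from YAML, built inline here so no YAML library is needed) and reports every cloudfront_distribution cache behavior whose viewer_protocol_policy is not https-only or redirect-to-https, which is exactly the condition the vulnerable example above triggers. It goes one step further than the page and also inspects the origin side: the CloudFront-to-origin leg is governed by each origin's custom_origin_config.origin_protocol_policy (an assumption that the module follows its usual snake_case mapping of the CloudFront API), so http-only there, or match-viewer while HTTP viewers are still accepted, is reported as well. The sample_playbook helper, the task names and the reported tuple shape are constructed for this example.

```python
"""Scan loaded Ansible playbook data for CloudFront distributions that still allow
plain HTTP, either from viewers or on the CloudFront-to-origin leg.

Added example, not part of the rule page or the community.aws collection. Input is
the playbook as Ansible loads it from YAML (a list of plays).
"""

MODULE = "community.aws.cloudfront_distribution"
# viewer_protocol_policy values that never serve plain HTTP to viewers.
SAFE_VIEWER_POLICIES = {"https-only", "redirect-to-https"}


def _cache_behaviors(params):
    """Yield (location, behavior) for the default behavior and any extra ones."""
    default = params.get("default_cache_behavior")
    if isinstance(default, dict):
        yield "default_cache_behavior", default
    for i, behavior in enumerate(params.get("cache_behaviors") or []):
        if isinstance(behavior, dict):
            yield f"cache_behaviors[{i}]", behavior


def find_http_allowed(playbook):
    """Return a list of (task name, location, setting, value) findings.

    A cache behavior is reported when its viewer_protocol_policy is not one of the
    safe values (a missing key is reported too, since the playbook then does not pin
    the behavior to HTTPS). A custom origin is reported when its
    origin_protocol_policy is http-only, or is match-viewer while some behavior still
    accepts HTTP viewers, because the origin connection then mirrors the viewer's.
    """
    findings = []
    for play in playbook:
        for task in play.get("tasks") or []:
            params = task.get(MODULE)
            if not isinstance(params, dict):
                continue
            name = task.get("name", "<unnamed task>")
            viewer_http_allowed = False
            for location, behavior in _cache_behaviors(params):
                policy = behavior.get("viewer_protocol_policy")
                if policy not in SAFE_VIEWER_POLICIES:
                    viewer_http_allowed = True
                    findings.append((name, location, "viewer_protocol_policy", policy))
            for i, origin in enumerate(params.get("origins") or []):
                custom = origin.get("custom_origin_config") if isinstance(origin, dict) else None
                if not isinstance(custom, dict):
                    continue
                policy = custom.get("origin_protocol_policy")
                if policy == "http-only" or (policy == "match-viewer" and viewer_http_allowed):
                    findings.append((name, f"origins[{i}]", "origin_protocol_policy", policy))
    return findings


def sample_playbook(viewer_policy, origin_policy=None):
    """Build a play mirroring the page's example (constructed here for testing).

    origin_policy, when given, adds a custom_origin_config to the origin; the page's
    own examples do not set one.
    """
    origin = {"id": "my test origin-000111", "domain_name": "www.example.com"}
    if origin_policy is not None:
        origin["custom_origin_config"] = {"origin_protocol_policy": origin_policy}
    return [{
        "name": "Example playbook",
        "hosts": "localhost",
        "tasks": [{
            "name": "create a distribution",
            MODULE: {
                "state": "present",
                "origins": [origin],
                "default_cache_behavior": {
                    "target_origin_id": "my test origin-000111",
                    "viewer_protocol_policy": viewer_policy,
                },
            },
        }],
    }]


if __name__ == "__main__":
    # The page's vulnerable setting plus a match-viewer origin: both legs get reported.
    for finding in find_http_allowed(sample_playbook("allow-all", "match-viewer")):
        print("HTTP allowed:", finding)
```

The viewer-side check alone reproduces the rule as written; the origin-side check is the extra verification a reviewer would want before closing the finding, since switching viewers to HTTPS does nothing for an origin configured as http-only.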