Plugin Title Public S3 CloudFront Origin
Cloud AWS
Category CloudFront
Description Detects the use of an S3 bucket as a CloudFront origin without an origin access identity
More Info When S3 is used as an origin for a CloudFront bucket, the contents should be kept private and an origin access identity should allow CloudFront access. This prevents someone from bypassing the caching benefits that CloudFront provides, repeatedly loading objects directly from S3, and amassing a large access bill.
AWS Link http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Recommended Action Create an origin access identity for CloudFront, then make the contents of the S3 bucket private.


Detailed Remediation Steps

    1.Log into the AWS Management Console.
  1. Select the "Services" option and search for CloudFront.
  2. Select the "CloudFront Distribution" that needs to be verified.
  3. Click the "Distribution Settings" button from menu to get into the "CloudFront Distribution" configuration page.
  4. Click the "Origins and Origin Groups" button from the top menu to get into the "Origins" configuration page and select the "Origin" which needs to be verified.
  5. Click the "Edit" button from the "Origins" tab on the menu.
  6. On the Origin Settings, verify the "Restrict Bucket Access".If Restrict Bucket Access is set to No then the access to the S3 bucket used as the origin is not secured.
  7. On the "Restrict Bucket Access" choose "Yes" so it requires that users always access your Amazon S3 content using CloudFront URLs, not Amazon S3 URLs.
  8. On the "Origin Access Identity" choose "Create a New Identity" and if already have an origin access identity, click use an "Existing Identity". Enter a comment that can be used to identify the new origin access identity.
  9. Click on the "Yes, Update Bucket Policy" on "Grant Read Permissions on Bucket" so CloudFront updates bucket permissions to grant the specified origin access identity the permission to read files in your bucket.
  10. Click on "Yes,Edit" button to save the changes.
  11. Navigate to "S3 bucket dashboard" and choose the S3 bucket used to verify the "Permissions" on S3 bucket.
  12. Click the "Permissons" tab from menu to get into the "Public access settings" for the bucket.
  13. Click on the "Edit" button and scroll down to "Manage public access control lists" and "Manage public bucket policies" to verify the "Permissions". Select the "Permissions" and click on "Save" to make the contents of the S3 bucket private.
  14. Repeat the steps number 6 and 7 to verify origin access identity for CloudFront.

Want to scan for this risk automatically?

Get Started Now