Plugin Title Secure CloudFront Origin
Cloud AWS
Category CloudFront
Description Detects the use of secure web origins with secure protocols for CloudFront.
More Info Traffic passed between the CloudFront edge nodes and the backend resource should be sent over HTTPS with modern protocols for all web-based origins.
AWS Link http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web.html
Recommended Action Ensure that traffic sent between CloudFront and its origin is passed over HTTPS and uses TLSv1.1 or higher. Do not use the match-viewer option.


Detailed Remediation Steps

  1. Log into the AWS Management Console.
  2. Select the "Services" option and search for CloudFront.
  3. Select the "CloudFront Distribution" that needs to be verified.
  4. Click the "Distribution Settings" button from menu to get into the "CloudFront Distribution" configuration page.
  5. Select the Origins tab and choose the distribution origin that needs to be verified.
  6. On the Origin Settings page, ensure TLSv1.1 or higher protocol is enabled.
  7. On the Origin Settings page, verify the "Origin Protocol Policy" is set to "HTTPS Only".
  8. Scroll down and click on "Yes,Edit" and save the changes.
  9. Repeat steps number 5, 6 and 7 to verify another CloudFront Distribution.

Want to scan for this risk automatically?

Get Started Now