6.4 Ensure Geo-Restriction is enabled within Cloudfront Distribution

Information

Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately. If the content is not currently in that edge location, CloudFront retrieves it from a customer-defined origin, such as AWS S3, AWS ELB or EC2.
Geo-restriction provides the ability to block client IP addresses, based on their Geo IP location, from reaching your CDN or web application resources. It can be used to assist in mitigating DoS attacks.

Solution

Using the Amazon unified command line interface:

* To enable geo-restriction, first save the current distribution config locally:

aws cloudfront get-distribution-config --id _<application_cfn_distribution_id_> --query "DistributionConfig" > /tmp/cf-distribution.json

* Edit the GeoRestriction section (under Restrictions) in /tmp/cf-distribution.json with the desired configuration (similar to the sample below). Quantity must equal the number of entries in Items, and each item is an ISO 3166-1 alpha-2 country code:

"Restrictions": {
    "GeoRestriction": {
        "RestrictionType": "_<blacklist|whitelist>_",
        "Quantity": 2,
        "Items": ["_<country_code_1>_", "_<country_code_2>_"]
    }
},

* Retrieve the current ETag of your CloudFront distribution:

aws cloudfront get-distribution-config --id _<application_cfn_distribution_id_> --query "ETag"

* Update the CloudFront distribution using the edited config and the ETag retrieved above:

aws cloudfront update-distribution --id _<application_cfn_distribution_id_> --distribution-config file:///tmp/cf-distribution.json --if-match _<application_cfn_distribution_etag_>
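The audit check and the config edit from the steps above, as an added example that is not part of the CIS benchmark or the plugin. It works on the DistributionConfig JSON that `get-distribution-config` returns (a constructed sample is embedded), so it runs offline; pushing the result back still requires the `update-distribution --if-match <ETag>` call shown above.

```python
"""Audit and remediate geo-restriction on a CloudFront DistributionConfig."""
import copy
import json
import re

# CloudFront expects ISO 3166-1 alpha-2 country codes, upper case.
COUNTRY_CODE = re.compile(r"^[A-Z]{2}$")


def geo_restriction_enabled(distribution_config: dict) -> bool:
    """Audit check: True only when a blacklist/whitelist with >= 1 country is set."""
    geo = distribution_config.get("Restrictions", {}).get("GeoRestriction", {})
    items = geo.get("Items", [])
    return geo.get("RestrictionType") in ("blacklist", "whitelist") and len(items) > 0


def set_geo_restriction(distribution_config: dict, restriction_type: str, countries: list) -> dict:
    """Return a copy of the config with the GeoRestriction block rewritten.

    Quantity is derived from the list so it can never disagree with Items
    (the API rejects a mismatch with an InconsistentQuantities error).
    """
    if restriction_type not in ("blacklist", "whitelist"):
        raise ValueError("RestrictionType must be 'blacklist' or 'whitelist'")
    codes = sorted({c.upper() for c in countries})
    bad = [c for c in codes if not COUNTRY_CODE.match(c)]
    if bad or not codes:
        raise ValueError(f"invalid or empty country list: {bad or countries}")
    updated = copy.deepcopy(distribution_config)  # leave the original untouched
    updated["Restrictions"] = {
        "GeoRestriction": {"RestrictionType": restriction_type, "Quantity": len(codes), "Items": codes}
    }
    return updated


# Constructed sample: the shape get-distribution-config returns, with no restriction set.
SAMPLE_CONFIG = {
    "CallerReference": "example-ref",
    "Enabled": True,
    "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0}},
}

if __name__ == "__main__":
    print("compliant before:", geo_restriction_enabled(SAMPLE_CONFIG))
    fixed = set_geo_restriction(SAMPLE_CONFIG, "whitelist", ["us", "de"])
    print("compliant after:", geo_restriction_enabled(fixed))
    # This is the block to place in /tmp/cf-distribution.json before update-distribution.
    print(json.dumps(fixed["Restrictions"], indent=2))
```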

See Also

https://workbench.cisecurity.org/files/260

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7(11)

Plugin: amazon_aws

Control ID: 4b34b9a14ac9c96b1a7b2e7e02487b3d5cf97d3a37caa82b5e8173ca4d9eedda