Ensure field-level encryption is enabled for AWS CloudFront distribution

MEDIUM

Description

CloudFront field-level encryption encrypts selected fields of HTTPS POST form submissions at the CloudFront edge, using an RSA public key you upload to CloudFront, before the request is forwarded to your origin. Only the component that holds the matching private key can decrypt those values, so data such as payment card numbers stays opaque to every intermediate tier between the edge and the backend (load balancers, application servers, request logs). Up to 10 fields can be encrypted in a single request, and encryption applies only to POST bodies with a content type of application/x-www-form-urlencoded. A distribution whose cache behaviors carry no field-level encryption configuration forwards these fields to the origin protected by TLS only, where they are exposed in clear text to everything behind the TLS termination point. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the CloudFront Console.
  2. Under Distributions, select the distribution that requires field-level encryption.
  3. Under Behaviors, select the specific behavior to update and choose Edit.
  4. Under Viewer, make sure Allowed HTTP methods includes POST, and check that the origin used by this behavior has its Origin protocol policy set to HTTPS only; field-level encryption cannot be enabled otherwise.
  5. Expand Additional settings.
  6. Under Field-level encryption, choose the field-level encryption configuration (the configuration maps request content types to the profile that lists the fields and the public key; a public key and a profile must already exist before a configuration can be created).
  7. Select Save changes.

In Terraform -

  1. In the aws_cloudfront_distribution, set field_level_encryption_id on the default_cache_behavior and on every ordered_cache_behavior that receives the sensitive form posts to the ID of an aws_cloudfront_field_level_encryption_config (not the profile ID). The behavior must allow POST in allowed_methods and the origin's custom_origin_config must use origin_protocol_policy = "https-only".
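
The complete Terraform remediation, as an added example rather than code from the rule or from AWS: it creates the public key, the profile, the configuration, and a distribution whose default cache behavior references the configuration. The key file path, origin hostname, form field names and resource names are assumptions chosen for the example.

```hcl
# Added example, not the rule's own code. The PEM path, origin hostname and
# field names ("card_number", "card_cvv") are assumed placeholders.

# 1. RSA 2048-bit public key CloudFront uses to encrypt the fields at the edge.
#    The matching private key stays only with the backend allowed to read them.
resource "aws_cloudfront_public_key" "fle" {
  name        = "payments-fle-key"
  comment     = "Field-level encryption key for payment form fields"
  encoded_key = file("${path.module}/fle-public-key.pem") # assumed path
}

# 2. Profile: which fields to encrypt and with which key (at most 10 per request).
resource "aws_cloudfront_field_level_encryption_profile" "payments" {
  name    = "payments-form"
  comment = "Encrypt card data before it reaches the origin"

  encryption_entities {
    items {
      public_key_id = aws_cloudfront_public_key.fle.id
      provider_id   = "payments-backend" # free-form label for the key owner
      field_patterns {
        items = ["card_number", "card_cvv"] # assumed form field names
      }
    }
  }
}

# 3. Configuration: maps a request content type to the profile. Only
#    application/x-www-form-urlencoded POST bodies are supported.
resource "aws_cloudfront_field_level_encryption_config" "payments" {
  comment = "Apply the payments profile to form posts"

  content_type_profile_config {
    # true forwards bodies with an unlisted content type unencrypted;
    # false makes CloudFront reject them. Test before switching to false.
    forward_when_content_type_is_unknown = true
    content_type_profiles {
      items {
        content_type = "application/x-www-form-urlencoded"
        format       = "URLEncoded"
        profile_id   = aws_cloudfront_field_level_encryption_profile.payments.id
      }
    }
  }

  query_arg_profile_config {
    forward_when_query_arg_profile_is_unknown = true
  }
}

# 4. Distribution: attach the configuration to the behavior that receives the posts.
resource "aws_cloudfront_distribution" "payments" {
  enabled = true
  comment = "Distribution with field-level encryption on the default behavior"

  origin {
    domain_name = "payments.example.com" # assumed origin hostname
    origin_id   = "payments-origin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only" # required for field-level encryption
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id       = "payments-origin"
    viewer_protocol_policy = "https-only"
    # POST must be allowed; CloudFront only offers this set or the two GET-only sets.
    allowed_methods = ["GET", "HEAD", "OPTIONS", "PUT", "POST", "PATCH", "DELETE"]
    cached_methods  = ["GET", "HEAD"]

    # The setting this rule checks: the configuration ID, not the profile ID.
    field_level_encryption_id = aws_cloudfront_field_level_encryption_config.payments.id

    forwarded_values {
      query_string = true
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

After `terraform apply`, a POST of the form fields to the distribution arrives at the origin with `card_number` and `card_cvv` replaced by ciphertext that only the holder of the private key can decrypt; any behavior left without `field_level_encryption_id` still forwards those fields in clear text to the origin and will continue to be flagged by this rule.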

For more information on creating the public key, the field-level encryption profile and the configuration that is attached to the cache behavior, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/field-level-encryption.html?icmpid=docs_cf_help_panel#field-level-encryption-setting-up
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#field_level_encryption_id

Policy Details

Rule Reference ID: AC_AWS_0388
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: CloudFront

Frameworks