Ensure failover criteria are set for AWS CloudFront distributions

MEDIUM

Description

CloudFront can be configured to fail over when it receives a specific HTTP status code response from an origin (403, 404, 500, 502, 503 or 504), or when the connection to the origin fails or times out. This helps ensure that CloudFront sends requests to a secondary origin when the primary one becomes unreachable or starts returning errors. Failover requires an origin group, which pairs exactly two origins: a primary and a secondary. The group, not an individual origin, is then referenced by the cache behavior. Note that CloudFront only fails over for GET, HEAD and OPTIONS requests; other methods are sent to the primary origin only. For more information, see the AWS documentation.
References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/high_availability_origin_failover.html

Remediation

In AWS console -

  1. Open the CloudFront console and find the list of distributions in the top pane.
  2. Select the distribution to update.
  3. Choose the Origins tab. Confirm that at least two origins are configured; create a second origin if necessary.
  4. Use the Origin groups pane to create an origin group.
  5. Configure the origin group's basic settings: a name, the primary origin and the secondary origin.
  6. Select the HTTP status codes that should trigger failover as the failover criteria.
  7. On the Behaviors tab, point the relevant cache behavior at the origin group rather than at the primary origin, otherwise the failover criteria are never evaluated.

In Terraform -

  1. In the aws_cloudfront_distribution resource, declare an 'origin_group' block with two 'member' blocks, set 'status_codes' in its 'failover_criteria' block as needed, and set 'target_origin_id' in the cache behavior to the origin group's 'origin_id'.
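The following is an added example of a compliant configuration, not code from the original page or from AWS. It declares two custom origins, an origin group that fails over from the first to the second on the listed status codes, and a default cache behavior that targets the group. The domain names and origin IDs are placeholders chosen for illustration.

```hcl
# Added example: aws_cloudfront_distribution with an origin group and failover criteria.
# Domain names and IDs are placeholders.
resource "aws_cloudfront_distribution" "example" {
  enabled = true
  comment = "Distribution with origin failover"

  # Primary origin
  origin {
    domain_name = "origin-a.example.com"
    origin_id   = "primaryOrigin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  # Secondary origin used when the primary fails
  origin {
    domain_name = "origin-b.example.com"
    origin_id   = "secondaryOrigin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  # The origin group pairs the two origins; the first member is the primary.
  origin_group {
    origin_id = "failoverGroup"

    # Status codes from the primary that trigger a retry against the secondary.
    # Only 403, 404, 500, 502, 503 and 504 are accepted by CloudFront.
    failover_criteria {
      status_codes = [500, 502, 503, 504]
    }

    member {
      origin_id = "primaryOrigin"
    }

    member {
      origin_id = "secondaryOrigin"
    }
  }

  # The behavior must target the group, not an individual origin,
  # or the failover criteria are never applied.
  default_cache_behavior {
    target_origin_id       = "failoverGroup"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

Whether 403 and 404 belong in the list depends on the application: including them makes a missing object on the primary retry against the secondary, which is useful for replicated S3 buckets but can double origin load if 404s are common. Remember that failover is only attempted for GET, HEAD and OPTIONS requests, so the secondary origin will not receive POST or PUT traffic even when the primary is down.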

References:
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution#status_codes

Policy Details

Rule Reference ID: AC_AWS_0020
CSP: AWS
Remediation Available: Yes
Domain: Resilience
Resource Category: Virtual Network
Resource Type: CloudFront

Frameworks