Ensure there is an encrypted connection between AWS CloudFront server and Origin server

HIGH

Description

An unencrypted connection between the CloudFront edge and the origin server exposes data in transit to interception or tampering, which can result in data loss.

Remediation

In AWS Console -

  1. Sign in to the AWS Console and open the CloudFront Console.
  2. Under Distributions, select the distribution that requires a secure setting.
  3. Under Origins, select the specific Origin to update (Note: this will only work on non-S3 origins; S3 origins cannot use HTTPS).
  4. For Protocol, choose HTTPS Only with TLSv1.2 selected.
  5. Select Save changes.

In Terraform -

  1. In the aws_cloudfront_distribution, set the ordered_cache_behavior.viewer_protocol_policy to either https-only or redirect-to-https.
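
The following is an added worked example, not part of the original rule page. It shows a minimal aws_cloudfront_distribution that sets the viewer-side viewer_protocol_policy named in the step above and, for the CloudFront-to-origin leg that this rule is about, custom_origin_config.origin_protocol_policy with origin_ssl_protocols restricted to TLSv1.2. The origin domain and IDs are placeholders.

```hcl
# Added example (not from the rule page): a custom (non-S3) origin whose
# CloudFront-to-origin connection is forced to HTTPS with TLSv1.2.
# "origin.example.com" and "web-origin" are placeholder values.

resource "aws_cloudfront_distribution" "web" {
  enabled = true

  origin {
    domain_name = "origin.example.com" # placeholder custom origin
    origin_id   = "web-origin"

    custom_origin_config {
      http_port  = 80
      https_port = 443
      # CloudFront -> origin. The weak settings flagged by this rule are
      # "http-only" and "match-viewer"; "https-only" always uses TLS.
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    target_origin_id = "web-origin"
    # Viewer -> CloudFront, the setting named in the Terraform step above.
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

A `terraform plan` against an existing distribution will show the origin_protocol_policy change as an in-place update; confirm the origin actually serves a valid certificate for its domain first, or CloudFront will return 502 errors once the policy is applied.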

For more information, see the AWS or Terraform documentation.

References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution

Policy Details

Rule Reference ID: AC_AWS_0547
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: CloudFront

Frameworks