An AWS CloudFront distribution allows unencrypted communications over HTTP

  • GG_ID: GG_IAC_0019
  • Severity: CRITICAL
  • Complexity: HIGH
  • Categories: DATA, NETWORK
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: True
  • Privileges required: False


Amazon CloudFront can accept several kinds of viewer connections, including unencrypted HTTP. In that case, a malicious actor with sufficient network access could eavesdrop on the communications and read them in plaintext.


The data exchanged with CloudFront could be compromised.

Remediation guidelines

Switch the AWS CloudFront viewer_protocol_policy parameter from "allow-all" to either "https-only" or "redirect-to-https". Make the change in the IaC configuration first; it can also be applied to the already deployed infrastructure using the CloudFront console or the CloudFront API. Note that if you are serving content for your own domain name, you may have to perform some extra steps: see the official AWS documentation referenced below.
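The following Terraform resource is an added example, not part of the GitGuardian page, showing where viewer_protocol_policy lives in an aws_cloudfront_distribution and what the remediated value looks like. The resource name, origin domain and origin id are placeholders; the weak value that triggers GG_IAC_0019 is shown in a comment next to the hardened one.

```hcl
# Added example (not from the original page). Placeholder names throughout.
resource "aws_cloudfront_distribution" "site" {
  enabled = true

  origin {
    domain_name = "example-bucket.s3.amazonaws.com" # placeholder origin
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    target_origin_id = "s3-origin"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]

    # Weak setting flagged by GG_IAC_0019:
    #   viewer_protocol_policy = "allow-all"   # plain HTTP accepted, traffic readable on the wire
    # Remediated: send HTTP viewers to HTTPS (or use "https-only" to refuse HTTP outright).
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  # Every ordered_cache_behavior block carries its own viewer_protocol_policy;
  # each one must be hardened too, otherwise a path pattern stays reachable over HTTP.
  ordered_cache_behavior {
    path_pattern     = "/static/*"
    target_origin_id = "s3-origin"
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]

    viewer_protocol_policy = "https-only"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # With the default *.cloudfront.net certificate, HTTPS works with no extra steps.
  # When serving a custom domain (aliases), this block instead needs an ACM
  # certificate (acm_certificate_arn plus ssl_support_method) before HTTPS
  # enforcement can succeed; that is the "extra steps" case mentioned above.
  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

After changing the value, `terraform plan` should show an in-place update of the cache behaviour only; the redirect-to-https choice is usually preferred over https-only when existing clients still have http:// links, since it keeps them working while moving them onto TLS.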

External documentation