An AWS CloudFront distribution allows unencrypted communications over HTTP
| Severity | Exploitability | Providers | Categories |
|---|---|---|---|
| CRITICAL | LOW | AWS | DATA, NETWORK |
Description
Amazon CloudFront can accept several types of viewer connections, including plain HTTP, which is unencrypted. In that case, a malicious actor with sufficient network access could eavesdrop on the traffic and read it in plaintext.
Impact
| Potential data exposure | Visible in logs | User interaction required | Privileges required |
|---|---|---|---|
| True | False | True | False |
The data exchanged with CloudFront could be compromised.
Remediation guidelines
Switch the AWS CloudFront viewer_protocol_policy parameter from "allow-all" to either "https-only" or "redirect-to-https". This should first be done in the IaC configuration. It can also be changed on the deployed infrastructure using the CloudFront console or the CloudFront API. Note that if you are serving content under your own domain name, you may have to perform some extra steps: see the referenced official AWS documentation.