Amazon CloudFront

Insecure CloudFront Origin Protocol

This plugin detects the use of insecure web origins with secure protocols for CloudFront.

Risk Level: Medium

Description: 

This plugin detects CloudFront distributions whose custom origins still accept outdated SSL/TLS protocols on the connection between CloudFront and the origin. The Origin SSL Protocols setting of each custom origin lists the protocols CloudFront may negotiate with the backend (SSLv3, TLSv1, TLSv1.1 and TLSv1.2 can be selected). Traffic between the CloudFront edge locations and the backend should be sent to every web-based origin using current protocols only.

PingSafe strongly recommends ensuring that traffic sent between CloudFront and its origin uses TLSv1.1 or higher, i.e. that SSLv3 and TLSv1 are not enabled for any origin.

About the Service :

Amazon CloudFront is a web service that speeds up delivery of your web content, such as .html, .css, .js and image files, to your users. CloudFront serves your content through a worldwide network of data centers called edge locations. When a user requests content that you serve with CloudFront, the request is routed to the edge location with the lowest latency, so that the content is delivered with the best possible performance.

Impact : 

If a distribution allows outdated protocols such as SSLv3 or TLSv1 on the connection between CloudFront and the origin server, that link inherits the known weaknesses of those protocols. An attacker positioned between the CloudFront edge and the origin can exploit them to intercept or tamper with the traffic in a man-in-the-middle attack, even though the viewer's own connection to CloudFront is secure.

Steps to reproduce :

  1. Log in to the AWS Console.
  2. Go to the CloudFront dashboard (https://console.aws.amazon.com/cloudfront/).
  3. Click Distributions in the left panel to list the distributions, then open the distribution you want to check.
  4. On the Origins tab, select the custom origin that you want to verify.
  5. On the Origin Settings page, check the protocols enabled under Origin SSL Protocols. If SSLv3 or TLSv1 is enabled for the origin, the CloudFront configuration is insecure. S3 origins do not expose this setting, so only custom origins need to be checked.

Steps for remediation :

  1. Log in to the AWS Console.
  2. Go to the CloudFront dashboard (https://console.aws.amazon.com/cloudfront/).
  3. Click Distributions in the left panel to list the distributions, then open the distribution you want to fix.
  4. On the Origins tab, select the custom origin that you want to update.
  5. On the Origin Settings page, review the protocols enabled under Origin SSL Protocols.
  6. Uncheck SSLv3 and TLSv1 so that only TLSv1.1 and TLSv1.2 remain selected, then click Yes, Edit to save the changes. Repeat for every custom origin of every distribution.
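The console steps above (both the check and the remediation) can be automated against the JSON that `aws cloudfront get-distribution-config` returns. The following Python script is an added example written for this page, not PingSafe's plugin code or anything from AWS: it walks the `Origins` of a distribution config, flags every custom origin that still lists SSLv3 or TLSv1, and builds the hardened config with those protocols removed. It goes slightly beyond the console check by also flagging origins whose Origin Protocol Policy is `http-only`, since no SSL protocol setting matters when CloudFront talks plain HTTP to the backend. The sample distribution config, origin IDs and domain names are constructed for the example.

```python
"""Audit a CloudFront DistributionConfig for insecure origin protocols and
compute the hardened config. Added example for this page, not PingSafe's
plugin logic. SAMPLE_DISTRIBUTION_CONFIG is constructed to mimic the
"DistributionConfig" member returned by `aws cloudfront get-distribution-config`."""
import copy
import json

# Protocols CloudFront can offer to a custom origin, weakest first.
ALL_ORIGIN_SSL_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
# The page's threshold: anything below TLSv1.1 is treated as insecure.
WEAK_ORIGIN_SSL_PROTOCOLS = {"SSLv3", "TLSv1"}

# Constructed sample, not a real distribution.
SAMPLE_DISTRIBUTION_CONFIG = {
    "Origins": {
        "Quantity": 3,
        "Items": [
            {   # custom origin still allowing legacy protocols -> finding
                "Id": "legacy-api",
                "DomainName": "api.example.internal",
                "CustomOriginConfig": {
                    "OriginProtocolPolicy": "https-only",
                    "OriginSslProtocols": {"Quantity": 3,
                                           "Items": ["SSLv3", "TLSv1", "TLSv1.2"]},
                },
            },
            {   # custom origin reached over cleartext HTTP -> finding
                "Id": "plain-http",
                "DomainName": "app.example.internal",
                "CustomOriginConfig": {
                    "OriginProtocolPolicy": "http-only",
                    "OriginSslProtocols": {"Quantity": 2,
                                           "Items": ["TLSv1.1", "TLSv1.2"]},
                },
            },
            {   # S3 origin: CloudFront manages TLS, no OriginSslProtocols here
                "Id": "static-assets",
                "DomainName": "assets.s3.amazonaws.com",
                "S3OriginConfig": {"OriginAccessIdentity": ""},
            },
        ],
    }
}


def find_insecure_origins(distribution_config):
    """Return a list of (origin_id, reason) for origins that let CloudFront
    reach the backend over SSLv3/TLSv1, or over plain HTTP."""
    findings = []
    for origin in distribution_config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins expose no Origin SSL Protocols setting
        enabled = custom["OriginSslProtocols"]["Items"]
        weak = WEAK_ORIGIN_SSL_PROTOCOLS.intersection(enabled)
        if weak:
            findings.append((origin["Id"],
                             "weak origin SSL protocols: " + ", ".join(sorted(weak))))
        if custom["OriginProtocolPolicy"] == "http-only":
            findings.append((origin["Id"], "origin protocol policy is http-only"))
    return findings


def harden_distribution_config(distribution_config):
    """Return a deep copy with SSLv3/TLSv1 removed from every custom origin.
    The copy is what you would send back with `aws cloudfront update-distribution`."""
    hardened = copy.deepcopy(distribution_config)
    for origin in hardened["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue
        kept = [p for p in custom["OriginSslProtocols"]["Items"]
                if p not in WEAK_ORIGIN_SSL_PROTOCOLS]
        if not kept:
            kept = ["TLSv1.2"]  # never leave an origin with an empty protocol list
        custom["OriginSslProtocols"] = {"Quantity": len(kept), "Items": kept}
    return hardened


if __name__ == "__main__":
    for origin_id, reason in find_insecure_origins(SAMPLE_DISTRIBUTION_CONFIG):
        print(f"FINDING {origin_id}: {reason}")
    hardened = harden_distribution_config(SAMPLE_DISTRIBUTION_CONFIG)
    print(json.dumps(hardened["Origins"], indent=2))
```

To run this against a real distribution, feed it the `DistributionConfig` member of `aws cloudfront get-distribution-config --id <distribution-id>`, and push the hardened copy back with `aws cloudfront update-distribution --id <distribution-id> --if-match <ETag from the get call> --distribution-config file://hardened.json`. The `http-only` finding is not something the protocol list can fix; it needs the Origin Protocol Policy changed to HTTPS only and an origin that actually serves TLS.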

 

References: