Skip to main content

CloudFront distributions should encrypt traffic to custom origins

Severity: Medium

Resource Types: AWS::CloudFront::Distribution

Description

This control checks if Amazon CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol policy allows 'http-only'. This control also fails if the distribution's origin protocol policy is 'match-viewer' while the viewer protocol policy is 'allow-all'.

HTTPS (TLS) can be used to help prevent eavesdropping or manipulation of network traffic. Only encrypted connections over HTTPS (TLS) should be allowed.

Remediation

To update the Origin Protocol Policy to require encryption for your CloudFront connections, see Requiring HTTPS for communication between CloudFront and your custom origin in the Amazon CloudFront Developer Guide.