AWS Config Rule: CloudFront Traffic to Origin Encrypted
CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED
Ryan Ware
Last Update 5 months ago
Description: Checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if ‘OriginProtocolPolicy’ is ‘http-only’ or if ‘OriginProtocolPolicy’ is ‘match-viewer’ and ‘ViewerProtocolPolicy’ is ‘allow-all’.
AWS Region: Only available in US East (N. Virginia) Region
Trigger type: Configuration changes
How to Resolve Manually
It is worth noting that 'OriginProtocolPolicy' only applies to CloudFront distribution origins that do not use Amazon S3 as the origin domain. If you use Amazon S3 as an origin domain, this AWS Config rule does not apply.
If you are using an alternate origin domain, such as API Gateway, you will see the Protocol setting appear in the Origin Settings, as shown in the picture below.
To remediate this Config rule when it is non-compliant, ensure that this Protocol is set to HTTPS Only.
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our How It Works section with easy-to-follow videos, or just create your own StackZone account here.