CloudFront distributions which accept unencrypted traffic respond to requests in plain text, compromising all information sent and received.
AWS CloudFront distributes content from your application to end users, making it the first point of contact in your request chain, so it is crucial that your CloudFront distributions are configured to handle requests securely. Responding to unencrypted requests means the communication between the user and CloudFront is in plain text, leaving both the request and the response fully exposed to anyone positioned on the network path. Not only can CloudFront and the user's machine view the full request; every hop along the route, from the user's local network through ISPs to the CloudFront edge, can read the entire request and response body. On shared networks such as offices, multi-user homes, or public Wi-Fi, plain text traffic can be intercepted and read by other users of the same network.
Even if the content is intended to be public, unencrypted communication exposes exactly what each user requests from your service, compromising user privacy. There are also reputational and SEO consequences: major browsers mark plain HTTP pages as "Not secure" and search engines favour HTTPS sites. Providing services over unencrypted HTTP is no longer viable given the risks to user privacy and business reputation.
Fortunately, AWS makes securing a CloudFront distribution simple. By requesting a public certificate for your domain in AWS Certificate Manager (ACM) and attaching it to the distribution, you ensure traffic is delivered to users encrypted. ACM also renews the certificate automatically, ensuring ongoing secure communication for your domain.
SkySiege's AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions, with the report delivered the same day.
Unfortunately there is no universal fix for this issue. In most scenarios, redirecting all insecure traffic to a secure endpoint with an appropriate TLS configuration is all that is needed to prevent insecure communications. However, this depends on a number of elements, such as whether a secure endpoint already exists for your domain and whether your clients can be expected to follow a redirect rather than failing outright.
To get advice or to automatically detect this issue, find out more about our Vulnerability Assessment:
If you use the CloudFront-provided domain name (*.cloudfront.net), only step 4 below is needed, because CloudFront already holds a certificate for that name. Otherwise, if a secure endpoint is available and clients can be expected to follow a redirect for your custom domain, the CloudFront configuration is straightforward:

1. Request (or import) a public certificate for your domain in AWS Certificate Manager in the us-east-1 region; CloudFront only accepts certificates from that region.
2. Add your domain to the distribution's Alternate Domain Name (CNAME) settings.
3. Under Custom SSL Certificate, select the corresponding ACM certificate for that domain.
4. Set the Viewer Protocol Policy on the default cache behaviour, and on every additional cache behaviour, to "Redirect HTTP to HTTPS" (or "HTTPS Only" if clients never need to be redirected).
Detailed instructions for this can be found in the AWS Documentation.
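As an added example (not the page's or SkySiege's scanner code), the following Python audits a CloudFront distribution configuration for the weakness described above and produces the hardened form of steps 1 to 4. It operates on the DistributionConfig structure that boto3's cloudfront.get_distribution_config() returns, so the same functions can be pointed at live output; the sample distribution, origin names and certificate ARN below are constructed for the example and are not real resources.

```python
"""Audit and harden a CloudFront DistributionConfig for plaintext viewers.

Added example, not SkySiege's scanner or AWS code. It works on the
DistributionConfig dict that boto3's cloudfront.get_distribution_config()
returns; a constructed sample is embedded so the script runs offline.
"""
import copy
from typing import Any, Dict, Iterator, List, Optional, Tuple

# Viewer protocol policies that never answer a request over plain HTTP.
SECURE_VIEWER_POLICIES = {"redirect-to-https", "https-only"}
# Of CloudFront's security policies, only the TLSv1.2_* ones refuse TLS 1.0/1.1.
RECOMMENDED_MIN_TLS = "TLSv1.2_2021"
# CloudFront only accepts ACM certificates issued in this region.
ACM_REGION_FOR_CLOUDFRONT = "us-east-1"

# Constructed sample (not a real account): a custom domain, a default
# behaviour that still accepts HTTP, and one path that was fixed already.
SAMPLE_CONFIG: Dict[str, Any] = {
    "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "app-origin",
        "ViewerProtocolPolicy": "allow-all",
    },
    "CacheBehaviors": {
        "Quantity": 2,
        "Items": [
            {"PathPattern": "/api/*", "TargetOriginId": "app-origin",
             "ViewerProtocolPolicy": "https-only"},
            {"PathPattern": "/static/*", "TargetOriginId": "assets-origin",
             "ViewerProtocolPolicy": "allow-all"},
        ],
    },
    # Default *.cloudfront.net certificate: HTTPS cannot work for the alias.
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": True,
        "MinimumProtocolVersion": "TLSv1",
    },
}


def _behaviors(config: Dict[str, Any]) -> Iterator[Tuple[str, Dict[str, Any]]]:
    """Yield (label, behaviour) for the default behaviour and every path behaviour."""
    yield "default", config["DefaultCacheBehavior"]
    for behavior in config.get("CacheBehaviors", {}).get("Items", []):
        yield behavior["PathPattern"], behavior


def find_plaintext_behaviors(config: Dict[str, Any]) -> List[str]:
    """Labels of behaviours whose viewer policy still serves responses over HTTP."""
    return [label for label, b in _behaviors(config)
            if b.get("ViewerProtocolPolicy") not in SECURE_VIEWER_POLICIES]


def certificate_findings(config: Dict[str, Any]) -> List[str]:
    """Problems with the viewer certificate that stop HTTPS from being usable."""
    findings: List[str] = []
    cert = config.get("ViewerCertificate", {})
    has_aliases = config.get("Aliases", {}).get("Quantity", 0) > 0
    arn = cert.get("ACMCertificateArn")
    if has_aliases and not arn:
        findings.append("alternate domain names are set but no ACM certificate is "
                        "attached, so HTTPS only works on the *.cloudfront.net name")
    if arn:
        region = arn.split(":")[3]  # arn:aws:acm:<region>:<account>:certificate/<id>
        if region != ACM_REGION_FOR_CLOUDFRONT:
            findings.append(f"certificate {arn} is in {region}; CloudFront requires "
                            f"{ACM_REGION_FOR_CLOUDFRONT}")
        # The TLS floor is only configurable once a custom certificate is attached.
        if not cert.get("MinimumProtocolVersion", "").startswith("TLSv1.2"):
            findings.append("minimum protocol version allows TLS 1.0/1.1; "
                            f"use {RECOMMENDED_MIN_TLS}")
    return findings


def harden(config: Dict[str, Any],
           acm_certificate_arn: Optional[str] = None) -> Dict[str, Any]:
    """Return a copy with HTTP redirected to HTTPS on every behaviour (step 4).

    When a us-east-1 ACM certificate ARN is given it is attached with SNI and
    a TLS 1.2 floor (step 3); without one only step 4 is applied, which is
    enough for a distribution served on its *.cloudfront.net name.
    """
    fixed = copy.deepcopy(config)
    for _, behavior in _behaviors(fixed):
        if behavior.get("ViewerProtocolPolicy") not in SECURE_VIEWER_POLICIES:
            behavior["ViewerProtocolPolicy"] = "redirect-to-https"
    if acm_certificate_arn:
        fixed["ViewerCertificate"] = {
            "ACMCertificateArn": acm_certificate_arn,
            "SSLSupportMethod": "sni-only",
            "MinimumProtocolVersion": RECOMMENDED_MIN_TLS,
        }
    return fixed


if __name__ == "__main__":
    for label in find_plaintext_behaviors(SAMPLE_CONFIG):
        print(f"plaintext viewer access: behaviour {label}")
    for finding in certificate_findings(SAMPLE_CONFIG):
        print(f"certificate: {finding}")
    # Hypothetical ARN; substitute the one ACM issued for your domain in us-east-1.
    fixed = harden(SAMPLE_CONFIG, "arn:aws:acm:us-east-1:123456789012:certificate/example")
    print("after hardening:", find_plaintext_behaviors(fixed), certificate_findings(fixed))
```

On a live account you would fetch the config and its ETag with get_distribution_config(Id=...), run the two checks, and push the result of harden() back with update_distribution(Id=..., IfMatch=etag, DistributionConfig=...). A distribution still using the default *.cloudfront.net certificate cannot raise its minimum TLS version; that setting only becomes configurable once an ACM certificate from us-east-1 is attached, which is why the TLS check above is skipped until then.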