
Cloudfront distribution is field-level encrypted

cloudfront

Description

Ensure that AWS CloudFront field-level encryption is enabled.

Rationale

Field-level encryption encrypts the form fields you designate as sensitive, such as identification and credit card numbers, at the CloudFront edge using an RSA public key. The plaintext is therefore never exposed to the origin, to caches, or to other services that handle the request; only the component that holds the matching private key can decrypt those fields. It applies to POST bodies with content type application/x-www-form-urlencoded, so it is the right control for web forms that submit sensitive values, not a replacement for TLS.

Remediation

From the console

Follow the Setting Up Field-Level Encryption docs to enable field-level encryption.

From the command line

  1. Generate an RSA key pair in PEM format. CloudFront field-level encryption accepts only 2048-bit RSA public keys in PEM (SubjectPublicKeyInfo) encoding, so an SSH-format key produced by ssh-keygen is rejected. Keep the private key only with the service that must decrypt the fields.

    generate-key.sh

        openssl genrsa -out private_key.pem 2048
        openssl rsa -pubout -in private_key.pem -out public_key.pem

  2. Run create-public-key with the contents of public_key.pem as EncodedKey. Note the Id in the response; the profile in step 3 references it.

    create-public-key.sh

        aws cloudfront create-public-key \
            --public-key-config CallerReference="0123456789012",Name="public-key",EncodedKey="-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----",Comment="Field-level encryption public key."
  3. Write the profile configuration to a new JSON file. The profile names the public key by the Id returned in step 2 (PublicKeyId), a ProviderId your application uses to pick the matching private key, and the field name patterns to encrypt (my-provider and CreditCard below are placeholders). Configure any other options you require and save the file.

    public-key-id.json

        {
          ...
          "EncryptionEntities": {
            "Quantity": 1,
            "Items": [
              {
                "PublicKeyId": "PUBKEYID000000",
                "ProviderId": "my-provider",
                "FieldPatterns": { "Quantity": 1, "Items": [ "CreditCard" ] }
              }
            ]
          }
        }
        
  4. Run create-field-level-encryption-profile using the path of the configuration file saved in step 3 (the AWS CLI reads a JSON parameter from a file only with the file:// prefix). Note the profile Id in the response.

    create-field-level-encryption-profile.sh

        aws cloudfront create-field-level-encryption-profile \
            --field-level-encryption-profile-config file://public-key-id.json
  5. Write the field-level encryption configuration to a new JSON file, setting ProfileId to the profile Id from step 4. The profile is attached to a content type profile; URLEncoded with application/x-www-form-urlencoded is the form post format field-level encryption handles. Configure any other options you require and save the file.

    profile-id.json

        {
          ...
          "ContentTypeProfileConfig": {
            "ForwardWhenContentTypeIsUnknown": true,
            "ContentTypeProfiles": {
              "Quantity": 1,
              "Items": [
                {
                  "Format": "URLEncoded",
                  "ProfileId": "ABCD1234567890",
                  "ContentType": "application/x-www-form-urlencoded"
                }
              ]
            }
          }
        }
        
  6. Run create-field-level-encryption-config using the path of the configuration file saved in step 5. Note the Id in the response; it is the FieldLevelEncryptionId used in step 8.

    create-field-level-encryption-config.sh

        aws cloudfront create-field-level-encryption-config \
            --field-level-encryption-config file://profile-id.json
  7. Run get-distribution-config with your AWS CloudFront distribution ID to retrieve your distribution's configuration. The response contains the DistributionConfig object and an ETag; the ETag is required in step 9.

    get-distribution-config.sh

        aws cloudfront get-distribution-config \
            --id ID000000000000
  8. Save the DistributionConfig object from the response (the object itself, not the wrapper that also carries the ETag) in a new JSON file and set FieldLevelEncryptionId to the Id returned by create-field-level-encryption-config in step 6. Set it on DefaultCacheBehavior and on every CacheBehaviors item that serves the forms carrying sensitive fields; a behavior without it forwards those fields to the origin in plaintext. Configure any other options you require and save the file.

Note: ViewerProtocolPolicy and OriginProtocolPolicy must both be https-only for field-level encryption to be accepted on the distribution.

    field-level-encryption-id.json

        {
          ...
          "Origins": {
            "Items": [
              {
                ...
                "CustomOriginConfig": {
                  ...
                  "OriginProtocolPolicy": "https-only"
                }
              }
            ],
            ...
          },
          "DefaultCacheBehavior": {
            ...
            "FieldLevelEncryptionId": "ACBD1234567890",
            "ViewerProtocolPolicy": "https-only"
          },
          ...
        }
  9. Run update-distribution with your AWS CloudFront distribution ID, the configuration file saved in step 8, and the ETag from step 7 as --if-match to enable field-level encryption. The update is rejected if the ETag is stale, so re-run step 7 if the distribution changed in between.

    update-distribution.sh

        aws cloudfront update-distribution \
            --id ID000000000000 \
            --distribution-config file://field-level-encryption-id.json \
            --if-match E1000000000000
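The steps above edit one distribution by hand. The following is an added example, not code from the rule page or from AWS, that does the same work programmatically: it builds the profile and field-level encryption configs from steps 3 and 5, audits a DistributionConfig for the conditions this rule checks (FieldLevelEncryptionId on every cache behavior, https-only viewer and origin policies), and patches the config the way step 8 describes. The sample DistributionConfig is constructed for the example and is not a real distribution; the identifiers, the provider name, the field patterns and the boto3-based remediate_live helper are assumptions.

```python
"""Audit and remediate CloudFront field-level encryption (FLE) settings.

Added example. Works on the DistributionConfig structure returned by
`aws cloudfront get-distribution-config` and on the config shapes accepted
by create-field-level-encryption-profile / create-field-level-encryption-config.
All identifiers are placeholders.
"""
import copy
import json
import time

# Constructed sample in the shape get-distribution-config returns, trimmed to the
# keys this rule cares about. It is deliberately non-compliant in every respect.
SAMPLE_GET_DISTRIBUTION_CONFIG = json.loads("""
{
  "ETag": "E1000000000000",
  "DistributionConfig": {
    "CallerReference": "example",
    "Origins": {"Quantity": 1, "Items": [
      {"Id": "app-origin", "DomainName": "app.example.internal",
       "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                              "OriginProtocolPolicy": "match-viewer"}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "app-origin",
                             "ViewerProtocolPolicy": "redirect-to-https",
                             "FieldLevelEncryptionId": ""},
    "CacheBehaviors": {"Quantity": 1, "Items": [
      {"PathPattern": "/checkout/*", "TargetOriginId": "app-origin",
       "ViewerProtocolPolicy": "allow-all", "FieldLevelEncryptionId": ""}]}
  }
}
""")


def build_profile_config(public_key_id, provider_id, field_patterns, name="fle-profile"):
    """Config for create-field-level-encryption-profile: which fields are encrypted with which key."""
    return {
        "Name": name,
        "CallerReference": f"{name}-{int(time.time())}",
        "Comment": "Encrypt sensitive form fields at the edge",
        "EncryptionEntities": {"Quantity": 1, "Items": [{
            "PublicKeyId": public_key_id,
            "ProviderId": provider_id,  # assumed name; the app uses it to pick the private key
            "FieldPatterns": {"Quantity": len(field_patterns), "Items": list(field_patterns)},
        }]},
    }


def build_fle_config(profile_id):
    """Config for create-field-level-encryption-config: apply the profile to URL-encoded form posts."""
    return {
        "CallerReference": f"fle-config-{int(time.time())}",
        "Comment": "Field-level encryption for form posts",
        "ContentTypeProfileConfig": {
            "ForwardWhenContentTypeIsUnknown": True,
            "ContentTypeProfiles": {"Quantity": 1, "Items": [{
                "Format": "URLEncoded",
                "ProfileId": profile_id,
                "ContentType": "application/x-www-form-urlencoded"}]}},
    }


def _behaviors(dist_config):
    """Yield (label, behavior) for the default behavior and every path-specific one."""
    yield "DefaultCacheBehavior", dist_config["DefaultCacheBehavior"]
    for b in dist_config.get("CacheBehaviors", {}).get("Items", []):
        yield f"CacheBehaviors[{b['PathPattern']}]", b


def find_violations(dist_config):
    """Return the reasons a distribution fails this rule; an empty list means compliant."""
    problems = []
    for label, b in _behaviors(dist_config):
        if not b.get("FieldLevelEncryptionId"):
            problems.append(f"{label}: no FieldLevelEncryptionId")
        if b.get("ViewerProtocolPolicy") != "https-only":
            problems.append(f"{label}: ViewerProtocolPolicy {b.get('ViewerProtocolPolicy')!r}, need 'https-only'")
    for o in dist_config["Origins"]["Items"]:
        # S3 origins carry S3OriginConfig and have no protocol policy to check.
        if "CustomOriginConfig" in o:
            policy = o["CustomOriginConfig"].get("OriginProtocolPolicy")
            if policy != "https-only":
                problems.append(f"Origin {o['Id']}: OriginProtocolPolicy {policy!r}, need 'https-only'")
    return problems


def apply_field_level_encryption(dist_config, fle_config_id):
    """Return a patched copy of the DistributionConfig (step 8); the input is left untouched."""
    patched = copy.deepcopy(dist_config)
    for _, b in _behaviors(patched):
        b["FieldLevelEncryptionId"] = fle_config_id
        b["ViewerProtocolPolicy"] = "https-only"
    for o in patched["Origins"]["Items"]:
        if "CustomOriginConfig" in o:
            o["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    return patched


def remediate_live(distribution_id, fle_config_id):
    """Assumed boto3 workflow for steps 7-9 (not exercised offline): fetch, patch, update with ETag."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    patched = apply_field_level_encryption(current["DistributionConfig"], fle_config_id)
    # IfMatch must be the ETag from get_distribution_config or the update is rejected.
    return cf.update_distribution(Id=distribution_id, DistributionConfig=patched, IfMatch=current["ETag"])


if __name__ == "__main__":
    cfg = SAMPLE_GET_DISTRIBUTION_CONFIG["DistributionConfig"]
    print("\n".join(find_violations(cfg)) or "compliant")
    print(json.dumps(build_profile_config("PUBKEYID000000", "my-provider", ["CreditCard"]), indent=2))
```

Run on the constructed sample, find_violations reports five problems (both behaviors lack an encryption ID and use a non-https-only viewer policy, and the custom origin uses match-viewer); after apply_field_level_encryption it reports none. The audit checks every CacheBehaviors item, not just the default, because a single behavior that matches the form's path without FieldLevelEncryptionId leaks the fields regardless of what the default does.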