Ensure that AWS CloudFront field-level encryption is enabled.
Field-level encryption encrypts the values of selected POST form fields (for example identification or credit card numbers) at the CloudFront edge with an RSA public key, so they travel through CloudFront and your intermediate services as ciphertext and can only be read by the origin application that holds the matching private key.
Follow the Setting Up Field-Level Encryption docs to enable field-level encryption.
Generate a 2048-bit RSA key pair and save the public key in PEM format, for example with openssl genrsa -out private_key.pem 2048 followed by openssl rsa -pubout -in private_key.pem -out public_key.pem (the OpenSSH public-key format produced by a default ssh-keygen run is not accepted as EncodedKey). Keep the private key only with the application that decrypts the fields; CloudFront receives just the public key.
Run create-public-key
with the contents of the PEM public key as EncodedKey.
create-public-key.sh
aws cloudfront create-public-key
--public-key-config CallerReference="0123456789012",Name="public-key",EncodedKey="-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----",Comment="Field-level encryption public key."
create-public-key returns the new public key's Id. In a new JSON file, write the field-level encryption profile configuration that references this Id as PublicKeyId in an encryption entity, together with the field patterns (form field names) to encrypt. Configure any other options you require and save the file.
public-key-id.json
{
"PublicKey": {
...
"Id": "PUBKEYID000000",
...
}
}
Run create-field-level-encryption-profile
using the path of the configuration file saved in step 3 (the AWS CLI reads JSON parameters from a file only with the file:// prefix).
create-field-level-encryption-profile.sh
aws cloudfront create-field-level-encryption-profile
--field-level-encryption-profile-config file://public-key-id.json
create-field-level-encryption-profile returns the profile's Id. In a new JSON file, write the field-level encryption configuration that maps the form content type to this ProfileId. Configure any other options you require and save the file.
profile-id.json
{
  ...
  "ContentTypeProfileConfig": {
    ...
    "Items": [
      {
        "ProfileId": "ABCD1234567890"
      }
    ]
  }
}
Run create-field-level-encryption-config
using the path of the configuration file saved in step 5.
create-field-level-encryption-config.sh
aws cloudfront create-field-level-encryption-config
--field-level-encryption-config file://profile-id.json
Run get-distribution-config
with your AWS CloudFront distribution ID to retrieve the distribution's current configuration and its ETag; the ETag is required as --if-match in the final step.
get-distribution-id.sh
aws cloudfront get-distribution-config
--id ID000000000000
Copy the DistributionConfig object from the returned output into a new JSON file (the object itself, without the surrounding ETag wrapper, which update-distribution does not accept) and set FieldLevelEncryptionId on the default cache behavior, and on any other cache behavior that should encrypt fields, to the Id returned by create-field-level-encryption-config. Configure any other options you require and save the file.
Note: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS. OriginProtocolPolicy lives inside each origin's CustomOriginConfig.
field-level-encryption-id.json
{
  ...
  "Origins": {
    "Items": [
      {
        ...,
        "CustomOriginConfig": {
          ...,
          "OriginProtocolPolicy": "https-only"
        }
      }
    ],
    ...
  },
  "DefaultCacheBehavior": {
    ...,
    "FieldLevelEncryptionId": "ACBD1234567890",
    "ViewerProtocolPolicy": "https-only"
  },
  ...
}
Run update-distribution
with your AWS CloudFront distribution ID, the configuration file saved in step 8, and the ETag from step 7 as --if-match
to enable field-level encryption. If the distribution was modified in the meantime the ETag is stale and the call fails with PreconditionFailed; rerun get-distribution-config and reapply your change to the fresh configuration.
update-distribution.sh
aws cloudfront update-distribution
--id ID000000000000
--distribution-config file://field-level-encryption-id.json
--if-match E1000000000000
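The JSON documents that steps 3, 5 and 8 ask you to hand-edit are easy to get subtly wrong (wrong nesting, a stale ETag wrapper, an origin left on match-viewer). The following added example, which is not part of the original page and not Datadog's or AWS's code, builds the profile configuration, the field-level encryption configuration and the updated DistributionConfig programmatically, and audits a DistributionConfig for the rule above. The sample get-distribution-config output, the IDs, the field names and the ProviderId label are constructed for illustration; the JSON shapes follow the CloudFront API types the CLI commands above consume.

```python
"""Helpers for the CloudFront field-level encryption (FLE) procedure.

Added example, not code from the page: builds the JSON for
create-field-level-encryption-profile, create-field-level-encryption-config
and update-distribution, and checks a DistributionConfig for the rule
"field-level encryption enabled". Sample data below is constructed.
"""
import copy
import json

# Constructed sample in the shape `aws cloudfront get-distribution-config`
# returns (ETag plus DistributionConfig), trimmed to the fields the rule checks.
SAMPLE_GET_OUTPUT = {
    "ETag": "E1000000000000",
    "DistributionConfig": {
        "CallerReference": "dist-0001",
        "Enabled": True,
        "Origins": {
            "Quantity": 1,
            "Items": [{
                "Id": "app-origin",
                "DomainName": "app.example.com",
                "CustomOriginConfig": {
                    "HTTPPort": 80,
                    "HTTPSPort": 443,
                    "OriginProtocolPolicy": "match-viewer",   # non-compliant
                },
            }],
        },
        "DefaultCacheBehavior": {
            "TargetOriginId": "app-origin",
            "ViewerProtocolPolicy": "allow-all",               # non-compliant
            "FieldLevelEncryptionId": "",                      # FLE not enabled
        },
        "CacheBehaviors": {"Quantity": 0, "Items": []},
    },
}


def build_profile_config(public_key_id, field_patterns, name="fle-profile",
                         caller_reference="fle-profile-0001"):
    """FieldLevelEncryptionProfileConfig (step 3): which public key encrypts
    which POST form fields. public_key_id is the Id create-public-key returned."""
    return {
        "Name": name,
        "CallerReference": caller_reference,
        "Comment": "Field-level encryption profile",
        "EncryptionEntities": {
            "Quantity": 1,
            "Items": [{
                "PublicKeyId": public_key_id,
                # Free-form label the origin uses to pick the matching private
                # key when decrypting; the value here is an assumed name.
                "ProviderId": "app-decrypt-key",
                "FieldPatterns": {"Quantity": len(field_patterns),
                                  "Items": list(field_patterns)},
            }],
        },
    }


def build_fle_config(profile_id, caller_reference="fle-config-0001"):
    """FieldLevelEncryptionConfig (step 5): map the form content type to the
    profile Id returned by create-field-level-encryption-profile."""
    return {
        "CallerReference": caller_reference,
        "Comment": "Field-level encryption config",
        "QueryArgProfileConfig": {
            "ForwardWhenQueryArgProfileIsUnknown": True,
            "QueryArgProfiles": {"Quantity": 0, "Items": []},
        },
        "ContentTypeProfileConfig": {
            # Fail closed: a POST with an unlisted content type is not
            # forwarded to the origin with its fields in plaintext.
            "ForwardWhenContentTypeIsUnknown": False,
            "ContentTypeProfiles": {
                "Quantity": 1,
                "Items": [{"Format": "URLEncoded",
                           "ProfileId": profile_id,
                           "ContentType": "application/x-www-form-urlencoded"}],
            },
        },
    }


def audit_fle(dist_config):
    """Return the rule violations in a DistributionConfig (empty list = compliant)."""
    findings = []
    behaviors = [("DefaultCacheBehavior", dist_config["DefaultCacheBehavior"])]
    for i, cb in enumerate(dist_config.get("CacheBehaviors", {}).get("Items", [])):
        behaviors.append((f"CacheBehaviors[{i}]", cb))
    for name, cb in behaviors:
        if not cb.get("FieldLevelEncryptionId"):
            findings.append(f"{name}: FieldLevelEncryptionId not set")
        if cb.get("ViewerProtocolPolicy") != "https-only":
            findings.append(f"{name}: ViewerProtocolPolicy must be https-only")
    for origin in dist_config["Origins"]["Items"]:
        custom = origin.get("CustomOriginConfig")   # S3 origins carry no protocol policy
        if custom and custom.get("OriginProtocolPolicy") != "https-only":
            findings.append(f"Origin {origin['Id']}: OriginProtocolPolicy must be https-only")
    return findings


def enable_fle(get_output, fle_id):
    """Steps 8-9: from get-distribution-config output produce (etag, DistributionConfig).
    Write the config to a file for --distribution-config file://... and pass the
    etag as --if-match; the file holds the bare DistributionConfig, not the wrapper."""
    etag = get_output["ETag"]
    cfg = copy.deepcopy(get_output["DistributionConfig"])   # leave the input untouched
    behaviors = [cfg["DefaultCacheBehavior"]] + cfg.get("CacheBehaviors", {}).get("Items", [])
    for cb in behaviors:
        cb["FieldLevelEncryptionId"] = fle_id
        cb["ViewerProtocolPolicy"] = "https-only"
    for origin in cfg["Origins"]["Items"]:
        if "CustomOriginConfig" in origin:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    return etag, cfg


if __name__ == "__main__":
    print("before:", audit_fle(SAMPLE_GET_OUTPUT["DistributionConfig"]))
    etag, cfg = enable_fle(SAMPLE_GET_OUTPUT, "ACBD1234567890")
    print("after:", audit_fle(cfg), "--if-match", etag)
    docs = {"profile-config.json": build_profile_config("PUBKEYID000000", ["card_number", "ssn"]),
            "fle-config.json": build_fle_config("ABCD1234567890"),
            "dist-config.json": cfg}
    for fname, doc in docs.items():
        with open(fname, "w") as fh:   # feed these to the aws cloudfront commands above
            json.dump(doc, fh, indent=2)
```

Run it once to see the three findings on the sample and an empty finding list after enable_fle; the audit function is also what you would point at the JSON from get-distribution-config across all your distributions to find the ones still missing field-level encryption.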