Cloudfront distribution is field-level encrypted

Docs > Datadog Security > OOTB Rules > Cloudfront distribution is field-level encrypted

Description

Ensure that AWS CloudFront field-level encryption is enabled.

Rationale

Field-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.

Remediation

From the console

Follow the Setting Up Field-Level Encryption docs to enable field-level encryption.

From the command line

Generate a RSA key pair. Run ssh-keygen -t rsa.

Run create-public-key with the generated key.

create-public-key.sh

    aws cloudfront create-public-key
        --public-key-config CallerReference="0123456789012",Name="public-key",EncodedKey="-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----",Comment="Field-level encryption public key."
    

Modify the returned configuration in a new JSON file by setting PublicKeyID as your public ID key. Configure any other options you require and save the file.
public-key-id.json
```
    {
      "PublicKey": {
        ...
        "Id": "PUBKEYID000000",
        ...
      }
    }
    
```

Run create-field-level-encryption-profile using the path of the configuration file saved in step 3.

create-field-level-encryption-profile.sh

    aws cloudfront create-field-level-encryption-profile
        --field-level-encryption-profile-config public-key-id.json
    

Modify the returned configuration in a new JSON file by setting ProfileID as your profile ID. Configure any other options you require and save the file.

profile-id.json

    {
      ...
      "ContentTypeProfileConfig": {
        ...
        "Items": [
          {
            "ProfileId": "ABCD1234567890",
          }
        ]
      }
    }
    

Run create-field-level-encryption-config using the path of the configuration file saved in step 5.
create-field-level-encryption-config.sh
```
    aws cloudfront create-field-level-encryption-config
        --field-level-encryption-config profile-id.json
    
```
Run get-distribution-config with your AWS CloudFront distribution ID to retrieve your distribution’s configuration information.
get-distribution-id.sh
```
    aws cloudfront get-distribution-config
        --id ID000000000000
    
```
Modify the returned configuration in a new JSON file by setting FieldLevelEncryptionID as your field level encryption ID. Configure any other options you require and save the file.

Note: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.














field-level-encryption-id.json









    {
      "DistributionConfig": {
        ...
        "Origins": {
          "Items": [
            {
              ...,
              "OriginProtocolPolicy": "https-only",
            },
          ],
            ...
        },
        "DefaultCacheBehavior": {
          "FieldLevelEncryptionId": "ACBD1234567890",
          "ViewerProtocolPolicy" : "https-only"
        },
        ...
      }
    }

Run update-distribution with your AWS CloudFront distribution id, the configuration file saved in step 8, and etag to enable field-level encryption.

update-distribution.sh

    aws cloudfront update-distribution
        --id ID000000000000
        --distribution-config field-level-encryption-id.json
        --if-match E1000000000000
    