Cloudfront distribution is field-level encrypted

cloudfront

Description

Ensure that AWS CloudFront field-level encryption is enabled.

Rationale

Field-level encryption ensures sensitive data, such as identification and credit card numbers, is protected across your services and applications.

Remediation

From the console

Follow the Setting Up Field-Level Encryption docs to enable field-level encryption.

From the command line

  1. Generate a RSA key pair. Run ssh-keygen -t rsa.

  2. Run create-public-key with the generated key.

    create-public-key.sh

        aws cloudfront create-public-key
            --public-key-config CallerReference="0123456789012",Name="public-key",EncodedKey="-----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY-----",Comment="Field-level encryption public key."
        
  3. Modify the returned configuration in a new JSON file by setting PublicKeyID as your public ID key. Configure any other options you require and save the file.

    public-key-id.json

        {
          "PublicKey": {
            ...
            "Id": "PUBKEYID000000",
            ...
          }
        }
        
  4. Run create-field-level-encryption-profile using the path of the configuration file saved in step 3.

    create-field-level-encryption-profile.sh

        aws cloudfront create-field-level-encryption-profile
            --field-level-encryption-profile-config public-key-id.json
        
  5. Modify the returned configuration in a new JSON file by setting ProfileID as your profile ID. Configure any other options you require and save the file.

    profile-id.json

        {
          ...
          "ContentTypeProfileConfig": {
            ...
            "Items": [
              {
                "ProfileId": "ABCD1234567890",
              }
            ]
          }
        }
        
  6. Run create-field-level-encryption-config using the path of the configuration file saved in step 5.

    create-field-level-encryption-config.sh

        aws cloudfront create-field-level-encryption-config
            --field-level-encryption-config profile-id.json
        
  7. Run get-distribution-config with your AWS CloudFront distribution ID to retrieve your distribution’s configuration information.

    get-distribution-id.sh

        aws cloudfront get-distribution-config
            --id ID000000000000
        
  8. Modify the returned configuration in a new JSON file by setting FieldLevelEncryptionID as your field level encryption ID. Configure any other options you require and save the file.

Note: Viewer Protocol Policy and Origin Protocol Policy must both be set to HTTPS.











field-level-encryption-id.json

    {
      "DistributionConfig": {
        ...
        "Origins": {
          "Items": [
            {
              ...,
              "OriginProtocolPolicy": "https-only",
            },
          ],
            ...
        },
        "DefaultCacheBehavior": {
          "FieldLevelEncryptionId": "ACBD1234567890",
          "ViewerProtocolPolicy" : "https-only"
        },
        ...
      }
    }
    
  1. Run update-distribution with your AWS CloudFront distribution id, the configuration file saved in step 8, and etag to enable field-level encryption.

    update-distribution.sh

        aws cloudfront update-distribution
            --id ID000000000000
            --distribution-config field-level-encryption-id.json
            --if-match E1000000000000