AWS CloudFront Security Part 1

Cloud Journey
Jan 25, 2021


Overview

This is my first AWS learning note, written in Jan. 2021.

After reviewing it in Sep 2021, I added more detail for clarity.

I once briefly worked in the AWS space, then moved to Azure. I’m grateful to have had the opportunity to work on almost every aspect of Azure, including governance, compute and storage, networking, logging and data protection.

Now that I have decided to learn more about AWS on my own, I have found many similarities between the cloud service providers. What I learned through my Azure work helps me pick up AWS skills quickly.

Azure equivalent of AWS CloudFront is Azure Content Delivery Network (CDN).

Amazon CloudFront is massively scaled and globally distributed. The CloudFront network has 225+ points of presence (PoPs) that are interconnected via the AWS backbone, delivering ultra-low latency and high availability to your end users. If you use an AWS origin, traffic to the origin moves over AWS’s dedicated network backbone.

Objectives of Lab

We will focus on security features, including encryption, access control and network isolation:

  • To protect data in transit, enforce HTTPS
  • Serve private content with signed URLs and signed cookies (will be covered in a future article)
  • Custom HTTP headers (will be covered in a future article)
  • Use VPC security groups to allow only CloudFront IP ranges to access your applications (will be covered in a future article)

Environment

In order to explore the security features, first create an EC2 instance to host the web site. You also need an application load balancer to sit in front of the EC2 instance. Then create a CloudFront distribution and use the application load balancer as its origin.

For networking, create a VPC or use the default one, and create a public subnet (with a route to the internet gateway). The EC2 instance is created in this public subnet, so you will be able to browse the site via the EC2 endpoint. The ALB is a public load balancer and is assigned a public IP as well. Attach a security group to both the EC2 instance and the load balancer; the EC2 security group’s inbound rules should allow access from the ALB’s security group, and also allow opening the web site from your local machine for validation purposes.

EC2 Security Group Inbound

In case of any connectivity issue, refer to Troubleshoot your Application Load Balancers — Elastic Load Balancing (amazon.com).

Here are sample CLI queries to list some of the resources (the trailing ^ is the Windows command prompt line-continuation character).

List EC2

aws ec2 describe-instances ^
--query "Reservations[*].Instances[*].{Instance:InstanceId, State:State.Name}" ^
--filters Name=instance-state-name,Values=running ^
--output json

Output

[
    [
        {
            "Instance": "i-0c75dbfc5e1f9b973",
            "State": "running"
        }
    ]
]

List CloudFront

aws cloudfront list-distributions ^
--query "DistributionList.Items[].{DomainName: DomainName, OriginDomainName: Origins.Items[0].DomainName}"

Output

[
    {
        "DomainName": "******22gy.cloudfront.net",
        "OriginDomainName": "albrq*******.us-east-1.elb.amazonaws.com"
    }
]

Now the site is up and running, and it is accessible from the EC2 endpoint, from the ALB and from CloudFront.

EC2 URL
Application Load Balancer URL
CloudFront URL

Viewer to CloudFront Https

Let’s configure the CloudFront behavior to require HTTPS.

CloudFront Redirect Http to Https

When opening the HTTP URL, we get status 301:

C:\Users\rquan>curl http://<*****>22gy.cloudfront.net/index.html
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>CloudFront</center>
</body>
</html>

When opening the HTTPS URL, we get status 200:

C:\Users\rquan>curl -I https://<******>22gy.cloudfront.net/index.html
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 10216
Connection: keep-alive
Date: Sun, 24 Jan 2021 19:33:07 GMT
Server: Apache/2.4.46 ()
Last-Modified: Sun, 13 Dec 2020 16:06:05 GMT
ETag: "27e8-5b65ab3e51540"
Accept-Ranges: bytes

Now let’s update the CloudFront behavior to HTTPS only.

When browsing the HTTP URL, we now get status 403 instead of a redirect:

C:\Users\rquan>curl -I http://<*****>22gy.cloudfront.net/index.html
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Sun, 24 Jan 2021 19:37:03 GMT
Content-Type: text/html
Content-Length: 915
Connection: keep-alive
X-Cache: Error from cloudfront

CloudFront to Origin Https

Update CloudFront Origin

Update the origin configuration to require HTTPS only from CloudFront to the ALB.

Edit Origin
Update Origin Protocol Policy

ALB Custom Domain and Certificate

AWS does not let users request a certificate for the *.amazonaws.com domain; AWS requires you to add a custom domain and certificate in order to add an HTTPS listener to the ALB (this makes sense, since *.amazonaws.com is owned by AWS, and different customers need to use domains they own).

I purchased the rquan.work domain from GoDaddy; now let’s request a certificate from ACM using this domain.

Request Public Certificate for Wildcard Domain
Select DNS as Validation Method

Download the CNAME record for validation:

Domain Name,Record Name,Record Type,Record Value
*.rquan.work,<*****>582cd6d8.rquan.work.,CNAME,_761fe8<*****>.vtqfhvjlcp.acm-validations.aws.

Two CNAME records are added to the zone rquan.work: one points to the ALB URL, and the other is for validation and points to _761fe8<*****>.vtqfhvjlcp.acm-validations.aws.

Manage Zone and Add Two CNAME Record
After Validation is Done, Status is Issued
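The DNS validation step above boils down to publishing the CNAME from the downloaded CSV in your zone. The following is an added example, not code from the original post: it parses that CSV, checks that each row is a CNAME inside the zone being validated and that it points at ACM's validation domain (so a mangled or swapped record is caught before it is published), and emits a Route 53 change batch. The post's zone is hosted at GoDaddy; this assumes a Route 53 hosted zone instead, and the CSV rows are constructed placeholders in the same layout as the ACM download.

```python
"""Convert the CNAME CSV that ACM exports for DNS validation into a
Route 53 change batch, after checking the record is what it should be.

Added example, not code from the original post. Assumes the zone is a
Route 53 hosted zone (the post used GoDaddy). SAMPLE_CSV is constructed
in the layout of the ACM download, with placeholder values.
"""
import csv
import io
import json
import sys

# Constructed sample; real record names and values come from the ACM console.
SAMPLE_CSV = """Domain Name,Record Name,Record Type,Record Value
*.example.com,_aaaaPLACEHOLDER.example.com.,CNAME,_bbbbPLACEHOLDER.vtqfhvjlcp.acm-validations.aws.
"""

# Every ACM DNS validation record points into this domain.
VALIDATION_SUFFIX = ".acm-validations.aws."


def zone_of(domain_name):
    """Zone apex for a certificate name, wildcard label stripped
    ('*.example.com' -> 'example.com.')."""
    name = domain_name[2:] if domain_name.startswith("*.") else domain_name
    return name.rstrip(".") + "."


def parse_acm_csv(text):
    """Parse the ACM CSV and refuse rows that do not look like ACM validation records."""
    rows = list(csv.DictReader(io.StringIO(text)))
    if not rows:
        raise ValueError("no records in CSV")
    for r in rows:
        if r["Record Type"] != "CNAME":
            raise ValueError(f"unexpected record type {r['Record Type']!r}")
        zone = zone_of(r["Domain Name"])
        # The validation name must sit inside the zone being validated...
        if not r["Record Name"].endswith("." + zone):
            raise ValueError(f"{r['Record Name']} is outside zone {zone}")
        # ...and the target must be ACM's validation domain, not an arbitrary host.
        if not r["Record Value"].endswith(VALIDATION_SUFFIX):
            raise ValueError(f"{r['Record Value']} does not point at {VALIDATION_SUFFIX}")
    return rows


def route53_change_batch(rows, ttl=300):
    """Build the document accepted by
    `aws route53 change-resource-record-sets --change-batch file://...`."""
    return {
        "Comment": "ACM DNS validation records",
        "Changes": [{
            "Action": "UPSERT",
            "ResourceRecordSet": {
                "Name": r["Record Name"],
                "Type": "CNAME",
                "TTL": ttl,
                "ResourceRecords": [{"Value": r["Record Value"]}],
            },
        } for r in rows],
    }


if __name__ == "__main__":
    # Usage: python acm_to_route53.py [downloaded.csv] > batch.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CSV
    print(json.dumps(route53_change_batch(parse_acm_csv(text)), indent=2))
```

The resulting batch.json is applied with `aws route53 change-resource-record-sets --hosted-zone-id <ZONE_ID> --change-batch file://batch.json`; once the record is live, ACM flips the certificate status to Issued and, as noted later in the post, keeps renewing it as long as the CNAME stays in place.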

Add Https Listener to ALB

Validation

Open the ALB Site via HTTPS Using the Custom Domain rquan.work
The site is up and running via the ALB custom domain URL.

Opening the CloudFront site via HTTPS also works.

Origin Protocol Policy — Match Viewer

Besides configuring the origin to HTTPS only, there is another option: set the origin protocol policy to match viewer. The list below covers all the scenarios for the match viewer option.

Viewer to CloudFront: HTTP and HTTPS
------------------------------------------------
If the viewer uses HTTP, CloudFront sends an HTTP request to the origin; if the viewer uses HTTPS, CloudFront sends an HTTPS request to the origin.

Viewer to CloudFront: HTTP redirected to HTTPS
------------------------------------------------
The viewer's HTTP request is redirected to HTTPS, and CloudFront sends an HTTPS request to the origin.

Viewer to CloudFront: HTTPS only
------------------------------------------------
The viewer can only request via HTTPS, and CloudFront sends an HTTPS request to the origin.
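The viewer protocol policy settings shown earlier (redirect to HTTPS, HTTPS only) and the match viewer scenarios just listed combine into a small decision table; the practical question is whether any path pattern still lets plaintext reach the viewer or the origin. The following is an added example, not code from the original post: it models that table with the policy values the CloudFront API uses, walks a DistributionConfig in the shape returned by `aws cloudfront get-distribution-config`, and reports every behavior where plain HTTP is possible, alongside a hardened copy of the same config. The config is a constructed sample with placeholder IDs and domain names; only custom (ALB-style) origins are modelled, S3 origins are reported as skipped.

```python
"""Audit a CloudFront DistributionConfig for paths where plaintext HTTP is
still possible, using the viewer and origin protocol policies described above.

Added example, not code from the original post. SAMPLE_CONFIG is a constructed
sample in the shape of the "DistributionConfig" member returned by
`aws cloudfront get-distribution-config`; IDs and domain names are placeholders.
"""
import copy
import json
import sys

# Policy values as named in the CloudFront API.
VIEWER_POLICIES = ("allow-all", "redirect-to-https", "https-only")
ORIGIN_POLICIES = ("http-only", "match-viewer", "https-only")


def viewer_outcome(viewer_policy, viewer_scheme):
    """Result of a viewer request: 'served', 'redirect' (the 301 seen above)
    or 'rejected' (the 403 seen above)."""
    if viewer_scheme == "https" or viewer_policy == "allow-all":
        return "served"
    if viewer_policy == "redirect-to-https":
        return "redirect"
    return "rejected"


def origin_scheme(origin_policy, viewer_scheme):
    """Scheme CloudFront uses toward a custom origin for a served request."""
    if origin_policy == "match-viewer":
        return viewer_scheme
    return "https" if origin_policy == "https-only" else "http"


def audit(config):
    """Return a list of findings (strings); an empty list means no plaintext path."""
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    behaviors = [("default", config["DefaultCacheBehavior"])]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))

    findings = []
    for path, b in behaviors:
        vp = b["ViewerProtocolPolicy"]
        origin = origins[b["TargetOriginId"]]
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            # S3 origins carry no OriginProtocolPolicy; not modelled here.
            findings.append(f"{path}: origin {origin['Id']} is not a custom origin, skipped")
            continue
        op = custom["OriginProtocolPolicy"]
        if viewer_outcome(vp, "http") == "served":
            findings.append(f"{path}: viewer may use plain HTTP (ViewerProtocolPolicy={vp})")
        for scheme in ("http", "https"):
            if viewer_outcome(vp, scheme) == "served" and origin_scheme(op, scheme) == "http":
                findings.append(f"{path}: CloudFront -> {origin['Id']} over plain HTTP "
                                f"for {scheme} viewers (OriginProtocolPolicy={op})")
    return findings


def harden(config):
    """Copy of config with every behavior on redirect-to-https and every
    custom origin on https-only, the end state reached in the post."""
    fixed = copy.deepcopy(config)
    fixed["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = "redirect-to-https"
    for b in fixed.get("CacheBehaviors", {}).get("Items", []):
        b["ViewerProtocolPolicy"] = "redirect-to-https"
    for o in fixed["Origins"]["Items"]:
        if "CustomOriginConfig" in o:
            o["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    return fixed


# Constructed sample: the default behavior is fine, but a /legacy/* behavior
# still allows plain HTTP and the origin follows the viewer's scheme.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "alb-origin",
        "DomainName": "alb-PLACEHOLDER.us-east-1.elb.amazonaws.com",
        "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
                               "OriginProtocolPolicy": "match-viewer"},
    }]},
    "DefaultCacheBehavior": {"TargetOriginId": "alb-origin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "/legacy/*", "TargetOriginId": "alb-origin",
        "ViewerProtocolPolicy": "allow-all",
    }]},
}

if __name__ == "__main__":
    # Pass a file saved from `aws cloudfront get-distribution-config --id <ID>`,
    # otherwise the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            cfg = json.load(fh)["DistributionConfig"]
    else:
        cfg = SAMPLE_CONFIG
    for line in audit(cfg) or ["no plaintext HTTP paths found"]:
        print(line)
```

Running it on the sample flags only the /legacy/* behavior, twice: once because viewers may use plain HTTP, and once because match viewer then carries that plaintext on to the ALB. The same audit on `harden(SAMPLE_CONFIG)` returns nothing, which is the state the post reaches by combining redirect to HTTPS on the behavior with HTTPS only on the origin; with match viewer alone, the origin leg is only as good as the viewer policy in front of it.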

More on ACM

AWS offers free public certificates when they are used with ELB.

Public and private SSL/TLS certificates provisioned through AWS Certificate Manager and used exclusively with ACM-integrated services, such as Elastic Load Balancing, Amazon CloudFront, and Amazon API Gateway, are free.

ACM automatically renews certificates that are deployed and in use with other AWS services as long as the CNAME record remains in your DNS configuration (DNS validation).

Azure App Service has a free certificate (not for the free-tier App Service) and also offers ordering a certificate from the Azure portal. Azure Load Balancer seems to have no certificate integration feature.

Adding custom headers to origin requests — Amazon CloudFront

Conclusion

In this article, we created a CloudFront distribution with an application load balancer as the origin, explored the security feature that enforces HTTPS traffic, and learned about ALB and ACM integration.

In the next article, we will explore more security features around CloudFront.

References

Requiring HTTPS for Communication Between CloudFront and Your Custom Origin — Amazon CloudFront

https://aws.amazon.com/blogs/security/easier-certificate-validation-using-dns-with-aws-certificate-manager/

Written by Cloud Journey

All blogs are strictly personal and do not reflect the views of my employer. https://github.com/Ronnie-personal
