AWS CloudFront Distributions With Field-Level Encryption Not Enabled

This policy identifies CloudFront distributions for which field-level encryption is not enabled. Field-level encryption adds a layer of security on top of HTTPS: specific sensitive data fields stay protected throughout system processing, so that only certain applications can see them.

Policy Details

Policy Subtype
Run, Build
Severity
Medium
Template Type
CloudFormation

Build Rules

AWS ECS task definition readonlyRootFilesystem not enabled.
JSON Query:
$.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any null or $.Resources.*[?(@.Type=='AWS::ECS::TaskDefinition')].Properties.ContainerDefinitions[*].ReadonlyRootFilesystem any equal false
Recommendation:
Recommended solution for enabling readonlyRootFilesystem for an AWS ECS task definition.
It is recommended that readonlyRootFilesystem be enabled for the AWS ECS task definition. Make sure every entry in the "ContainerDefinitions" section of your template has "ReadonlyRootFilesystem" set to true.
For example (shown with the value types CloudFormation expects; Memory is given in MiB, so 0.5 GB becomes 512):
"ContainerDefinitions": [
  {
    "Name": { "Ref": "AppName" },
    "ReadonlyRootFilesystem": true,
    "Image": "amazon/amazon-ecs-sample",
    "Cpu": 10,
    "Memory": 512,
    "Essential": true
  }
]
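The following is an added example, not code from the policy page or from Prisma Cloud. It implements the JSON query above in plain Python against a constructed CloudFormation template: a container is flagged when "ReadonlyRootFilesystem" is absent (null) or equal to false. It also goes beyond the build rule shown here and applies the same walk to the page's headline topic, flagging AWS::CloudFront::Distribution resources whose cache behaviors carry no "FieldLevelEncryptionId" (the CloudFormation property that attaches a field-level encryption configuration); the sample template, the resource logical IDs and the function names are this example's own.

```python
import json

# Constructed sample template (not from the page). One ECS task definition with
# a compliant container, one that omits the property and one that sets it to
# false, plus a CloudFront distribution with no field-level encryption config.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Resources": {
    "AppTask": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [
          {"Name": "web", "Image": "amazon/amazon-ecs-sample", "ReadonlyRootFilesystem": true},
          {"Name": "sidecar", "Image": "amazon/amazon-ecs-sample"},
          {"Name": "worker", "Image": "amazon/amazon-ecs-sample", "ReadonlyRootFilesystem": "false"}
        ]
      }
    },
    "Cdn": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": true,
          "DefaultCacheBehavior": {
            "TargetOriginId": "origin1",
            "ViewerProtocolPolicy": "https-only"
          }
        }
      }
    }
  }
}
""")


def resources_of_type(template, resource_type):
    """Yield (logical_id, properties) for every resource of the given Type,
    the equivalent of $.Resources.*[?(@.Type=='...')].Properties."""
    for logical_id, res in template.get("Resources", {}).items():
        if res.get("Type") == resource_type:
            yield logical_id, res.get("Properties", {})


def ecs_writable_root_violations(template):
    """The page's JSON query: flag containers whose ReadonlyRootFilesystem is
    null/missing or equals false. CloudFormation accepts the string "false"
    as a boolean, so both forms are treated as false. Intrinsic functions
    such as {"Ref": ...} cannot be resolved statically and are not flagged."""
    findings = []
    for logical_id, props in resources_of_type(template, "AWS::ECS::TaskDefinition"):
        for container in props.get("ContainerDefinitions", []):
            value = container.get("ReadonlyRootFilesystem")
            if value is None or (not isinstance(value, dict) and str(value).lower() == "false"):
                findings.append((logical_id, container.get("Name", "<unnamed>")))
    return findings


def cloudfront_fle_violations(template):
    """Generalisation to the page's title topic (this example's own check):
    flag distributions whose DefaultCacheBehavior, or any entry in
    CacheBehaviors, has no FieldLevelEncryptionId attached."""
    findings = []
    for logical_id, props in resources_of_type(template, "AWS::CloudFront::Distribution"):
        cfg = props.get("DistributionConfig", {})
        behaviors = [("DefaultCacheBehavior", cfg.get("DefaultCacheBehavior", {}))]
        behaviors += [(f"CacheBehaviors[{i}]", b) for i, b in enumerate(cfg.get("CacheBehaviors", []))]
        for label, behavior in behaviors:
            if not behavior.get("FieldLevelEncryptionId"):
                findings.append((logical_id, label))
    return findings


if __name__ == "__main__":
    for res, name in ecs_writable_root_violations(SAMPLE_TEMPLATE):
        print(f"[ECS] {res}: container '{name}' does not have a read-only root filesystem")
    for res, where in cloudfront_fle_violations(SAMPLE_TEMPLATE):
        print(f"[CloudFront] {res}: {where} has no field-level encryption configuration")
```

Run against the constructed template, the ECS check reports the "sidecar" and "worker" containers and the CloudFront check reports the default cache behavior of "Cdn"; point `json.loads` at your own template to run the same checks locally before a pipeline does.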

Run Rule Recommendation

  1. Sign in to the AWS Management Console.
  2. Navigate to the 'CloudFront' dashboard from the 'Services' panel.
  3. Select 'Web' and 'Enabled' from the 'Viewing' dropdown menu on the 'Distributions' page.
  4. Select the reported distribution from the list.
  5. Click the 'Distribution Settings' button from the top menu.
  6. Switch to the 'Behaviors' tab and select the default behavior.
  7. Click the 'Edit' button.
  8. On the 'Edit Behavior' page, from the 'Field-level Encryption Config' dropdown list, select the name/ID of the field-level encryption configuration already created.
  9. If a field-level encryption configuration has not been created yet, follow the link below to create one.
    Note:
    A field-level encryption configuration can be set only when the 'Viewer Protocol Policy' and 'Origin Protocol Policy' settings use 'HTTPS'.
  10. Click 'Yes, Edit' to save the changes.
