Public S3 CloudFront Origin

This plugin identifies the usage of S3 as a CloudFront source without an identity of the source access.

Risk Level: HIGH

Description: 

This plugin identifies the usage of S3 as a CloudFront source without an identity of the source access. When S3 is utilized as a CloudFront bucket source, the contents should be kept private, and CloudFront should have access to an original identity. This helps avoid circumventing the cache advantages provided by CloudFront, by loading items from S3 frequently and by collecting a high bill of access.

PingSafe strongly recommends creating an origin access identity for CloudFront, then make the contents of the S3 bucket private.

About the Service :

Amazon CloudFront is a web service that accelerates your online content delivery to your users, such as.html,.css,.js, or picture files. CloudFront provides your content over a global data center network known as edge locations. When a user requires the material you provide with CloudFront, the request is routed to the lowest delay location, which ensures the optimum performance for the content.

Impact : 

In the absence of creation access identity for CloudFront and the contents of the S3 bucket is private, malicious people can bypass the caching benefits that CloudFront provides, repeatedly loading objects directly from S3, and amassing a large access bill.

Steps to reproduce :

  1. Log In the AWS Console.
  2. Move to Cloudfront dashboard. (https://console.aws.amazon.com/cloudfront/ )
  3. Click on the Distributions panel on the left panel to access the distributions.
  4. Select S3 Origin from the Origin Type in the Origins tab.
  5. Verify the Restrict Bucket Access setting’s status on the Origin Settings page.
  6.  If Restrict Bucket Access is set to No that means the access to the S3 bucket is not restricted, therefore the selected AWS Cloudfront CDN distribution is using an S3 origin without an origin access identity.

Steps for remediation :

  1. Log In the AWS Console.
  2. Move to Cloudfront dashboard. (https://console.aws.amazon.com/cloudfront/)
  3. Click on the Distributions panel on the left panel to access the distributions.
  4. Select S3 Origin from the Origin Type in the Origins tab.
  5. Verify the Restrict Bucket Access setting’s status on the Origin Settings page.
  6.  If Restrict Bucket Access is set to No that means the access to the S3 bucket is not restricted, therefore the selected AWS Cloudfront CDN distribution is using an S3 origin without an origin access identity.
  7. Select Yes to enforce restriction to the access to the S3 bucket.
  8. Select Create a New Identity option next to Origin Access Identity.
  9. Enter a unique comment in the Comment box.
  10. To automatically grant read permission to the new origin access identity associated with the distribution S3 origin, select Yes in Update Bucket Policy.

References: