CloudWiki
Rules
Medium

Ensure CloudFront web distributions enforce field-level encryption

Security & Compliance
Description

To enhance the security of your Amazon CloudFront web distributions, it's recommended to enable field-level encryption. This feature adds a layer of protection on top of SSL/TLS transport encryption (HTTPS): specific sensitive fields are encrypted at the CloudFront edge and remain encrypted while the request passes through your origin and application stack, so only the applications within your environment that hold the matching private key can read them. Make sure that you enable field-level encryption for your Amazon CloudFront web distributions to secure sensitive data such as social security numbers or credit card numbers. Enabling field-level encryption helps to ensure that this data stays protected across application services, not only on the network path to CloudFront.

Remediation

To ensure that your CloudFront web distributions enforce field-level encryption, you can follow these remediation steps:

  1. Open the Amazon CloudFront console.
  2. Select the web distribution that you want to update.
  3. Click on the "Behaviors" tab.
  4. Select the behavior that you want to update.
  5. Click on the "Edit" button.
  6. Scroll down to the "Field-level Encryption Config" section.
  7. Check if the "Enable Field-level Encryption" checkbox is selected. If not, select it.
  8. Select the appropriate field-level encryption configuration from the drop-down menu.
  9. Click "Yes, Edit" to apply the changes.

You can also enable field-level encryption when you create a new CloudFront web distribution by selecting the appropriate field-level encryption configuration under the "Origin Settings" section.

After enabling field-level encryption, ensure that your application services are configured to decrypt the data using the appropriate private key. Additionally, ensure that you have proper access controls in place for managing the private key used for field-level encryption.
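To verify the result of the steps above across many behaviors at once, the following added check (not part of the CloudWiki page or Lightlytics tooling) walks a distribution config in the shape returned by `aws cloudfront get-distribution-config` / boto3 `get_distribution_config()["DistributionConfig"]` and lists every cache behavior whose `FieldLevelEncryptionId` is empty. The embedded sample config and the `EXAMPLE-FLE-CONFIG-ID` value are constructed for illustration.

```python
"""Audit a CloudFront DistributionConfig for behaviors lacking field-level encryption."""
from typing import Dict, List


def behaviors_without_fle(config: Dict) -> List[str]:
    """Return path patterns of cache behaviors with no field-level encryption config.

    The default behavior is reported as "Default (*)". Note that field-level
    encryption only acts on POST form bodies, so a finding on a behavior that
    never receives sensitive form posts may be acceptable after review.
    """
    findings: List[str] = []
    default = config.get("DefaultCacheBehavior", {})
    if not default.get("FieldLevelEncryptionId"):
        findings.append("Default (*)")
    for behavior in config.get("CacheBehaviors", {}).get("Items", []):
        if not behavior.get("FieldLevelEncryptionId"):
            findings.append(behavior.get("PathPattern", "<unknown>"))
    return findings


def audit_live(distribution_id: str) -> List[str]:
    """Fetch a real distribution with boto3 (needs credentials) and audit it."""
    import boto3  # imported lazily so the offline sample still runs without it

    resp = boto3.client("cloudfront").get_distribution_config(Id=distribution_id)
    return behaviors_without_fle(resp["DistributionConfig"])


# Constructed sample: one behavior is compliant, the default and /static/* are not.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "app-origin",
        "ViewerProtocolPolicy": "redirect-to-https",
        "FieldLevelEncryptionId": "",
    },
    "CacheBehaviors": {
        "Quantity": 2,
        "Items": [
            {"PathPattern": "/checkout/*", "TargetOriginId": "app-origin",
             "FieldLevelEncryptionId": "EXAMPLE-FLE-CONFIG-ID"},
            {"PathPattern": "/static/*", "TargetOriginId": "static-origin",
             "FieldLevelEncryptionId": ""},
        ],
    },
}

if __name__ == "__main__":
    for pattern in behaviors_without_fle(SAMPLE_CONFIG):
        print(f"missing field-level encryption: {pattern}")
```

Run `audit_live("<distribution-id>")` with AWS credentials to check a real distribution instead of the sample.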

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.