Monitor and audit CloudFront to ensure security, availability, reliability is not compromised.
Automatically Compress Web Content
Ensure that Amazon Cloudfront Content Delivery Network (CDN) distributions are configured to automatically compress content for web requests in order to increase your web applications performance and reduce bandwidth costs.
Enable Geo Restriction
Ensure that geo restriction is enabled for your Amazon CloudFront CDN distribution to whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content.
Use CloudFront CDN service
Ensure that AWS CloudFront Content Delivery Network (CDN) service is used within your AWS account to secure and accelerate the delivery of your websites, media files or static resources.
Use Recommended SSL Protocols
Ensure that your AWS Cloudfront Content Delivery Network distributions are not using insecure SSL protocols (i.e. SSLv3) for HTTPS communication between CloudFront edge locations and your custom origins.
CloudFront must be integrated with AWS WAF
Ensure that all your AWS CloudFront web distributions are integrated with the Web Application Firewall (AWS WAF) service to protect against application-layer attacks
Logging Feature must be enabled
Ensure that your AWS Cloudfront distributions have the Logging feature enabled in order to track all viewer requests for the content delivered through the Content Delivery Network (CDN).
Check Security Policy version
Ensure that your Amazon CloudFront distributions use a security policy with minimum TLSv1.1 or TLSv1.2 and appropriate security ciphers for HTTPS viewer connections.
Use HTTPS to secure delivery of web content
Ensure that the communication between your AWS CloudFront distributions and their custom origins is encrypted using HTTPS in order to secure the delivery of your web content.
Communication must be encrypted using HTTPS
Ensure that the communication between your Amazon CloudFront CDN distribution and its viewers (end users) is encrypted using HTTPS in order to secure the delivery of your web application content
Origin Access Identity must be enabled
Ensure that the origin access identity feature is enabled for all your AWS Cloudfront CDN distributions that utilize an S3 bucket as an origin in order to restrict any direct access to your objects through Amazon S3 URLs.
Enable Field-Level Encryption
Ensure that field-level encryption is enabled for your Amazon CloudFront web distributions in order to help protect sensitive data like credit card numbers or social security numbers, and to help protect your data across application services.
Use CDNs for web applications
Ensure that your web application is using Amazon Cloudfront Content Distribution Network (CDN) to secure its content delivery.
HTTPS Enabled on CloudFront
Check if CloudFront distributions are set to HTTPS
Origin Failover must be enabled
Ensure that Origin Failover feature is enabled for your Amazon CloudFront web distributions in order to improve the availability of the content delivered to your end users
Help Us Improve!
If you have any suggestions to improve this checklist, please let us know by filling out