| Plugin Title | Secure CloudFront Origin |
| --- | --- |
| Cloud | AWS |
| Category | CloudFront |
| Description | Detects the use of secure web origins with secure protocols for CloudFront. |
| More Info | Traffic passed between the CloudFront edge nodes and the backend resource should be sent over HTTPS with modern protocols for all web-based origins. |
| AWS Link | http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web.html |
| Recommended Action | Ensure that traffic sent between CloudFront and its origin is passed over HTTPS and uses TLSv1.1 or higher. Do not use the match-viewer option. |
1. Log in to the AWS Management Console.
2. Select the "Services" option and search for CloudFront.
3. Select the "Distribution" that needs to be verified.
4. Click the "Distribution id" to open the distribution's configuration page.
5. Select the "General" tab and click the "Edit" button under settings.
6. On the Edit Settings page, scroll to the "Custom SSL certificate - optional" settings and ensure that a valid certificate is selected from the dropdown if you are using your own certificate.
7. Under "Security policy", ensure that TLSv1.2 (recommended) or a higher protocol is selected.
8. Scroll down and click "Save changes".
9. Repeat steps 5, 6 and 7 to verify the other CloudFront distributions.
10. For distributions that only use HTTP and not HTTPS, create a new distribution with a similar source but set the Viewer Protocol Policy to either "HTTP to HTTPS" or "HTTPS only".
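The origin-side check this plugin describes, as an added example that is not part of the original page or the plugin's own code: it walks the `Origins` of a distribution config shaped like the CloudFront API's `DistributionConfig` (the field names `CustomOriginConfig`, `OriginProtocolPolicy` and `OriginSslProtocols` are the public API's; the sample values are constructed) and flags any custom origin that is not `https-only` or that still allows SSLv3/TLSv1. S3 origins carry no protocol settings and are skipped.

```python
"""Flag CloudFront custom origins that are not HTTPS-only with modern TLS."""

# Constructed sample shaped like `aws cloudfront get-distribution-config`
# output (assumption: field names follow the public CloudFront API; the
# origin ids, domains and settings below are made up for this example).
SAMPLE_DISTRIBUTION_CONFIG = {
    "Origins": {
        "Quantity": 5,
        "Items": [
            {"Id": "api-good", "DomainName": "api.example.com",
             "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                                    "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
            {"Id": "legacy-http", "DomainName": "legacy.example.com",
             "CustomOriginConfig": {"OriginProtocolPolicy": "http-only",
                                    "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
            {"Id": "match-viewer", "DomainName": "app.example.com",
             "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
                                    "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}},
            {"Id": "weak-tls", "DomainName": "old.example.com",
             "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                                    "OriginSslProtocols": {"Quantity": 3,
                                                           "Items": ["TLSv1", "TLSv1.1", "TLSv1.2"]}}},
            # S3 origin: no CustomOriginConfig, so nothing to check here.
            {"Id": "assets", "DomainName": "assets-bucket.s3.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": ""}},
        ],
    }
}

# Protocols below the TLSv1.1 floor the recommended action sets.
WEAK_PROTOCOLS = {"SSLv3", "TLSv1"}


def check_origins(distribution_config):
    """Return a list of (origin_id, finding) for every insecure web origin."""
    findings = []
    for origin in distribution_config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue  # S3 origins have no origin protocol settings
        policy = custom.get("OriginProtocolPolicy")
        if policy != "https-only":  # catches http-only and match-viewer alike
            findings.append((origin["Id"], f"origin protocol policy is {policy}, expected https-only"))
        weak = WEAK_PROTOCOLS & set(custom.get("OriginSslProtocols", {}).get("Items", []))
        if weak:
            findings.append((origin["Id"], "allows weak origin SSL protocols: " + ", ".join(sorted(weak))))
    return findings


def is_compliant(distribution_config):
    """True when no origin produced a finding."""
    return not check_origins(distribution_config)


if __name__ == "__main__":
    for origin_id, finding in check_origins(SAMPLE_DISTRIBUTION_CONFIG):
        print(f"{origin_id}: {finding}")
```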