Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cloudfront: Support for Field-Level Encryption in CloudFront BehaviorOptions #30203

Closed
2 tasks
meryemben92 opened this issue May 15, 2024 · 3 comments
Closed
2 tasks

cloudfront: Support for Field-Level Encryption in CloudFront BehaviorOptions #30203

meryemben92 opened this issue May 15, 2024 · 3 comments
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.

Comments

@meryemben92
Copy link

meryemben92 commented May 15, 2024
edited
Loading

Describe the feature

I am requesting support for enabling field-level encryption in CloudFront BehaviorOptions within the AWS CDK. Recently, a high vulnerability issue has been raised: "CloudFront distributions that utilize HTTP POST Methods should have field-level encryption enabled."

However, currently, the AWS CDK does not support configuring field-level encryption directly in BehaviorOptions. This limitation requires the use of lower-level constructs (CfnDistribution), which complicates the setup and deviates from the convenience provided by the high-level Distribution construct.

Use Case

We need to secure sensitive data in HTTP POST requests by enabling field-level encryption in CloudFront distributions. Field-level encryption helps to protect specific data fields as they transit through CloudFront, ensuring compliance with security policies and protecting sensitive information.

Proposed Solution

Extend the BehaviorOptions in the aws-cloudfront module to include a property for field-level encryption, such as:

interface BehaviorOptions {
  ...
  fieldLevelEncryptionId?: string;
  ...
}

Other Information

Current Workaround

Currently, we have to define field-level encryption profiles and configurations using CfnResource and attach them to behaviors using the low-level CfnDistribution construct, which makes the code more complex and harder to maintain.

Example

Here’s an example of the current workaround:

export const createCloudFrontDistribution = (construct: Construct, distributionId: string) => {
  const bucket = new Bucket(construct, 'MyBucket');

  // Create a field-level encryption profile
  const fieldLevelEncryptionProfile = new CfnFieldLevelEncryptionProfile(
    construct,
    'MyFieldLevelEncryptionProfile',
    {
      encryptionEntities: {
        items: [
          {
            publicKeyId: 'your-public-key-id',
            providerId: 'provider-id',
            fieldPatterns: {
              items: ['field-to-encrypt'],
            },
          },
        ],
        quantity: 1,
      },
      name: 'MyFieldLevelEncryptionProfile',
    }
  );

  // Create a field-level encryption configuration
  const fieldLevelEncryptionConfig = new CfnFieldLevelEncryptionConfig(
    construct,
    'MyFieldLevelEncryptionConfig',
    {
      queryArgProfileConfig: {
        forwardWhenQueryArgProfileIsUnknown: true,
        queryArgProfiles: {
          items: [],
          quantity: 0,
        },
      },
      contentTypeProfileConfig: {
        forwardWhenContentTypeIsUnknown: false,
        contentTypeProfiles: {
          items: [],
          quantity: 0,
        },
      },
      fieldLevelEncryptionProfileId: fieldLevelEncryptionProfile.ref,
    }
  );

  // Create the high-level Distribution construct
  const distribution = new Distribution(construct, distributionId, {
    defaultBehavior: {
      origin: new origins.S3Origin(bucket),
      allowedMethods: AllowedMethods.ALLOW_ALL,
      viewerProtocolPolicy: ViewerProtocolPolicy.REDIRECT_TO_HTTPS,
    },
  });

  // Attach the field-level encryption config to the default behavior
  const cfnDistribution = distribution.node.defaultChild as CfnDistribution;
  cfnDistribution.addOverride('Properties.DistributionConfig.DefaultCacheBehavior.FieldLevelEncryptionId', fieldLevelEncryptionConfig.ref);
};

Request

Please consider adding support for field-level encryption in the BehaviorOptions for CloudFront distributions in AWS CDK. This enhancement will greatly simplify securing sensitive data in our applications.

Acknowledgements

  • I may be able to implement this feature request
  • This feature might incur a breaking change

CDK version used

2.141.0

Environment details (OS name and version, etc.)

OS: Ubuntu 22.04.4
Node.js: 18.18.2
@meryemben92 meryemben92 added feature-request A feature should be added or improved. needs-triage This issue or PR still needs to be triaged. labels May 15, 2024
@github-actions github-actions bot added the @aws-cdk/aws-cloudfront Related to Amazon CloudFront label May 15, 2024
@pahud pahud added p2 effort/small Small work item – less than a day of effort and removed needs-triage This issue or PR still needs to be triaged. labels May 16, 2024
@pahud
Copy link
Contributor

pahud commented May 16, 2024

Interesting. I can't find any document about how to create FieldLevelEncryptionConfig in CFN. Is CfnFieldLevelEncryptionConfig your custom construct? Can you share more info about this?

@pahud pahud added the response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days. label May 16, 2024
@github-actions GitHub Actions
Copy link

This issue has not received a response in a while. If you want to keep this issue open, please leave a comment below and auto-close will be canceled.

@github-actions github-actions bot added the closing-soon This issue will automatically close in 4 days unless further comments are made. label May 18, 2024
@github-actions github-actions bot mentioned this issue May 20, 2024
Closed
@github-actions github-actions bot added closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. and removed closing-soon This issue will automatically close in 4 days unless further comments are made. labels May 23, 2024
@github-actions github-actions bot mentioned this issue Jun 1, 2024
Closed
@aws-cdk-automation
Copy link
Collaborator

Comments on closed issues and PRs are hard for our team to see. If you need help, please open a new issue that references this one.

@aws aws locked as resolved and limited conversation to collaborators Jul 25, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
@aws-cdk/aws-cloudfront Related to Amazon CloudFront closed-for-staleness This issue was automatically closed because it hadn't received any attention in a while. effort/small Small work item – less than a day of effort feature-request A feature should be added or improved. p2 response-requested Waiting on additional info and feedback. Will move to "closing-soon" in 7 days.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@pahud @aws-cdk-automation @meryemben92