
Disable SSL-only policy if ACM certificate given

Open emyller opened this issue 4 years ago • 5 comments

what

  • Disables SSL-only requests restriction at S3 static-website settings when Cloudfront will handle TLS given an ACM certificate.

why

  • There is a conflict when setting up both CDN-level TLS and S3-level SSL, which makes S3 respond with an HTTP 403 error.

references

  • Closes #175

emyller avatar Aug 06 '21 21:08 emyller

To maintainers: can you please explain a use case justifying allow_ssl_requests_only=true since this module includes a Cloudfront CDN with TLS settings of its own? Thanks!

emyller avatar Aug 06 '21 21:08 emyller

When deploying AWS Config and SecurityHub with the AWS Well-Architected Best Practices, it will raise an issue if TLS on a bucket is not mandatory.

osterman avatar Aug 07 '21 00:08 osterman

If the module has problems with this enabled, then I suspect we have a cloud front misconfiguration for the origin, since I can't see why it should ever send non TLS requests.

osterman avatar Aug 07 '21 00:08 osterman

> If the module has problems with this enabled, then I suspect we have a cloud front misconfiguration for the origin, since I can't see why it should ever send non TLS requests.

Gotcha. My guess is that Cloudfront would communicate internally with S3, similarly to an ALB when it communicates with the hosts within a target group -- both scenarios not needing TLS. I can see a flaw in the Cloudfront-S3 scenario though: in case someone has the bucket name, they could make requests without TLS.

I can help investigate why the origin fails making TLS requests to S3 in a case like #175. It doesn't happen everywhere -- I've used this module before and didn't see this issue.

emyller avatar Aug 09 '21 13:08 emyller


I believe the issue is with the default origin protocol policy here: https://github.com/cloudposse/terraform-aws-cloudfront-s3-cdn/blob/master/main.tf#L413 the origin generated by the default s3_origins var will have this problem - it gets forced to http-only but the bucket gets a policy to Deny http-only. I think a fix would be to have the default set to match-viewer (the AWS default) and then let allow_ssl_requests_only=true change it to https-only. I'd even be in favor of keeping allow_ssl_requests_only=true as default but make sure the origin_protocol_policy on the resource is set appropriately to align with the bucket policy.

dawilk avatar Jul 09 '22 22:07 dawilk
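The conflict dawilk diagnoses, and the PR description's 403, laid out as a Terraform config. This is an added illustration, not code from the cloudposse module or from anyone in this thread; the resource names, the bucket name and the OAI comment are hypothetical. The key fact it rests on is that an S3 static-website endpoint accepts only plain HTTP, so a CloudFront origin pointed at it must use `http-only`, and every fetch then trips an `aws:SecureTransport = false` Deny. The HTTPS-capable path is the bucket's REST endpoint with an origin access identity; because CloudFront talks to a REST S3 origin with the protocol the viewer used, the cache behavior also needs `redirect-to-https` (or `https-only`) so that no plain-HTTP viewer request becomes a plain-HTTP origin fetch.

```hcl
# Added example, not the module's own code. Names and values are hypothetical.

resource "aws_s3_bucket" "origin" {
  bucket = "example-cdn-origin" # hypothetical bucket name
}

resource "aws_cloudfront_origin_access_identity" "cdn" {
  comment = "example-cdn-origin access" # hypothetical
}

# Bucket policy: the TLS-only Deny that allow_ssl_requests_only = true stands
# for, plus the Allow the OAI needs in order to read objects over HTTPS.
data "aws_iam_policy_document" "origin" {
  statement {
    sid       = "AllowCloudFrontOAIRead"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.origin.arn}/*"]
    principals {
      type        = "AWS"
      identifiers = [aws_cloudfront_origin_access_identity.cdn.iam_arn]
    }
  }

  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.origin.arn, "${aws_s3_bucket.origin.arn}/*"]
    principals {
      type        = "*"
      identifiers = ["*"]
    }
    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "origin" {
  bucket = aws_s3_bucket.origin.id
  policy = data.aws_iam_policy_document.origin.json
}

resource "aws_cloudfront_distribution" "cdn" {
  enabled             = true
  default_root_object = "index.html"

  # Compatible with the Deny: the REST endpoint speaks HTTPS, and since viewers
  # are redirected to HTTPS below, CloudFront fetches from S3 over HTTPS too.
  origin {
    origin_id   = "s3-rest"
    domain_name = aws_s3_bucket.origin.bucket_regional_domain_name
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.cdn.cloudfront_access_identity_path
    }
  }

  # Conflicting variant, kept commented out: the S3 website endpoint only
  # accepts plain HTTP, so the origin must be http-only, every fetch fails the
  # aws:SecureTransport condition, and S3 answers 403 (the #175 symptom).
  #
  # origin {
  #   origin_id   = "s3-website"
  #   domain_name = aws_s3_bucket_website_configuration.origin.website_endpoint
  #   custom_origin_config {
  #     http_port              = 80
  #     https_port             = 443
  #     origin_protocol_policy = "http-only"
  #     origin_ssl_protocols   = ["TLSv1.2"]
  #   }
  # }

  default_cache_behavior {
    target_origin_id       = "s3-rest"
    viewer_protocol_policy = "redirect-to-https" # keeps origin fetches on HTTPS
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true # swap for acm_certificate_arn on a custom domain
  }
}
```

In terms of the thread's proposals: switching the website-endpoint origin to `match-viewer` or `https-only` cannot work, because the website endpoint has no HTTPS listener; with the Deny in place, the choice is between the REST endpoint (as above) and dropping the Deny for website-hosted buckets, which is what this PR does. A quick check after apply is to `curl -sI https://<distribution-domain>/index.html` and confirm a 200 rather than a 403 from S3.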