
CloudFront distribution has Field Level Encryption enabled

cloudfront_distributions_field_level_encryption_enabled

Severity: low
Service: cloudfront
by Prowler

This check verifies that each CloudFront distribution's default cache behavior references a Field-Level Encryption configuration (the field_level_encryption_id attribute). When it does, the request fields named in that configuration are encrypted at the edge with the configured public key before the request is forwarded to the origin; note that field-level encryption covers selected fields of form-encoded (application/x-www-form-urlencoded) POST bodies, not arbitrary request data.

Risk

Without field-level encryption, sensitive inputs (PII, payment data, credentials) reach the origin, origin access logs, and any intermediate services in plaintext, so every hop behind CloudFront can read them. This undermines confidentiality, enables data exfiltration and insider misuse, and can lead to session or account compromise if tokens or credentials are captured.

Run this check with Prowler CLI

prowler aws --checks cloudfront_distributions_field_level_encryption_enabled

Recommendation

Enable Field-Level Encryption for sensitive request fields and bind the configuration to every cache behavior that receives them, not only the default one. Keep the private key only where decryption happens, apply least privilege to it, rotate and monitor keys, and separate duties. As defense in depth, minimize data collection, avoid logging secrets, require HTTPS end-to-end, and validate inputs. Because field-level encryption protects only the selected POST fields, it complements transport encryption rather than replacing it.

Remediation

CLI

# 1. Prerequisites: register the RSA public key, create a profile naming the fields to encrypt, then the configuration.
#    public-key.json and fle-profile.json are placeholder file names for the respective request bodies.
aws cloudfront create-public-key --public-key-config file://public-key.json
aws cloudfront create-field-level-encryption-profile --field-level-encryption-profile-config file://fle-profile.json
aws cloudfront create-field-level-encryption-config --field-level-encryption-config file://fle-config.json

# 2. Save only the DistributionConfig object (update-distribution rejects the full get-distribution-config output, which also contains ETag) and capture the ETag.
aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query DistributionConfig --output json > current-config.json
ETAG=$(aws cloudfront get-distribution-config --id <DISTRIBUTION_ID> --query ETag --output text)

# 3. Manually edit current-config.json: set DefaultCacheBehavior.FieldLevelEncryptionId to the Id of the configuration created in step 1.

# 4. Push the change; --if-match with the ETag guards against overwriting a concurrent edit.
aws cloudfront update-distribution --id <DISTRIBUTION_ID> --distribution-config file://current-config.json --if-match "$ETAG"

Console
  1. In the AWS Console, go to CloudFront
  2. If you don't have a Field-level encryption configuration:
    • In the left menu, click Public keys > Add public key (paste your RSA 2048-bit public key; the matching private key stays with the origin that decrypts)
    • Click Field-level encryption > Create profile (choose the public key and add the fields to encrypt)
    • Click Field-level encryption > Create configuration (set the profile as Default profile)
  3. Attach it to your distribution:
    • Go to Distributions > select <DISTRIBUTION_ID>
    • Choose Behaviors > select Default (*) > Edit
    • Set Field-level encryption configuration to your created configuration
    • Click Save changes and wait for deployment
    • Repeat the edit for any other behavior whose path receives sensitive fields
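The following Python script is added here as an illustration; it is not Prowler's own check code. It evaluates DistributionConfig documents in the shape returned by `aws cloudfront get-distribution-config --query DistributionConfig`, applying the same condition this check tests (a non-empty FieldLevelEncryptionId on DefaultCacheBehavior) and, going beyond the check, also flagging custom cache behaviors without a FLE configuration and behaviors that still accept plaintext HTTP viewers. It also performs the config edit that the CLI remediation above leaves to the operator. The distribution IDs, the FLE configuration ID and the sample configs are constructed, not taken from any real account.

```python
"""Evaluate CloudFront DistributionConfig documents for Field-Level Encryption.

Added example, not Prowler's code. Works on the JSON object returned by
  aws cloudfront get-distribution-config --id <ID> --query DistributionConfig
"""
import copy
import json
from typing import Any, Dict, List

# Constructed sample data (hypothetical IDs, no real account).
SAMPLE_CONFIGS: Dict[str, Dict[str, Any]] = {
    # Default behavior has an empty FieldLevelEncryptionId, which is how the
    # API represents "no FLE configuration attached".
    "E1AAAAAAAAAAAA": {
        "DefaultCacheBehavior": {
            "TargetOriginId": "app-origin",
            "ViewerProtocolPolicy": "allow-all",
            "FieldLevelEncryptionId": "",
        },
        "CacheBehaviors": {"Quantity": 0},
    },
    # Default behavior is bound to a FLE configuration, but the custom
    # behavior for /api/* is not.
    "E2BBBBBBBBBBBB": {
        "DefaultCacheBehavior": {
            "TargetOriginId": "app-origin",
            "ViewerProtocolPolicy": "redirect-to-https",
            "FieldLevelEncryptionId": "K1CCCCCCCCCCCC",
        },
        "CacheBehaviors": {
            "Quantity": 1,
            "Items": [
                {
                    "PathPattern": "/api/*",
                    "TargetOriginId": "api-origin",
                    "ViewerProtocolPolicy": "https-only",
                    "FieldLevelEncryptionId": "",
                }
            ],
        },
    },
}


def _fle_id(behavior: Dict[str, Any]) -> str:
    """FieldLevelEncryptionId of a cache behavior; '' when unset or absent."""
    return (behavior.get("FieldLevelEncryptionId") or "").strip()


def default_behavior_fle_enabled(config: Dict[str, Any]) -> bool:
    """The condition this check evaluates: default behavior bound to a FLE config."""
    return bool(_fle_id(config.get("DefaultCacheBehavior", {})))


def evaluate_distribution(dist_id: str, config: Dict[str, Any]) -> Dict[str, Any]:
    """PASS/FAIL finding for one distribution plus notes that go beyond the check."""
    passed = default_behavior_fle_enabled(config)
    report: Dict[str, Any] = {
        "resource_id": dist_id,
        "status": "PASS" if passed else "FAIL",
        "status_extended": (
            f"CloudFront Distribution {dist_id} has Field Level Encryption "
            f"{'enabled' if passed else 'disabled'} on its default cache behavior."
        ),
        "notes": [],
    }
    custom: List[Dict[str, Any]] = config.get("CacheBehaviors", {}).get("Items", [])
    for behavior in custom:
        if not _fle_id(behavior):
            report["notes"].append(
                f"cache behavior {behavior.get('PathPattern')} has no FLE configuration"
            )
    # Fields submitted over plaintext HTTP are exposed before CloudFront sees them.
    for behavior in [config.get("DefaultCacheBehavior", {})] + custom:
        if behavior.get("ViewerProtocolPolicy") == "allow-all":
            report["notes"].append(
                f"cache behavior {behavior.get('PathPattern', '*')} accepts plaintext HTTP viewers"
            )
    return report


def attach_field_level_encryption(
    config: Dict[str, Any], fle_id: str, all_behaviors: bool = False
) -> Dict[str, Any]:
    """Copy of config with FieldLevelEncryptionId set on the default cache behavior
    (and on every custom behavior when all_behaviors=True): the edit step of the
    CLI remediation. The result is what goes into current-config.json."""
    new = copy.deepcopy(config)
    new["DefaultCacheBehavior"]["FieldLevelEncryptionId"] = fle_id
    if all_behaviors:
        for behavior in new.get("CacheBehaviors", {}).get("Items", []):
            behavior["FieldLevelEncryptionId"] = fle_id
    return new


def run(configs: Dict[str, Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Evaluate every distribution; order follows the input mapping."""
    return [evaluate_distribution(d, c) for d, c in configs.items()]


if __name__ == "__main__":
    for finding in run(SAMPLE_CONFIGS):
        print(json.dumps(finding))
    fixed = attach_field_level_encryption(SAMPLE_CONFIGS["E1AAAAAAAAAAAA"], "K1CCCCCCCCCCCC")
    print(json.dumps(fixed["DefaultCacheBehavior"]))
```

To use it against a real account, replace SAMPLE_CONFIGS with the output of `get-distribution-config --query DistributionConfig` for each distribution; the empty-string convention for FieldLevelEncryptionId is the same there.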


Resource Type

AwsCloudFrontDistribution
