How Can I Completely Disable HTTP on CloudFront?

Asked By CuriousCoder42 On

I'm trying to fully disable HTTP connections on CloudFront, specifically port 80. I'm not interested in simply redirecting or returning a 403 error; I want CloudFront to not respond at all to any HTTP requests. My setup includes a CloudFront distribution linked via Route 53, and my domain is on the HSTS preload list, which means modern browsers default to HTTPS. I initially set the ViewerProtocolPolicy to redirect-to-https, but that still leaves port 80 open and susceptible to potential security issues, as pointed out in a recent pentest. Here's the situation: I'd like CloudFront to completely ignore HTTP requests, so that port 80 is unreachable, without returning any headers or error messages. Is this achievable with CloudFront, or is there a hard limit preventing this? Solving this while keeping it simple and maintaining CloudFront is my goal, though I'm open to learning about other solutions too. Thanks!

1 Answer

Answered By TechSavvy101 On

It sounds like you're trying to achieve something that might not be possible with CloudFront. Essentially, you're dealing with Layer 7 configurations, which means CloudFront operates at the application layer and doesn't directly control the TCP listener on port 80. If you want to completely disable HTTP, there's no straightforward way to force CloudFront to ignore it entirely like an L4 solution would. The usual approach is to use an HTTPS redirect, which should suffice for most use cases. It's more about how CloudFront is designed rather than a lack of understanding from the pentester's side.

QuestionAsker -

I understand the OSI layer distinctions, but I’m curious about AWS's infrastructure. What exactly stops CloudFront from just not responding on port 80? Is it an architectural choice they've made or a fundamental limitation? I want to know if there might be a workaround or a plan to address this.
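The setting discussed in this thread, ViewerProtocolPolicy, is set per cache behavior, so one path pattern can still allow plain HTTP even when the default behavior redirects. The audit below is an added example, not code from the thread; the config is a constructed sample shaped like the `DistributionConfig` object returned by `aws cloudfront get-distribution-config`, and the function names are hypothetical.

```python
import json

# Constructed sample (not from the thread): origin IDs and path patterns are
# made up; the field names follow CloudFront's DistributionConfig structure.
SAMPLE_CONFIG = json.loads("""
{
  "DefaultCacheBehavior": {"TargetOriginId": "site", "ViewerProtocolPolicy": "redirect-to-https"},
  "CacheBehaviors": {
    "Quantity": 2,
    "Items": [
      {"PathPattern": "/api/*", "TargetOriginId": "api", "ViewerProtocolPolicy": "https-only"},
      {"PathPattern": "/legacy/*", "TargetOriginId": "site", "ViewerProtocolPolicy": "allow-all"}
    ]
  }
}
""")

# What a viewer connecting on port 80 gets back for each policy value.
HTTP_OUTCOME = {
    "allow-all": "content served over plain HTTP",
    "redirect-to-https": "redirect to the HTTPS URL",
    "https-only": "403 Forbidden",
}

def iter_behaviors(config):
    """Yield (path pattern, behavior) for the default and every extra behavior."""
    yield "(default)", config["DefaultCacheBehavior"]
    # "Items" is absent when Quantity is 0, so tolerate missing keys.
    for behavior in (config.get("CacheBehaviors") or {}).get("Items") or []:
        yield behavior["PathPattern"], behavior

def audit(config):
    """Return one finding per behavior; ok is False if HTTP content is served."""
    findings = []
    for path, behavior in iter_behaviors(config):
        policy = behavior.get("ViewerProtocolPolicy")
        findings.append({"path": path, "policy": policy,
                         "on_port_80": HTTP_OUTCOME.get(policy, "unknown policy"),
                         "ok": policy in ("redirect-to-https", "https-only")})
    return findings

def plaintext_paths(config):
    """Path patterns whose behavior does not force HTTPS."""
    return [f["path"] for f in audit(config) if not f["ok"]]

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['path']:<12} {f['policy']:<18} -> {f['on_port_80']}")
```
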
