Use cloudfront secure headers (#42)

* Add ResponseHeadersPolicy
* Remove Lambda at Edge function
* Update Readme

Co-authored-by: Nick <[email protected]>

* Add missing step to diagram

Author: ConnorKirk

Makefile

@@ -41,9 +41,4 @@ build-static:
 
 package-static:
 	make build-static
-	cd source/witch && zip -r ../../witch.zip nodejs
-
-package-function:
-	make clean
-	make package-static
-	cd source/secured-headers/ && zip -r ../../s-headers.zip index.js
+	cd source/witch && zip -r ../../witch.zip nodejs

README.md

@@ -5,7 +5,7 @@ Use this solution to create a secure static website for your registered domain n
 - Is hosted on [Amazon S3](https://aws.amazon.com/s3/)
 - Is distributed by [Amazon CloudFront](https://aws.amazon.com/cloudfront/)
 - Uses an SSL/TLS certificate from [AWS Certificate Manager (ACM)](https://aws.amazon.com/certificate-manager/)
-- Uses [Lambda@Edge](https://aws.amazon.com/lambda/edge/) to add security headers to every server response
+- Uses [CloudFront Response Header Policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html) to add security headers to every server response
 - Is deployed with [AWS CloudFormation](https://aws.amazon.com/cloudformation/)
 
 For more information about each of these components, see the **Solution details** section on this page.
@@ -14,30 +14,31 @@ For more information about each of these components, see the **Solution details*
 
 The following diagram shows an overview of how the solution works:
 
-![Architecture](./docs/images/architecture.png)
+![Architecture](./docs/images/cf-secure-static-site-architecture.png)
 
 1. The viewer requests the website at www.example.com.
 2. If the requested object is cached, CloudFront returns the object from its cache to the viewer.
 3. If the object is not in CloudFront’s cache, CloudFront requests the object from the origin (an S3 bucket).
-4. S3 returns the object to CloudFront, which triggers the Lambda@Edge origin response event.
-5. The object, including the security headers added by the Lambda@Edge function, is added to CloudFront’s cache.
-6. (Not shown) The objects is returned to the viewer. Subsequent responses for the object are served from the CloudFront cache.
+4. S3 returns the object to CloudFront
+5. CloudFront caches the object.
+6. The object is returned to the viewer. Subsequent responses for the object are served from the CloudFront cache.
+
 
 ## Solution details
 
 ### S3 configuration
 This solution creates an S3 bucket that hosts your static website’s assets. The website is only accessible via CloudFront, not directly from S3.
 
 ### CloudFront configuration
-This solution creates a CloudFront distribution to serve your website to viewers. The distribution is configured with a CloudFront [origin access identity](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) to make sure that the website is only accessible via CloudFront, not directly from S3. The distribution is also configured with a [Lambda@Edge function](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html) that adds security headers to every response.
+This solution creates a CloudFront distribution to serve your website to viewers. The distribution is configured with a CloudFront [origin access identity](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html) to make sure that the website is only accessible via CloudFront, not directly from S3. The distribution is also configured with a [CloudFront Response Header Policy](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/adding-response-headers.html) that adds security headers to every response.
 
 ### ACM configuration
 This solution creates an SSL/TLS certificate in ACM, and attaches it to the CloudFront distribution. This enables the distribution to serve your domain’s website using HTTPS.
 
-### Lambda@Edge configuration
-This solution creates a Lambda@Edge function that’s triggered on an [origin response event](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-cloudfront-trigger-events.html). The function adds security headers to every response served by CloudFront.
+### CloudFront Response Header Policy
+The CloudFront Response Header Policy adds security headers to every response served by CloudFront.
 
-The security headers can help mitigate some attacks, as explained in this blog post: [Adding HTTP Security Headers Using Lambda@Edge and Amazon CloudFront](https://aws.amazon.com/blogs/networking-and-content-delivery/adding-http-security-headers-using-lambdaedge-and-amazon-cloudfront/). Security headers are a group of headers in the web server response that tell web browsers to take extra security precautions. This solution adds the following headers to each response:
+The security headers can help mitigate some attacks, as explained in the [Amazon CloudFront - Understanding response header policies documentation](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/understanding-response-headers-policies.html#understanding-response-headers-policies-security). Security headers are a group of headers in the web server response that tell web browsers to take extra security precautions. This solution adds the following headers to each response:
 
 - [Strict-Transport-Security](https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security)
 - [Content-Security-Policy](https://infosec.mozilla.org/guidelines/web_security#content-security-policy)
@@ -70,7 +71,7 @@ To deploy the solution, you use [AWS CloudFormation](https://aws.amazon.com/clou
    following fields:
 
     - **SubDomain:** The subdomain for your registered domain name. Viewers use the subdomain to access your website, for example: www.example.com. We recommend using the default value of **www** as the subdomain.
-    - **DomainName:** Your registered domain name, such as example.com. This domain must be pointed to a Route 53 hosted zone.
+    - **DomainName:** Your registered domain name, such as example.com. This domain must be pointed to a Route 53 hosted zone.
     - **CreateApex:** Optionally create an Alias to the domain apex (example.com) in your CloudFront configuration.  Default is [no]
 
    After entering values, choose the **Next** button.
@@ -111,7 +112,7 @@ https://s3.amazonaws.com/solution-builders-us-east-1/amazon-cloudfront-secure-st
 3. Run the following command to package a build artifact.
 
     ```shell
-    make package-function
+    make package-static
     ```
 
 4. Copy your website content into the **www** folder.
@@ -138,8 +139,8 @@ https://s3.amazonaws.com/solution-builders-us-east-1/amazon-cloudfront-secure-st
         --template-file packaged.template \
         --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
         --parameter-overrides  DomainName=<your domain name> SubDomain=<your website subdomain>
-    ```
-    
+    ```
+    
 8. [Optional] Run the following command to deploy the packaged CloudFormation template to a CloudFormation stack with a domain apex.
 
     ```shell
@@ -148,8 +149,8 @@ https://s3.amazonaws.com/solution-builders-us-east-1/amazon-cloudfront-secure-st
         --template-file packaged.template \
         --capabilities CAPABILITY_NAMED_IAM CAPABILITY_AUTO_EXPAND \
         --parameter-overrides  DomainName=<your domain name> SubDomain=<your website subdomain> CreateApex=yes
-    ```
-
+    ```
+
 
 ### Updating the site Content Security Policy
 

ci/include.lst

@@ -1,5 +1,4 @@
 templates
 cfn-publish.config
-s-headers.zip
 witch.zip
 www

docs/images/architecture.png

@@ -50,44 +50,6 @@ Resources:
             Principal:
               CanonicalUser: !GetAtt CloudFrontOriginAccessIdentity.S3CanonicalUserId
 
-  LambdaEdgeFunction:
-    DeletionPolicy: Retain
-    Type: AWS::Serverless::Function
-    Properties:
-      Handler: index.handler
-      Role: !GetAtt LambdaEdgeFunctionRole.Arn
-      CodeUri: ../s-headers.zip
-      Runtime: 'nodejs12.x'
-      Timeout: 25
-
-  Lambdaversion:
-    Type: AWS::Lambda::Version
-    Properties: 
-      FunctionName: !Ref LambdaEdgeFunction
-      Description: v1
-
-  LambdaEdgeFunctionRole:
-    Type: AWS::IAM::Role
-    Properties:
-      Path: '/'
-      ManagedPolicyArns:
-          - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
-      AssumeRolePolicyDocument:
-        Version: '2012-10-17'
-        Statement:
-          -
-            Sid: 'AllowLambdaServiceToAssumeRole'
-            Effect: 'Allow'
-            Action:
-              - 'sts:AssumeRole'
-            Principal:
-              Service:
-              - 'lambda.amazonaws.com'
-              - 'edgelambda.amazonaws.com'
-      Tags:
-        - Key: Solution
-          Value: ACFS3
-
   CloudFrontDistribution:
     Type: AWS::CloudFront::Distribution
     Properties:
@@ -102,11 +64,8 @@ Resources:
             QueryString: true
           MaxTTL: 31536000
           TargetOriginId: !Sub 'S3-${AWS::StackName}-root'
-          LambdaFunctionAssociations:
-            - 
-              EventType: origin-response
-              LambdaFunctionARN: !Ref Lambdaversion
           ViewerProtocolPolicy: 'redirect-to-https'
+          ResponseHeadersPolicyId: !Ref ResponseHeadersPolicy
         CustomErrorResponses:
           - ErrorCachingMinTTL: 60
             ErrorCode: 404
@@ -172,11 +131,35 @@ Resources:
           # The  following HosteZoneId is always used for alias records pointing to CF.
           HostedZoneId: 'Z2FDTNDATAQYW2'
 
-Outputs:
-  LambdaEdgeFunctionVersion:
-    Description: Security Lambda version
-    Value: !Ref Lambdaversion
+  ResponseHeadersPolicy:
+      Type: AWS::CloudFront::ResponseHeadersPolicy
+      Properties: 
+        ResponseHeadersPolicyConfig: 
+          Comment: "practera-security-headers-for-${env:APPV2S3BUCKET}"
+          Name: "practera-security-headers-for-GlobalAPPv2"
+          SecurityHeadersConfig: 
+            StrictTransportSecurity: 
+              AccessControlMaxAgeSec: 63072000
+              IncludeSubdomains: true
+              Override: true
+              Preload: true
+            ContentSecurityPolicy: 
+              ContentSecurityPolicy: "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'"
+              Override: true
+            ContentTypeOptions: 
+              Override: true
+            FrameOptions:
+              FrameOption: DENY
+              Override: true
+            ReferrerPolicy: 
+              ReferrerPolicy: "same-origin"
+              Override: true
+            XSSProtection: 
+              ModeBlock: true
+              Override: true
+              Protection: true
 
+Outputs:
   CloudFrontDistribution:
     Description: CloudFront distribution
     Value: !GetAtt CloudFrontDistribution.DomainName

docs/images/cf-secure-static-site-architecture.png

@@ -98,9 +98,6 @@ Outputs:
   CFDistributionName:
     Description: CloudFront distribution
     Value: !GetAtt CloudFrontStack.Outputs.CloudFrontDistribution
-  LambdaEdgeFunctionVersion:
-    Description: Security Lambda version
-    Value: !GetAtt CloudFrontStack.Outputs.LambdaEdgeFunctionVersion
   CloudFrontDomainName:
     Description: Website address
     Value: !GetAtt CloudFrontStack.Outputs.CloudFrontDomainName