Using CloudFront to encrypt sensitive data at the edge
If there is more than one application or service behind the origin endpoint, you may want to protect sensitive data that the viewer submits via HTTP POST to the origin application stack. Using end-to-end HTTPS with CloudFront ensures that sensitive data is encrypted from the client to the origin. CloudFront's Field-Level Encryption (FLE) adds another layer of security by encrypting selected fields in the POST form with a public key at the edge, so that only certain applications can decrypt them. For example, if an e-commerce system receives sensitive information such as a customer's phone number or address, those fields can be separately encrypted at the edge before they are sent to the origin applications. The origin application can decrypt the sensitive data using the private keys.
To use CloudFront’s FLE, you first need to upload the public key of a private-public key pair. With this public key, you can make an FLE profile that defines which fields should be encrypted. Next, create a configuration that defines which content type (decided by an HTML form element’s enctype attribute) is associated with an FLE profile. When these fields are encrypted by CloudFront and forwarded to the origin, the relevant application can decrypt them using a private key.
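The three setup steps above, written as an added example against a boto3 CloudFront client (this is not code from the original page). The function name, the resource names and the provider label passed by the caller are assumptions; the client is passed in so the function can be exercised without AWS access.

```python
import uuid

# Content type of a standard HTML form post, matched by Format "URLEncoded".
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"

def _ref():
    # CallerReference must be unique per request so a create call cannot be replayed.
    return str(uuid.uuid4())

def provision_fle(cf, public_key_pem, provider_id, fields, name="fle-example"):
    """Upload the key, create the profile, create the config; return their ids."""
    if not fields:
        raise ValueError("at least one field name is required")
    # Step 1: upload the public half of the key pair (PEM text).
    key = cf.create_public_key(PublicKeyConfig={
        "CallerReference": _ref(),
        "Name": f"{name}-key",
        "EncodedKey": public_key_pem,
    })
    key_id = key["PublicKey"]["Id"]
    # Step 2: the profile names the form fields to encrypt with that key.
    profile = cf.create_field_level_encryption_profile(
        FieldLevelEncryptionProfileConfig={
            "Name": f"{name}-profile",
            "CallerReference": _ref(),
            "EncryptionEntities": {"Quantity": 1, "Items": [{
                "PublicKeyId": key_id,
                "ProviderId": provider_id,  # label the origin uses to pick its private key
                "FieldPatterns": {"Quantity": len(fields), "Items": list(fields)},
            }]},
        })
    profile_id = profile["FieldLevelEncryptionProfile"]["Id"]
    # Step 3: the configuration maps the form content type to the profile.
    config = cf.create_field_level_encryption_config(
        FieldLevelEncryptionConfig={
            "CallerReference": _ref(),
            "ContentTypeProfileConfig": {
                # False: a request with an unknown content type gets an error
                # instead of being forwarded to the origin unencrypted.
                "ForwardWhenContentTypeIsUnknown": False,
                "ContentTypeProfiles": {"Quantity": 1, "Items": [{
                    "Format": "URLEncoded",
                    "ContentType": FORM_CONTENT_TYPE,
                    "ProfileId": profile_id,
                }]},
            },
        })
    return key_id, profile_id, config["FieldLevelEncryption"]["Id"]
```

With real credentials the client would be `boto3.client("cloudfront")`; the returned configuration id takes effect only once it is set as the `FieldLevelEncryptionId` of a distribution's cache behavior.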