Channel: Active questions tagged https - Stack Overflow

Disable TCP port 80 on a CloudFront distribution


We want to host our API using Lambda + API Gateway HTTP API + CloudFront distribution. In traditional hosting I would only open TCP port 443 for HTTPS and deny all traffic on port 80, in order to follow REST API security guidelines. See the OWASP TLS cheat-sheet and OWASP REST security cheat-sheet:

API-only endpoints should disable HTTP altogether and only support encrypted connections. When that is not possible, API endpoints should fail requests made over unencrypted HTTP connections instead of redirecting them.

Secure REST services must only provide HTTPS endpoints.

However, with CloudFront, while it's possible to restrict the origin to HTTPS and configure the cache behavior to use HTTPS only, the documentation shows that the TCP port 80 is NOT truly disabled:

HTTPS only

Viewers can access your content only if they're using HTTPS. If a viewer sends an HTTP request instead of an HTTPS request, CloudFront returns HTTP status code 403 (Forbidden) and does not return the object.

So in my opinion, this CloudFront restriction makes it impossible to fully comply with the security guidelines. Failing the HTTP request with a 4XX status code, while mentioned in the cheat-sheet, is a less secure approach, even when coupled with HSTS. Or is there a way to disable TCP port 80 that I am missing?
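Since port 80 cannot be closed on a CloudFront distribution, the practical control is to make sure every part of the distribution is configured as strictly as CloudFront allows: every cache behavior set to `https-only` (not `redirect-to-https`, which is the redirect the cheat-sheet says to avoid), every custom origin set to `https-only`, and a modern minimum TLS version. The following audit script is an added example and is not code from the question, from AWS, or from any answer on the page. It assumes the JSON shape of the `DistributionConfig` element returned by `aws cloudfront get-distribution-config` (keys such as `DefaultCacheBehavior.ViewerProtocolPolicy` and `CustomOriginConfig.OriginProtocolPolicy`); the sample configuration embedded below is constructed for the example.

```python
"""Audit a CloudFront DistributionConfig for HTTPS-only settings.

Added example, not from the question or from AWS. Assumes the JSON layout of
`aws cloudfront get-distribution-config --id <DISTRIBUTION_ID>` under the
"DistributionConfig" key. The config below is constructed sample data.
"""
import copy
import json

# Constructed sample: one API Gateway custom origin, a default behavior that
# redirects HTTP to HTTPS (a finding), and one path behavior that is HTTPS-only.
SAMPLE_CONFIG = json.loads("""
{
  "Origins": {"Quantity": 1, "Items": [
    {"Id": "api-gw",
     "DomainName": "abc123.execute-api.eu-west-1.amazonaws.com",
     "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443,
       "OriginProtocolPolicy": "match-viewer",
       "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}}}]},
  "DefaultCacheBehavior": {"TargetOriginId": "api-gw",
     "ViewerProtocolPolicy": "redirect-to-https"},
  "CacheBehaviors": {"Quantity": 1, "Items": [
     {"PathPattern": "/v1/*", "TargetOriginId": "api-gw",
      "ViewerProtocolPolicy": "https-only"}]},
  "ViewerCertificate": {"MinimumProtocolVersion": "TLSv1.2_2021"}
}
""")

# Security policy names CloudFront accepts that still allow pre-TLS1.2 viewers
# (set of names known at time of writing; extend if AWS adds more).
WEAK_TLS_POLICIES = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}


def _behaviors(config):
    """Yield (label, behavior) for the default and every path-pattern behavior."""
    yield "(default)", config["DefaultCacheBehavior"]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        yield b["PathPattern"], b


def audit(config):
    """Return a list of findings; empty means the config is as strict as CloudFront allows.

    Note: even with no findings, CloudFront still answers on port 80 with 403,
    which is exactly the limitation the question describes.
    """
    findings = []
    for label, b in _behaviors(config):
        policy = b.get("ViewerProtocolPolicy")
        if policy != "https-only":
            why = " (redirects instead of failing plain HTTP)" if policy == "redirect-to-https" else ""
            findings.append(f"cache behavior {label}: ViewerProtocolPolicy={policy!r}, want 'https-only'{why}")
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins use S3OriginConfig and have no plain-HTTP option here
        if custom.get("OriginProtocolPolicy") != "https-only":
            findings.append(f"origin {origin['Id']}: OriginProtocolPolicy="
                            f"{custom.get('OriginProtocolPolicy')!r}, want 'https-only'")
    tls = config.get("ViewerCertificate", {}).get("MinimumProtocolVersion", "")
    if tls in WEAK_TLS_POLICIES:
        findings.append(f"ViewerCertificate: MinimumProtocolVersion={tls!r} allows pre-TLS1.2 viewers")
    return findings


def harden(config):
    """Return a deep copy with every viewer and origin protocol policy set to https-only."""
    fixed = copy.deepcopy(config)
    for _, b in _behaviors(fixed):
        b["ViewerProtocolPolicy"] = "https-only"
    for origin in fixed.get("Origins", {}).get("Items", []):
        if "CustomOriginConfig" in origin:
            origin["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
    if fixed.get("ViewerCertificate", {}).get("MinimumProtocolVersion") in WEAK_TLS_POLICIES:
        fixed["ViewerCertificate"]["MinimumProtocolVersion"] = "TLSv1.2_2021"
    return fixed


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
    print("after harden():", audit(harden(SAMPLE_CONFIG)) or "no findings")
```

To audit a real distribution, feed `json.load(...)["DistributionConfig"]` from the CLI output into `audit()`; the `harden()` output can be passed back with `aws cloudfront update-distribution` together with the `ETag` from the original `get-distribution-config` call.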

