Ensure AWS CloudFront web distribution with geo restriction is enabled
Geo Restriction has the ability to block IP addresses based on Geo IP by whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content. It is recommended to have geo restriction feature enabled, to restrict or allow users in specific locations accessing web application content. This configuration helps with prevention of DDos Attacks.
Risk Level: Low
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.NET.42
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
CloudFront should not have distributionConfig.restrictions.geoRestriction.restrictionType='none'
REMEDIATION
From Portal
- Sign in to the AWS console
- Select the region, from the region drop-down, in which the issue is generated
- Navigate to CloudFront Distributions Dashboard
- Select relevant Distribution
- On 'Geographic Restrictions' tab, click the 'Edit' button
- On 'Edit Geo-Restrictions' page, Set 'Enable Geo-Restriction' to 'Yes' and whitelist/blacklist countries as per your requirement.
- Click 'Yes, Edit'
From TF
Add the geo_restriction field to enable AWS CloudFront web distribution with geo restriction
resource "aws_cloudfront_distribution" "test" {
origin {
domain_name = aws_s3_bucket.b.bucket_regional_domain_name
origin_id = local.s3_origin_id
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
+ restrictions {
+ geo_restriction {
+ restriction_type = "whitelist"
+ locations = ["US", "CA"]
+ }
}
From Command Line
To update the existing cloudfront , run:
aws cloudfront update-distribution --id ID --distribution-config file://FILE.json --if-match E-TAG
References
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
- https://aws.amazon.com/premiumsupport/knowledge-center/cloudfront-geo-restriction/
- https://docs.aws.amazon.com/cli/latest/reference/cloudfront/update-distribution.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution
Amazon CloudFront
Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.
Compliance Frameworks
- AWS CloudGuard Best Practices
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago