Ensure cloudfront distribution ViewerProtocolPolicy is set to HTTPS

ViewerProtocolPolicy in a CloudFront distribution determines its SSL/TLS configuration for communicating with viewers. You can configure one or more cache behaviors in your CloudFront distribution to require HTTPS for communication between viewers and CloudFront. For enhanced safety, use the ViewerProtocolPolicy parameter to enforce secure HTTPS communication between clients and the CloudFront distributions defined in your CloudFormation templates.

Risk Level: High
Cloud Entity: AWS CloudFront Distribution
CloudGuard Rule ID: D9.CFT.CRY.17
Covered by Spectral: Yes
Category: Management Tools

GSL LOGIC

AWS_CloudFront_Distribution should not have ( DistributionConfig.CacheBehaviors contain [ ViewerProtocolPolicy='allow-all' ] or DistributionConfig.DefaultCacheBehavior contain [ ViewerProtocolPolicy='allow-all' ])

REMEDIATION

From CFT

  1. Supply the AWS::CloudFront::Distribution::DefaultCacheBehavior::ViewerProtocolPolicy property with the value "https-only" or "redirect-to-https" only.
  2. Supply the AWS::CloudFront::Distribution::CacheBehaviors::ViewerProtocolPolicy property with the value "https-only" or "redirect-to-https" only (CacheBehaviors is a list, so set it on every entry).
    See the example below:
Resources:
  MyDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        ...
        DefaultCacheBehavior:
          ...
          ViewerProtocolPolicy: "https-only"
          ...
        CacheBehaviors:
          - ...
            ViewerProtocolPolicy: "redirect-to-https"
            ...
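As an added illustration (not part of this rule page and not CloudGuard's or Spectral's own code), the following Python script evaluates the GSL logic above against a CloudFormation template that has already been parsed into Python dicts, checking both DefaultCacheBehavior and every entry of CacheBehaviors. The template contents and logical IDs are constructed for the example.

```python
# Added example, not CloudGuard's own code: evaluates the GSL logic above
# against a CloudFormation template already parsed into Python dicts.

def find_allow_all_behaviors(template):
    # Returns [(logical_id, path)] for each cache behavior that lets
    # viewers use plain HTTP (ViewerProtocolPolicy == 'allow-all').
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = resource.get("Properties", {}).get("DistributionConfig", {})
        # DefaultCacheBehavior is a single object...
        if config.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy") == "allow-all":
            findings.append((logical_id, "DefaultCacheBehavior"))
        # ...while CacheBehaviors is a list, so every entry must be checked.
        for i, behavior in enumerate(config.get("CacheBehaviors", [])):
            if behavior.get("ViewerProtocolPolicy") == "allow-all":
                findings.append((logical_id, f"CacheBehaviors[{i}]"))
    return findings

# Constructed sample template: one non-compliant and one compliant distribution.
SAMPLE_TEMPLATE = {"Resources": {
    "BadDistribution": {
        "Type": "AWS::CloudFront::Distribution",
        "Properties": {"DistributionConfig": {
            "DefaultCacheBehavior": {"TargetOriginId": "web",
                                     "ViewerProtocolPolicy": "allow-all"},
            "CacheBehaviors": [
                {"PathPattern": "/api/*", "TargetOriginId": "api",
                 "ViewerProtocolPolicy": "redirect-to-https"},
                {"PathPattern": "/static/*", "TargetOriginId": "s3",
                 "ViewerProtocolPolicy": "allow-all"},
            ],
        }},
    },
    "GoodDistribution": {
        "Type": "AWS::CloudFront::Distribution",
        "Properties": {"DistributionConfig": {
            "DefaultCacheBehavior": {"TargetOriginId": "web",
                                     "ViewerProtocolPolicy": "https-only"},
        }},
    },
}}

if __name__ == "__main__":
    for logical_id, path in find_allow_all_behaviors(SAMPLE_TEMPLATE):
        print(f"D9.CFT.CRY.17: {logical_id}/{path} allows HTTP from viewers")
```

To check a real template, parse the YAML or JSON file into a dict first (for example with PyYAML) and pass the result to the function.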

References

  1. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-cachebehavior.html#cfn-cloudfront-distribution-cachebehavior-viewerprotocolpolicy
  2. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-defaultcachebehavior.html#cfn-cloudfront-distribution-defaultcachebehavior-viewerprotocolpolicy
  3. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html

AWS CloudFront Distribution

A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery. The following topics explain some basics about CloudFront distributions and provide detailed information about the settings you can choose to configure your distributions to meet your business needs.

Compliance Frameworks

  • AWS CloudFormation ruleset