Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS
The ViewerProtocolPolicy setting of a CloudFront distribution determines its SSL/TLS configuration for communicating with viewers. You can configure one or more cache behaviors in your CloudFront distribution to require HTTPS for communication between viewers and CloudFront. For enhanced safety, use the ViewerProtocolPolicy parameter in your CloudFormation templates to enable secure HTTPS communication between clients and CloudFront.
Risk Level: High
Cloud Entity: AWS CloudFront Distribution
CloudGuard Rule ID: D9.CFT.CRY.17
Covered by Spectral: Yes
Category: Management Tools
GSL LOGIC
AWS_CloudFront_Distribution should not have ( DistributionConfig.CacheBehaviors contain [ ViewerProtocolPolicy='allow-all' ] or DistributionConfig.DefaultCacheBehavior contain [ ViewerProtocolPolicy='allow-all' ])
REMEDIATION
From CFT
- Supply AWS::CloudFront::Distribution::DefaultCacheBehavior::ViewerProtocolPolicy property with values: "https-only" or "redirect-to-https" only.
- Supply AWS::CloudFront::Distribution::CacheBehaviors::ViewerProtocolPolicy property with values: "https-only" or "redirect-to-https" only.
See the example below:
Resources:
  MyDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        ...
        DefaultCacheBehavior:
          ...
          ViewerProtocolPolicy: "https-only"
          ...
        CacheBehaviors:
          - ...
            ViewerProtocolPolicy: "redirect-to-https"
            ...
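
To check a template against this rule before deployment, the following added example (not CloudGuard's or AWS's own code) walks every AWS::CloudFront::Distribution resource and reports cache behaviors whose ViewerProtocolPolicy is not "https-only" or "redirect-to-https". It assumes a JSON-format template; the function name and sample template are constructed for illustration, and the check is stricter than the GSL rule because it also reports missing or parameterized values.

```python
import json

ALLOWED = {"https-only", "redirect-to-https"}

# Constructed sample template (JSON form of CloudFormation), not from the page.
SAMPLE_TEMPLATE = """
{"Resources": {
  "GoodDistribution": {
    "Type": "AWS::CloudFront::Distribution",
    "Properties": {"DistributionConfig": {
      "DefaultCacheBehavior": {"ViewerProtocolPolicy": "https-only"}}}},
  "BadDistribution": {
    "Type": "AWS::CloudFront::Distribution",
    "Properties": {"DistributionConfig": {
      "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
      "CacheBehaviors": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "https-only"},
        {"PathPattern": "/legacy/*", "ViewerProtocolPolicy": "allow-all"}]}}},
  "ParamDistribution": {
    "Type": "AWS::CloudFront::Distribution",
    "Properties": {"DistributionConfig": {
      "DefaultCacheBehavior": {"ViewerProtocolPolicy": {"Ref": "ViewerPolicy"}}}}},
  "Bucket": {"Type": "AWS::S3::Bucket"}
}}
"""

def find_insecure_behaviors(template_text):
    """Return (logical_id, location, value) for each behavior not forcing HTTPS."""
    findings = []
    resources = json.loads(template_text).get("Resources", {})
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = res.get("Properties", {}).get("DistributionConfig", {})
        behaviors = [("DefaultCacheBehavior", config.get("DefaultCacheBehavior", {}))]
        for i, b in enumerate(config.get("CacheBehaviors", [])):
            behaviors.append((f"CacheBehaviors[{i}]", b))
        for location, behavior in behaviors:
            policy = behavior.get("ViewerProtocolPolicy")
            # Missing, parameterized (e.g. {"Ref": ...}) and "allow-all" values are all reported.
            if not isinstance(policy, str) or policy not in ALLOWED:
                findings.append((logical_id, location, policy))
    return findings

if __name__ == "__main__":
    for finding in find_insecure_behaviors(SAMPLE_TEMPLATE):
        print("NON-COMPLIANT: %s %s ViewerProtocolPolicy=%r" % finding)
```

A parameterized policy is reported because its final value cannot be confirmed from the template alone; review the parameter's allowed values separately.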
References
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-cachebehavior.html#cfn-cloudfront-distribution-cachebehavior-viewerprotocolpolicy
- https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-defaultcachebehavior.html#cfn-cloudfront-distribution-defaultcachebehavior-viewerprotocolpolicy
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https.html
AWS CloudFront Distribution
A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery. The following topics explain some basics about CloudFront distributions and provide detailed information about the settings you can choose to configure your distributions to meet your business needs.
Compliance Frameworks
- AWS CloudFormation ruleset
Updated about 1 year ago