cloud/aws/cloudfront/cloudfront-viewer-policy.yaml

id: cloudfront-viewer-policy

info:
  name: CloudFront Viewer Protocol Policy
  author: DhiyaneshDK
  severity: medium
  description: |
    Ensure that the communication between your Amazon CloudFront distribution and its viewers is encrypted using HTTPS in order to secure the delivery of your web content.
  impact: |
    Failing to enforce HTTPS for viewer connections in CloudFront can expose web content to interception and manipulation, compromising the security and integrity of sensitive data transmitted between users and the distribution
  remediation: |
    Configure your Amazon CloudFront distribution's viewer protocol policy to either redirect HTTP requests to HTTPS or require HTTPS connections exclusively, ensuring secure delivery of web content and protecting against potential data breaches.
  reference:
    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/viewer-protocol-policy.html
    - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
  tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config

variables:
  region: "us-west-2"

flow: |
  code(1)
  for(let DistributionListItemsId of iterate(template.distributions)){
    set("distribution", DistributionListItemsId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash

    source: |
      aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json

    extractors:
      - type: json
        name: distributions
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash

    source: |
        aws cloudfront get-distribution-config --id $distribution --query 'DistributionConfig.CacheBehaviors.Items[*].ViewerProtocolPolicy' --output json --region $region

    matchers:
      - type: word
        words:
          - '"allow-all"'

    extractors:
      - type: dsl
        dsl:
          - '"CloudFront Viewer Policy " + distribution + " allows all"'
# digest: 490a004630440220768d2a4c15a0516365ef4fe8d25f47e5c0f96c483617c859a77548cfe800ff5202204ab9615b2800dec6a7b7118656bad06d1f33ec1a43040081e0fc53d622215b36:922c64590222798bb761d5b6d8e72950
AWS - Cloudfront 2024-10-18 08:10:08 +05:30			`id: cloudfront-viewer-policy`

			`info:`
			`name: CloudFront Viewer Protocol Policy`
			`author: DhiyaneshDK`
			`severity: medium`
			`description: \|`
			`Ensure that the communication between your Amazon CloudFront distribution and its viewers is encrypted using HTTPS in order to secure the delivery of your web content.`
			`impact: \|`
			`Failing to enforce HTTPS for viewer connections in CloudFront can expose web content to interception and manipulation, compromising the security and integrity of sensitive data transmitted between users and the distribution`
			`remediation: \|`
			`Configure your Amazon CloudFront distribution's viewer protocol policy to either redirect HTTP requests to HTTPS or require HTTPS connections exclusively, ensuring secure delivery of web content and protecting against potential data breaches.`
			`reference:`
			`- https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/viewer-protocol-policy.html`
			`- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html`
			`tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config`
Revert "chore: update TemplateMan 🤖" This reverts commit c31d574176f2b9e6f8d4fe573a24e7192f808e84. 2025-05-27 10:39:47 +08:00
AWS - Cloudfront 2024-10-18 08:10:08 +05:30			`variables:`
			`region: "us-west-2"`

			`flow: \|`
			`code(1)`
			`for(let DistributionListItemsId of iterate(template.distributions)){`
			`set("distribution", DistributionListItemsId)`
			`code(2)`
			`}`

			`self-contained: true`

			`code:`
			`- engine:`
			`- sh`
			`- bash`

			`source: \|`
			`aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id' --region $region --output json`

			`extractors:`
			`- type: json`
			`name: distributions`
			`internal: true`
			`json:`
			`- '.[]'`

			`- engine:`
			`- sh`
			`- bash`

			`source: \|`
			`aws cloudfront get-distribution-config --id $distribution --query 'DistributionConfig.CacheBehaviors.Items[*].ViewerProtocolPolicy' --output json --region $region`

			`matchers:`
			`- type: word`
			`words:`
			`- '"allow-all"'`

			`extractors:`
			`- type: dsl`
			`dsl:`
chore: sign templates 🤖 2024-11-03 18:33:29 +00:00			`- '"CloudFront Viewer Policy " + distribution + " allows all"'`
chore: sign templates 🤖 2024-12-01 13:57:55 +00:00			`# digest: 490a004630440220768d2a4c15a0516365ef4fe8d25f47e5c0f96c483617c859a77548cfe800ff5202204ab9615b2800dec6a7b7118656bad06d1f33ec1a43040081e0fc53d622215b36:922c64590222798bb761d5b6d8e72950`