
Metadata

Id: 22c80725-e390-4055-8d14-a872230f6607

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Networking and Firewall

Description

CloudFront distributions must be associated with an AWS WAF Web ACL to filter malicious HTTP traffic and reduce the risk of application-layer attacks such as SQL injection, cross-site scripting, and automated bot abuse.

For Ansible tasks using the community.aws.cloudfront_distribution module (also reachable under its short name cloudfront_distribution), the web_acl_id property must be defined. For AWS WAFv2, set it to the ARN of a Web ACL created with the CLOUDFRONT scope; such Web ACLs live in us-east-1 and have the form arn:aws:wafv2:us-east-1:<account-id>:global/webacl/<name>/<id>. A Web ACL created with the REGIONAL scope cannot be attached to a distribution. A bare Web ACL ID (a UUID rather than an ARN) is accepted only for the legacy AWS WAF Classic. This rule flags distributions where web_acl_id is missing or undefined; it does not verify that the value names a CloudFront-compatible Web ACL, so check that separately.

Secure example (Ansible):

- name: create cloudfront distribution with WAF
  community.aws.cloudfront_distribution:
    state: present
    aliases:
      - example.com
    default_origin_domain_name: www.my-cloudfront-origin.com
    # CLOUDFRONT-scope WAFv2 Web ACL: region us-east-1, scope segment "global"
    web_acl_id: arn:aws:wafv2:us-east-1:123456789012:global/webacl/example-web-acl/abcd1234-ef56-7890-ab12-cdef34567890
    # other required distribution properties...
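The following is an added example, not Datadog's rule implementation or any code from the community.aws collection. It scans Ansible tasks (the dictionaries that yaml.safe_load produces for a task list) for cloudfront_distribution tasks, reports a missing web_acl_id as the rule above does, and goes one step further than the rule by checking the shape of the value: a CLOUDFRONT-scope WAFv2 ARN passes, a REGIONAL-scope or otherwise malformed ARN fails, and a bare UUID is reported as a WAF Classic ID worth migrating. The task names, the sample tasks and the ARN values are constructed for the example; a placeholder such as my-web-acl-id satisfies the rule's presence check but is reported here because it is neither an ARN nor a UUID.

```python
import re

# Module names under which an Ansible task manages a CloudFront distribution.
CLOUDFRONT_MODULES = ("community.aws.cloudfront_distribution", "cloudfront_distribution")

# A WAFv2 web ACL usable by CloudFront is created in us-east-1 with scope CLOUDFRONT,
# which yields an ARN of the form arn:aws:wafv2:us-east-1:<account>:global/webacl/<name>/<uuid>.
UUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
WAFV2_CLOUDFRONT_ARN = re.compile(r"^arn:aws:wafv2:us-east-1:\d{12}:global/webacl/[^/]+/" + UUID + r"$")
WAFV2_ANY_ARN = re.compile(r"^arn:aws:wafv2:")
# AWS WAF Classic web ACLs are referenced by a bare UUID rather than an ARN.
WAF_CLASSIC_ID = re.compile(r"^" + UUID + r"$")


def classify_web_acl(value):
    """Classify a web_acl_id value as ("ok" | "warn" | "fail", reason)."""
    if value is None or (isinstance(value, str) and not value.strip()):
        return "fail", "web_acl_id is missing or empty"
    if not isinstance(value, str):
        return "fail", "web_acl_id must be a string"
    if value.lstrip().startswith("{{"):
        return "warn", "web_acl_id is a Jinja2 expression; verify the resolved value"
    if WAFV2_CLOUDFRONT_ARN.match(value):
        return "ok", "WAFv2 web ACL with CLOUDFRONT scope"
    if WAFV2_ANY_ARN.match(value):
        return "fail", "WAFv2 ARN is not CloudFront-compatible (needs us-east-1 and global/webacl/)"
    if WAF_CLASSIC_ID.match(value):
        return "warn", "bare UUID: AWS WAF Classic web ACL; migrate to WAFv2"
    return "fail", "web_acl_id is neither a WAFv2 ARN nor a WAF Classic ID"


def scan_tasks(tasks):
    """Return one finding per CloudFront distribution task that is not being deleted."""
    findings = []
    for task in tasks:
        for module in CLOUDFRONT_MODULES:
            if module not in task:
                continue
            args = task.get(module) or {}
            if not isinstance(args, dict):
                continue  # free-form module arguments; nothing to inspect
            if args.get("state") == "absent":
                continue  # a distribution being removed needs no web ACL
            status, reason = classify_web_acl(args.get("web_acl_id"))
            findings.append({"task": task.get("name", "<unnamed>"), "status": status, "reason": reason})
    return findings


# Constructed sample tasks, shaped like the output of yaml.safe_load on a task list.
SAMPLE_TASKS = [
    {"name": "no WAF attached",
     "community.aws.cloudfront_distribution": {
         "state": "present", "default_origin_domain_name": "www.my-cloudfront-origin.com"}},
    {"name": "CLOUDFRONT-scope WAFv2",
     "community.aws.cloudfront_distribution": {
         "state": "present", "default_origin_domain_name": "www.my-cloudfront-origin.com",
         "web_acl_id": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example-web-acl/"
                       "abcd1234-ef56-7890-ab12-cdef34567890"}},
    {"name": "REGIONAL-scope WAFv2 (short module name)",
     "cloudfront_distribution": {
         "state": "present", "default_origin_domain_name": "www.my-cloudfront-origin.com",
         "web_acl_id": "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/example-web-acl/"
                       "abcd1234-ef56-7890-ab12-cdef34567890"}},
    {"name": "WAF Classic ID",
     "community.aws.cloudfront_distribution": {
         "state": "present", "default_origin_domain_name": "www.my-cloudfront-origin.com",
         "web_acl_id": "473e64fd-f30b-4765-81a0-62ad96dd167a"}},
    {"name": "being removed",
     "community.aws.cloudfront_distribution": {"state": "absent", "distribution_id": "E1EXAMPLE"}},
    {"name": "unrelated task", "amazon.aws.s3_bucket": {"name": "logs", "state": "present"}},
]


if __name__ == "__main__":
    for finding in scan_tasks(SAMPLE_TASKS):
        print(f"[{finding['status'].upper()}] {finding['task']}: {finding['reason']}")
```

Run over a real playbook by replacing SAMPLE_TASKS with the task list from yaml.safe_load. Treat "warn" for templated values as a prompt to resolve the variable in the inventory or vars file and re-run classify_web_acl on the resolved string, since a variable can just as easily carry a REGIONAL-scope ARN.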

Compliant Code Examples

- name: create a basic distribution with defaults and tags
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'
    web_acl_id: my-web-acl-id

Non-Compliant Code Examples

- name: create a basic distribution with defaults and tags
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'