CloudFront distributions must enforce HTTPS for viewer connections to prevent sensitive data from being transmitted in plaintext and reduce the risk of downgrade or man-in-the-middle attacks.
For Ansible CloudFront resources (modules community.aws.cloudfront_distribution or cloudfront_distribution), the viewer_protocol_policy property in default_cache_behavior and in each cache_behaviors entry must be set to https-only or redirect-to-https. Tasks with viewer_protocol_policy set to allow-all or without an explicit secure setting are flagged. Ensure every cache behavior explicitly specifies a secure policy.
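The check described above can be reproduced outside the scanner. The following is an added example, not Datadog's rule implementation: it walks the parsed form of an Ansible playbook (the structure `yaml.safe_load` would return; the tasks are constructed here so nothing is read from disk), locates tasks that use either module name, and reports every `default_cache_behavior` or `cache_behaviors` entry whose `viewer_protocol_policy` is not `https-only` or `redirect-to-https`, including entries that omit the key. The `path_pattern`, origin and header values in the sample are placeholders.

```python
"""Flag Ansible CloudFront tasks whose viewer protocol policy allows plaintext HTTP.

Added example for this rule. SAMPLE_TASKS is the constructed, already-parsed form
of a playbook (what yaml.safe_load would produce); no file is read.
"""

SECURE_POLICIES = {"https-only", "redirect-to-https"}
CLOUDFRONT_MODULES = ("community.aws.cloudfront_distribution", "cloudfront_distribution")


def _behaviors(task_args):
    """Yield (location, behavior) for the default behavior and every cache behavior."""
    default = task_args.get("default_cache_behavior")
    if default is not None:
        yield "default_cache_behavior", default
    extra = task_args.get("cache_behaviors")
    if extra is None:
        return
    # The module takes a list of behaviors; tolerate a single mapping as well.
    if isinstance(extra, dict):
        extra = [extra]
    for index, behavior in enumerate(extra):
        yield f"cache_behaviors[{index}]", behavior


def find_insecure_viewer_policies(tasks):
    """Return (task name, location, policy) for each behavior that is not secure.

    A missing viewer_protocol_policy is reported with policy None, because the
    rule requires an explicit https-only or redirect-to-https value.
    """
    findings = []
    for task in tasks:
        module = next((m for m in CLOUDFRONT_MODULES if m in task), None)
        if module is None:
            continue  # not a CloudFront distribution task
        for location, behavior in _behaviors(task[module] or {}):
            policy = behavior.get("viewer_protocol_policy")
            if policy not in SECURE_POLICIES:
                findings.append((task.get("name", "<unnamed>"), location, policy))
    return findings


# Constructed sample tasks in parsed form; ids, domains and patterns are placeholders.
SAMPLE_TASKS = [
    {
        "name": "compliant",
        "community.aws.cloudfront_distribution": {
            "state": "present",
            "caller_reference": "unique test distribution ID",
            "origins": [{"id": "my test origin-000111", "domain_name": "www.example.com"}],
            "default_cache_behavior": {
                "target_origin_id": "my test origin-000111",
                "viewer_protocol_policy": "https-only",
            },
            "cache_behaviors": [
                {
                    "path_pattern": "/api/*",
                    "target_origin_id": "my test origin-000111",
                    "viewer_protocol_policy": "redirect-to-https",
                },
            ],
        },
    },
    {
        "name": "allows plaintext",
        "cloudfront_distribution": {
            "state": "present",
            "default_cache_behavior": {
                "target_origin_id": "my test origin-000111",
                "viewer_protocol_policy": "allow-all",
            },
            "cache_behaviors": [
                # No viewer_protocol_policy at all: flagged as well.
                {"path_pattern": "/static/*", "target_origin_id": "my test origin-000111"},
            ],
        },
    },
    {"name": "unrelated", "ansible.builtin.debug": {"msg": "not a CloudFront task"}},
]

if __name__ == "__main__":
    for name, location, policy in find_insecure_viewer_policies(SAMPLE_TASKS):
        print(f"{name}: {location} has viewer_protocol_policy={policy!r}")
```

Running the block reports both behaviors of the second task and nothing for the first or third, which mirrors the compliant and non-compliant examples further down. To scan real files, load each playbook with PyYAML and pass the resulting task list to `find_insecure_viewer_policies`.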
Compliant Code Examples
- name: example1
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: my test origin-000111
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    default_cache_behavior:
      target_origin_id: my test origin-000111
      forwarded_values:
        query_string: true
        cookies:
          forward: all
        headers:
          - '*'
      viewer_protocol_policy: https-only
      smooth_streaming: true
      compress: true
      allowed_methods:
        items:
          - GET
          - HEAD
        cached_methods:
          - GET
          - HEAD
- name: example2
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: my test origin-000111
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    # cache_behaviors is a list in this module; each entry is checked separately.
    cache_behaviors:
      - target_origin_id: my test origin-000111
        forwarded_values:
          query_string: true
          cookies:
            forward: all
          headers:
            - '*'
        viewer_protocol_policy: https-only
        smooth_streaming: true
        compress: true
        allowed_methods:
          items:
            - GET
            - HEAD
          cached_methods:
            - GET
            - HEAD
Non-Compliant Code Examples
- name: example1
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    default_cache_behavior:
      target_origin_id: 'my test origin-000111'
      forwarded_values:
        query_string: true
        cookies:
          forward: all
        headers:
          - '*'
      viewer_protocol_policy: allow-all  # flagged: viewers may connect over plaintext HTTP
      smooth_streaming: true
      compress: true
      allowed_methods:
        items:
          - GET
          - HEAD
        cached_methods:
          - GET
          - HEAD
- name: example2
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    # cache_behaviors is a list in this module; each entry is checked separately.
    cache_behaviors:
      - target_origin_id: 'my test origin-000111'
        forwarded_values:
          query_string: true
          cookies:
            forward: all
          headers:
            - '*'
        viewer_protocol_policy: allow-all  # flagged: viewers may connect over plaintext HTTP
        smooth_streaming: true
        compress: true
        allowed_methods:
          items:
            - GET
            - HEAD
          cached_methods:
            - GET
            - HEAD
rulesets:
  - Ansible / AWS # Rules to enforce / AWS.