For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-cdn-configuration-is-missing.md. A documentation index is available at /llms.txt.

CDN configuration is missing

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-cdn-configuration-is-missing

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Best Practices

Learn More

Description

CloudFront distributions must be active and include at least one origin so client traffic is routed through CloudFront’s caching and security controls (for example, AWS WAF, AWS Shield, and origin access controls). Without an active distribution or defined origins, traffic can bypass these protections and origins can be exposed to direct access and increased attack surface.

In CloudFormation, ensure resources of type AWS::CloudFront::Distribution set Properties.DistributionConfig.Enabled to true and that Properties.DistributionConfig contains an Origins entry with at least one origin definition. Resources missing the Origins object or with Enabled set to false (or the string "false") will be flagged.

For S3 origins, also configure origin access identity (OAI) or origin access control (OAC), and ensure each origin includes required fields such as Id and DomainName to prevent unintended public access.

Secure configuration example:

MyDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Enabled: true
      Origins:
        - Id: myS3Origin
          DomainName: my-bucket.s3.amazonaws.com
          S3OriginConfig: {}
      DefaultCacheBehavior:
        TargetOriginId: myS3Origin
        ViewerProtocolPolicy: redirect-to-https

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Origins:
        - DomainName: www.example.com
          Id: myCustomOrigin
          CustomOriginConfig:
            HTTPPort: '80'
            HTTPSPort: '443'
            OriginProtocolPolicy: http-only
        Enabled: 'true'
        Comment: Somecomment
        DefaultRootObject: index.html
        Logging:
          IncludeCookies: 'true'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Enabled": "true",
          "Comment": "Somecomment",
          "DefaultRootObject": "index.html",
          "Logging": {
            "IncludeCookies": "true",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Origins": [
            {
              "DomainName": "www.example.com",
              "Id": "myCustomOrigin",
              "CustomOriginConfig": {
                "OriginProtocolPolicy": "http-only",
                "HTTPPort": "80",
                "HTTPSPort": "443"
              }
            }
          ]
        }
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        Enabled: 'false'
        Comment: Somecomment
        DefaultRootObject: index.html
        Logging:
          IncludeCookies: 'true'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Comment": "Somecomment",
          "DefaultRootObject": "index.html",
          "Logging": {
            "IncludeCookies": "true",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Enabled": "false"
        }
      }
    }
  }
}