For AI agents: A markdown version of this page is available at https://docs.datadoghq.com/security/code_security/iac_security/iac_rules/cloudformation-aws-geo-restriction-disabled.md. A documentation index is available at /llms.txt.

Geo restriction disabled

This product is not supported for your selected Datadog site. ().

Metadata

Id: cloudformation-aws-geo-restriction-disabled

Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Best Practices

Learn More

Description

Geo restriction must be enabled to limit which geographic locations can access your content. Without it, content can be served globally, increasing attack surface and risking data residency or compliance violations.

In CloudFormation, the AWS::CloudFront::Distribution resource’s Properties.DistributionConfig.Restrictions.GeoRestriction.RestrictionType must be set to either whitelist or blacklist. Resources that omit this property or set it to none (or any value not containing whitelist or blacklist) will be flagged. When using whitelist or blacklist, populate the Locations array with the appropriate ISO 3166-1 alpha-2 country codes.

Secure configuration example:

MyDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Enabled: true
      Restrictions:
        GeoRestriction:
          RestrictionType: whitelist
          Locations:
            - US
            - CA

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix
        Restrictions:
          GeoRestriction:
            RestrictionType: whitelist
            Locations:
            - AQ
            - CV
        ViewerCertificate:
          CloudFrontDefaultCertificate: 'true'

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Logging": {
            "IncludeCookies": "false",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Restrictions": {
            "GeoRestriction": {
              "RestrictionType": "whitelist",
              "Locations": [
                "AQ",
                "CV"
              ]
            }
          },
          "ViewerCertificate": {
            "CloudFrontDefaultCertificate": "true"
          }
        }
      }
    }
  }
}

Non-Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix
        Restrictions:
          GeoRestriction:
            RestrictionType: none
        ViewerCertificate:
          CloudFrontDefaultCertificate: 'true'

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Logging": {
            "IncludeCookies": "false",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Restrictions": {
            "GeoRestriction": {
              "RestrictionType": "none"
            }
          },
          "ViewerCertificate": {
            "CloudFrontDefaultCertificate": "true"
          }
        }
      }
    }
  }
}