Geo restriction disabled

Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Geo restriction disabled

Metadata

Id: 7f8843f0-9ea5-42b4-a02b-753055113195

Cloud Provider: AWS

Platform: CloudFormation

Severity: Low

Category: Best Practices

Learn More

Provider Reference

Description

Geo restriction must be enabled to limit which geographic locations can access your content. Without it, content can be served globally, increasing attack surface and risking data residency or compliance violations.

In CloudFormation, the AWS::CloudFront::Distribution resource’s Properties.DistributionConfig.Restrictions.GeoRestriction.RestrictionType must be set to either whitelist or blacklist. Resources that omit this property or set it to none (or any value not containing whitelist or blacklist) will be flagged. When using whitelist or blacklist, populate the Locations array with the appropriate ISO 3166-1 alpha-2 country codes.

Secure configuration example:

MyDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Enabled: true
      Restrictions:
        GeoRestriction:
          RestrictionType: whitelist
          Locations:
            - US
            - CA

Compliant Code Examples

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix
        Restrictions:
          GeoRestriction:
            RestrictionType: whitelist
            Locations:
            - AQ
            - CV
        ViewerCertificate:
          CloudFrontDefaultCertificate: 'true'

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Logging": {
            "IncludeCookies": "false",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Restrictions": {
            "GeoRestriction": {
              "RestrictionType": "whitelist",
              "Locations": [
                "AQ",
                "CV"
              ]
            }
          },
          "ViewerCertificate": {
            "CloudFrontDefaultCertificate": "true"
          }
        }
      }
    }
  }
}

Non-Compliant Code Examples

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Logging": {
            "IncludeCookies": "false",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Restrictions": {
            "GeoRestriction": {
              "RestrictionType": "none"
            }
          },
          "ViewerCertificate": {
            "CloudFrontDefaultCertificate": "true"
          }
        }
      }
    }
  }
}

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix
        Restrictions:
          GeoRestriction:
            RestrictionType: none
        ViewerCertificate:
          CloudFrontDefaultCertificate: 'true'