--- title: Cloudfront viewer protocol policy allows HTTP description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > Cloudfront viewer protocol policy allows HTTP --- # Cloudfront viewer protocol policy allows HTTP {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `terraform-aws-cloudfront-viewer-protocol-policy-allows-http` **Provider:** AWS **Platform:** Terraform **Severity:** Medium **Category:** Encryption #### Learn More{% #learn-more %} - [Provider Reference](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution) ### Description{% #description %} This check ensures that the connection between Amazon CloudFront and the viewer is encrypted by verifying the `viewer_protocol_policy` attribute. If set to `allow-all` (for example, `viewer_protocol_policy = "allow-all"`), CloudFront can serve content over both HTTP and HTTPS, leaving data in transit vulnerable to interception or man-in-the-middle attacks. To address this, the attribute should be set to `https-only` in all cache behaviors (for example, `viewer_protocol_policy = "https-only"`), ensuring all communications between CloudFront and the end user are encrypted, thus preserving the confidentiality and integrity of the data. ## Compliant Code Examples{% #compliant-code-examples %} ```terraform #this code is a correct code for which the query should not find any result resource "aws_cloudfront_distribution" "negative1" { origin { domain_name = "mybucket" origin_id = "myS3Origin" s3_origin_config { origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" } } enabled = true default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] target_origin_id = "myS3Origin" forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "https-only" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } restrictions { geo_restriction { restriction_type = "whitelist" locations = ["US", "CA", "GB", "DE"] } } viewer_certificate { cloudfront_default_certificate = false minimum_protocol_version = "SSLv3" } } ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```terraform #this is a problematic code where the query should report a result(s) resource "aws_cloudfront_distribution" "positive1" { origin { domain_name = "mybucket" origin_id = "myS3Origin" s3_origin_config { origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" } } enabled = true default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] target_origin_id = "myS3Origin" forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "allow-all" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } restrictions { geo_restriction { restriction_type = "whitelist" locations = ["US", "CA", "GB", "DE"] } } viewer_certificate { cloudfront_default_certificate = false minimum_protocol_version = "SSLv3" } } resource "aws_cloudfront_distribution" "positive2" { origin { domain_name = "mybucket" origin_id = "myS3Origin" s3_origin_config { origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" } } enabled = true default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] target_origin_id = "myS3Origin" forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "https-only" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } ordered_cache_behavior { path_pattern = "/content/immutable/*" allowed_methods = ["GET", "HEAD", "OPTIONS"] cached_methods = ["GET", "HEAD", "OPTIONS"] target_origin_id = "myS3Origin" forwarded_values { query_string = false headers = ["Origin"] cookies { forward = "none" } } min_ttl = 0 default_ttl = 86400 max_ttl = 31536000 compress = true viewer_protocol_policy = "allow-all" } restrictions { geo_restriction { restriction_type = "whitelist" locations = ["US", "CA", "GB", "DE"] } } viewer_certificate { cloudfront_default_certificate = false minimum_protocol_version = "SSLv3" } } ``` ```terraform resource "aws_cloudfront_distribution" "positive3" { origin { domain_name = "mybucket" origin_id = "myS3Origin" s3_origin_config { origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567" } } enabled = true default_cache_behavior { allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"] cached_methods = ["GET", "HEAD"] target_origin_id = "myS3Origin" forwarded_values { query_string = false cookies { forward = "none" } } viewer_protocol_policy = "https-only" min_ttl = 0 default_ttl = 3600 max_ttl = 86400 } ordered_cache_behavior { path_pattern = "/content/immutable/*" allowed_methods = ["GET", "HEAD", "OPTIONS"] cached_methods = ["GET", "HEAD", "OPTIONS"] target_origin_id = "myS3Origin" forwarded_values { query_string = false headers = ["Origin"] cookies { forward = "none" } } min_ttl = 0 default_ttl = 86400 max_ttl = 31536000 compress = true viewer_protocol_policy = "https-only" } ordered_cache_behavior { path_pattern = "/content/*" allowed_methods = ["GET", "HEAD", "OPTIONS"] cached_methods = ["GET", "HEAD", "OPTIONS"] target_origin_id = "myS3Origin" forwarded_values { query_string = false headers = ["Origin"] cookies { forward = "none" } } min_ttl = 0 default_ttl = 86400 max_ttl = 31536000 compress = true viewer_protocol_policy = "allow-all" } restrictions { geo_restriction { restriction_type = "whitelist" locations = ["US", "CA", "GB", "DE"] } } viewer_certificate { cloudfront_default_certificate = false minimum_protocol_version = "SSLv3" } } ```