AWS CloudFront distributions should be integrated with AWS Web Application Firewall (WAF) by setting the `web_acl_id` attribute. If a CloudFront distribution is created without a WAF association (`web_acl_id` missing), requests reach the origin with no edge-layer filtering, leaving the application exposed to common web attacks such as SQL injection and cross-site scripting. Failing to link a WAF to your CloudFront distribution increases the risk of security breaches, potential data loss, and service interruption.
Compliant Code Examples
# ACM certificate used by the distribution's viewer_certificate block below.
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"

  domain_name = var.site_domain
  zone_id     = data.aws_route53_zone.this.zone_id
  tags        = var.tags

  providers = {
    # CloudFront only accepts ACM certificates issued in the "us-east-1" region.
    aws = aws.us_east_1
  }
}

# Compliant: the distribution is associated with a WAF web ACL via web_acl_id.
resource "aws_cloudfront_distribution" "negative1" {
  # Attribute checked by this rule. "test" is a placeholder value; a real
  # configuration supplies the ARN of a WAFv2 web ACL created with scope
  # CLOUDFRONT (or the ID of a WAF Classic web ACL).
  web_acl_id = "test"

  enabled         = true
  is_ipv6_enabled = true
  comment         = var.site_domain
  aliases         = [var.site_domain]
  price_class     = var.cf_price_class
  tags            = var.tags

  # Single custom origin: an ALB reached over HTTPS only.
  origin {
    origin_id   = "alb"
    domain_name = var.public_alb_domain

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      # NOTE(review): TLSv1 and TLSv1.1 are deprecated protocol versions. They
      # are kept here because this example only demonstrates the WAF association.
      origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    }
  }

  # Default path: forward everything (query string, all headers, all cookies).
  # With every TTL set to 0 these responses are not cached at the edge.
  default_cache_behavior {
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods         = ["GET", "HEAD", "OPTIONS"]
    compress               = true

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "all"
      }
    }

    min_ttl     = 0
    default_ttl = 0
    max_ttl     = 0
  }

  # Cache behavior with precedence 0: static WordPress content, cached 15 minutes.
  ordered_cache_behavior {
    path_pattern           = "wp-content/*"
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods         = ["GET", "HEAD", "OPTIONS"]
    compress               = true

    forwarded_values {
      query_string = true
      headers      = ["Host"]

      cookies {
        forward = "all"
      }
    }

    min_ttl     = 900
    default_ttl = 900
    max_ttl     = 900
  }

  # Cache behavior with precedence 1: WordPress includes, cached one hour.
  ordered_cache_behavior {
    path_pattern           = "wp-includes/*"
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods         = ["GET", "HEAD", "OPTIONS"]
    compress               = true

    forwarded_values {
      query_string = true
      headers      = ["Host"]

      cookies {
        forward = "all"
      }
    }

    min_ttl     = 3600
    default_ttl = 3600
    max_ttl     = 3600
  }

  # No geographic blocking is applied.
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn = module.acm.this_acm_certificate_arn
    ssl_support_method  = "sni-only"
    # NOTE(review): TLSv1.1_2016 still permits TLS 1.1 from viewers; unchanged
    # here because it is outside the scope of this rule.
    minimum_protocol_version = "TLSv1.1_2016"
  }

  # CloudFront caches error responses for five minutes by default. If a
  # developer accidentally breaks the site, waiting five minutes for the cached
  # error to expire is undesirable, so the error TTL is made configurable.
  # https://docs.aws.amazon.com/AmazonS3/latest/dev/CustomErrorDocSupport.html
  custom_error_response {
    error_code            = 400
    error_caching_min_ttl = var.error_ttl
  }

  custom_error_response {
    error_code            = 403
    error_caching_min_ttl = var.error_ttl
  }

  custom_error_response {
    error_code            = 404
    error_caching_min_ttl = var.error_ttl
  }

  custom_error_response {
    error_code            = 405
    error_caching_min_ttl = var.error_ttl
  }

  # The origin ALB is fronting an ECS service; create it first.
  depends_on = [aws_ecs_service.this]
}
Non-Compliant Code Examples
# ACM certificate used by the distribution's viewer_certificate block below.
module "acm" {
  source  = "terraform-aws-modules/acm/aws"
  version = "~> v2.0"

  domain_name = var.site_domain
  zone_id     = data.aws_route53_zone.this.zone_id
  tags        = var.tags

  providers = {
    # CloudFront only accepts ACM certificates issued in the "us-east-1" region.
    aws = aws.us_east_1
  }
}

# Non-compliant: no web_acl_id is set, so this distribution has no WAF web ACL
# associated and every request is passed to the origin unfiltered.
resource "aws_cloudfront_distribution" "positive1" {
  enabled         = true
  is_ipv6_enabled = true
  comment         = var.site_domain
  aliases         = [var.site_domain]
  price_class     = var.cf_price_class
  tags            = var.tags

  # Single custom origin: an ALB reached over HTTPS only.
  origin {
    origin_id   = "alb"
    domain_name = var.public_alb_domain

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      # NOTE(review): TLSv1 and TLSv1.1 are deprecated protocol versions. They
      # are kept here because this example only demonstrates the missing WAF.
      origin_ssl_protocols = ["TLSv1", "TLSv1.1", "TLSv1.2"]
    }
  }

  # Default path: forward everything (query string, all headers, all cookies).
  # With every TTL set to 0 these responses are not cached at the edge.
  default_cache_behavior {
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods         = ["GET", "HEAD", "OPTIONS"]
    compress               = true

    forwarded_values {
      query_string = true
      headers      = ["*"]

      cookies {
        forward = "all"
      }
    }

    min_ttl     = 0
    default_ttl = 0
    max_ttl     = 0
  }

  # Cache behavior with precedence 0: static WordPress content, cached 15 minutes.
  ordered_cache_behavior {
    path_pattern           = "wp-content/*"
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods         = ["GET", "HEAD", "OPTIONS"]
    compress               = true

    forwarded_values {
      query_string = true
      headers      = ["Host"]

      cookies {
        forward = "all"
      }
    }

    min_ttl     = 900
    default_ttl = 900
    max_ttl     = 900
  }

  # Cache behavior with precedence 1: WordPress includes, cached one hour.
  ordered_cache_behavior {
    path_pattern           = "wp-includes/*"
    target_origin_id       = "alb"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods         = ["GET", "HEAD", "OPTIONS"]
    compress               = true

    forwarded_values {
      query_string = true
      headers      = ["Host"]

      cookies {
        forward = "all"
      }
    }

    min_ttl     = 3600
    default_ttl = 3600
    max_ttl     = 3600
  }

  # No geographic blocking is applied.
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    acm_certificate_arn = module.acm.this_acm_certificate_arn
    ssl_support_method  = "sni-only"
    # NOTE(review): TLSv1.1_2016 still permits TLS 1.1 from viewers; unchanged
    # here because it is outside the scope of this rule.
    minimum_protocol_version = "TLSv1.1_2016"
  }

  # CloudFront caches error responses for five minutes by default. If a
  # developer accidentally breaks the site, waiting five minutes for the cached
  # error to expire is undesirable, so the error TTL is made configurable.
  # https://docs.aws.amazon.com/AmazonS3/latest/dev/CustomErrorDocSupport.html
  custom_error_response {
    error_code            = 400
    error_caching_min_ttl = var.error_ttl
  }

  custom_error_response {
    error_code            = 403
    error_caching_min_ttl = var.error_ttl
  }

  custom_error_response {
    error_code            = 404
    error_caching_min_ttl = var.error_ttl
  }

  custom_error_response {
    error_code            = 405
    error_caching_min_ttl = var.error_ttl
  }

  # The origin ALB is fronting an ECS service; create it first.
  depends_on = [aws_ecs_service.this]
}
rulesets:- Terraform / AWS # Rules to enforce / AWS.