Cloudfront viewer protocol policy allows HTTP
This product is not supported for your selected
Datadog site. (
).
Id: 55af1353-2f62-4fa0-a8e1-a210ca2708f5
Cloud Provider: AWS
Platform: Terraform
Severity: Medium
Category: Encryption
Learn More
Description
This check ensures that the connection between Amazon CloudFront and the viewer is encrypted by verifying the viewer_protocol_policy attribute. If set to allow-all (for example, viewer_protocol_policy = "allow-all"), CloudFront can serve content over both HTTP and HTTPS, leaving data in transit vulnerable to interception or man-in-the-middle attacks. To address this, the attribute should be set to https-only in all cache behaviors (for example, viewer_protocol_policy = "https-only"), ensuring all communications between CloudFront and the end user are encrypted, thus preserving the confidentiality and integrity of the data.
Compliant Code Examples
#this code is a correct code for which the query should not find any result
resource "aws_cloudfront_distribution" "negative1" {
origin {
domain_name = "mybucket"
origin_id = "myS3Origin"
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
enabled = true
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "myS3Origin"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "https-only"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}
viewer_certificate {
cloudfront_default_certificate = false
minimum_protocol_version = "SSLv3"
}
}
Non-Compliant Code Examples
#this is a problematic code where the query should report a result(s)
resource "aws_cloudfront_distribution" "positive1" {
origin {
domain_name = "mybucket"
origin_id = "myS3Origin"
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
enabled = true
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "myS3Origin"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "allow-all"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}
viewer_certificate {
cloudfront_default_certificate = false
minimum_protocol_version = "SSLv3"
}
}
resource "aws_cloudfront_distribution" "positive2" {
origin {
domain_name = "mybucket"
origin_id = "myS3Origin"
s3_origin_config {
origin_access_identity = "origin-access-identity/cloudfront/ABCDEFG1234567"
}
}
enabled = true
default_cache_behavior {
allowed_methods = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
cached_methods = ["GET", "HEAD"]
target_origin_id = "myS3Origin"
forwarded_values {
query_string = false
cookies {
forward = "none"
}
}
viewer_protocol_policy = "https-only"
min_ttl = 0
default_ttl = 3600
max_ttl = 86400
}
ordered_cache_behavior {
path_pattern = "/content/immutable/*"
allowed_methods = ["GET", "HEAD", "OPTIONS"]
cached_methods = ["GET", "HEAD", "OPTIONS"]
target_origin_id = "myS3Origin"
forwarded_values {
query_string = false
headers = ["Origin"]
cookies {
forward = "none"
}
}
min_ttl = 0
default_ttl = 86400
max_ttl = 31536000
compress = true
viewer_protocol_policy = "allow-all"
}
restrictions {
geo_restriction {
restriction_type = "whitelist"
locations = ["US", "CA", "GB", "DE"]
}
}
viewer_certificate {
cloudfront_default_certificate = false
minimum_protocol_version = "SSLv3"
}
}
