AWS CloudFront viewer protocol policy is not configured with HTTPS
Description
AWS::CloudFront::Distribution ViewerCertificate determines the distribution's SSL/TLS configuration for communicating with viewers. We recommend you use the ViewerProtocolPolicy parameter to enable secure HTTPS communication between clients and your CloudFormation templates. Most browsers and clients released after 2010 support server name indication. AWS recommends to accept HTTPS connections only from viewers that support SNI and advises against receiving HTTPS connections from all viewers, including those that do not support SNI, set SslSupportMethod. This also results in additional monthly charges from CloudFront.
Code Example
resource "aws_cloudfront_distribution" "cloudfront" {
...
default_cache_behavior {
...
target_origin_id = "my-origin"
- viewer_protocol_policy = "allow-all"
+ viewer_protocol_policy = "redirect-to-https"
}
}Remediation
- Procedure*
Use * ViewerProtocolPolicy* in the * CacheBehavior* or * DefaultCacheBehavior*, and select * Redirect HTTP to HTTPS* or * HTTPS Only*. To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use * CustomOriginConfig*. === Fix - Buildtime
Terraform
- Resource: aws_cloudfront_distribution
- Arguments: `viewer_protocol_policy` under `default_cache_behavior` or `ordered_cache_behavior` must not be `allow-all`. Acceptable values are `redirect-to-https` or `https-only`.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0088 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | CloudFormation, Terraform |
| Checkov ID | CKV_AWS_34 |