AWS CloudFront web distribution with geo restriction disabled
Description
The policy is checking whether AWS CloudFront web distributions have geographic restrictions enabled. This involves setting up geo restrictions to control access based on the geographic location of users attempting to access the content distributed by CloudFront.
Enabling geographic restrictions is important for maintaining control over where your content is accessible. This helps ensure compliance with regional legal and regulatory requirements while enhancing security by blocking access from regions irrelevant to your business or associated with potential malicious activity. By implementing geo restrictions, you can better protect your data and align with regional laws and policies.
Code Example
resource "aws_cloudfront_distribution" "example" {
...
restrictions {
geo_restriction {
restriction_type = "whitelist" # Or "blacklist" depending on your use case
locations = ["US", "CA", "GB"] # Example of allowed countries
}
}
...
}Remediation
Terraform
- Resource: aws_cloudfront_distribution
- Arguments: restrictions
Enable geo restriction for your AWS CloudFront distribution by including a restrictions block inside the aws_cloudfront_distribution resource. This block allows you to configure geo restrictions by specifying which countries are allowed or denied access.
This example demonstrates how to enable geo restriction for an AWS CloudFront distribution using Terraform.
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0421 |
| Severity | LOW |
| IaC Type | Terraform |
| Frameworks | Terraform, TerraformPlan |
| Checkov ID | CKV_AWS_374 |