AWS CloudFront origin protocol policy does not enforce HTTPS-only
Description
This policy checks whether an AWS CloudFront distribution is configured to use HTTPS as the only allowed protocol for communication between CloudFront and its origin. Enforcing HTTPS-only ensures that data transmitted between CloudFront and the origin is encrypted in transit, which protects sensitive information, preserves data integrity, and secures the communication channel. If this configuration is not enforced, data can be sent over unencrypted HTTP, where it is exposed to interception and eavesdropping by malicious actors.
Code Example
```hcl
resource "aws_cloudfront_distribution" "example" {
  ...
  origin {
    ...
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
    }
  }
}
```
Remediation
Ensure that the origin protocol policy in your AWS CloudFront distribution is set to enforce HTTPS-only.
Terraform
- Resource: aws_cloudfront_distribution
- Arguments: origin
In this example, an AWS CloudFront distribution is configured to enforce HTTPS-only communication between CloudFront and the origin by setting the `origin_protocol_policy` attribute to `https-only` in the `custom_origin_config` block. The other accepted values, `http-only` and `match-viewer`, both allow CloudFront to contact the origin over plain HTTP and therefore fail this policy.
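The following is an added example, not the page's own code and not the source of Checkov's CKV2_AWS_72: a hypothetical Checkov-style check that walks a Terraform configuration written in Terraform's JSON syntax and reports every CloudFront custom origin whose `origin_protocol_policy` is anything other than `https-only`. The function names (`scan`, `evaluate_distribution`) and the sample configuration are assumptions constructed for this illustration; origins that use `s3_origin_config` have no `origin_protocol_policy` attribute, so the check skips them rather than flagging them.

```python
# Added example: a hypothetical Checkov-style check (not Checkov's own CKV2_AWS_72 source)
# that walks a Terraform configuration in Terraform's JSON syntax and reports every
# CloudFront custom origin whose origin_protocol_policy is not "https-only".

COMPLIANT_POLICY = "https-only"
# Values the AWS provider accepts for origin_protocol_policy.
KNOWN_POLICIES = {"http-only", "https-only", "match-viewer"}


def _as_list(value):
    """Terraform JSON lets a repeated block be one object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def evaluate_distribution(name, dist):
    """Return a list of finding strings for one aws_cloudfront_distribution body."""
    findings = []
    for origin in _as_list(dist.get("origin")):
        origin_id = origin.get("origin_id", "<no origin_id>")
        custom_configs = _as_list(origin.get("custom_origin_config"))
        if not custom_configs:
            # s3_origin_config has no origin_protocol_policy attribute, so there is
            # nothing for this rule to evaluate on an S3 bucket origin.
            continue
        for cfg in custom_configs:
            policy = cfg.get("origin_protocol_policy")
            if policy == COMPLIANT_POLICY:
                continue
            if policy in KNOWN_POLICIES:
                reason = f"origin_protocol_policy is {policy!r}"
            else:
                reason = f"origin_protocol_policy is missing or invalid ({policy!r})"
            findings.append(f"{name}: origin {origin_id!r}: {reason}; expected 'https-only'")
    return findings


def scan(config):
    """Map each aws_cloudfront_distribution resource name to its findings (empty list = compliant)."""
    results = {}
    distributions = config.get("resource", {}).get("aws_cloudfront_distribution", {})
    for name, body in distributions.items():
        results[name] = []
        for dist in _as_list(body):
            results[name].extend(evaluate_distribution(name, dist))
    return results


# Constructed sample (hypothetical names and domains): three distributions carrying
# only the fields this check reads.
SAMPLE_CONFIG = {
    "resource": {
        "aws_cloudfront_distribution": {
            "legacy": {
                "origin": [{
                    "origin_id": "legacy-api",
                    "domain_name": "api.example.invalid",
                    "custom_origin_config": {
                        "http_port": 80, "https_port": 443,
                        "origin_protocol_policy": "http-only",
                        "origin_ssl_protocols": ["TLSv1.2"],
                    },
                }],
            },
            "mixed": {
                "origin": [
                    {"origin_id": "assets", "domain_name": "assets.example.invalid",
                     "s3_origin_config": {"origin_access_identity": "<constructed-oai-path>"}},
                    {"origin_id": "app", "domain_name": "app.example.invalid",
                     "custom_origin_config": {"http_port": 80, "https_port": 443,
                                              "origin_protocol_policy": "match-viewer",
                                              "origin_ssl_protocols": ["TLSv1.2"]}},
                ],
            },
            "web": {
                "origin": {"origin_id": "web", "domain_name": "web.example.invalid",
                           "custom_origin_config": {"http_port": 80, "https_port": 443,
                                                    "origin_protocol_policy": "https-only",
                                                    "origin_ssl_protocols": ["TLSv1.2"]}},
            },
        }
    }
}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_CONFIG).items():
        print(name, "PASSED" if not findings else "FAILED")
        for finding in findings:
            print("  ", finding)
```

Running the block against the constructed sample reports `legacy` (http-only) and `mixed` (the `app` origin uses match-viewer) as failures and `web` as passing. Feeding it a real configuration only requires converting HCL to Terraform's JSON syntax first; the check itself treats a missing or unrecognised policy value as a failure rather than silently passing it.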
Rule Details
| Field | Value |
|---|---|
| ID | IAC-0505 |
| Severity | MEDIUM |
| IaC Type | Cloudformation |
| Frameworks | Terraform |
| Checkov ID | CKV2_AWS_72 |