Benchmark: CloudFront
Overview
This section contains recommendations for configuring CloudFront resources and options.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select CloudFront.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_cloudfront
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.foundational_security_cloudfront --share
Controls
- 1 CloudFront distributions should have a default root object configured
- 3 CloudFront distributions should require encryption in transit
- 4 CloudFront distributions should have origin failover configured
- 5 CloudFront distributions should have logging enabled
- 6 CloudFront distributions should have AWS WAF enabled
- 7 CloudFront distributions should use custom SSL/TLS certificates
- 8 CloudFront distributions should use SNI to serve HTTPS requests
- 9 CloudFront distributions should encrypt traffic to custom origins
- 10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- 12 CloudFront distributions should not point to non-existent S3 origins
- 13 CloudFront distributions should use origin access control