turbot/aws_compliance

Control: CloudFront distributions should encrypt traffic to custom origins

Description

This control checks if AWS CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol policy allows 'http-only'. This control also fails if the distribution's origin protocol policy is 'match-viewer' while the viewer protocol policy is 'allow-all'.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cloudfront_distribution_custom_origins_encryption_in_transit_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cloudfront_distribution_custom_origins_encryption_in_transit_enabled --share

SQL

This control uses a named query:

cloudfront_distribution_custom_origins_encryption_in_transit_enabled

Tags