Control: CloudFront distributions should encrypt traffic to custom origins
Description
This control checks if AWS CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol policy allows 'http-only'. This control also fails if the distribution's origin protocol policy is 'match-viewer' while the viewer protocol policy is 'allow-all'.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.cloudfront_distribution_custom_origins_encryption_in_transit_enabledSnapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run aws_compliance.control.cloudfront_distribution_custom_origins_encryption_in_transit_enabled --shareSQL
This control uses a named query:
cloudfront_distribution_custom_origins_encryption_in_transit_enabled