Powerpipe Detection Mods →
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: CloudFront distributions should have origin access identity enabled

Description

This control checks whether an AWS CloudFront distribution with AWS S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cloudfront_distribution_origin_access_identity_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cloudfront_distribution_origin_access_identity_enabled --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when o ->> 'DomainName' not like '%s3.amazonaws.com' then 'skip'
    when o ->> 'DomainName' like '%s3.amazonaws.com'
    and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then 'alarm'
    else 'ok'
  end as status,
  case
    when o ->> 'DomainName' not like '%s3.amazonaws.com' then title || ' origin type is not s3.'
    when o ->> 'DomainName' like '%s3.amazonaws.com'
    and o -> 'S3OriginConfig' ->> 'OriginAccessIdentity' = '' then title || ' origin access identity not configured.'
    else title || ' origin access identity configured.'
  end as reason
  
  , region, account_id
from
  aws_cloudfront_distribution,
  jsonb_array_elements(origins) as o;

Tags

category = Compliance
nist_csf = true
plugin = aws
service = AWS/CloudFront