Control: 12 CloudFront distributions should not point to non-existent S3 origins
Description
This control checks whether Amazon CloudFront distributions are pointing to non-existent Amazon S3 origins. The control fails for a CloudFront distribution if the origin is configured to point to a non-existent bucket. This control only applies to CloudFront distributions where an S3 bucket without static website hosting is the S3 origin.
When a CloudFront distribution in your account is configured to point to a non-existent bucket, a malicious third party can create the referenced bucket and serve their own content through your distribution. We recommend checking all origins regardless of routing behavior to ensure that your distributions are pointing to appropriate origins.
Remediation
To modify your CloudFront distribution to point to a new origin, see Updating a distribution in the Amazon CloudFront Developer Guide.
Usage
Run the control in your terminal:
powerpipe control run aws_compliance.control.foundational_security_cloudfront_12
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudfront_12 --share
SQL
This control uses a named query:
cloudfront_distribution_no_non_existent_s3_origin
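The logic the description above spells out, reproduced as an added example in Python rather than the mod's SQL so it runs offline on constructed data; this is illustration code written for this page, not the named query or any Steampipe code. It assumes origins in the shape the CloudFront GetDistributionConfig API returns (Origins.Items entries with DomainName and either S3OriginConfig or CustomOriginConfig), treats only S3OriginConfig origins on REST endpoints as in scope (website-hosting endpoints are custom origins, matching the control's scope note), and compares the bucket name parsed from the origin domain against a bucket listing for the account. The alarm/ok/skip statuses follow Powerpipe's vocabulary; assigning "skip" to distributions with no S3 origin is an assumption, not necessarily what the mod does.

```python
import re
from typing import Dict, List, Optional, Tuple

# REST (non-website) S3 endpoint forms CloudFront accepts as an S3 origin, e.g.
#   bucket.s3.amazonaws.com
#   bucket.s3.us-east-1.amazonaws.com
#   bucket.s3.dualstack.us-east-1.amazonaws.com
# Bucket names may contain dots, so the bucket group is lazy and anchored by the
# ".s3" label that follows it.
_S3_ORIGIN_DOMAIN = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]*?)\.s3(?:\.dualstack)?(?:[.-][a-z0-9-]+)?\.amazonaws\.com$"
)


def s3_bucket_from_origin_domain(domain: str) -> Optional[str]:
    """Return the bucket name behind an S3 REST origin domain, or None when the
    domain is not an S3 REST endpoint (custom HTTP origins, website endpoints)."""
    if ".s3-website" in domain:
        return None  # static website hosting endpoint: out of scope for this control
    m = _S3_ORIGIN_DOMAIN.match(domain.lower())
    return m.group("bucket") if m else None


def find_dangling_s3_origins(distributions: List[dict], existing_buckets: List[str]) -> List[Tuple[str, str, str]]:
    """Return (distribution_id, origin_id, bucket) for every S3 REST origin whose
    bucket is absent from existing_buckets (e.g. the account's bucket listing)."""
    existing = set(existing_buckets)
    findings = []
    for dist in distributions:
        for origin in dist["Origins"]["Items"]:
            # Only origins carrying S3OriginConfig are S3 REST origins; website
            # endpoints and other HTTP origins carry CustomOriginConfig instead.
            if "S3OriginConfig" not in origin:
                continue
            bucket = s3_bucket_from_origin_domain(origin["DomainName"])
            if bucket is not None and bucket not in existing:
                findings.append((dist["Id"], origin["Id"], bucket))
    return findings


def evaluate(distributions: List[dict], existing_buckets: List[str]) -> Dict[str, str]:
    """Map each distribution id to a control status: 'alarm' if any S3 origin
    bucket is missing, 'ok' if every S3 origin bucket exists, 'skip' (assumed
    here) if the distribution has no in-scope S3 origin at all."""
    dangling = {d for d, _, _ in find_dangling_s3_origins(distributions, existing_buckets)}
    status = {}
    for dist in distributions:
        has_s3_origin = any(
            "S3OriginConfig" in o and s3_bucket_from_origin_domain(o["DomainName"]) is not None
            for o in dist["Origins"]["Items"]
        )
        if dist["Id"] in dangling:
            status[dist["Id"]] = "alarm"
        elif has_s3_origin:
            status[dist["Id"]] = "ok"
        else:
            status[dist["Id"]] = "skip"
    return status


# Constructed sample data: a bucket listing for one account and three
# distributions shaped like GetDistributionConfig output (ids are placeholders).
EXISTING_BUCKETS = ["assets-prod", "logs.example.com"]

SAMPLE_DISTRIBUTIONS = [
    {"Id": "E1EXAMPLE", "Origins": {"Items": [
        {"Id": "assets", "DomainName": "assets-prod.s3.us-east-1.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        # The bucket behind this origin no longer exists: the case the control flags.
        {"Id": "media-archive", "DomainName": "media-2019.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]}},
    {"Id": "E2EXAMPLE", "Origins": {"Items": [
        # Website-hosting endpoint and a plain HTTP origin: both custom origins, out of scope.
        {"Id": "site", "DomainName": "www-site.s3-website-us-east-1.amazonaws.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        {"Id": "api", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
    ]}},
    {"Id": "E3EXAMPLE", "Origins": {"Items": [
        {"Id": "logs", "DomainName": "logs.example.com.s3.dualstack.eu-west-1.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]}},
]

if __name__ == "__main__":
    for dist_id, origin_id, bucket in find_dangling_s3_origins(SAMPLE_DISTRIBUTIONS, EXISTING_BUCKETS):
        print(f"ALARM {dist_id}: origin {origin_id} points to missing bucket {bucket}")
    print(evaluate(SAMPLE_DISTRIBUTIONS, EXISTING_BUCKETS))
```

On the sample data the first distribution alarms because of its `media-2019` origin, the second is skipped because neither origin is an S3 REST origin, and the third passes. To run this against a live account, replace the constructed lists with the output of `list_buckets` and `get_distribution_config` from boto3; the parsing and comparison stay the same.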