v1.0 for Steampipe, Powerpipe, Flowpipe, 116 plugins, and 44 mods →
Powerpipe Hub 
Hub
Mods
turbot/aws_compliance
Overview
32Dashboards
1295Controls
585Queries
4Variables
GitHub

Control: 6 CloudFront distributions should have AWS WAF enabled

Description

This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.

Remediation

For information on how to associate a web ACL with a CloudFront distribution, see Using AWS WAF to control access to your content.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudfront_6

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudfront_6 --share

SQL

This control uses a named query:

cloudfront_distribution_waf_enabled

Tags

aws_foundational_security = true
category = Compliance
foundational_security_category = protective_services
foundational_security_item_id = cloudfront_6
plugin = aws
service = AWS/CloudFront