Benchmark: CloudFront
Description
This section contains recommendations for configuring CloudFront resources.
Usage
Install the mod:
mkdir dashboards
cd dashboards
powerpipe mod init
powerpipe mod install github.com/turbot/steampipe-mod-aws-compliance
Start the Powerpipe server:
steampipe service start
powerpipe server
Open http://localhost:9033 in your browser and select CloudFront.
Run this benchmark in your terminal:
powerpipe benchmark run aws_compliance.benchmark.all_controls_cloudfront
Snapshot and share results via Turbot Pipes:
powerpipe benchmark run aws_compliance.benchmark.all_controls_cloudfront --share
Controls
- CloudFront distributions should have origin failover configured
- CloudFront distributions should encrypt traffic to custom origins
- CloudFront distributions should have a default root object configured
- CloudFront distributions should require encryption in transit
- CloudFront distributions should have field level encryption enabled
- CloudFront distributions should have geo restriction enabled
- CloudFront distributions should have latest TLS version
- CloudFront distributions access logs should be enabled
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- CloudFront distributions should not point to non-existent S3 origins
- CloudFront distributions should encrypt traffic to non S3 origins
- CloudFront distributions should have origin access identity enabled
- CloudFront distributions should use SNI to serve HTTPS requests
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should use secure SSL cipher
- CloudFront distributions should use the recommended TLS security policy
- CloudFront distributions should have AWS WAF enabled