🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: CloudFront distributions should encrypt traffic to custom origins

Description

This control checks if AWS CloudFront distributions are encrypting traffic to custom origins. This control fails for a CloudFront distribution whose origin protocol policy allows 'http-only'. This control also fails if the distribution's origin protocol policy is 'match-viewer' while the viewer protocol policy is 'allow-all'.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cloudfront_distribution_custom_origins_encryption_in_transit_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cloudfront_distribution_custom_origins_encryption_in_transit_enabled --share

SQL

This control uses a named query:

with viewer_protocol_policy_value as (
  select
    distinct arn
  from
    aws_cloudfront_distribution,
      jsonb_array_elements(
    case jsonb_typeof(cache_behaviors -> 'Items')
        when 'array' then (cache_behaviors -> 'Items')
        else null end
    ) as cb
  where
    cb ->> 'ViewerProtocolPolicy' = 'allow-all'
),
origin_protocol_policy_value as (
  select
    distinct arn,
    o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy
  from
    aws_cloudfront_distribution,
    jsonb_array_elements(origins) as o
  where
    o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'http-only'
    or o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'match-viewer'
)
select
  distinct b.arn as resource,
  case
    when o.arn is not null and o.origin_protocol_policy = 'http-only' then 'alarm'
    when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') ) then 'alarm'
    else 'ok'
  end as status,
  case
    when o.arn is not null and o.origin_protocol_policy = 'http-only' then title || ' custom origins traffic not encrypted in transit.'
    when o.arn is not null and o.origin_protocol_policy = 'match-viewer' and ( v.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') )  then title || ' custom origins traffic not encrypted in transit.'
    else title || ' custom origins traffic encrypted in transit.'
  end as reason
  
  , region, account_id
from
  aws_cloudfront_distribution as b
  left join origin_protocol_policy_value as o on b.arn = o.arn
  left join viewer_protocol_policy_value as v on b.arn = v.arn;

Tags

category = Compliance
gxp_21_cfr_part_11 = true
gxp_eu_annex_11 = true
nist_csf = true
pci_dss_v321 = true
plugin = aws
service = AWS/CloudFront