🚀Launch Week 07, January 27th - 31st, 2025🚀
Powerpipe Hub 
Hub
Mods
turbot/steampipe-mod-aws-compliance
Overview
32Dashboards
1295Benchmarks
585Queries
4Variables
GitHub

Control: CloudFront distributions should require encryption in transit

Description

This control checks whether an AWS CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.cloudfront_distribution_encryption_in_transit_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.cloudfront_distribution_encryption_in_transit_enabled --share

SQL

This control uses a named query:

with data as (
  select
    distinct arn
  from
    aws_cloudfront_distribution,
      jsonb_array_elements(
    case jsonb_typeof(cache_behaviors -> 'Items')
        when 'array' then (cache_behaviors -> 'Items')
        else null end
    ) as cb
  where
    cb ->> 'ViewerProtocolPolicy' = 'allow-all'
)
select
  b.arn as resource,
  case
    when d.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') then 'alarm'
    else 'ok'
  end as status,
  case
    when d.arn is not null or (default_cache_behavior ->> 'ViewerProtocolPolicy' = 'allow-all') then title || ' data not encrypted in transit.'
    else title || ' data encrypted in transit.'
  end as reason
  
  , b.region, b.account_id
from
  aws_cloudfront_distribution as b
  left join data as d on b.arn = d.arn;

Tags

category = Compliance
gdpr = true
hipaa_final_omnibus_security_rule_2013 = true
hipaa_security_rule_2003 = true
nist_csf = true
pci_dss_v321 = true
plugin = aws
service = AWS/CloudFront
soc_2 = true