turbot/steampipe-mod-aws-compliance

Control: 12 CloudFront distributions should not point to non-existent S3 origins

Description

This control checks whether Amazon CloudFront distributions are pointing to non-existent Amazon S3 origins. The control fails for a CloudFront distribution if the origin is configured to point to a non-existent bucket. This control only applies to CloudFront distributions where an S3 bucket without static website hosting is the S3 origin.

When a CloudFront distribution in your account is configured to point to a non-existent bucket, a malicious third party can create the referenced bucket (S3 bucket names form a single global namespace, so anyone can claim a name that is free) and serve their own content through your distribution. We recommend checking all origins regardless of routing behavior to ensure that your distributions are pointing to appropriate origins. Note that the query below compares the bucket name taken from each origin's domain name against the buckets in the scanned account only, so an origin that legitimately points at a bucket owned by another AWS account is reported the same way as a bucket that nobody owns; confirm which case applies before treating an alarm as a takeover exposure.

Remediation

To modify your CloudFront distribution to point to a new origin, see Updating a distribution in the Amazon CloudFront Developer Guide.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudfront_12

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudfront_12 --share

SQL

This control uses a named query:

with distribution_with_non_existent_bucket as (
  select
    d.arn as arn,
    -- Derive the bucket name from the origin's DomainName (bucket.s3[.region].amazonaws.com).
    -- The origin Id is a free-form label chosen by whoever created the distribution and
    -- need not resemble the bucket name, so it must not be used for the lookup.
    to_jsonb(string_to_array(string_agg(split_part(o ->> 'DomainName', '.s3', 1), ','), ',')) as bucket_name_list
  from
    aws_cloudfront_distribution as d,
    jsonb_array_elements(d.origins) as o
    left join aws_s3_bucket as b on b.name = split_part(o ->> 'DomainName', '.s3', 1)
  where
    b.name is null
    -- Only S3 REST endpoints are in scope; website endpoints use '.s3-website' and are
    -- custom origins from CloudFront's point of view, so they do not match this pattern.
    and o ->> 'DomainName' like '%.s3.%'
  group by
    d.arn
)
select
  -- Report the distribution's own ARN so compliant distributions get a resource too.
  d.arn as resource,
  case
    when b.arn is null then 'ok'
    else 'alarm'
  end as status,
  case
    when b.arn is null then d.title || ' does not point to any non-existent S3 origins.'
    when jsonb_array_length(b.bucket_name_list) > 2
      then concat(d.title, ' points to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ', ', b.bucket_name_list #>> '{1}', ' and ', (jsonb_array_length(b.bucket_name_list) - 2)::text, ' more.')
    when jsonb_array_length(b.bucket_name_list) = 2
      then concat(d.title, ' points to non-existent S3 origins ', b.bucket_name_list #>> '{0}', ' and ', b.bucket_name_list #>> '{1}', '.')
    else concat(d.title, ' points to non-existent S3 origin ', b.bucket_name_list #>> '{0}', '.')
  end as reason,
  d.region,
  d.account_id
from
  aws_cloudfront_distribution as d
  left join distribution_with_non_existent_bucket as b on b.arn = d.arn;
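The following is an added example and is not code from steampipe-mod-aws-compliance. It reproduces the control's logic outside Steampipe (bucket name taken from the origin's DomainName, website and custom origins skipped, name checked against the account's bucket inventory) and adds the follow-up step the description above implies but the query cannot do: asking whether a flagged name is actually free in the global S3 namespace (takeover possible) or merely owned by another account. The distributions, ARNs, bucket names, `fake_probe` and `head_bucket_probe` are all constructed for this example; the probe is injected so the module runs offline.

```python
"""Dangling S3 origin check for CloudFront distributions (added example)."""
import re
from typing import Callable, Dict, Iterable, List, Optional

# Virtual-hosted-style S3 REST endpoints CloudFront accepts as S3 origins:
#   bucket.s3.amazonaws.com
#   bucket.s3.<region>.amazonaws.com
#   bucket.s3.dualstack.<region>.amazonaws.com   (and the .com.cn partition)
# Website endpoints (bucket.s3-website-<region>... / bucket.s3-website.<region>...)
# are custom origins to CloudFront and out of scope, exactly as in the SQL above.
_REST_ORIGIN = re.compile(
    r"^(?P<bucket>[a-z0-9][a-z0-9.-]{1,61}[a-z0-9])"
    r"\.s3(?:\.dualstack)?(?:\.[a-z0-9-]+)?\.amazonaws\.com(?:\.cn)?$"
)


def bucket_from_origin(domain_name: str) -> Optional[str]:
    """Bucket name for an S3 REST origin, or None for any other origin type."""
    m = _REST_ORIGIN.match(domain_name.lower())
    return m.group("bucket") if m else None


def dangling_origins(distribution: dict, own_buckets: Iterable[str]) -> List[str]:
    """Bucket names referenced by S3 REST origins that are not in the account's
    inventory. This is what the Steampipe query reports as an alarm; the origin
    Id is deliberately ignored because it is a free-form label."""
    own = set(own_buckets)
    found: List[str] = []
    for origin in distribution.get("Origins", []):
        name = bucket_from_origin(origin.get("DomainName", ""))
        if name is not None and name not in own and name not in found:
            found.append(name)
    return found


# A probe maps a bucket name to one of:
#   "missing" -> HeadBucket returned 404: the name is free, anyone can create it
#   "foreign" -> HeadBucket returned 403: a bucket with that name exists elsewhere
Probe = Callable[[str], str]


def head_bucket_probe(name: str) -> str:
    """Real probe using boto3 (hypothetical helper, not exercised offline)."""
    import boto3  # imported lazily so the module runs without boto3 installed
    from botocore.exceptions import ClientError
    try:
        boto3.client("s3").head_bucket(Bucket=name)
        return "foreign"  # 200: exists and we can read it, but it is not in our inventory
    except ClientError as exc:
        return "missing" if exc.response["Error"]["Code"] == "404" else "foreign"


def triage(distributions: Iterable[dict], own_buckets: Iterable[str],
           probe: Probe) -> Dict[str, Dict[str, str]]:
    """Per distribution ARN, each dangling bucket name with its probe verdict."""
    report: Dict[str, Dict[str, str]] = {}
    for d in distributions:
        missing = dangling_origins(d, own_buckets)
        if missing:
            report[d["ARN"]] = {name: probe(name) for name in missing}
    return report


# --- constructed sample data -------------------------------------------------
OWN_BUCKETS = ["site-assets-prod", "logs-archive"]  # buckets in the scanned account

DISTRIBUTIONS = [  # shaped like the CloudFront API's DistributionSummary
    {"ARN": "arn:aws:cloudfront::111122223333:distribution/E1EXAMPLE",
     "Origins": [{"Id": "S3-site",
                  "DomainName": "site-assets-prod.s3.us-east-1.amazonaws.com"}]},
    {"ARN": "arn:aws:cloudfront::111122223333:distribution/E2EXAMPLE",
     "Origins": [{"Id": "old-site",
                  "DomainName": "old-marketing-site.s3.amazonaws.com"},
                 {"Id": "partner",
                  "DomainName": "partner-cdn-assets.s3.dualstack.eu-west-1.amazonaws.com"}]},
    {"ARN": "arn:aws:cloudfront::111122223333:distribution/E3EXAMPLE",
     "Origins": [{"Id": "web",
                  "DomainName": "legacy-site.s3-website-us-east-1.amazonaws.com"},
                 {"Id": "api", "DomainName": "api.example.com"}]},
]


def fake_probe(name: str) -> str:
    """Offline stand-in for HeadBucket: one name belongs to another account."""
    return "foreign" if name == "partner-cdn-assets" else "missing"


if __name__ == "__main__":
    for arn, findings in triage(DISTRIBUTIONS, OWN_BUCKETS, fake_probe).items():
        for bucket, verdict in findings.items():
            print(f"{arn}: {bucket} -> {verdict}")
```

Only E2EXAMPLE is reported: `old-marketing-site` is free and can be claimed by anyone, which is the takeover case the description warns about, while `partner-cdn-assets` exists in another account and only needs confirming as an intended cross-account origin. E1EXAMPLE's origin Id (`S3-site`) differs from its bucket name, which is why the check must read DomainName rather than Id; E3EXAMPLE's website and custom origins are out of scope, matching the control's stated scope.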

Tags