turbot/steampipe-mod-aws-compliance

Control: 15 CloudFront distributions should use the recommended TLS security policy

Description

This control checks whether an Amazon CloudFront distribution is configured to use the recommended TLS security policy. The control fails if the CloudFront distribution is not configured to use the recommended TLS security policy.

Usage

Run the control in your terminal:

powerpipe control run aws_compliance.control.foundational_security_cloudfront_15

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run aws_compliance.control.foundational_security_cloudfront_15 --share

SQL

This control uses a named query:

select
  arn as resource,
  case
    when viewer_certificate is null then 'alarm'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then 'alarm'
    else 'ok'
  end as status,
  case
    when viewer_certificate is null then title || ' has no MinimumProtocolVersion set.'
    when not (viewer_certificate ->> 'MinimumProtocolVersion' = ANY($1::text[])) then title || ' uses non-recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
    else title || ' uses recommended MinimumProtocolVersion: ' || (viewer_certificate ->> 'MinimumProtocolVersion') || '.'
  end as reason,
  region,
  account_id
from
  aws_cloudfront_distribution;

Params

Args  Name                                         Default           Description                                           Variable
$1    cloudfront_distribution_tls_security_policy  ["TLSv1.2_2021"]  A list of SSL policies for CloudFront distributions.
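The decision logic of the query above and its `$1` parameter, rewritten as an added Python example (not the mod's own code) so it can be run offline against constructed records shaped like the `viewer_certificate` column (the CloudFront API ViewerCertificate object). It also treats a certificate object that lacks the `MinimumProtocolVersion` key as an alarm, a case the SQL's NULL comparison would let fall through to the `ok` branch.

```python
from typing import Iterable, Optional

# Same default as the mod's cloudfront_distribution_tls_security_policy param.
RECOMMENDED_POLICIES = ["TLSv1.2_2021"]

# Constructed sample records shaped like aws_cloudfront_distribution rows; the
# viewer_certificate value mirrors the CloudFront API ViewerCertificate object.
SAMPLE_DISTRIBUTIONS = [
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE1", "title": "EXAMPLE1",
     "viewer_certificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/placeholder",
                            "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"}},
    # Default *.cloudfront.net certificate: CloudFront sets the policy to TLSv1 regardless
    # of the configured value, so this alarms until a custom (e.g. ACM) certificate is
    # attached and the minimum protocol version raised.
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE2", "title": "EXAMPLE2",
     "viewer_certificate": {"CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"}},
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE3", "title": "EXAMPLE3",
     "viewer_certificate": None},
    {"arn": "arn:aws:cloudfront::111122223333:distribution/EXAMPLE4", "title": "EXAMPLE4",
     "viewer_certificate": {"MinimumProtocolVersion": "TLSv1.2_2019"}},
]


def evaluate_distribution(dist: dict, allowed: Iterable[str] = RECOMMENDED_POLICIES) -> tuple:
    """Return (status, reason) for one distribution, following the SQL case branches."""
    title = dist["title"]
    cert: Optional[dict] = dist.get("viewer_certificate")
    version = None if cert is None else cert.get("MinimumProtocolVersion")
    # A missing key is treated like a null column. In the SQL, NULL = ANY(...) yields
    # NULL, so `not (...)` is never true and such a row would land in the 'ok' branch.
    if version is None:
        return "alarm", f"{title} has no MinimumProtocolVersion set."
    if version not in set(allowed):
        return "alarm", f"{title} uses non-recommended MinimumProtocolVersion: {version}."
    return "ok", f"{title} uses recommended MinimumProtocolVersion: {version}."


def run_control(dists: Iterable[dict], allowed: Iterable[str] = RECOMMENDED_POLICIES) -> list:
    """Evaluate every distribution; rows carry the control's resource/status/reason columns."""
    rows = []
    for dist in dists:
        status, reason = evaluate_distribution(dist, allowed)
        rows.append({"resource": dist["arn"], "status": status, "reason": reason})
    return rows


if __name__ == "__main__":
    for row in run_control(SAMPLE_DISTRIBUTIONS):
        print(f"{row['status']:5}  {row['reason']}")
```

Passing a different `allowed` list corresponds to overriding the `cloudfront_distribution_tls_security_policy` variable when running the control with powerpipe.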

Tags