Control: CloudFront distributions should require encryption in transit

Description

This control checks whether an Amazon CloudFront distribution requires viewers to use HTTPS directly or whether it uses redirection. The control fails if ViewerProtocolPolicy is set to allow-all for defaultCacheBehavior or for cacheBehaviors.

Usage

Run the control in your terminal:

powerpipe control run terraform_aws_compliance.control.cloudfront_distribution_encryption_in_transit_enabled

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run terraform_aws_compliance.control.cloudfront_distribution_encryption_in_transit_enabled --share

SQL

This control uses a named query:

  with cloudfront_distribution as (
    select
      *
    from
      terraform_resource
    where type = 'aws_cloudfront_distribution'
  ), data as (
    select
      distinct address
    from
      cloudfront_distribution,
      jsonb_array_elements(
      case jsonb_typeof(attributes_std -> 'ordered_cache_behavior' -> 'Items')
        when 'array' then (attributes_std -> 'ordered_cache_behavior' -> 'Items')
        else null end
      ) as cb
    where
      cb ->> 'ViewerProtocolPolicy' = 'allow-all'
)
select
  b.address as resource,
  case
    when d.address is not null or (attributes_std -> 'default_cache_behavior' ->> 'ViewerProtocolPolicy' = 'allow-all') then 'alarm'
    else 'ok'
  end status,
  split_part(b.address, '.', 2) || case
    when d.address is not null or (attributes_std -> 'default_cache_behavior' ->> 'ViewerProtocolPolicy' = 'allow-all') then ' data not encrypted in transit'
    else ' data encrypted in transit'
  end || '.' reason
  
  , path || ':' || start_line
from
  cloudfront_distribution as b
  left join data as d on b.address = d.address;

Control: CloudFront distributions should require encryption in transit

Description

Usage

SQL

Tags