Cloudfront Viewer Protocol Policy Allows HTTP

Query id: 31733ee2-fef0-4e87-9778-65da22a8ecf1
Query name: Cloudfront Viewer Protocol Policy Allows HTTP
Platform: CloudFormation
Severity: High
Category: Encryption
URL: Github

Description¶

Checks if the connection between CloudFront and the viewer is encrypted
Documentation

Code samples¶

Code samples with security vulnerabilities¶

Postitive test num. 1 - yaml file

 AW Re

Postitive test num. 2 - json file

#this is a problematic code where the query should report a result(s) STemplateFormatVersion: "2010-09-09" sources: cloudfrontdistribution_1: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: CacheBehaviors: - LambdaFunctionAssociations: - EventType: viewer-request LambdaFunctionARN: examp DefaultCacheBehavior: class="w">          ViewerProtocolPolicy: allow-all LambdaFunctionAssociations: - EventType: viewer-request LambdaFunctionARN: examp IPV6Enabled: true Origins: - CustomOriginConfig: OriginKeepaliveTimeout: 60 OriginReadTimeout: 30 Tags: - Key: name Value: example cloudfrontdistribution_2: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: CacheBehaviors: class="w">          - ViewerProtocolPolicy: allow-all LambdaFunctionAssociations: - EventType: viewer-request LambdaFunctionARN: examp DefaultCacheBehavior: LambdaFunctionAssociations: - EventType: viewer-request LambdaFunctionARN: examp IPV6Enabled: true Origins: - CustomOriginConfig: OriginKeepaliveTimeout: 60 OriginReadTimeout: 30 Tags: - Key: name Value: example { "AWSTemplateFormatVersion": "2010-09-09", "Resources": { "cloudfrontdistribution_2": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "CacheBehaviors": [ { class="w">              "ViewerProtocolPolicy": "allow-all", "LambdaFunctionAssociations": [ { "EventType": "viewer-request", "LambdaFunctionARN": "examp" } ] } ], "DefaultCacheBehavior": { "LambdaFunctionAssociations": [ { "LambdaFunctionARN": "examp", "EventType": "viewer-request" } ] }, "IPV6Enabled": true, "Origins": [ { "CustomOriginConfig": { "OriginKeepaliveTimeout": 60, "OriginReadTimeout": 30 } } ], "Tags": [ { "Value": "example", "Key": "name" } ] } } }, "cloudfrontdistribution_1": { "Type": "AWS::CloudFront::Distribution", "Properties": { "DistributionConfig": { "DefaultCacheBehavior": { class="w">            "ViewerProtocolPolicy": "allow-all", "LambdaFunctionAssociations": [ { "EventType": "viewer-request", "LambdaFunctionARN": "examp" } ] }, "IPV6Enabled": true, "Origins": [ { "CustomOriginConfig": { "OriginKeepaliveTimeout": 60, "OriginReadTimeout": 30 } } ], "CacheBehaviors": [ { "LambdaFunctionAssociations": [ { "EventType": "viewer-request", "LambdaFunctionARN": "examp" } ] } ] }, "Tags": [ { "Key": "name", "Value": "example" } ] } } } }
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file#this code is a correct code for which the query should not find any result
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  cloudfrontdistribution_1:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: viewer-request
                LambdaFunctionARN: examp
        DefaultCacheBehavior:
          ViewerProtocolPolicy: https-only
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: 60
              OriginReadTimeout: 30
      Tags:
        - Key: name
          Value: example

Negative test num. 2 - json file{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "cloudfrontdistribution_1": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "CacheBehaviors": [
            {
              "LambdaFunctionAssociations": [
                {
                  "EventType": "viewer-request",
                  "LambdaFunctionARN": "examp"
                }
              ]
            }
          ],
          "DefaultCacheBehavior": {
            "ViewerProtocolPolicy": "https-only",
            "LambdaFunctionAssociations": [
              {
                "EventType": "viewer-request",
                "LambdaFunctionARN": "examp"
              }
            ]
          },
          "IPV6Enabled": true,
          "Origins": [
            {
              "CustomOriginConfig": {
                "OriginKeepaliveTimeout": 60,
                "OriginReadTimeout": 30
              }
            }
          ]
        },
        "Tags": [
          {
            "Key": "name",
            "Value": "example"
          }
        ]
      }
    }
  }
}

Negative test num. 3 - yaml file#this code is a correct code for which the query should not find any result
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  cloudfrontdistribution_1:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: viewer-request
                LambdaFunctionARN: examp
        DefaultCacheBehavior:
          ViewerProtocolPolicy: redirect-to-https
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: 60
              OriginReadTimeout: 30
      Tags:
        - Key: name
          Value: example