CloudFront Without WAF

  • Query id: 6d19ce0f-b3d8-4128-ac3d-1064e0f00494
  • Query name: CloudFront Without WAF
  • Platform: Crossplane
  • Severity: Medium
  • Category: Networking and Firewall
  • URL: Github

Description

All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
  name: sample-distribution
spec:
  forProvider:
    region: us-east-1
    distributionConfig:
      enabled: true
      comment: Crossplane - auto provisioning
      viewerCertificate:
        sslSupportMethod: sni-only
        cloudFrontDefaultCertificate: false
        minimumProtocolVersion: TLSv1.2_2018
      origins:
        items:
          - domainName: sample.s3.amazonaws.com
            id: s3Origin
            s3OriginConfig:
              originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
  - name: metadata
    patches:
    - fromFieldPath: metadata.labels
  resources:
    - name: sample-cloudfront
      base: 
        apiVersion: cloudfront.aws.crossplane.io/v1alpha1
        kind: Distribution
        metadata:
          name: sample-distribution
        spec:
          forProvider:
            region: us-east-1
            distributionConfig:
              enabled: true
              comment: Crossplane - auto provisioning
              viewerCertificate:
                sslSupportMethod: sni-only
                cloudFrontDefaultCertificate: false
                minimumProtocolVersion: TLSv1.2_2018
              origins:
                items:
                  - domainName: sample.s3.amazonaws.com
                    id: s3Origin
                    s3OriginConfig:
                      originAccessIDentity: ""

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
  name: sample-distribution
spec:
  forProvider:
    region: us-east-1
    distributionConfig:
      enabled: true
      comment: Crossplane - auto provisioning
      viewerCertificate:
        sslSupportMethod: sni-only
        cloudFrontDefaultCertificate: false
        minimumProtocolVersion: TLSv1.2_2018
      webACLID: 473e64fd-f30b-4765-81a0-62ad96dd167a   
      origins:
        items:
          - domainName: sample.s3.amazonaws.com
            id: s3Origin
            s3OriginConfig:
              originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
  name: cluster-aws
  labels:
    provider: aws
    cluster: eks
spec:
  compositeTypeRef:
    apiVersion: mydev.org/v1alpha1
    kind: CompositeCluster
  writeConnectionSecretsToNamespace: crossplane-system
  patchSets:
  - name: metadata
    patches:
    - fromFieldPath: metadata.labels
  resources:
    - name: sample-cloudfront
      base: 
        apiVersion: cloudfront.aws.crossplane.io/v1alpha1
        kind: Distribution
        metadata:
          name: sample-distribution
        spec:
          forProvider:
            region: us-east-1
            distributionConfig:
              enabled: true
              comment: Crossplane - auto provisioning
              viewerCertificate:
                sslSupportMethod: sni-only
                cloudFrontDefaultCertificate: false
                minimumProtocolVersion: TLSv1.2_2018
              webACLID: 473e64fd-f30b-4765-81a0-62ad96dd167a
              origins:
                items:
                  - domainName: sample.s3.amazonaws.com
                    id: s3Origin
                    s3OriginConfig:
                      originAccessIDentity: ""