Cloudfront Viewer Protocol Policy Allows HTTP

  • Query id: a6d27cf7-61dc-4bde-ae08-3b353b609f76
  • Query name: Cloudfront Viewer Protocol Policy Allows HTTP
  • Platform: Ansible
  • Severity: Medium
  • Category: Encryption
  • CWE: 319
  • URL: Github

Description

Checks if the connection between CloudFront and the viewer is encrypted
Documentation

Code samples

Code samples with security vulnerabilities

Positive test num. 1 - yaml file
- name: example1
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    default_cache_behavior:
      target_origin_id: 'my test origin-000111'
      forwarded_values:
        query_string: true
        cookies:
          forward: all
        headers:
          - '*'
      viewer_protocol_policy: allow-all
      smooth_streaming: true
      compress: true
      allowed_methods:
        items:
          - GET
          - HEAD
        cached_methods:
          - GET
          - HEAD

- name: example2
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
      - id: 'my test origin-000111'
        domain_name: www.example.com
        origin_path: /production
        custom_headers:
          - header_name: MyCustomHeaderName
            header_value: MyCustomHeaderValue
    cache_behaviors:
      target_origin_id: 'my test origin-000111'
      forwarded_values:
        query_string: true
        cookies:
          forward: all
        headers:
          - '*'
      viewer_protocol_policy: allow-all
      smooth_streaming: true
      compress: true
      allowed_methods:
        items:
          - GET
          - HEAD
        cached_methods:
          - GET
          - HEAD

Code samples without security vulnerabilities

Negative test num. 1 - yaml file
- name: example1
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
    - id: my test origin-000111
      domain_name: www.example.com
      origin_path: /production
      custom_headers:
      - header_name: MyCustomHeaderName
        header_value: MyCustomHeaderValue
    default_cache_behavior:
      target_origin_id: my test origin-000111
      forwarded_values:
        query_string: true
        cookies:
          forward: all
        headers:
        - '*'
      viewer_protocol_policy: https-only
      smooth_streaming: true
      compress: true
      allowed_methods:
        items:
        - GET
        - HEAD
        cached_methods:
        - GET
        - HEAD

- name: example2
  community.aws.cloudfront_distribution:
    state: present
    caller_reference: unique test distribution ID
    origins:
    - id: my test origin-000111
      domain_name: www.example.com
      origin_path: /production
      custom_headers:
      - header_name: MyCustomHeaderName
        header_value: MyCustomHeaderValue
    cache_behaviors:
      target_origin_id: my test origin-000111
      forwarded_values:
        query_string: true
        cookies:
          forward: all
        headers:
        - '*'
      viewer_protocol_policy: https-only
      smooth_streaming: true
      compress: true
      allowed_methods:
        items:
        - GET
        - HEAD
        cached_methods:
        - GET
        - HEAD