Cloudfront Viewer Protocol Policy Allows HTTP
- Query id: 31733ee2-fef0-4e87-9778-65da22a8ecf1
- Query name: Cloudfront Viewer Protocol Policy Allows HTTP
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- CWE: 319 (Cleartext Transmission of Sensitive Information)
- URL: Github
Description
Checks whether the connection between CloudFront and the viewer is encrypted, i.e. whether a cache behavior's ViewerProtocolPolicy allows plain HTTP (allow-all) instead of requiring https-only or redirect-to-https
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
# this is a problematic code where the query should report a result(s)
# Both distributions below set ViewerProtocolPolicy to allow-all, so viewers
# may reach the distribution over plain HTTP; the query reports each of them.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  # Case 1: allow-all on the DefaultCacheBehavior
  cloudfrontdistribution_1:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          # This entry carries no ViewerProtocolPolicy; the finding for this
          # resource comes from DefaultCacheBehavior below
          - LambdaFunctionAssociations:
              - EventType: viewer-request
                LambdaFunctionARN: examp
        DefaultCacheBehavior:
          ViewerProtocolPolicy: allow-all  # plain HTTP accepted -> reported
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: 60
              OriginReadTimeout: 30
      # Tags belongs to the resource Properties, as a sibling of DistributionConfig
      Tags:
        - Key: name
          Value: example
  # Case 2: allow-all on a CacheBehaviors entry while DefaultCacheBehavior
  # sets no ViewerProtocolPolicy at all
  cloudfrontdistribution_2:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - ViewerProtocolPolicy: allow-all  # plain HTTP accepted -> reported
            LambdaFunctionAssociations:
              - EventType: viewer-request
                LambdaFunctionARN: examp
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: 60
              OriginReadTimeout: 30
      # Tags belongs to the resource Properties, as a sibling of DistributionConfig
      Tags:
        - Key: name
          Value: example
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"cloudfrontdistribution_2": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"CacheBehaviors": [
{
"ViewerProtocolPolicy": "allow-all",
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
}
],
"DefaultCacheBehavior": {
"LambdaFunctionAssociations": [
{
"LambdaFunctionARN": "examp",
"EventType": "viewer-request"
}
]
},
"IPV6Enabled": true,
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": 60,
"OriginReadTimeout": 30
}
}
],
"Tags": [
{
"Value": "example",
"Key": "name"
}
]
}
}
},
"cloudfrontdistribution_1": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"DefaultCacheBehavior": {
"ViewerProtocolPolicy": "allow-all",
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
},
"IPV6Enabled": true,
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": 60,
"OriginReadTimeout": 30
}
}
],
"CacheBehaviors": [
{
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
}
]
},
"Tags": [
{
"Key": "name",
"Value": "example"
}
]
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
# this code is a correct code for which the query should not find any result
# The DefaultCacheBehavior requires HTTPS (https-only), so no finding is
# expected; the CacheBehaviors entry without a ViewerProtocolPolicy is not
# reported either.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  cloudfrontdistribution_1:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: viewer-request
                LambdaFunctionARN: examp
        DefaultCacheBehavior:
          ViewerProtocolPolicy: https-only  # HTTP rejected -> not reported
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: 60
              OriginReadTimeout: 30
      # Tags belongs to the resource Properties, as a sibling of DistributionConfig
      Tags:
        - Key: name
          Value: example
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"cloudfrontdistribution_1": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"CacheBehaviors": [
{
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
}
],
"DefaultCacheBehavior": {
"ViewerProtocolPolicy": "https-only",
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
},
"IPV6Enabled": true,
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": 60,
"OriginReadTimeout": 30
}
}
]
},
"Tags": [
{
"Key": "name",
"Value": "example"
}
]
}
}
}
}
Negative test num. 3 - yaml file
# this code is a correct code for which the query should not find any result
# The DefaultCacheBehavior upgrades HTTP requests to HTTPS (redirect-to-https),
# which the query accepts alongside https-only; no finding is expected.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  cloudfrontdistribution_1:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: viewer-request
                LambdaFunctionARN: examp
        DefaultCacheBehavior:
          ViewerProtocolPolicy: redirect-to-https  # HTTP redirected -> not reported
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: 60
              OriginReadTimeout: 30
      # Tags belongs to the resource Properties, as a sibling of DistributionConfig
      Tags:
        - Key: name
          Value: example