Geo Restriction Disabled
- Query id: 7f8843f0-9ea5-42b4-a02b-753055113195
- Query name: Geo Restriction Disabled
- Platform: CloudFormation
- Severity: Low
- Category: Best Practices
- CWE: 668
- URL: Github
Description
The geo restriction feature should be enabled to restrict or allow access to web application content for users in specific locations.
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix
        Restrictions:
          GeoRestriction:
            RestrictionType: none
        ViewerCertificate:
          CloudFrontDefaultCertificate: 'true'
Positive test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Logging": {
            "IncludeCookies": "false",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Restrictions": {
            "GeoRestriction": {
              "RestrictionType": "none"
            }
          },
          "ViewerCertificate": {
            "CloudFrontDefaultCertificate": "true"
          }
        }
      }
    }
  }
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Logging:
          IncludeCookies: 'false'
          Bucket: mylogs.s3.amazonaws.com
          Prefix: myprefix
        Restrictions:
          GeoRestriction:
            RestrictionType: whitelist
            Locations:
              - AQ
              - CV
        ViewerCertificate:
          CloudFrontDefaultCertificate: 'true'
Negative test num. 2 - json file
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "myDistribution": {
      "Type": "AWS::CloudFront::Distribution",
      "Properties": {
        "DistributionConfig": {
          "Logging": {
            "IncludeCookies": "false",
            "Bucket": "mylogs.s3.amazonaws.com",
            "Prefix": "myprefix"
          },
          "Restrictions": {
            "GeoRestriction": {
              "RestrictionType": "whitelist",
              "Locations": [
                "AQ",
                "CV"
              ]
            }
          },
          "ViewerCertificate": {
            "CloudFrontDefaultCertificate": "true"
          }
        }
      }
    }
  }
}
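
A minimal static check in the spirit of this query, as an added example (it is not the KICS implementation, which this page does not show): it scans a JSON CloudFormation template and reports CloudFront distributions whose geo restriction is off. Treating a missing GeoRestriction block or an empty Locations list as a failure, and marking intrinsic-function values for manual review, are assumptions of this example; the sample template and all function names are constructed.

```python
import json

CF_DIST = "AWS::CloudFront::Distribution"

def make_dist(config):
    # Helper for the constructed sample below (hypothetical name).
    return {"Type": CF_DIST, "Properties": {"DistributionConfig": config}}

# Constructed sample template (not from the page): one resource per case.
SAMPLE_TEMPLATE = json.dumps({"Resources": {
    "openDist": make_dist({"Restrictions": {"GeoRestriction": {"RestrictionType": "none"}}}),
    "lockedDist": make_dist({"Restrictions": {"GeoRestriction": {
        "RestrictionType": "whitelist", "Locations": ["AQ", "CV"]}}}),
    "implicitDist": make_dist({}),
    "paramDist": make_dist({"Restrictions": {"GeoRestriction": {
        "RestrictionType": {"Ref": "GeoMode"}}}}),
    "emptyListDist": make_dist({"Restrictions": {"GeoRestriction": {
        "RestrictionType": "blacklist", "Locations": []}}}),
    "logsBucket": {"Type": "AWS::S3::Bucket"},
}})

def as_dict(value):
    # Treat anything that is not a mapping (None, string, list) as empty.
    return value if isinstance(value, dict) else {}

def check_geo_restriction(template_text):
    """Return (logical_id, status, detail) for each distribution needing attention."""
    findings = []
    resources = as_dict(as_dict(json.loads(template_text)).get("Resources"))
    for name, res in resources.items():
        if as_dict(res).get("Type") != CF_DIST:
            continue
        config = as_dict(as_dict(res.get("Properties")).get("DistributionConfig"))
        geo = as_dict(config.get("Restrictions")).get("GeoRestriction")
        if not isinstance(geo, dict):
            findings.append((name, "FAIL", "no GeoRestriction block"))
            continue
        rtype = geo.get("RestrictionType")
        if isinstance(rtype, dict):
            # Intrinsic function such as Ref or Fn::If: not resolvable statically.
            findings.append((name, "REVIEW", "RestrictionType set by intrinsic function"))
        elif rtype not in ("whitelist", "blacklist"):
            findings.append((name, "FAIL", f"RestrictionType is {rtype!r}"))
        elif not geo.get("Locations"):
            findings.append((name, "FAIL", f"{rtype} has no Locations"))
    return findings

if __name__ == "__main__":
    for finding in check_geo_restriction(SAMPLE_TEMPLATE):
        print(*finding, sep="\t")
```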