Connection Between CloudFront Origin Not Encrypted
- Query id: a5366a50-932f-4085-896b-41402714a388
- Query name: Connection Between CloudFront Origin Not Encrypted
- Platform: CloudFormation
- Severity: Medium
- Category: Encryption
- CWE: 319
- URL: Github
Description
Checks whether the connection between CloudFront and the origin server is encrypted
Documentation
Code samples
Code samples with security vulnerabilities
Positive test num. 1 - yaml file
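# This is problematic code for which the query should report a result(s).
# Minimal KICS fixture, not a deployable template: required origin fields
# (DomainName, Id, OriginProtocolPolicy) are intentionally omitted.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  cloudfrontdistribution_1:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: viewer-request
                LambdaFunctionARN: examp
        DefaultCacheBehavior:
          # allow-all lets viewers reach the distribution over plain HTTP.
          # This is the only attribute that differs from the negative sample;
          # the origin-side CustomOriginConfig below is identical in both.
          ViewerProtocolPolicy: allow-all
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        IPV6Enabled: true
        Origins:
          # No OriginProtocolPolicy is set on the custom origin, so the
          # CloudFront-to-origin protocol is not what this fixture exercises
          # (TODO confirm against the query source).
          - CustomOriginConfig:
              OriginKeepaliveTimeout: 60
              OriginReadTimeout: 30
      Tags:
        - Key: name
          Value: example
  cloudfrontdistribution_2:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        # NOTE(review): CacheBehaviors is a mapping here, matching the JSON
        # twin of this sample; the CloudFormation schema expects a list of
        # CacheBehavior objects.
        CacheBehaviors:
          ViewerProtocolPolicy: allow-all
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        IPV6Enabled: true
        Origins:
          - CustomOriginConfig:
              OriginKeepaliveTimeout: 60
              OriginReadTimeout: 30
      Tags:
        - Key: name
          Value: example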
Positive test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"cloudfrontdistribution_1": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"CacheBehaviors": [
{
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
}
],
"DefaultCacheBehavior": {
"ViewerProtocolPolicy": "allow-all",
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
},
"IPV6Enabled": true,
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": 60,
"OriginReadTimeout": 30
}
}
]
},
"Tags": [
{
"Key": "name",
"Value": "example"
}
]
}
},
"cloudfrontdistribution_2": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"Tags": [
{
"Key": "name",
"Value": "example"
}
],
"CacheBehaviors": {
"ViewerProtocolPolicy": "allow-all",
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
},
"DefaultCacheBehavior": {
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
},
"IPV6Enabled": true,
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": 60,
"OriginReadTimeout": 30
}
}
]
}
}
}
}
}
Code samples without security vulnerabilities
Negative test num. 1 - yaml file
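# This is correct code for which the query should not find any result.
# Minimal KICS fixture, not a deployable template: required origin fields
# (DomainName, Id, OriginProtocolPolicy) are intentionally omitted.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  cloudfrontdistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        CacheBehaviors:
          - LambdaFunctionAssociations:
              - EventType: viewer-request
                LambdaFunctionARN: examp
        # ViewerProtocolPolicy is left unset here, which is what separates this
        # sample from the positive one. CloudFormation requires the property,
        # so a deployable variant would set it explicitly to redirect-to-https
        # or https-only.
        DefaultCacheBehavior:
          LambdaFunctionAssociations:
            - EventType: viewer-request
              LambdaFunctionARN: examp
        IPV6Enabled: true
        Origins:
          # CustomOriginConfig is identical to the positive samples and has no
          # OriginProtocolPolicy (TODO confirm whether the query inspects it).
          - CustomOriginConfig:
              OriginKeepaliveTimeout: 60
              OriginReadTimeout: 30
      Tags:
        - Key: name
          Value: example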
Negative test num. 2 - json file
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"cloudfrontdistribution": {
"Type": "AWS::CloudFront::Distribution",
"Properties": {
"DistributionConfig": {
"DefaultCacheBehavior": {
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
},
"IPV6Enabled": true,
"Origins": [
{
"CustomOriginConfig": {
"OriginKeepaliveTimeout": 60,
"OriginReadTimeout": 30
}
}
],
"CacheBehaviors": [
{
"LambdaFunctionAssociations": [
{
"EventType": "viewer-request",
"LambdaFunctionARN": "examp"
}
]
}
]
},
"Tags": [
{
"Key": "name",
"Value": "example"
}
]
}
}
}
}