CloudFront Without WAF
- Query id: 6d19ce0f-b3d8-4128-ac3d-1064e0f00494
- Query name: CloudFront Without WAF
- Platform: Crossplane
- Severity: Medium
- Category: Networking and Firewall
- URL: Github
Description¶
All AWS CloudFront distributions should be integrated with the Web Application Firewall (AWS WAF) service
Documentation
Code samples¶
Code samples with security vulnerabilities¶
Positive test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
name: sample-distribution
spec:
forProvider:
region: us-east-1
distributionConfig:
enabled: true
comment: Crossplane - auto provisioning
viewerCertificate:
sslSupportMethod: sni-only
cloudFrontDefaultCertificate: false
minimumProtocolVersion: TLSv1.2_2018
origins:
items:
- domainName: sample.s3.amazonaws.com
id: s3Origin
s3OriginConfig:
originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: cluster-aws
labels:
provider: aws
cluster: eks
spec:
compositeTypeRef:
apiVersion: mydev.org/v1alpha1
kind: CompositeCluster
writeConnectionSecretsToNamespace: crossplane-system
patchSets:
- name: metadata
patches:
- fromFieldPath: metadata.labels
resources:
- name: sample-cloudfront
base:
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
name: sample-distribution
spec:
forProvider:
region: us-east-1
distributionConfig:
enabled: true
comment: Crossplane - auto provisioning
viewerCertificate:
sslSupportMethod: sni-only
cloudFrontDefaultCertificate: false
minimumProtocolVersion: TLSv1.2_2018
origins:
items:
- domainName: sample.s3.amazonaws.com
id: s3Origin
s3OriginConfig:
originAccessIDentity: ""
Code samples without security vulnerabilities¶
Negative test num. 1 - yaml file
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
name: sample-distribution
spec:
forProvider:
region: us-east-1
distributionConfig:
enabled: true
comment: Crossplane - auto provisioning
viewerCertificate:
sslSupportMethod: sni-only
cloudFrontDefaultCertificate: false
minimumProtocolVersion: TLSv1.2_2018
webACLID: 473e64fd-f30b-4765-81a0-62ad96dd167a
origins:
items:
- domainName: sample.s3.amazonaws.com
id: s3Origin
s3OriginConfig:
originAccessIDentity: ""
---
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: cluster-aws
labels:
provider: aws
cluster: eks
spec:
compositeTypeRef:
apiVersion: mydev.org/v1alpha1
kind: CompositeCluster
writeConnectionSecretsToNamespace: crossplane-system
patchSets:
- name: metadata
patches:
- fromFieldPath: metadata.labels
resources:
- name: sample-cloudfront
base:
apiVersion: cloudfront.aws.crossplane.io/v1alpha1
kind: Distribution
metadata:
name: sample-distribution
spec:
forProvider:
region: us-east-1
distributionConfig:
enabled: true
comment: Crossplane - auto provisioning
viewerCertificate:
sslSupportMethod: sni-only
cloudFrontDefaultCertificate: false
minimumProtocolVersion: TLSv1.2_2018
webACLID: 473e64fd-f30b-4765-81a0-62ad96dd167a
origins:
items:
- domainName: sample.s3.amazonaws.com
id: s3Origin
s3OriginConfig:
originAccessIDentity: ""