Configure HTTPS for CloudFront distribution ViewerProtocolPolicy High

HTTPS is not enforced by the ViewerProtocolPolicy of the CloudFront distribution. Make sure that the CloudFront distribution's ViewerProtocolPolicy is configured to require HTTPS.

Detector ID
terraform/conf-https-cloudfront-policy-terraform@v1.0
Category
Common Weakness Enumeration (CWE)

Noncompliant example

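# Noncompliant example: the distribution still accepts plaintext HTTP because
# `viewer_protocol_policy` is `allow-all`. The rest of the resource is kept
# valid so that the protocol policy is the only thing the detector reports.
resource "aws_cloudfront_distribution" "cf" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  price_class         = "PriceClass_100"
  aliases             = [data.aws_route53_zone.selected.name]

  # `web_acl_id` takes the web ACL's ARN, not the resource object itself.
  web_acl_id = aws_wafv2_web_acl.waf_cloudfront.arn

  origin {
    domain_name = aws_s3_bucket.statics.bucket_regional_domain_name
    origin_id   = local.s3_origin_id
  }

  origin {
    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id   = "primaryS3"

    # Restrict bucket access to CloudFront via an origin access identity.
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }

  # Serve from "primaryS3" and fail over to "failoverS3" on the listed status
  # codes. NOTE(review): no origin with origin_id "failoverS3" is declared in
  # this example — confirm it exists elsewhere in the module.
  origin_group {
    origin_id = "groupS3"

    failover_criteria {
      status_codes = [403, 404, 500, 502]
    }

    member {
      origin_id = "primaryS3"
    }

    member {
      origin_id = "failoverS3"
    }
  }

  # Only one default_cache_behavior block is allowed per distribution; the
  # response headers policy that used to sit in a second block lives here.
  # Empty method lists and an empty target are rejected by the provider, so
  # the behavior targets the origin group and allows read-only methods.
  # NOTE(review): a cache_policy_id or forwarded_values block is also required
  # — not shown in this example.
  default_cache_behavior {
    allowed_methods            = ["GET", "HEAD"]
    cached_methods             = ["GET", "HEAD"]
    target_origin_id           = "groupS3"
    response_headers_policy_id = data.aws_cloudfront_response_headers_policy.simple_cors.id
    # Noncompliant: `viewer_protocol_policy` is set to `allow-all`.
    viewer_protocol_policy = "allow-all"
  }

  restrictions {
    geo_restriction {
      # "none" disables geo restriction; an empty string is not a valid type.
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # Placeholder ARN. `ssl_support_method` is required whenever a custom
    # (ACM) certificate is used; the 2021 security policy drops the weaker
    # cipher suites still allowed by TLSv1.2_2018.
    acm_certificate_arn      = "aws_acm_certificate_arn"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  # Standard access logs to S3; cookies are excluded to keep session data out
  # of the log bucket.
  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }
}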
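# Ship the web ACL's request logs to CloudWatch Logs so allowed and blocked
# requests are available for detection and incident response.
resource "aws_wafv2_web_acl_logging_configuration" "pike" {
  resource_arn = aws_wafv2_web_acl.waf_cloudfront.arn

  # AWS WAF only accepts CloudWatch log groups whose name starts with
  # "aws-waf-logs-"; the original "pike/" name would be rejected. The account
  # id is hard-coded here — prefer referencing the log group resource or
  # data.aws_caller_identity in real code.
  # NOTE(review): for a CLOUDFRONT-scoped web ACL the destination must be in
  # us-east-1 — confirm the region.
  log_destination_configs = ["arn:aws:logs:eu-west-2:680235478471:log-group:aws-waf-logs-pike"]
}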
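# Web ACL attached to the CloudFront distribution above. Two AWS managed rule
# groups are evaluated in priority order; the default action allows whatever
# they do not block.
resource "aws_wafv2_web_acl" "waf_cloudfront" {
  name        = "managed-rule-example"
  description = "Example of a managed rule."
  # A web ACL associated with a CloudFront distribution must use the
  # CLOUDFRONT scope (REGIONAL is for ALB/API Gateway/AppSync) and be created
  # in us-east-1.
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    # `none` keeps the managed group's own block/count actions.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"

        # NOTE(review): "rule-1" is the name of this web ACL rule, not of a
        # rule inside the managed group — confirm which rule is meant.
        excluded_rule {
          name = "rule-1"
        }

        # Only evaluate the group for traffic from these countries.
        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    # Metrics and sampled requests enabled, with a per-rule metric name, so
    # each rule's matches can be alerted on separately.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-1-anonymous-ip-list"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "rule-2"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"

        excluded_rule {
          name = "SizeRestrictions_QUERYSTRING"
        }

        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-2-known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }

  # Web-ACL-level metrics: overall allowed/blocked counts and request samples.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = true
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}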
# Looks up the response headers policy named "SimpleCORS" by name; the
# distribution's default cache behavior references its id.
# NOTE(review): the AWS-managed variant is called "Managed-SimpleCORS" —
# confirm a policy with this exact name exists in the account.
data "aws_cloudfront_response_headers_policy" "simple_cors" {
  name = "SimpleCORS"
}

Compliant example

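# Compliant example: viewers on plain HTTP are redirected to HTTPS, so no
# request or response crosses the network unencrypted. The rest of the
# resource is kept valid so the example applies as written.
resource "aws_cloudfront_distribution" "cf" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  price_class         = "PriceClass_100"
  aliases             = [data.aws_route53_zone.selected.name]

  # `web_acl_id` takes the web ACL's ARN, not the resource object itself.
  web_acl_id = aws_wafv2_web_acl.waf_cloudfront.arn

  origin {
    domain_name = aws_s3_bucket.statics.bucket_regional_domain_name
    origin_id   = local.s3_origin_id
  }

  origin {
    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id   = "primaryS3"

    # Restrict bucket access to CloudFront via an origin access identity.
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }

  # Serve from "primaryS3" and fail over to "failoverS3" on the listed status
  # codes. NOTE(review): no origin with origin_id "failoverS3" is declared in
  # this example — confirm it exists elsewhere in the module.
  origin_group {
    origin_id = "groupS3"

    failover_criteria {
      status_codes = [403, 404, 500, 502]
    }

    member {
      origin_id = "primaryS3"
    }

    member {
      origin_id = "failoverS3"
    }
  }

  # Only one default_cache_behavior block is allowed per distribution; the
  # response headers policy that used to sit in a second block lives here.
  # Empty method lists and an empty target are rejected by the provider, so
  # the behavior targets the origin group and allows read-only methods.
  # NOTE(review): a cache_policy_id or forwarded_values block is also required
  # — not shown in this example.
  default_cache_behavior {
    allowed_methods            = ["GET", "HEAD"]
    cached_methods             = ["GET", "HEAD"]
    target_origin_id           = "groupS3"
    response_headers_policy_id = data.aws_cloudfront_response_headers_policy.simple_cors.id
    # Compliant: `viewer_protocol_policy` is set to `redirect-to-https`.
    viewer_protocol_policy = "redirect-to-https"
  }

  restrictions {
    geo_restriction {
      # "none" disables geo restriction; an empty string is not a valid type.
      restriction_type = "none"
    }
  }

  viewer_certificate {
    # Placeholder ARN. `ssl_support_method` is required whenever a custom
    # (ACM) certificate is used; the 2021 security policy drops the weaker
    # cipher suites still allowed by TLSv1.2_2018.
    acm_certificate_arn      = "aws_acm_certificate_arn"
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  # Standard access logs to S3; cookies are excluded to keep session data out
  # of the log bucket.
  logging_config {
    include_cookies = false
    bucket          = "mylogs.s3.amazonaws.com"
    prefix          = "myprefix"
  }
}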
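# Ship the web ACL's request logs to CloudWatch Logs so allowed and blocked
# requests are available for detection and incident response.
resource "aws_wafv2_web_acl_logging_configuration" "pike" {
  resource_arn = aws_wafv2_web_acl.waf_cloudfront.arn

  # AWS WAF only accepts CloudWatch log groups whose name starts with
  # "aws-waf-logs-"; the original "pike/" name would be rejected. The account
  # id is hard-coded here — prefer referencing the log group resource or
  # data.aws_caller_identity in real code.
  # NOTE(review): for a CLOUDFRONT-scoped web ACL the destination must be in
  # us-east-1 — confirm the region.
  log_destination_configs = ["arn:aws:logs:eu-west-2:680235478471:log-group:aws-waf-logs-pike"]
}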
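# Web ACL attached to the CloudFront distribution above. Two AWS managed rule
# groups are evaluated in priority order; the default action allows whatever
# they do not block.
resource "aws_wafv2_web_acl" "waf_cloudfront" {
  name        = "managed-rule-example"
  description = "Example of a managed rule."
  # A web ACL associated with a CloudFront distribution must use the
  # CLOUDFRONT scope (REGIONAL is for ALB/API Gateway/AppSync) and be created
  # in us-east-1.
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  rule {
    name     = "rule-1"
    priority = 1

    # `none` keeps the managed group's own block/count actions.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesAnonymousIpList"
        vendor_name = "AWS"

        # NOTE(review): "rule-1" is the name of this web ACL rule, not of a
        # rule inside the managed group — confirm which rule is meant.
        excluded_rule {
          name = "rule-1"
        }

        # Only evaluate the group for traffic from these countries.
        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    # Metrics and sampled requests enabled, with a per-rule metric name, so
    # each rule's matches can be alerted on separately.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-1-anonymous-ip-list"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "rule-2"
    priority = 2

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesKnownBadInputsRuleSet"
        vendor_name = "AWS"

        excluded_rule {
          name = "SizeRestrictions_QUERYSTRING"
        }

        scope_down_statement {
          geo_match_statement {
            country_codes = ["US", "NL"]
          }
        }
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rule-2-known-bad-inputs"
      sampled_requests_enabled   = true
    }
  }

  # Web-ACL-level metrics: overall allowed/blocked counts and request samples.
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "friendly-metric-name"
    sampled_requests_enabled   = true
  }

  tags = {
    Tag1 = "Value1"
    Tag2 = "Value2"
  }
}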
# Looks up the response headers policy named "SimpleCORS" by name; the
# distribution's default cache behavior references its id.
# NOTE(review): the AWS-managed variant is called "Managed-SimpleCORS" —
# confirm a policy with this exact name exists in the account.
data "aws_cloudfront_response_headers_policy" "simple_cors" {
  name = "SimpleCORS"
}