A config rule that checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule returns NON_COMPLIANT if the ViewerProtocolPolicy is set to 'allow-all' in the defaultCacheBehavior or in any of the cacheBehaviors (i.e. viewers can use HTTP or HTTPS).
Note: This config rule is supported in us-east-1 only.
AWSTemplateFormatVersion: '2010-09-09'
Description: ''
Resources:
  CustomConfigRule:
    Type: 'AWS::Config::ConfigRule'
    Properties:
      ConfigRuleName: cloudfront_viewer_policy_https
      Description: >-
        A config rule that checks whether your Amazon CloudFront Distributions
        use HTTPS (directly or via a redirection). The rule returns
        NON_COMPLIANT if the ViewerProtocolPolicy is set to 'allow-all' in the
        defaultCacheBehavior or in the cacheBehaviors (i.e...
      Scope:
        ComplianceResourceTypes:
          - 'AWS::CloudFront::Distribution'
      Source:
        Owner: CUSTOM_LAMBDA
        SourceIdentifier:
          'Fn::GetAtt':
            - LambdaFunction
            - Arn
        SourceDetails:
          - EventSource: aws.config
            MessageType: ConfigurationItemChangeNotification
          - EventSource: aws.config
            MessageType: OversizedConfigurationItemChangeNotification
    DependsOn: LambdaInvokePermissions
  LambdaInvokePermissions:
    Type: 'AWS::Lambda::Permission'
    Properties:
      FunctionName:
        'Fn::GetAtt':
          - LambdaFunction
          - Arn
      Action: 'lambda:InvokeFunction'
      Principal: config.amazonaws.com
  LambdaFunction:
    Type: 'AWS::Lambda::Function'
    Properties:
      FunctionName: LambdaForcloudfront_viewer_policy_https
      Handler: index.lambda_handler
      Role:
        'Fn::GetAtt':
          - LambdaIamRole
          - Arn
      Runtime: python3.6
      Code:
        S3Bucket:
          'Fn::Sub':
            - 'asecure-cloud-cf-aux-${Region}'
            - Region:
                Ref: 'AWS::Region'
        S3Key: CLOUDFRONT_VIEWER_POLICY_HTTPS.zip
      Timeout: 300
    DependsOn: LambdaIamRole
  LambdaIamRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
            Action:
              - 'sts:AssumeRole'
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/CloudFrontReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/service-role/AWSConfigRulesExecutionRole'
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
      Policies: []
      RoleName: IAMRoleForcloudfront_viewer_policy_httpsrxa
Parameters: {}
Metadata: {}
Conditions: {}
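The template above only wires up the Lambda function; the evaluation logic lives in the zipped code the page does not show. The following is an added example (not the rule repository's own code) of what that handler's check looks like: it walks defaultCacheBehavior and every cacheBehaviors item, flags 'allow-all', and builds the evaluation that the real function would pass to config.put_evaluations(). The configuration-item key names and the SAMPLE_EVENT are assumed/constructed to mirror the CloudFront API in camelCase; the oversized-notification branch is stubbed so the example runs offline.

```python
import json

ALLOW_ALL = "allow-all"  # viewers may connect over plain HTTP; the policy the rule flags


def evaluate_distribution(dist_config):
    """Return (compliance_type, annotation) for one CloudFront distributionConfig dict.

    Key names (defaultCacheBehavior, cacheBehaviors.items, viewerProtocolPolicy) are
    assumed to follow the CloudFront API as AWS Config records them.
    """
    offending = []
    default_policy = dist_config.get("defaultCacheBehavior", {}).get("viewerProtocolPolicy")
    if default_policy == ALLOW_ALL:
        offending.append("defaultCacheBehavior")
    for behavior in dist_config.get("cacheBehaviors", {}).get("items") or []:
        if behavior.get("viewerProtocolPolicy") == ALLOW_ALL:
            offending.append("cacheBehavior[%s]" % behavior.get("pathPattern", "?"))
    if offending:
        # Config truncates annotations at 256 characters; keep it within the limit ourselves.
        return "NON_COMPLIANT", ("ViewerProtocolPolicy is allow-all in: " + ", ".join(offending))[:256]
    return "COMPLIANT", "All cache behaviors enforce HTTPS (https-only or redirect-to-https)"


def lambda_handler(event, context):
    """Build the evaluation a custom Config rule would report via config.put_evaluations()."""
    invoking_event = json.loads(event["invokingEvent"])
    if invoking_event["messageType"] == "OversizedConfigurationItemChangeNotification":
        # An oversized notification carries only a summary; the full item must be fetched
        # with config.get_resource_config_history() (omitted so this example runs offline).
        raise NotImplementedError("fetch the configuration item via get_resource_config_history")
    item = invoking_event["configurationItem"]
    compliance, annotation = evaluate_distribution(item["configuration"]["distributionConfig"])
    return {
        "ComplianceResourceType": item["resourceType"],
        "ComplianceResourceId": item["resourceId"],
        "ComplianceType": compliance,
        "Annotation": annotation,
        "OrderingTimestamp": item["configurationItemCaptureTime"],
    }


# Constructed sample event: the default behavior redirects to HTTPS, but one path-specific
# cache behavior still allows HTTP, so the distribution as a whole is NON_COMPLIANT.
SAMPLE_EVENT = {"invokingEvent": json.dumps({
    "messageType": "ConfigurationItemChangeNotification",
    "configurationItem": {
        "resourceType": "AWS::CloudFront::Distribution",
        "resourceId": "EXAMPLEDISTID",
        "configurationItemCaptureTime": "2020-01-01T00:00:00.000Z",
        "configuration": {"distributionConfig": {
            "defaultCacheBehavior": {"viewerProtocolPolicy": "redirect-to-https"},
            "cacheBehaviors": {"quantity": 1, "items": [
                {"pathPattern": "/api/*", "viewerProtocolPolicy": "allow-all"}]}}}}})}
```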
Configuration Source: AWS Config Rule Repository