CloudFormation Guard rules template for AWS CloudFront resources
The following rules are included:
# Collect every CloudFront distribution in the template. Each rule below is
# guarded with `when %cloudfront_distributions !empty`, so a template with no
# distributions is reported as SKIP rather than FAIL.
let cloudfront_distributions = Resources.*[
    Type == "AWS::CloudFront::Distribution"
]
# Every distribution must have standard (access) logging configured.
rule cloudfront_logging when %cloudfront_distributions !empty {
    %cloudfront_distributions {
        Properties {
            DistributionConfig {
                # Only the presence of the Logging block is checked; the
                # destination bucket and prefix are not validated here.
                Logging exists <<Logging is disabled.>>
            }
        }
    }
}
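# Every distribution must be associated with a WAF web ACL.
rule cloudfront_waf when %cloudfront_distributions !empty {
    %cloudfront_distributions {
        Properties {
            DistributionConfig {
                WebACLId exists <<WAF protection is disabled.>>
                # CloudFront expresses "no web ACL" as an empty WebACLId string,
                # so a present-but-empty value must fail as well, not just a
                # missing key.
                WebACLId !empty <<WAF protection is disabled (WebACLId is empty).>>
            }
        }
    }
}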
# Geo restriction must be configured and must not be set to "none".
rule cloudfront_geo_restriction when %cloudfront_distributions !empty {
    %cloudfront_distributions {
        Properties {
            DistributionConfig {
                Restrictions exists <<Restrictions is not configured (i.e disabled).>>
                # Descend only when the block is present, so a missing
                # Restrictions block reports the message above instead of a
                # retrieval error from the nested path.
                when Restrictions exists {
                    Restrictions {
                        GeoRestriction {
                            # Any value other than "none" (whitelist or blacklist) passes.
                            RestrictionType != "none" <<Geo Restrictions are disabled.>>
                        }
                    }
                }
            }
        }
    }
}
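# Custom origins must not negotiate deprecated SSL/TLS versions with CloudFront.
rule cloudfront_deprecated_ssl_protocols when %cloudfront_distributions !empty {
    %cloudfront_distributions {
        Properties {
            DistributionConfig {
                Origins.* {
                    # OriginSSLProtocols is only settable under CustomOriginConfig;
                    # S3OriginConfig origins carry no such property and are skipped.
                    when CustomOriginConfig exists {
                        CustomOriginConfig {
                            # A missing list is a configuration gap, not a protocol
                            # finding, so the message says so explicitly.
                            OriginSSLProtocols exists <<OriginSSLProtocols is not configured for a custom origin.>>
                            when OriginSSLProtocols exists {
                                # SSLv3, TLSv1 and TLSv1.1 are all deprecated (TLS 1.0/1.1
                                # per RFC 8996); TLSv1.2 is the only remaining acceptable
                                # value. Each element of the list is checked.
                                OriginSSLProtocols.* != "SSLv3" <<Deprecated SSL protocols are being used.>>
                                OriginSSLProtocols.* != "TLSv1" <<Deprecated SSL protocols are being used.>>
                                OriginSSLProtocols.* != "TLSv1.1" <<Deprecated SSL protocols are being used.>>
                            }
                        }
                    }
                }
            }
        }
    }
}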
# Viewer-facing TLS must use a certificate issued through ACM.
rule cloudfront_distribution_acm_certificates when %cloudfront_distributions !empty {
    %cloudfront_distributions {
        Properties {
            DistributionConfig {
                ViewerCertificate exists <<ViewerCertificate is not configured (i.e disabled).>>
                # Descend only when the block is present so the message above is
                # reported for a missing ViewerCertificate.
                when ViewerCertificate exists {
                    ViewerCertificate {
                        # Only an ACM certificate ARN satisfies this rule; the default
                        # CloudFront certificate and IAM-uploaded certificates
                        # (IamCertificateId) both fail.
                        # NOTE(review): MinimumProtocolVersion is not constrained by
                        # this rule set.
                        AcmCertificateArn exists <<Acm Certificate not used.>>
                    }
                }
            }
        }
    }
}