CloudFormation Guard rules template for AWS CloudFront resources

The following rules are included: 

  • Logging Enabled 
  • WAF Protection Enabled 
  • Geo Restriction Enabled
  • No Deprecated SSL Protocols In-Use
  • ACM Certificates Used

# Select every AWS::CloudFront::Distribution resource in the template. All rules
# below are gated on this set being non-empty so templates without a
# distribution are skipped rather than failed.
let cloudfront_distributions = Resources.*[ Type == "AWS::CloudFront::Distribution" ]

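# Logging Enabled: every distribution must declare a Logging block, and that
# block must name a target bucket. `Logging: {}` alone satisfies `exists` but
# does not produce access logs, so the bucket is checked as a second step.
rule cloudfront_logging when %cloudfront_distributions !empty {
	%cloudfront_distributions {
		Properties {
			DistributionConfig {
				Logging exists <<Logging is disabled.>>
				when Logging exists {
					Logging {
						Bucket exists <<Logging is configured without a target bucket.>>
					}
				}
			}
		}
	}
}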

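# WAF Protection Enabled: every distribution must reference a Web ACL.
# `exists` alone accepts `WebACLId: ""`, which deploys with no WAF attached,
# so an explicit non-empty check follows the presence check.
rule cloudfront_waf when %cloudfront_distributions !empty {
	%cloudfront_distributions {
		Properties {
			DistributionConfig {
				WebACLId exists <<WAF protection is disabled.>>
				when WebACLId exists {
					WebACLId !empty <<WebACLId is set to an empty value.>>
				}
			}
		}
	}
}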

# Geo Restriction Enabled: a Restrictions block must be present and its
# GeoRestriction.RestrictionType must be something other than "none"
# (i.e. a whitelist or blacklist of locations is in effect).
rule cloudfront_geo_restriction when %cloudfront_distributions !empty {
	%cloudfront_distributions {
		Properties {
			DistributionConfig {
				Restrictions exists <<Restrictions is not configured (i.e disabled).>>
				# Only descend once the block is known to exist so the
				# missing-block case reports the message above, not a path error.
				when Restrictions exists {
					Restrictions.GeoRestriction.RestrictionType != "none" <<Geo Restrictions are disabled.>>
				}
			}
		}
	}
}

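# No Deprecated SSL Protocols In-Use: for every custom (non-S3) origin the
# origin-side protocol list must be declared explicitly and must not contain
# SSLv3. When OriginSSLProtocols is omitted CloudFront applies its own default,
# which cannot be inspected from the template, so an absent list is reported as
# "not configured" rather than as a deprecated protocol being used.
# NOTE(review): TLSv1 and TLSv1.1 are also deprecated (RFC 8996); tightening this
# rule to allow only "TLSv1.2" is a policy decision left to the template owner.
rule cloudfront_deprecated_ssl_protocols when %cloudfront_distributions !empty {
	%cloudfront_distributions {
		Properties {
			DistributionConfig {
				Origins.* {
					# S3 origins carry S3OriginConfig instead and have no
					# configurable origin protocol list; they are skipped.
					when CustomOriginConfig exists {
						CustomOriginConfig {
							OriginSSLProtocols exists <<OriginSSLProtocols is not explicitly configured.>>
							when OriginSSLProtocols exists {
								OriginSSLProtocols.* != "SSLv3" <<Deprecated SSL protocols are being used.>>
							}
						}
					}
				}
			}
		}
	}
}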

# ACM Certificates Used: a ViewerCertificate block must be present and must
# reference an ACM certificate ARN. Distributions relying on the default
# CloudFront certificate, or on an IAM-uploaded certificate, fail this rule.
rule cloudfront_distribution_acm_certificates when %cloudfront_distributions !empty {
	%cloudfront_distributions {
		Properties {
			DistributionConfig {
				ViewerCertificate exists <<ViewerCertificate is not configured (i.e disabled).>>
				# Descend only after the presence check so a missing block yields
				# the message above instead of a path-resolution failure.
				when ViewerCertificate exists {
					ViewerCertificate.AcmCertificateArn exists <<Acm Certificate not used.>>
				}
			}
		}
	}
}

