A collection of AWS Security controls for Amazon CloudFront. Controls include templates for CloudFront distributions and resources, AWS Config rules for monitoring compliance, and CloudWatch Alarms. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.
This template creates a CloudFront distribution with specified cache behaviors, default cache behavior, IPV6 enabled, origins, and tags.
Configuration template to deploy a CloudFront distribution. A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.
Configuration template to deploy a CloudFront cache policy which determines which objects are served from the CloudFront cache when the viewer requests data over HTTP.
Configuration template to deploy a CloudFront function. CloudFront functions are lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations.
Configuration template to define a CloudFront public key which can be used with signed URLs and signed cookies, or with field-level encryption. The template also supports defining CloudFront key groups which are a collection of public keys.
Configuration template to create a CloudFront Origin Access Control which can be added to an origin in a CloudFront distribution so that CloudFront sends authenticated (signed) requests to the origin. For an Amazon S3 origin, this makes it possible to block public access to the Amazon S3 bucket so that viewers (users) can access the content in the bucket only through CloudFront.
Configuration template to create a CloudFront Real-Time Logging Configuration. With real-time logging, you can get information about requests made to a distribution in real time (logs are delivered using Kinesis streams within seconds of receiving the requests).
This template creates a new origin access identity (OAI) for CloudFront. An origin access identity is a special CloudFront user that can be associated with Amazon S3 origins to secure the content. The template specifies the comment for the origin access identity.
Sets up a basic continuous deployment policy for AWS CloudFront with separate staging and production distributions.
Configures a CloudFront continuous deployment policy with single weight traffic routing and session stickiness settings.
Implements a CloudFront continuous deployment policy using a single header configuration for traffic routing.
Creates a CloudFront distribution with an origin group for failover routing, handling different origin configurations and failover criteria.
Creates a CloudFront distribution using an AWS managed caching policy, specifically configured for disabled caching.
Creates a CloudFront field-level encryption configuration that specifies how to handle encrypted content for both content types and query arguments.
Creates a CloudFront public key and a field-level encryption profile using that key, specifically encrypting the 'DateOfBirth' field.
This template creates a CloudFront public key and a key group that includes the public key.
Creates a CloudFront origin request policy with specific configurations for cookies, headers, and query strings.
Creates a basic CloudFront response headers policy with CORS configuration.
Creates a CloudFront response headers policy with custom headers configuration.
Creates a CloudFront response headers policy with both custom headers and server timing headers configurations.
A Config rule that checks whether your CloudFront distribution has been configured to store logs in an authorized S3 bucket.
A Config rule that checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection).
A Config rule that checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if the CloudFront distribution does not have a default root object configured.
A Config rule that checks that an Amazon CloudFront distribution with an Amazon S3 origin type has an Origin Access Identity (OAI) configured. This rule is NON_COMPLIANT if the CloudFront distribution is backed by Amazon S3 and any of its Amazon S3 origins does not have an OAI configured.
A Config rule that checks whether an Amazon CloudFront distribution has an origin group configured with at least 2 origins in the group. This rule is NON_COMPLIANT if there are no origin groups for the distribution.
A Config rule that checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. This rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is using a dedicated IP address.
A Config rule that checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.
A Config rule that checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any ‘OriginSslProtocols’ includes ‘SSLv3’.
A Config rule that checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if OriginProtocolPolicy is http-only or if OriginProtocolPolicy is match-viewer and ViewerProtocolPolicy is allow-all.
Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.
Checks if Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.
Checks if an Amazon CloudFront distribution with an Amazon Simple Storage Service (Amazon S3) Origin type has origin access control (OAC) enabled. The rule is NON_COMPLIANT for CloudFront distributions with Amazon S3 origins that don't have OAC enabled.
Checks if Amazon CloudFront distributions point to a non-existent S3 bucket. The rule is NON_COMPLIANT if `S3OriginConfig` for a CloudFront distribution points to a non-existent S3 bucket. The rule does not evaluate S3 buckets with static website hosting.
Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018.
CloudFormation guard rules template for IAM resources
CloudFormation guard rules template for EC2 resources
CloudFormation guard rules template for S3 resources
CloudFormation guard rules template for Security Groups
CloudFormation guard rules template for AWS Lambda resources
CloudFormation guard rules template for AWS OpenSearch resources
CloudFormation guard rules template for Amazon VPC resources
CloudFormation guard rules template for Amazon SageMaker resources
CloudFormation guard rules template for DynamoDB and DynamoDB Accelerator (DAX) resources
CloudFormation guard rules template for AWS Certificate Manager (ACM) resources
CloudFormation guard rules template for AWS Budget resources
CloudFormation guard rules template for AWS CloudFront resources
CloudFormation guard rules template for CloudWatch Log groups
CloudFormation guard rules template for CodeBuild resources
CloudFormation guard rules template for AWS Config
CloudFormation guard rules template for AWS DMS
CloudFormation guard rules template for AWS DocumentDB resources
CloudFormation guard rules template for EFS resources
CloudFormation guard rules template for ElastiCache resources
CloudFormation guard rules template for KMS resources
CloudFormation guard rules template for Network Firewall resources
CloudFormation guard rules template for SNS resources
CloudFormation guard rules template for SQS resources
CloudFormation guard rules template for WAF resources
CloudFormation guard rules template for API Gateway resources
CloudFormation guard rules template for AWS Backup resources
CloudFormation guard rules template for AWS CloudTrail resources
CloudFormation guard rules template for AWS CloudWatch Alarms
CloudFormation guard rules template for Amazon ECR resources
CloudFormation guard rules template for Amazon EKS resources
CloudFormation guard rules template for AWS Load Balancer resources
CloudFormation guard rules template for EMR resources
CloudFormation guard rules template for Amazon FSx resources
CloudFormation guard rules template for AWS Secrets Manager resources
CloudFormation guard rules template for Amazon Redshift resources
CloudFormation guard rules template for Amazon Route53 resources
CloudFormation guard rules template for Amazon MSK (Managed Apache Kafka) resources
CloudFormation guard rules template for Amazon Neptune resources
CloudFormation guard rules template for Auto Scaling Group resources