A collection of AWS Security controls for Amazon CloudFront. Controls include templates for CloudFront distributions and resources, AWS Config rules for monitoring compliance, and CloudWatch Alarms. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform

CloudFront
CloudFront Distribution for Static S3 Website

This template creates a CloudFront distribution with specified cache behaviors, default cache behavior, IPV6 enabled, origins, and tags.

CloudFormationTerraform
CloudFront Distribution

Configuration template to deploy a CloudFront distribution. A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.

CloudFront Cache Policy

Configuration template to deploy a CloudFront cache policy which determines which objects are served from the CloudFront cache when the viewer requests data over HTTP. 

CloudFront Function

Configuration template to deploy a CloudFront function. CloudFront functions are lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations.

CloudFront Public Key (and Key Group)

Configuration template to define a CloudFront public key which can be used with signed URLs and signed cookies, or with field-level encryption. The template also supports defining CloudFront key groups which are a collection of public keys.

CloudFront Origin Access Control

Configuration template to create a CloudFront Origin Access Control which can be added to an origin in a CloudFront distribution so that CloudFront sends authenticated (signed) requests to the origin. For an Amazon S3 origin, this makes it possible to block public access to the Amazon S3 bucket so that viewers (users) can access the content in the bucket only through CloudFront.

CloudFront Real-Time Log Configuration

Configuration template to create a CloudFront Real-Time Logging Configuration. With real-time logging, you can get information about requests made to a distribution in real time (logs are delivered using Kinesis streams within seconds of receiving the requests). 

CloudFront Origin Access Identity

This template creates a new origin access identity (OAI) for CloudFront. An origin access identity is a special CloudFront user that can be associated with Amazon S3 origins to secure the content. The template specifies the comment for the origin access identity.

CloudFormationTerraform
Basic Continuous Deployment Policy for AWS CloudFront

Sets up a basic continuous deployment policy for AWS CloudFront with separate staging and production distributions.

Terraform
Single Weight Config with Session Stickiness for AWS CloudFront

Configures a CloudFront continuous deployment policy with single weight traffic routing and session stickiness settings.

Terraform
Single Header Config for AWS CloudFront

Implements a CloudFront continuous deployment policy using a single header configuration for traffic routing.

Terraform
CloudFront Distribution with Failover Routing

Creates a CloudFront distribution with an origin group for failover routing, handling different origin configurations and failover criteria.

Terraform
CloudFront Distribution with Managed Caching Policy

Creates a CloudFront distribution using an AWS managed caching policy, specifically configured for disabled caching.

Terraform
AWS CloudFront Field-Level Encryption Configuration

Creates a CloudFront field-level encryption configuration that specifies how to handle encrypted content for both content types and query arguments.

Terraform
CloudFront Field-level Encryption Profile Setup

Creates a CloudFront public key and a field-level encryption profile using that key, specifically encrypting the 'DateOfBirth' field.

Terraform
Create a CloudFront Key Group with Public Key

This template creates a CloudFront public key and a key group that includes the public key.

Terraform
AWS CloudFront Origin Request Policy Creation

Creates a CloudFront origin request policy with specific configurations for cookies, headers, and query strings.

Terraform
Basic CloudFront Response Headers Policy

Creates a basic CloudFront response headers policy with CORS configuration.

Terraform
CloudFront Response Headers Policy with Custom Headers

Creates a CloudFront response headers policy with custom headers configuration.

Terraform
CloudFront Response Headers Policy with Custom and Server Timing Headers

Creates a CloudFront response headers policy with both custom headers and server timing headers configurations.

Terraform
Config Rule
CloudFront Logging Enabled

A config rule that checks whether your CloudFront Distribution has been configured to store logs on an authorized S3 bucket

CloudFormationTerraformAWS CLI
CloudFront Viwer Policy Set to HTTPS

A config rule that checks whether your Amazon CloudFront Distributions use HTTPS (directly or via a redirection).

CloudFormationTerraformAWS CLI
CloudFront Default Root Object Configured

A config rule that checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if CloudFront distribution does not have a default root object configured.

CloudFormationTerraformAWS CLI
CloudFront Origin Access Identity Enabled

A config rule that checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. This rule is NON_COMPLIANT if the CloudFront distribution is backed by Amazon S3 and any of Amazon S3 Origin type is not OAI configured.

CloudFormationTerraformAWS CLI
CloudFront Origin Failover Enabled

A config rule that checks whether an origin group is configured for the distribution of at least 2 origins in the origin group for Amazon CloudFront. This rule is NON_COMPLIANT if there are no origin groups for the distribution.

CloudFormationTerraformAWS CLI
CloudFront SNI Enabled

A config rule that checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. This rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is using a dedicated IP address.

CloudFormationTerraformAWS CLI
CloudFront Domain Uses Custom SSL Certificates

A Config rule that checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.

CloudFormationTerraformAWS CLI
CloudFront No Deprecated SSL Protocols

A Config rule that checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any ‘OriginSslProtocols’ includes ‘SSLv3’.

CloudFormationTerraformAWS CLI
CloudFront Traffic To Origin is Encrypted

A Config rule that checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if OriginProtocolPolicy is http-only or if OriginProtocolPolicy is match-viewer and ViewerProtocolPolicy is allow-all.

CloudFormationTerraformAWS CLI
Check if CloudFront distributions are configured to deliver access logs to an S3 bucket

Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.

CloudFormationTerraform
Check if CloudFront distributions are associated with WAF

Checks if Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.

CloudFormationTerraform
Check if CloudFront distribution with S3 Origin has OAC enabled

Checks if an Amazon CloudFront distribution with an Amazon Simple Storage Service (Amazon S3) Origin type has origin access control (OAC) enabled. The rule is NON_COMPLIANT for CloudFront distributions with Amazon S3 origins that don't have OAC enabled.

CloudFormationTerraform
Check if CloudFront distributions point to non-existent S3 bucket

Checks if Amazon CloudFront distributions point to a non-existent S3 bucket. The rule is NON_COMPLIANT if `S3OriginConfig` for a CloudFront distribution points to a non-existent S3 bucket. The rule does not evaluate S3 buckets with static website hosting.

CloudFormationTerraform
Check CloudFront Security Policy

Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018.

CloudFormationTerraform
CloudFormation Guard
Cloudformation Guard Rules for AWS IAM

CloudFormation guard rules template for IAM resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon EC2

CloudFormation guard rules template for EC2 resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon S3

CloudFormation guard rules template for S3 resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Security Groups

CloudFormation guard rules template for Security Groups

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS Lambda

CloudFormation guard rules template for AWS Lambda resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS OpenSearch

CloudFormation guard rules template for AWS OpenSearch resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon VPC

CloudFormation guard rules template for Amazon VPC resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon SageMaker

CloudFormation guard rules template for Amazon SageMaker resources

CloudFormation Guard Rules
Cloudformation Guard Rules for DynamoDB

CloudFormation guard rules template for DynamoDB and DynamoDB Accelerator (DAX) resources

CloudFormation Guard Rules
Cloudformation Guard Rules for ACM (AWS Certificate Manager)

CloudFormation guard rules template for AWS Certificate Manager (ACM) resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS Budgets

CloudFormation guard rules template for AWS Budget resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS CloudFront

CloudFormation guard rules template for AWS CloudFront resources

CloudFormation Guard Rules
Cloudformation Guard Rules for CloudWatch Logs

CloudFormation guard rules template for CloudWatch Log groups

CloudFormation Guard Rules
Cloudformation Guard Rules for CodeBuild

CloudFormation guard rules template for CodeBuild resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS Config

CloudFormation guard rules template for AWS Config

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS Database Migration Service (DMS)

CloudFormation guard rules template for AWS DMS

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS DocumentDB

CloudFormation guard rules template for AWS DocumentDB resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon EFS (Elastic File System)

CloudFormation guard rules template for EFS resources

CloudFormation Guard Rules
Cloudformation Guard Rules for ElastiCache (Redis)

CloudFormation guard rules template for ElastiCache resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS KMS

CloudFormation guard rules template for KMS resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS Network Firewall

CloudFormation guard rules template for Network Firewall resources

CloudFormation Guard Rules
Cloudformation Guard Rules for SNS

CloudFormation guard rules template for SNS resources

CloudFormation Guard Rules
Cloudformation Guard Rules for SQS

CloudFormation guard rules template for SQS resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS WAF

CloudFormation guard rules template for WAF resources

CloudFormation Guard Rules
Cloudformation Guard Rules for API Gateway

CloudFormation guard rules template for API Gateway resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS Backup

CloudFormation guard rules template for AWS Backup resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS CloudTrail

CloudFormation guard rules template for AWS CloudTrail resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS CloudWatch Alarms

CloudFormation guard rules template for AWS CloudWatch Alarms

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon ECR

CloudFormation guard rules template for Amazon ECR resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon EKS

CloudFormation guard rules template for Amazon EKS resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS Load Balancers

CloudFormation guard rules template for AWS Load Balancer resources

CloudFormation Guard Rules
Cloudformation Guard Rules for EMR

CloudFormation guard rules template for EMR resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon FSx

CloudFormation guard rules template for Amazon FSx resources

CloudFormation Guard Rules
Cloudformation Guard Rules for AWS Secrets Manager

CloudFormation guard rules template for AWS Secrets Manager resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon Redshift

CloudFormation guard rules template for Amazon Redshift resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon Route53

CloudFormation guard rules template for Amazon Route53 resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon MSK

CloudFormation guard rules template for Amazon MSK (Managed Apache Kafka) resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Amazon Neptune

CloudFormation guard rules template for Amazon Neptune resources

CloudFormation Guard Rules
Cloudformation Guard Rules for Auto Scaling Groups

CloudFormation guard rules template for Auto Scaling Group resources

CloudFormation Guard Rules