CloudFront Security

A collection of AWS security controls for Amazon CloudFront. Controls include templates for CloudFront distributions and resources, AWS Config rules for monitoring compliance, and CloudWatch Alarms. Configuration templates are available in AWS CloudFormation, AWS CLI and Terraform.

CloudFront

This template creates a CloudFront distribution with specified cache behaviors, default cache behavior, IPv6 enabled, origins, and tags.

CloudFormation

Configuration template to deploy a CloudFront distribution. A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.

Configuration template to deploy a CloudFront cache policy which determines which objects are served from the CloudFront cache when the viewer requests data over HTTP. 

Configuration template to deploy a CloudFront function. CloudFront functions are lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations.

Configuration template to define a CloudFront public key which can be used with signed URLs and signed cookies, or with field-level encryption. The template also supports defining CloudFront key groups which are a collection of public keys.

Configuration template to create a CloudFront Origin Access Control which can be added to an origin in a CloudFront distribution so that CloudFront sends authenticated (signed) requests to the origin. For an Amazon S3 origin, this makes it possible to block public access to the Amazon S3 bucket so that viewers (users) can access the content in the bucket only through CloudFront.

Configuration template to create a CloudFront Real-Time Logging Configuration. With real-time logging, you can get information about requests made to a distribution in real time (logs are delivered using Kinesis streams within seconds of receiving the requests). 

This template creates a new origin access identity (OAI) for CloudFront. An origin access identity is a special CloudFront user that can be associated with Amazon S3 origins to secure the content. The template specifies the comment for the origin access identity.

CloudFormation

Config Rule

A config rule that checks whether your CloudFront distribution has been configured to store logs on an authorized S3 bucket.

CloudFormation, Terraform, AWS CLI

A config rule that checks whether your Amazon CloudFront Distributions use HTTPS (directly or via a redirection).

CloudFormation, Terraform, AWS CLI

A config rule that checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if the CloudFront distribution does not have a default root object configured.

CloudFormation, Terraform, AWS CLI

A config rule that checks that an Amazon CloudFront distribution with an Amazon S3 origin type has Origin Access Identity (OAI) configured. This rule is NON_COMPLIANT if the CloudFront distribution is backed by Amazon S3 and any Amazon S3 origin is not configured with OAI.

CloudFormation, Terraform, AWS CLI

A config rule that checks whether an Amazon CloudFront distribution is configured with an origin group that contains at least 2 origins. This rule is NON_COMPLIANT if there are no origin groups for the distribution.

CloudFormation, Terraform, AWS CLI

A config rule that checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. This rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is using a dedicated IP address.

CloudFormation, Terraform, AWS CLI

A Config rule that checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.

CloudFormation, Terraform, AWS CLI

A Config rule that checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any ‘OriginSslProtocols’ includes ‘SSLv3’.

CloudFormation, Terraform, AWS CLI

A Config rule that checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if OriginProtocolPolicy is http-only or if OriginProtocolPolicy is match-viewer and ViewerProtocolPolicy is allow-all.

CloudFormation, Terraform, AWS CLI

Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.

CloudFormation

Checks if Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.

CloudFormation

Checks if an Amazon CloudFront distribution with an Amazon Simple Storage Service (Amazon S3) Origin type has origin access control (OAC) enabled. The rule is NON_COMPLIANT for CloudFront distributions with Amazon S3 origins that don't have OAC enabled.

CloudFormation

Checks if Amazon CloudFront distributions point to a non-existent S3 bucket. The rule is NON_COMPLIANT if `S3OriginConfig` for a CloudFront distribution points to a non-existent S3 bucket. The rule does not evaluate S3 buckets with static website hosting.

CloudFormation

Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018.

CloudFormation

Configuration Package

A configuration package to create a custom CloudFormation Guard rules template. The package includes 150+ rules across most AWS services including EC2, S3, IAM, and many more.

CloudFormation Guard

CloudFormation guard rules template for IAM resources

CloudFormation Guard Rules

CloudFormation guard rules template for EC2 resources

CloudFormation Guard Rules

CloudFormation guard rules template for S3 resources

CloudFormation Guard Rules

CloudFormation guard rules template for Security Groups

CloudFormation Guard Rules

CloudFormation guard rules template for AWS Lambda resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS OpenSearch resources

CloudFormation Guard Rules

CloudFormation guard rules template for Amazon VPC resources

CloudFormation Guard Rules

CloudFormation guard rules template for Amazon SageMaker resources

CloudFormation Guard Rules

CloudFormation guard rules template for DynamoDB and DynamoDB Accelerator (DAX) resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS Certificate Manager (ACM) resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS Budget resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS CloudFront resources

CloudFormation Guard Rules

CloudFormation guard rules template for CloudWatch Log groups

CloudFormation Guard Rules

CloudFormation guard rules template for CodeBuild resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS Config

CloudFormation Guard Rules

CloudFormation guard rules template for AWS DMS

CloudFormation Guard Rules

CloudFormation guard rules template for AWS DocumentDB resources

CloudFormation Guard Rules

CloudFormation guard rules template for EFS resources

CloudFormation Guard Rules

CloudFormation guard rules template for ElastiCache resources

CloudFormation Guard Rules

CloudFormation guard rules template for KMS resources

CloudFormation Guard Rules

CloudFormation guard rules template for Network Firewall resources

CloudFormation Guard Rules

CloudFormation guard rules template for SNS resources

CloudFormation Guard Rules

CloudFormation guard rules template for SQS resources

CloudFormation Guard Rules

CloudFormation guard rules template for WAF resources

CloudFormation Guard Rules

CloudFormation guard rules template for API Gateway resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS Backup resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS CloudTrail resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS CloudWatch Alarms

CloudFormation Guard Rules

CloudFormation guard rules template for Amazon ECR resources

CloudFormation Guard Rules

CloudFormation guard rules template for Amazon EKS resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS Load Balancer resources

CloudFormation Guard Rules

CloudFormation guard rules template for EMR resources

CloudFormation Guard Rules

CloudFormation guard rules template for Amazon FSx resources

CloudFormation Guard Rules

CloudFormation guard rules template for AWS Secrets Manager resources

CloudFormation Guard Rules

CloudFormation guard rules template for Amazon Redshift resources

CloudFormation Guard Rules

CloudFormation guard rules template for Amazon Route53 resources

CloudFormation Guard Rules

CloudFormation guard rules template for Amazon MSK (Managed Apache Kafka) resources

CloudFormation Guard Rules

CloudFormation guard rules template for Amazon Neptune resources

CloudFormation Guard Rules

CloudFormation guard rules template for Auto Scaling Group resources

CloudFormation Guard Rules