This template creates a CloudFront distribution with specified cache behaviors, default cache behavior, IPV6 enabled, origins, and tags.

Configuration template to deploy a CloudFront distribution. A distribution tells CloudFront where you want content to be delivered from, and the details about how to track and manage content delivery.

Configuration template to deploy a CloudFront cache policy which determines which objects are served from the CloudFront cache when the viewer requests data over HTTP. 

Configuration template to deploy a CloudFront function. CloudFront functions are lightweight functions in JavaScript for high-scale, latency-sensitive CDN customizations.

Configuration template to define a CloudFront public key which can be used with signed URLs and signed cookies, or with field-level encryption. The template also supports defining CloudFront key groups which are a collection of public keys.

Configuration template to create a CloudFront Origin Access Control which can be added to an origin in a CloudFront distribution so that CloudFront sends authenticated (signed) requests to the origin. For an Amazon S3 origin, this makes it possible to block public access to the Amazon S3 bucket so that viewers (users) can access the content in the bucket only through CloudFront.

Configuration template to create a CloudFront Real-Time Logging Configuration. With real-time logging, you can get information about requests made to a distribution in real time (logs are delivered using Kinesis streams within seconds of receiving the requests). 

This template creates a new origin access identity (OAI) for CloudFront. An origin access identity is a special CloudFront user that can be associated with Amazon S3 origins to secure the content. The template specifies the comment for the origin access identity.

A config rule that checks whether your CloudFront Distribution has been configured to store logs on an authorized S3 bucket

A config rule that checks whether your Amazon CloudFront Distributions use HTTPS (directly or via a redirection).

A config rule that checks if an Amazon CloudFront distribution is configured to return a specific object that is the default root object. The rule is NON_COMPLIANT if CloudFront distribution does not have a default root object configured.

A config rule that checks that Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. This rule is NON_COMPLIANT if the CloudFront distribution is backed by Amazon S3 and any of Amazon S3 Origin type is not OAI configured.

A config rule that checks whether an origin group is configured for the distribution of at least 2 origins in the origin group for Amazon CloudFront. This rule is NON_COMPLIANT if there are no origin groups for the distribution.

A config rule that checks if Amazon CloudFront distributions are using a custom SSL certificate and are configured to use SNI to serve HTTPS requests. This rule is NON_COMPLIANT if a custom SSL certificate is associated but the SSL support method is using a dedicated IP address.

A Config rule that checks if the certificate associated with an Amazon CloudFront distribution is the default Secure Sockets Layer (SSL) certificate. This rule is NON_COMPLIANT if a CloudFront distribution uses the default SSL certificate.

A Config rule that checks if CloudFront distributions are using deprecated SSL protocols for HTTPS communication between CloudFront edge locations and custom origins. This rule is NON_COMPLIANT for a CloudFront distribution if any ‘OriginSslProtocols’ includes ‘SSLv3’.

A Config rule that checks if Amazon CloudFront distributions are encrypting traffic to custom origins. The rule is NON_COMPLIANT if OriginProtocolPolicy is http-only or if OriginProtocolPolicy is match-viewer and ViewerProtocolPolicy is allow-all.

Checks if Amazon CloudFront distributions are configured to deliver access logs to an Amazon S3 bucket. The rule is NON_COMPLIANT if a CloudFront distribution does not have logging configured.

Checks if Amazon CloudFront distributions are associated with either web application firewall (WAF) or WAFv2 web access control lists (ACLs). The rule is NON_COMPLIANT if a CloudFront distribution is not associated with a WAF web ACL.

Checks if an Amazon CloudFront distribution with an Amazon Simple Storage Service (Amazon S3) Origin type has origin access control (OAC) enabled. The rule is NON_COMPLIANT for CloudFront distributions with Amazon S3 origins that don't have OAC enabled.

Checks if Amazon CloudFront distributions point to a non-existent S3 bucket. The rule is NON_COMPLIANT if `S3OriginConfig` for a CloudFront distribution points to a non-existent S3 bucket. The rule does not evaluate S3 buckets with static website hosting.

Checks if Amazon CloudFront distributions are using a minimum security policy and cipher suite of TLSv1.2 or greater for viewer connections. This rule is NON_COMPLIANT for a CloudFront distribution if the minimumProtocolVersion is below TLSv1.2_2018.

A configuration package to create a custom CloudFormation Guard rules template. The package includes 150+ rules across most AWS services including EC2, S3, IAM, and many more.

CloudFormation guard rules template for IAM resources

CloudFormation guard rules template for EC2 resources

CloudFormation guard rules template for S3 resources

CloudFormation guard rules template for Security Groups

CloudFormation guard rules template for AWS Lambda resources

CloudFormation guard rules template for AWS OpenSearch resources

CloudFormation guard rules template for Amazon VPC resources

CloudFormation guard rules template for Amazon SageMaker resources

CloudFormation guard rules template for DynamoDB and DynamoDB Accelerator (DAX) resources

CloudFormation guard rules template for AWS Certificate Manager (ACM) resources

CloudFormation guard rules template for AWS Budget resources

CloudFormation guard rules template for AWS CloudFront resources

CloudFormation guard rules template for CloudWatch Log groups

CloudFormation guard rules template for CodeBuild resources

CloudFormation guard rules template for AWS Config

CloudFormation guard rules template for AWS DMS

CloudFormation guard rules template for AWS DocumentDB resources

CloudFormation guard rules template for EFS resources

CloudFormation guard rules template for ElastiCache resources

CloudFormation guard rules template for KMS resources

CloudFormation guard rules template for Network Firewall resources

CloudFormation guard rules template for SNS resources

CloudFormation guard rules template for SQS resources

CloudFormation guard rules template for WAF resources

CloudFormation guard rules template for API Gateway resources

CloudFormation guard rules template for AWS Backup resources

CloudFormation guard rules template for AWS CloudTrail resources

CloudFormation guard rules template for AWS CloudWatch Alarms

CloudFormation guard rules template for Amazon ECR resources

CloudFormation guard rules template for Amazon EKS resources

CloudFormation guard rules template for AWS Load Balancer resources

CloudFormation guard rules template for EMR resources

CloudFormation guard rules template for Amazon FSx resources

CloudFormation guard rules template for AWS Secrets Manager resources

CloudFormation guard rules template for Amazon Redshift resources

CloudFormation guard rules template for Amazon Route53 resources

CloudFormation guard rules template for Amazon MSK (Managed Apache Kafka) resources

CloudFormation guard rules template for Amazon Neptune resources

CloudFormation guard rules template for Auto Scaling Group resources