Ensure CloudFront distribution ViewerProtocolPolicy is set to HTTPS

Error: CloudFront distribution ViewerProtocolPolicy is not set to HTTPS

Bridgecrew Policy ID: BC_AWS_NETWORKING_32
Checkov ID: CKV_AWS_34
Severity: HIGH

CloudFront distribution ViewerProtocolPolicy is not set to HTTPS

Description

AWS::CloudFront::Distribution ViewerCertificate determines the distribution’s SSL/TLS configuration for communicating with viewers.

We recommend you use the ViewerProtocolPolicy parameter to enable secure HTTPS communication between clients and your CloudForamtion templates. Most browsers and clients released after 2010 support server name indication.

AWS recommends to accept HTTPS connections only from viewers that support SNI and advises against receiving HTTPS connections from all viewers, including those that do not support SNI, set SslSupportMethod. This also results in additional monthly charges from CloudFront.

Fix - Runtime

Procedure

Use ViewerProtocolPolicy in the CacheBehavior or DefaultCacheBehavior, and select Redirect HTTP to HTTPS or HTTPS Only.

To specify how CloudFront should use SSL/TLS to communicate with your custom origin, use CustomOriginConfig.

Fix - Buildtime

Terraform

  • Resource: aws_cloudfront_distribution
  • Argument: viewer_protocol_policy under default_cache_behavior or ordered_cache_behavior must not be allow-all. Acceptable values are redirect-to-https or https-only.
resource "aws_cloudfront_distribution" "cloudfront" {
  ...
  default_cache_behavior {
    ...
    target_origin_id       = "my-origin"
 -  viewer_protocol_policy = "allow-all"
 +  viewer_protocol_policy = "redirect-to-https"
  }
}

CloudFormation

  • Resource: AWS::CloudFront::Distribution
  • Argument: ViewerProtocolPolicy under Properties.DefaultCacheBehavior or Properties.CacheBehaviors must not be allow-all. Acceptable values are redirect-to-https or https-only.
Resources:
	CloudFrontDistribution:
    Type: 'AWS::CloudFront::Distribution'
    Properties:
      DistributionConfig:
        ...
        DefaultCacheBehavior:
          ...
-         ViewerProtocolPolicy: 'allow-all'
+         ViewerProtocolPolicy: 'https-only' # or 'redirect-to-https'

        CacheBehaviors:
          - TargetOriginId: customorigin
						...
-           ViewerProtocolPolicy: allow-all
+           ViewerProtocolPolicy: https-only # or redirect-to-https