Homepage
About Snyk

CloudFront distribution is not protected by WAF Affecting CloudFront service in AWS

0.0
medium
0
10
    Severity Framework Snyk CCSS
    Rule category General / Firewall

Is your enviroment affected by this misconfiguration?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
    Frameworks
    AWS-Well-Architected CIS-Controls CSA-CCM ISO-27001 NIST-800-53 PCI-DSS SOC-2
  • Snyk ID SNYK-CC-00026
  • credit Snyk Research Team
Report a new misconfiguration Found a mistake?

Description

WAF should be deployed on CloudFront distributions to protect web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources.

How to fix?

Set the web_acl_id attribute to an existing AWS WAF web ACL ARN.

Example Configuration

resource "aws_cloudfront_distribution" "s3_distribution" {
  web_acl_id = "${aws_waf_web_acl.waf_acl.id}"
  
  origin {
    domain_name = "${aws_s3_bucket.http-monitor-origin.bucket_regional_domain_name}"
    origin_id   = "${aws_s3_bucket.http-monitor-origin.id}"
  }

  enabled = true
  
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"]
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  default_cache_behavior {
    allowed_methods  = ["DELETE", "GET", "HEAD", "OPTIONS", "PATCH", "POST", "PUT"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "${aws_s3_bucket.http-monitor-origin.id}"

    forwarded_values {
      query_string = false

      cookies {
        forward = "none"
      }
    }

    viewer_protocol_policy = "redirect-to-https"
    min_ttl                = 0
    default_ttl            = 3600
    max_ttl                = 86400
  }
}