CloudFront distribution does not have a WAF in front.
Default Severity: high
Explanation
You should configure a Web Application Firewall in front of your CloudFront distribution. This will mitigate many types of attacks on your web application.
Possible Impact
Complex web application attacks can more easily be performed without a WAF
Suggested Resolution
Enable WAF for the CloudFront distribution
Insecure Example
The following example will fail the aws-cloudfront-enable-waf check.
resource "aws_cloudfront_distribution" "bad_example" {
origin_group {
origin_id = "groupS3"
failover_criteria {
status_codes = [403, 404, 500, 502]
}
member {
origin_id = "primaryS3"
}
}
origin {
domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
origin_id = "primaryS3"
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
}
}
origin {
domain_name = aws_s3_bucket.failover.bucket_regional_domain_name
origin_id = "failoverS3"
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
}
}
default_cache_behavior {
target_origin_id = "groupS3"
}
}
Secure Example
The following example will pass the aws-cloudfront-enable-waf check.
resource "aws_cloudfront_distribution" "good_example" {
origin {
domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
origin_id = "primaryS3"
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
}
}
origin {
domain_name = aws_s3_bucket.failover.bucket_regional_domain_name
origin_id = "failoverS3"
s3_origin_config {
origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
}
}
default_cache_behavior {
target_origin_id = "groupS3"
}
web_acl_id = "waf_id"
}