##################################################################################
#
# Conformance Pack:
# Operational Best Practices for CloudFront
#
# Ten AWS-managed Config rules (Source.Owner: AWS), every one scoped to
# AWS::CloudFront::Distribution and passed no InputParameters, so each rule
# evaluates with its default settings. The file is named
# "Security-Best-Practices-for-CloudFront.yaml" while this header says
# "Operational"; keep the two in sync so the pack is easy to find.
#
##################################################################################
---
# NOTE(review): AWS Config rules are a detective control. A distribution that
# violates one of these rules is reported NON_COMPLIANT after it exists; nothing
# here blocks the deployment. Add remediation or a pre-deploy policy check if
# enforcement is required.
Resources:
  # Standard access logging must be enabled - this is the request-level audit
  # trail used during incident response. No bucket is pinned here, so logging
  # to any bucket satisfies the rule; the managed rule documents an optional
  # bucket-name parameter for tightening that (confirm against current docs).
  CloudfrontAccesslogsEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-accesslogs-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_ACCESSLOGS_ENABLED

  # A WAF web ACL must be associated with the distribution. As configured,
  # any web ACL passes; the managed rule presumably accepts an optional list
  # of required web ACL IDs/ARNs if a specific ACL must be enforced - verify.
  CloudfrontAssociatedWithWaf:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-associated-with-waf
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_ASSOCIATED_WITH_WAF

  # Viewer TLS must use a custom certificate rather than the default
  # *.cloudfront.net one. This says nothing about the minimum viewer TLS
  # version/security policy; that is not covered by any rule in this pack.
  CloudfrontCustomSslCertificate:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-custom-ssl-certificate
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_CUSTOM_SSL_CERTIFICATE

  # A default root object must be set so that a request for the bare domain
  # is answered by a known object instead of being forwarded to the origin
  # as a request for "/".
  CloudfrontDefaultRootObjectConfigured:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-default-root-object-configured
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_DEFAULT_ROOT_OBJECT_CONFIGURED

  # Deprecated SSL protocols must not be enabled for the CloudFront-to-origin
  # leg (custom-origin OriginSslProtocols, per the managed-rule docs - confirm).
  # Viewer-side protocol versions are out of scope for this rule.
  CloudfrontNoDeprecatedSslProtocols:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-no-deprecated-ssl-protocols
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_NO_DEPRECATED_SSL_PROTOCOLS

  # S3 origins must be fronted by an origin access identity so the bucket can
  # stay private. NOTE(review): OAI is the legacy mechanism; AWS's current
  # recommendation is origin access control (OAC). How this rule evaluates a
  # distribution that uses OAC instead of OAI should be verified before relying
  # on it as the only check for private S3 origins.
  CloudfrontOriginAccessIdentityEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-origin-access-identity-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_ORIGIN_ACCESS_IDENTITY_ENABLED

  # Origin failover (an origin group) must be configured. This is an
  # availability control rather than a confidentiality/integrity one; expect
  # single-origin distributions to be reported NON_COMPLIANT. Drop it if
  # availability is out of scope for this pack.
  CloudfrontOriginFailoverEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-origin-failover-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_ORIGIN_FAILOVER_ENABLED

  # Custom-certificate distributions must serve TLS via SNI rather than a
  # dedicated IP. Operational/cost hygiene more than a security control.
  CloudfrontSniEnabled:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-sni-enabled
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_SNI_ENABLED

  # Traffic from CloudFront edges to the origin must be encrypted (origin
  # protocol policy). Covers the second hop that the viewer-policy rule below
  # does not; a plaintext http-only origin fails here even if viewers use TLS.
  CloudfrontTrafficToOriginEncrypted:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-traffic-to-origin-encrypted
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_TRAFFIC_TO_ORIGIN_ENCRYPTED

  # Viewer-facing traffic must be HTTPS. If the managed rule accepts
  # redirect-to-https as compliant (check the docs), note that a redirect
  # still receives the initial plaintext request; prefer https-only where
  # clients allow it.
  CloudfrontViewerPolicyHttps:
    Type: AWS::Config::ConfigRule
    Properties:
      ConfigRuleName: cloudfront-viewer-policy-https
      Scope:
        ComplianceResourceTypes:
          - AWS::CloudFront::Distribution
      Source:
        Owner: AWS
        SourceIdentifier: CLOUDFRONT_VIEWER_POLICY_HTTPS