Pattern: Viewer Protocol Policy in Cloudfront Distribution Cache should always be set to HTTPS
Issue: -
CloudFront connections should be encrypted during transmission over networks that can be accessed by malicious individuals. A CloudFront distribution should only use HTTPS or Redirect HTTP to HTTPS for communication between viewers and CloudFront.
Resolution: Only use HTTPS in the Viewer Protocol Policy.
Example of incorrect code:
resource "aws_cloudfront_distribution" "bad_example" {
// other cloudfront distribution config
default_cache_behavior {
// other cache config
viewer_protocol_policy = "allow-all" // including HTTP
}
}
resource "aws_cloudfront_distribution" "bad_example" {
// other cloudfront distribution config
default_cache_behavior {
// other cache config
viewer_protocol_policy = "https-only" // HTTPS by default...
}
ordered_cache_behavior {
// other cache config
viewer_protocol_policy = "allow-all" // ...but HTTP for some other resources
}
}Example of correct code:
resource "aws_cloudfront_distribution" "good_example" {
// other cloudfront distribution config
default_cache_behavior {
// other cache config
viewer_protocol_policy = "https-only"
}
ordered_cache_behavior {
// other cache config
viewer_protocol_policy = "redirect-to-https"
}
}