AWS CloudFront

Best practices and references below are based on published guidance from the cloud service provider and may reference native capabilities the cloud service provider offers. If you are not using the native security capabilities, the same security requirement can be met using other security capabilities your organization utilizes.

Cache Management

Design Guidance:

AWS::CloudFront::CachePolicy

Cache Policy Config-Default Ttl
Terraform
Cache Policy Config-Max Ttl
Terraform
Cache Policy Config-Min Ttl
Terraform
Cache Policy Config-Name
Terraform

AWS::CloudFront::Distribution

Default Cache Behavior-Cache Policy Id
Terraform
Cache Behaviors-Cache Policy Id
Terraform

Secure Browser Cookies

Design Guidance:

AWS::CloudFront::CachePolicy

Cookies Config-Cookie Behavior
Terraform
Cookies Config-Cookies
Terraform

AWS::CloudFront::OriginRequestPolicy

Cookies Config-Cookie Behavior
Terraform

Secure Response Headers

Design Guidance:

AWS::CloudFront::CachePolicy

Headers Config-Header Behavior
Terraform
Headers Config-Headers
Terraform

AWS::CloudFront::Distribution

Origins-Origin Custom Headers
Terraform
Origin Custom Headers-Header Value
Terraform
Origin Custom Headers-Header Name
Terraform
Default Cache Behavior-Allowed Methods
Terraform
Default Cache Behavior-Cached Methods
Terraform
Cache Behaviors-Allowed Methods
Terraform
Cache Behaviors-Cached Methods
Terraform

AWS::CloudFront::OriginRequestPolicy

Headers Config-Header Behavior
Terraform
Headers Config-Headers
Terraform

Input Validation

Design Guidance:

AWS::CloudFront::CachePolicy

Query Strings Config-Query String Behavior
Terraform

AWS::CloudFront::Distribution

Default Cache Behavior-Origin Request Policy Id
Terraform
Cache Behaviors-Origin Request Policy Id
Terraform

AWS::CloudFront::OriginRequestPolicy

Query Strings Config-Query String Behavior
Terraform

Logging

Design Guidance:

AWS::CloudFront::Distribution

Logging-Include Cookies
Terraform
Default Cache Behavior-Realtime Log Config Arn
Terraform
Logging-Bucket
Terraform

AWS::CloudFront::StreamingDistribution

Logging-Enabled
Logging-Prefix
Logging-Bucket

Session Limits

AWS::CloudFront::Distribution

Origins-Connection Timeout
Terraform

Transaction Rate-limiting

AWS::CloudFront::Distribution

Origins-Connection Attempts
Terraform

Network Isolation and Segregation

Design Guidance:

AWS::CloudFront::Distribution

S3 Origin Config-Origin Access Identity
Terraform

Identification and Authentication

Design Guidance:

AWS::CloudFront::Distribution

Origins-Id
Terraform
Lambda Function Associations-Lambda Function Arn
Terraform
Default Cache Behavior-Target Origin Id
Terraform
Default Cache Behavior-Trusted Signers
Terraform
Cache Behaviors-Target Origin Id
Terraform

AWS::CloudFront::StreamingDistribution

Trusted Signers-Enabled
Trusted Signers-AWS Account Numbers

Deny-all Communications and Only Allow-by-Exception

AWS::CloudFront::Distribution

Custom Origin Config-HTTPS Port
Terraform
Custom Origin Config-HTTP Port
Terraform

TLS

Design Guidance:

AWS::CloudFront::Distribution

Custom Origin Config-Origin SSL Protocols
Terraform
Viewer Certificate-Minimum Protocol Version
Terraform
Custom Origin Config-Origin Protocol Policy
Terraform
Default Cache Behavior-Viewer Protocol Policy
Terraform
Default Cache Behavior-Field Level Encryption Id
Terraform
Cache Behaviors-Viewer Protocol Policy
Terraform

Destination Authentication

Design Guidance:

AWS::CloudFront::Distribution

Viewer Certificate-SSL Support Method
Terraform
Viewer Certificate-Acm Certificate Arn
Terraform
Lambda Function Associations-Lambda Function Arn
Terraform

AWS::CloudFront::RealtimeLogConfig

Kinesis Stream Config-Role Arn
Kinesis Stream Config-Stream Arn

Design for High Availability

Design Guidance:

AWS::CloudFront::Distribution

Origin Groups-Quantity
Terraform
Origin Groups-Items
Terraform
Items-Id
Terraform
Status Codes-Quantity
Terraform
Status Codes-Items
Terraform

Firewalls

AWS::CloudFront::Distribution

Distribution Config-Web ACL Id
Terraform

Payload Inspection

AWS::CloudFront::Distribution

Geo Restriction-Locations
Terraform
Geo Restriction-Restriction Type
Terraform

Asset Inventory

Design Guidance:

AWS::CloudFront::Distribution

Tags
Terraform

AWS::CloudFront::StreamingDistribution

Tags