CloudFront distribution ViewerProtocolPolicy is not set to HTTPS
Description
AWS::CloudFront::Distribution ViewerProtocolPolicy (under DefaultCacheBehavior and under each entry of CacheBehaviors) determines whether viewers may reach the distribution over plain HTTP, are redirected to HTTPS, or must use HTTPS. With allow-all, content and any cookies or tokens the viewer sends can travel in cleartext between the client and the CloudFront edge, so we recommend setting the policy to redirect-to-https or https-only on every cache behavior. The separate ViewerCertificate setting controls the certificate and SSL/TLS configuration CloudFront uses for those HTTPS connections.
Most browsers and clients released after 2010 support Server Name Indication (SNI). AWS recommends accepting HTTPS connections only from viewers that support SNI (SslSupportMethod: sni-only) and advises against accepting HTTPS connections from all viewers, including those that do not support SNI (SslSupportMethod: vip), because that option uses dedicated IP addresses and results in additional monthly charges from CloudFront.
Fix - Runtime
Procedure
Set ViewerProtocolPolicy in DefaultCacheBehavior and in every CacheBehaviors entry to Redirect HTTP to HTTPS (redirect-to-https) or HTTPS Only (https-only). A single behavior left on allow-all still exposes that path pattern over cleartext HTTP.
ViewerProtocolPolicy only covers the viewer-to-edge connection. To specify how CloudFront should use SSL/TLS to communicate with your custom origin, set OriginProtocolPolicy in the origin's CustomOriginConfig (https-only is the equivalent setting there).
Fix - Buildtime
Terraform
- **Resource:** aws_cloudfront_distribution
- **Argument:** viewer_protocol_policy under default_cache_behavior or ordered_cache_behavior must not be allow-all. Acceptable values are redirect-to-https or https-only.
resource "aws_cloudfront_distribution" "cloudfront" {
...
default_cache_behavior {
...
target_origin_id = "my-origin"
- viewer_protocol_policy = "allow-all"
+ viewer_protocol_policy = "redirect-to-https"
}
}
CloudFormation
- **Resource:** AWS::CloudFront::Distribution
- **Argument:** ViewerProtocolPolicy under Properties.DistributionConfig.DefaultCacheBehavior or Properties.DistributionConfig.CacheBehaviors must not be allow-all. Acceptable values are redirect-to-https or https-only.
Resources:
CloudFrontDistribution:
Type: 'AWS::CloudFront::Distribution'
Properties:
DistributionConfig:
...
DefaultCacheBehavior:
...
- ViewerProtocolPolicy: 'allow-all'
+ ViewerProtocolPolicy: 'https-only' # or 'redirect-to-https'
CacheBehaviors:
- TargetOriginId: customorigin
...
- ViewerProtocolPolicy: allow-all
+ ViewerProtocolPolicy: https-only # or redirect-to-https
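The runtime procedure above and the CloudFormation build-time fix both come down to the same check: walk the default cache behavior and every ordered cache behavior and flag any ViewerProtocolPolicy that is not redirect-to-https or https-only. The following script is an added example written for this page (it is not Checkov, Prisma Cloud or AWS code). It audits and remediates a DistributionConfig in either shape: the object returned by `aws cloudfront get-distribution-config` (where CacheBehaviors is a Quantity/Items object) and the DistributionConfig block of a JSON CloudFormation template (where CacheBehaviors is a plain list). The function names, the sample distribution config and the sample template are constructed for the example; the ETag value is a placeholder.

```python
"""Audit and remediate CloudFront ViewerProtocolPolicy settings.

Example code added to this page; not Checkov, Prisma Cloud or AWS code.
Accepts the DistributionConfig from `aws cloudfront get-distribution-config`
(CacheBehaviors as {"Quantity": n, "Items": [...]}) and the DistributionConfig
block of a JSON CloudFormation template (CacheBehaviors as a list).
"""
import copy
import json

ACCEPTABLE = {"redirect-to-https", "https-only"}
DEFAULT_FIX = "redirect-to-https"


def _behaviors(distribution_config):
    """Yield (label, behavior) for the default and every ordered cache behavior."""
    default = distribution_config.get("DefaultCacheBehavior")
    if default is not None:
        yield "DefaultCacheBehavior", default
    extra = distribution_config.get("CacheBehaviors") or []
    if isinstance(extra, dict):          # API shape: Quantity/Items
        extra = extra.get("Items") or []
    for i, behavior in enumerate(extra):  # CloudFormation shape: plain list
        pattern = behavior.get("PathPattern", "*")
        yield f"CacheBehaviors[{i}] (PathPattern={pattern})", behavior


def find_insecure_behaviors(distribution_config):
    """Return one finding per behavior whose ViewerProtocolPolicy is not HTTPS-enforcing.

    A missing value is reported as well: the API requires the field and a template
    without it fails validation, so "absent" is never a secure default.
    """
    findings = []
    for label, behavior in _behaviors(distribution_config):
        policy = behavior.get("ViewerProtocolPolicy")
        if policy not in ACCEPTABLE:
            findings.append(f"{label}: ViewerProtocolPolicy={policy!r}")
    return findings


def remediate(distribution_config, policy=DEFAULT_FIX):
    """Return a deep copy with every offending ViewerProtocolPolicy set to `policy`."""
    if policy not in ACCEPTABLE:
        raise ValueError(f"{policy!r} is not an acceptable ViewerProtocolPolicy")
    fixed = copy.deepcopy(distribution_config)
    for _, behavior in _behaviors(fixed):
        if behavior.get("ViewerProtocolPolicy") not in ACCEPTABLE:
            behavior["ViewerProtocolPolicy"] = policy
    return fixed


def audit_cfn_template(template_json):
    """Audit every AWS::CloudFront::Distribution in a JSON CloudFormation template.

    Returns {logical_id: [findings]} containing only the offending resources.
    """
    template = json.loads(template_json)
    report = {}
    for logical_id, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "AWS::CloudFront::Distribution":
            continue
        config = resource.get("Properties", {}).get("DistributionConfig", {})
        findings = find_insecure_behaviors(config)
        if findings:
            report[logical_id] = findings
    return report


# Constructed sample shaped like `aws cloudfront get-distribution-config` output.
SAMPLE_API_RESPONSE = {
    "ETag": "EXAMPLEETAG",
    "DistributionConfig": {
        "DefaultCacheBehavior": {"TargetOriginId": "my-origin",
                                 "ViewerProtocolPolicy": "allow-all"},
        "CacheBehaviors": {"Quantity": 2, "Items": [
            {"PathPattern": "/api/*", "TargetOriginId": "api-origin",
             "ViewerProtocolPolicy": "https-only"},
            {"PathPattern": "/static/*", "TargetOriginId": "s3-origin",
             "ViewerProtocolPolicy": "allow-all"},
        ]},
    },
}

# Constructed sample CloudFormation template (JSON form); the ordered behavior
# omits ViewerProtocolPolicy entirely.
SAMPLE_CFN_TEMPLATE = """
{"Resources": {"CloudFrontDistribution": {
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {"DistributionConfig": {
    "Enabled": true,
    "DefaultCacheBehavior": {"TargetOriginId": "customorigin",
                             "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": [{"PathPattern": "/legacy/*", "TargetOriginId": "customorigin"}]
  }}}}}
"""

if __name__ == "__main__":
    for finding in find_insecure_behaviors(SAMPLE_API_RESPONSE["DistributionConfig"]):
        print("runtime:", finding)
    fixed = remediate(SAMPLE_API_RESPONSE["DistributionConfig"])
    # To apply at runtime, save `fixed` as fixed.json and run:
    #   aws cloudfront update-distribution --id <ID> --if-match <ETag> \
    #       --distribution-config file://fixed.json
    # The ETag returned by get-distribution-config must be passed as --if-match.
    print(json.dumps(fixed, indent=2))
    for logical_id, findings in audit_cfn_template(SAMPLE_CFN_TEMPLATE).items():
        print(f"template {logical_id}:", *findings, sep="\n  ")
```

The remediation writes redirect-to-https by default because it keeps existing HTTP links working; pass `policy="https-only"` for APIs or anything that should fail closed rather than redirect. For Terraform sources the same rule applies to viewer_protocol_policy in default_cache_behavior and ordered_cache_behavior, but parsing HCL is outside this example.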