AWS Config Rule: CloudFront HTTPS Viewer Policy
CLOUDFRONT_VIEWER_POLICY_HTTPS
Ryan Ware
Last Update 9 months ago
Description: Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the defaultCacheBehavior or for the cacheBehaviors.
Trigger type: Configuration changes
AWS Region: Only available in US East (N. Virginia) Region
How to Resolve Manually
To be COMPLIANT with this AWS Config Rule, every cache behaviour on the CloudFront Distribution (the default cache behaviour and each additional cache behaviour) must have a viewer protocol policy that does not accept plain HTTP. A single behaviour left on HTTP and HTTPS is enough to make the whole distribution NON_COMPLIANT.
There are three options for the viewer protocol policy: HTTP and HTTPS (allow-all), Redirect HTTP to HTTPS (redirect-to-https), and HTTPS Only (https-only). Only the first is NON_COMPLIANT; Redirect HTTP to HTTPS and HTTPS Only are both considered COMPLIANT within the remit of this AWS Config Rule. The two compliant options behave differently for clients: with Redirect HTTP to HTTPS, CloudFront answers an HTTP request with a 301 redirect to the HTTPS URL, whereas with HTTPS Only it returns a 403 (Forbidden), so pick Redirect HTTP to HTTPS for browser-facing content and HTTPS Only where you want HTTP requests rejected outright. Note that this rule only covers the viewer-to-CloudFront connection; the connection from CloudFront to your origin is controlled by the origin protocol policy and is not evaluated here.
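The following is an added example, not code from the original article or from StackZone. It mirrors the rule's check over a distribution config dict in the shape returned by boto3's `get_distribution_config()['DistributionConfig']`, rewrites any allow-all behaviour to the chosen compliant policy, and shows how the fix would be applied with `update_distribution`. The sample config, the origin IDs and path patterns in it are constructed for illustration; the boto3 import is deferred so the evaluation and remediation functions run without AWS credentials.

```python
"""Evaluate and remediate CloudFront distribution configs against the
CLOUDFRONT_VIEWER_POLICY_HTTPS rule: any cache behaviour whose
ViewerProtocolPolicy is 'allow-all' makes the distribution NON_COMPLIANT.

Assumption (not from the article): dist_config has the shape of
boto3 cloudfront.get_distribution_config()['DistributionConfig'].
"""
import copy
from typing import Dict, List

# The two viewer protocol policies the rule accepts.
COMPLIANT_POLICIES = {"https-only", "redirect-to-https"}


def find_allow_all_behaviors(dist_config: Dict) -> List[str]:
    """Return a label for every cache behaviour that still accepts plain HTTP."""
    findings = []
    default = dist_config.get("DefaultCacheBehavior", {})
    if default.get("ViewerProtocolPolicy") == "allow-all":
        findings.append("DefaultCacheBehavior")
    items = dist_config.get("CacheBehaviors", {}).get("Items", [])
    for idx, behavior in enumerate(items):
        if behavior.get("ViewerProtocolPolicy") == "allow-all":
            findings.append(f"CacheBehaviors[{idx}] ({behavior.get('PathPattern', '?')})")
    return findings


def evaluate(dist_config: Dict) -> str:
    """Mirror the Config rule's verdict for one distribution config."""
    return "NON_COMPLIANT" if find_allow_all_behaviors(dist_config) else "COMPLIANT"


def remediate(dist_config: Dict, policy: str = "redirect-to-https") -> Dict:
    """Return a copy of the config with every allow-all behaviour switched to `policy`.
    Behaviours that are already compliant are left exactly as they are."""
    if policy not in COMPLIANT_POLICIES:
        raise ValueError(f"policy must be one of {sorted(COMPLIANT_POLICIES)}")
    fixed = copy.deepcopy(dist_config)
    if fixed.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy") == "allow-all":
        fixed["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = policy
    for behavior in fixed.get("CacheBehaviors", {}).get("Items", []):
        if behavior.get("ViewerProtocolPolicy") == "allow-all":
            behavior["ViewerProtocolPolicy"] = policy
    return fixed


def audit_account(policy: str = "redirect-to-https", apply: bool = False) -> Dict[str, str]:
    """Evaluate every distribution in the account and optionally apply the fix.
    Assumes credentials allowing cloudfront:ListDistributions,
    GetDistributionConfig and (when apply=True) UpdateDistribution."""
    import boto3  # imported here so the pure functions above run offline
    cf = boto3.client("cloudfront")
    verdicts = {}
    for page in cf.get_paginator("list_distributions").paginate():
        for summary in page.get("DistributionList", {}).get("Items", []):
            dist_id = summary["Id"]
            resp = cf.get_distribution_config(Id=dist_id)
            verdict = evaluate(resp["DistributionConfig"])
            verdicts[dist_id] = verdict
            if apply and verdict == "NON_COMPLIANT":
                # UpdateDistribution requires the ETag from GetDistributionConfig as IfMatch.
                cf.update_distribution(
                    Id=dist_id,
                    IfMatch=resp["ETag"],
                    DistributionConfig=remediate(resp["DistributionConfig"], policy),
                )
    return verdicts


# Constructed sample: the default behaviour already redirects, but an /api/*
# behaviour still allows HTTP, which is enough to fail the rule.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "s3-origin",
        "ViewerProtocolPolicy": "redirect-to-https",
    },
    "CacheBehaviors": {
        "Quantity": 2,
        "Items": [
            {"PathPattern": "/api/*", "TargetOriginId": "api-origin",
             "ViewerProtocolPolicy": "allow-all"},
            {"PathPattern": "/static/*", "TargetOriginId": "s3-origin",
             "ViewerProtocolPolicy": "https-only"},
        ],
    },
}

if __name__ == "__main__":
    print(evaluate(SAMPLE_CONFIG), find_allow_all_behaviors(SAMPLE_CONFIG))
    print(evaluate(remediate(SAMPLE_CONFIG, "https-only")))
```

Run `audit_account()` with no arguments for a read-only report of every distribution's verdict, and `audit_account(policy="https-only", apply=True)` to rewrite the offending behaviours; the remediation only touches behaviours that are currently allow-all, so a behaviour you deliberately set to Redirect HTTP to HTTPS is not flipped to HTTPS Only.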
How to Resolve with StackZone
StackZone can automatically resolve a non-compliant CloudFront Distribution by running an automation script that changes the viewer protocol policy of every cache behaviour still set to HTTP and HTTPS to either HTTPS Only or Redirect HTTP to HTTPS, depending on your needs.
To enable this remediation, within the StackZone console head on over to Provisioning > Baseline Services > AWS Config Rules Regional > AWS CloudFront, enable CloudFront HTTPS Viewer Policy Remediation and select your desired Protocol Policy. Check the following screenshot as a reference:
Want to know more about StackZone and how to make your cloud management simple and secure?
Check our how it works section with easy to follow videos or just create your own StackZone Account here