AWS Config Rule: CloudFront HTTPS Viewer Policy

CLOUDFRONT_VIEWER_POLICY_HTTPS

Ryan Ware

Last Update 9 months ago

Description: Checks whether your Amazon CloudFront distributions use HTTPS (directly or via a redirection). The rule is NON_COMPLIANT if the value of ViewerProtocolPolicy is set to 'allow-all' for the defaultCacheBehavior or for the cacheBehaviors.


Trigger type: Configuration changes


AWS Region: Only available in US East (N. Virginia) Region


How to Resolve Manually

In order to be COMPLIANT with this AWS Config Rule, you will need to ensure that the viewer protocol policy of every cache behaviour on your CloudFront Distribution (the default cache behaviour and any additional cache behaviours) does not accept plain HTTP (the allow-all setting) and is limited to HTTPS, either directly or via a redirect.


There are three options when it comes to viewer protocol policy: HTTP and HTTPS (allow-all), Redirect HTTP to HTTPS, and HTTPS Only. If you use HTTPS Only or Redirect HTTP to HTTPS, the cache behaviour will be considered COMPLIANT in the remit of this AWS Config Rule.


How to Resolve with StackZone

StackZone can automatically resolve your non-compliant CloudFront Distribution cache behaviours' viewer protocol policy by running an automation script that changes the protocol policy from HTTP and HTTPS (allow-all) to HTTPS Only or Redirect HTTP to HTTPS, depending on your needs.
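As an added example (not StackZone's automation script and not part of the original article), the following Python evaluates a distribution configuration the same way the rule does, flagging every cache behaviour whose ViewerProtocolPolicy is allow-all, and produces a remediated copy set to the chosen compliant policy. The dict layout mirrors the DistributionConfig shape returned by boto3's get_distribution_config (DefaultCacheBehavior and CacheBehaviors.Items); the sample configuration, the origin IDs and the path patterns are constructed for the example, and the remediate_live_distribution helper is an assumed wrapper that needs AWS credentials and is not executed here.

```python
"""Evaluate and remediate CloudFront viewer protocol policies.

Mirrors the CLOUDFRONT_VIEWER_POLICY_HTTPS check: a distribution is
NON_COMPLIANT when the default cache behaviour or any ordered cache
behaviour uses ViewerProtocolPolicy 'allow-all'.
"""
import copy

NON_COMPLIANT_VALUE = "allow-all"
# The two values the rule accepts (HTTPS Only / Redirect HTTP to HTTPS).
ALLOWED_TARGETS = {"https-only", "redirect-to-https"}


def cache_behaviours(dist_config):
    """Yield (label, behaviour) for the default and every ordered cache behaviour."""
    yield "DefaultCacheBehavior", dist_config["DefaultCacheBehavior"]
    items = dist_config.get("CacheBehaviors", {}).get("Items", [])
    for i, cb in enumerate(items):
        yield f"CacheBehaviors[{i}] ({cb.get('PathPattern', '*')})", cb


def evaluate(dist_config):
    """Return ('COMPLIANT' | 'NON_COMPLIANT', [labels of offending behaviours])."""
    offenders = [
        label
        for label, cb in cache_behaviours(dist_config)
        if cb.get("ViewerProtocolPolicy") == NON_COMPLIANT_VALUE
    ]
    return ("NON_COMPLIANT" if offenders else "COMPLIANT"), offenders


def remediate(dist_config, target="redirect-to-https"):
    """Return a deep copy in which every 'allow-all' behaviour is set to `target`.

    The input is left untouched so the caller can diff before and after.
    """
    if target not in ALLOWED_TARGETS:
        raise ValueError(f"target must be one of {sorted(ALLOWED_TARGETS)}, got {target!r}")
    fixed = copy.deepcopy(dist_config)
    for _, cb in cache_behaviours(fixed):
        if cb.get("ViewerProtocolPolicy") == NON_COMPLIANT_VALUE:
            cb["ViewerProtocolPolicy"] = target
    return fixed


# Constructed sample: default behaviour and one path-based behaviour are
# still allow-all, the /api/* behaviour is already HTTPS only.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {
        "TargetOriginId": "s3-origin",
        "ViewerProtocolPolicy": "allow-all",
    },
    "CacheBehaviors": {
        "Quantity": 2,
        "Items": [
            {"PathPattern": "/api/*", "TargetOriginId": "api-origin",
             "ViewerProtocolPolicy": "https-only"},
            {"PathPattern": "/static/*", "TargetOriginId": "s3-origin",
             "ViewerProtocolPolicy": "allow-all"},
        ],
    },
}


def remediate_live_distribution(distribution_id, target="redirect-to-https"):
    """Assumed helper: apply remediate() to a real distribution through boto3.

    Requires AWS credentials with cloudfront:GetDistributionConfig and
    cloudfront:UpdateDistribution; boto3 is imported lazily so the module
    still runs offline.
    """
    import boto3  # not needed for the offline evaluate()/remediate() path

    cf = boto3.client("cloudfront")
    resp = cf.get_distribution_config(Id=distribution_id)
    status, offenders = evaluate(resp["DistributionConfig"])
    if status == "COMPLIANT":
        return status, offenders
    # UpdateDistribution needs the ETag from the config read as IfMatch.
    cf.update_distribution(
        Id=distribution_id,
        IfMatch=resp["ETag"],
        DistributionConfig=remediate(resp["DistributionConfig"], target),
    )
    return "REMEDIATED", offenders


if __name__ == "__main__":
    status, offenders = evaluate(SAMPLE_CONFIG)
    print(status, offenders)
    print(evaluate(remediate(SAMPLE_CONFIG, "https-only")))
```

Running the module on the constructed sample reports NON_COMPLIANT with the default behaviour and the /static/* behaviour listed, and the remediated copy evaluates as COMPLIANT; the /api/* behaviour is left as it was because only allow-all values are rewritten.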


To enable this remediation, within the StackZone console go to Provisioning > Baseline Services > AWS Config Rules Regional > AWS CloudFront, enable CloudFront HTTPS Viewer Policy Remediation and select your desired Protocol Policy. Check the following screenshot as a reference:

