aws.cloudfront resources

aws.distribution

Filters

mismatch-s3-origin

- Checks that the S3 bucket referenced as a CloudFront origin exists,
  and verifies whether the bucket owner differs from the CloudFront account owner.
- example

  policies:
    - name: mismatch-s3-origin
      resource: distribution
      filters:
        - type: mismatch-s3-origin
          check_custom_origins: true

  properties:
    check_custom_origins:
      type: boolean
    type:
      enum:
        - mismatch-s3-origin
  required:
    - type
shield-enabled

  properties:
    state:
      type: boolean
    type:
      enum:
        - shield-enabled
  required:
    - type
waf-enabled

  properties:
    state:
      type: boolean
    type:
      enum:
        - waf-enabled
    web-acl:
      type: string
  required:
    - type
Actions

disable

Action to disable a Distribution

- example

  policies:
    - name: distribution-delete
      resource: distribution
      filters:
        - type: value
          key: CacheBehaviors.Items[].ViewerProtocolPolicy
          value: allow-all
          op: contains
      actions:
        - type: disable

  properties:
    type:
      enum:
        - disable
  required:
    - type
set-protocols

Action to set mandatory https-only on a Distribution

- example

  policies:
    - name: distribution-set-ssl
      resource: distribution
      filters:
        - type: value
          key: CacheBehaviors.Items[].ViewerProtocolPolicy
          value: allow-all
          op: contains
      actions:
        - type: set-protocols
          ViewerProtocolPolicy: https-only

  properties:
    OriginProtocolPolicy:
      enum:
        - http-only
        - match-viewer
        - https-only
    OriginSslProtocols:
      items:
        enum:
          - SSLv3
          - TLSv1
          - TLSv1.1
          - TLSv1.2
      type: array
    ViewerProtocolPolicy:
      enum:
        - allow-all
        - https-only
        - redirect-to-https
    type:
      enum:
        - set-protocols
set-shield

Enable Shield protection on the applicable resource.
Setting the sync parameter will also clear out stale Shield protections for resources that no longer exist.

  properties:
    state:
      type: boolean
    sync:
      type: boolean
    type:
      enum:
        - set-shield
  required:
    - type
set-waf

  properties:
    force:
      type: boolean
    state:
      type: boolean
    type:
      enum:
        - set-waf
    web-acl:
      type: string
  required:
    - web-acl
    - type
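As an added example that is not part of the Cloud Custodian documentation, one policy file that combines the filters and actions on this page: a report-only check for dangling or foreign-owned S3 origins, the weak allow-all / http-only protocol settings next to the hardened set-protocols values, and WAF and Shield enforcement. The policy names and the web ACL value are placeholders.

```yaml
policies:
  # Report only: distributions whose S3 origin bucket is missing or owned by
  # another account; custom origins are inspected as well.
  - name: cloudfront-dangling-s3-origin
    resource: distribution
    filters:
      - type: mismatch-s3-origin
        check_custom_origins: true

  # Weak settings: viewers allowed over plain HTTP, or the origin connection
  # not pinned to HTTPS. Corrected by redirecting viewers to HTTPS and
  # speaking only TLSv1.2 to the origin.
  - name: cloudfront-enforce-tls
    resource: distribution
    filters:
      - or:
          - type: value
            key: CacheBehaviors.Items[].ViewerProtocolPolicy
            value: allow-all
            op: contains
          - type: value
            key: Origins.Items[].CustomOriginConfig.OriginProtocolPolicy
            value: http-only
            op: contains
    actions:
      - type: set-protocols
        ViewerProtocolPolicy: redirect-to-https
        OriginProtocolPolicy: https-only
        OriginSslProtocols:
          - TLSv1.2

  # Attach a web ACL to any distribution that has none (placeholder value).
  - name: cloudfront-attach-waf
    resource: distribution
    filters:
      - type: waf-enabled
        state: false
    actions:
      - type: set-waf
        state: true
        web-acl: REPLACE-WITH-YOUR-WEB-ACL

  # Enable Shield protection where missing; sync also removes protections
  # left behind by distributions that no longer exist.
  - name: cloudfront-shield-protect
    resource: distribution
    filters:
      - type: shield-enabled
        state: false
    actions:
      - type: set-shield
        state: true
        sync: true
```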