aws.distribution

Filters

distribution-config

Check for Cloudfront distribution config values

example:

policies:
  - name: logging-enabled
    resource: distribution
    filters:
      - type: distribution-config
        key: Logging.Enabled
        value: False
properties:
  default:
    type: object
  key:
    type: string
  op:
    enum:
    - eq
    - equal
    - ne
    - not-equal
    - gt
    - greater-than
    - ge
    - gte
    - le
    - lte
    - lt
    - less-than
    - glob
    - regex
    - regex-case
    - in
    - ni
    - not-in
    - contains
    - difference
    - intersect
    - mod
  type:
    enum:
    - distribution-config
  value:
    oneOf:
    - type: array
    - type: string
    - type: boolean
    - type: number
    - type: 'null'
  value_from:
    additionalProperties: 'False'
    properties:
      expr:
        oneOf:
        - type: integer
        - type: string
      format:
        enum:
        - csv
        - json
        - txt
        - csv2dict
      headers:
        patternProperties:
          ? ''
          : type: string
        type: object
      query:
        type: string
      url:
        type: string
    required:
    - url
    type: object
  value_path:
    type: string
  value_regex:
    type: string
  value_type:
    enum:
    - age
    - integer
    - expiration
    - normalize
    - size
    - cidr
    - cidr_size
    - swap
    - resource_count
    - expr
    - unique_size
    - date
    - version
    - float
required:
- type

Permissions - cloudfront:GetDistributionConfig

json-diff

Compute the diff from the current resource to a previous version.

A resource matches the filter if a diff exists between the current resource and the selected revision.

Utilizes config as a resource revision database.

Revisions can be selected by date, against the previous version, and against a locked version (requires use of is-locked filter).

properties:
  selector:
    enum:
    - previous
    - date
    - locked
  selector_value:
    type: string
  type:
    enum:
    - json-diff
required:
- type

Permissions - config:GetResourceConfigHistory

mismatch-s3-origin

Check for existence of S3 bucket referenced by Cloudfront,

and verify whether owner is different from Cloudfront account owner.

example:

policies:
  - name: mismatch-s3-origin
    resource: distribution
    filters:
      - type: mismatch-s3-origin
        check_custom_origins: true
properties:
  check_custom_origins:
    type: boolean
  type:
    enum:
    - mismatch-s3-origin
required:
- type

Permissions - s3:ListAllMyBuckets

shield-enabled

Base class with helper methods for dealing with ARNs of resources protected by Shield

properties:
  state:
    type: boolean
  type:
    enum:
    - shield-enabled
required:
- type

Permissions - shield:ListProtections

waf-enabled

Filter CloudFront distribution by waf-regional web-acl

example:

policies:
  - name: filter-distribution-waf
    resource: distribution
    filters:
      - type: waf-enabled
        state: false
        web-acl: test
properties:
  state:
    type: boolean
  type:
    enum:
    - waf-enabled
  web-acl:
    type: string
required:
- type

Permissions - waf:ListWebACLs

Actions

disable

Action to disable a Distribution

example:

policies:
  - name: distribution-delete
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: disable
properties:
  type:
    enum:
    - disable
required:
- type

Permissions - cloudfront:GetDistributionConfig, cloudfront:UpdateDistribution

rename-tag

Rename an existing tag key to a new value.

example:

rename Application, and Bap to App, if a resource has both of the old keys then we’ll use the value specified by Application, which is based on the order of values of old_keys.

policies:
- name: rename-tags-example
  resource: aws.log-group
  filters:
    - or:
      - "tag:Bap": present
      - "tag:Application": present
  actions:
    - type: rename-tag
      old_keys: [Application, Bap]
      new_key: App
properties:
  new_key:
    type: string
  old_key:
    type: string
  old_keys:
    items:
      type: string
    type: array
  type:
    enum:
    - rename-tag
required:
- type

Permissions - tag:TagResources, tag:UntagResources

set-attributes

Action to update the attributes of a distribution

example:

policies:
- name: enforce-distribution-logging
  resource: distribution
  filters:
    - type: value
      key: "Logging.Enabled"
      value: null
  actions:
    - type: set-attributes
      attributes:
        Comment: ""
        Enabled: true
        Logging:
            Enabled: true
            IncludeCookies: false
            Bucket: 'test-enable-logging-c7n.s3.amazonaws.com'
            Prefix: ''
properties:
  attributes:
    type: object
  type:
    enum:
    - set-attributes
required:
- attributes

Permissions - cloudfront:UpdateDistribution, cloudfront:GetDistributionConfig

set-protocols

Action to set mandatory https-only on a Distribution

example:

policies:
  - name: distribution-set-ssl
    resource: distribution
    filters:
      - type: value
        key: CacheBehaviors.Items[].ViewerProtocolPolicy
        value: allow-all
        op: contains
    actions:
      - type: set-protocols
        ViewerProtocolPolicy: https-only
properties:
  OriginProtocolPolicy:
    enum:
    - http-only
    - match-viewer
    - https-only
  OriginSslProtocols:
    items:
      enum:
      - SSLv3
      - TLSv1
      - TLSv1.1
      - TLSv1.2
    type: array
  ViewerProtocolPolicy:
    enum:
    - allow-all
    - https-only
    - redirect-to-https
  type:
    enum:
    - set-protocols

Permissions - cloudfront:GetDistributionConfig, cloudfront:UpdateDistribution

set-shield

Enable shield protection on applicable resource.

setting sync parameter will also clear out stale shield protections for resources that no longer exist.

properties:
  state:
    type: boolean
  sync:
    type: boolean
  type:
    enum:
    - set-shield
required:
- type

Permissions - shield:CreateProtection, shield:ListProtections

set-waf

Enable waf protection on CloudFront distribution.

example:

policies:
  - name: set-waf-for-cloudfront
    resource: distribution
    filters:
      - type: waf-enabled
        state: false
        web-acl: test
    actions:
      - type: set-waf
        state: true
        force: true
        web-acl: test

  - name: disassociate-waf-associate-wafv2-cf
    resource: distribution
    filters:
      - type: waf-enabled
        state: true
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: testv2
properties:
  force:
    type: boolean
  state:
    type: boolean
  type:
    enum:
    - set-waf
  web-acl:
    type: string
required:
- web-acl
- type

Permissions - cloudfront:UpdateDistribution, waf:ListWebACLs

set-wafv2

Enable wafv2 protection on CloudFront distribution.

example:

policies:
  - name: set-wafv2-for-cloudfront
    resource: distribution
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: testv2
    actions:
      - type: set-wafv2
        state: true
        force: true
        web-acl: testv2

  - name: disassociate-wafv2-associate-waf-cf
    resource: distribution
    filters:
      - type: wafv2-enabled
        state: true
    actions:
      - type: set-waf
        state: true
        force: true
        web-acl: test

policies:
  - name: set-wafv2-for-cloudfront-regex
    resource: distribution
    filters:
      - type: wafv2-enabled
        state: false
        web-acl: .*FMManagedWebACLV2-?FMS-.*
    actions:
      - type: set-wafv2
        state: true
        web-acl: FMManagedWebACLV2-?FMS-TestWebACL
properties:
  force:
    type: boolean
  state:
    type: boolean
  type:
    enum:
    - set-wafv2
  web-acl:
    type: string
required:
- type

Permissions - cloudfront:UpdateDistribution, wafv2:ListWebACLs