cloudfront-viewer-policy: CloudFront Viewer Protocol Policy

Date: 2025-08-01 | Affected software: CloudFront Viewer Policy | PoC: public

Vulnerability description

Ensure that the communication between your Amazon CloudFront distribution and its viewers is encrypted using HTTPS in order to secure the delivery of your web content.

PoC code [public]

id: cloudfront-viewer-policy

info:
  name: CloudFront Viewer Protocol Policy
  author: DhiyaneshDK
  severity: medium
  description: |
    Ensure that the communication between your Amazon CloudFront distribution and its viewers is encrypted using HTTPS in order to secure the delivery of your web content.
  impact: |
    Failing to enforce HTTPS for viewer connections in CloudFront can expose web content to interception and manipulation, compromising the security and integrity of sensitive data transmitted between users and the distribution.
  remediation: |
    Configure your Amazon CloudFront distribution's viewer protocol policy to either redirect HTTP requests to HTTPS or require HTTPS connections exclusively, ensuring secure delivery of web content and protecting against potential data breaches.
  reference:
    - https://www.trendmicro.com/cloudoneconformity-staging/knowledge-base/aws/CloudFront/viewer-protocol-policy.html
    - https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html
  tags: cloud,devops,aws,amazon,cloudfront,aws-cloud-config

variables:
  region: "us-west-2"

flow: |
  code(1)
  for(let DistributionListItemsId of iterate(template.distributions)){
    set("distribution", DistributionListItemsId)
    code(2)
  }

self-contained: true

code:
  - engine:
      - sh
      - bash

    source: |
      aws cloudfront list-distributions --query 'DistributionList.Items[*].Id' --region $region --output json

    extractors:
      - type: json
        name: distributions
        internal: true
        json:
          - '.[]'

  - engine:
      - sh
      - bash

    source: |
      aws cloudfront get-distribution-config --id $distribution --query 'DistributionConfig.[DefaultCacheBehavior.ViewerProtocolPolicy, CacheBehaviors.Items[*].ViewerProtocolPolicy]' --output json --region $region

    matchers:
      - type: word
        words:
          - '"allow-all"'

    extractors:
      - type: dsl
        dsl:
          - '"CloudFront Viewer Policy " + distribution + " allows all"'
# digest: 490a004630440220768d2a4c15a0516365ef4fe8d25f47e5c0f96c483617c859a77548cfe800ff5202204ab9615b2800dec6a7b7118656bad06d1f33ec1a43040081e0fc53d622215b36:922c64590222798bb761d5b6d8e72950
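The template above shells out to the AWS CLI and word-matches `"allow-all"` in the returned JSON. The following Python is an added example, not part of the Nuclei template or of ProjectDiscovery's code: it performs the same audit on a `DistributionConfig` object (the structure `aws cloudfront get-distribution-config` returns under the `DistributionConfig` key), checks the default cache behavior as well as every path-pattern behavior, reproduces the template's one-line finding, and produces a hardened copy of the config suitable for `update-distribution`. The distribution config and the id `EXAMPLEDISTID` are constructed sample values, not real resources.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: a trimmed "DistributionConfig" object in the shape returned by
# `aws cloudfront get-distribution-config --id <ID>`. All values are made up.
SAMPLE_DISTRIBUTION_CONFIG = json.loads("""
{
  "CallerReference": "example-ref",
  "Comment": "constructed sample distribution",
  "Enabled": true,
  "DefaultCacheBehavior": {
    "TargetOriginId": "origin-1",
    "ViewerProtocolPolicy": "allow-all"
  },
  "CacheBehaviors": {
    "Quantity": 2,
    "Items": [
      {"PathPattern": "/api/*",    "TargetOriginId": "origin-1", "ViewerProtocolPolicy": "redirect-to-https"},
      {"PathPattern": "/legacy/*", "TargetOriginId": "origin-2", "ViewerProtocolPolicy": "allow-all"}
    ]
  }
}
""")

# The only ViewerProtocolPolicy value that lets viewers fetch content over plaintext HTTP.
INSECURE_POLICY = "allow-all"
# The policy the template's remediation text recommends (the other secure value is "https-only").
SECURE_POLICY = "redirect-to-https"


def list_behaviors(config: Dict) -> List[Tuple[str, Dict]]:
    """Return (label, behavior) pairs for the default behavior and every path-pattern behavior.
    DefaultCacheBehavior governs every request that matches no explicit PathPattern,
    so a check that only reads CacheBehaviors.Items misses distributions with no extra behaviors."""
    behaviors = [("DefaultCacheBehavior", config["DefaultCacheBehavior"])]
    for item in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((f"CacheBehaviors[{item['PathPattern']}]", item))
    return behaviors


def find_insecure_behaviors(config: Dict) -> List[str]:
    """Labels of all cache behaviors whose ViewerProtocolPolicy is allow-all."""
    return [label for label, behavior in list_behaviors(config)
            if behavior.get("ViewerProtocolPolicy") == INSECURE_POLICY]


def harden_viewer_policy(config: Dict, policy: str = SECURE_POLICY) -> Dict:
    """Deep-copy the config and switch every allow-all behavior to `policy`.
    The result is shaped for `aws cloudfront update-distribution --distribution-config`,
    which additionally needs the ETag from get-distribution-config as --if-match."""
    fixed = json.loads(json.dumps(config))  # deep copy; the input is left untouched
    for _, behavior in list_behaviors(fixed):
        if behavior.get("ViewerProtocolPolicy") == INSECURE_POLICY:
            behavior["ViewerProtocolPolicy"] = policy
    return fixed


def audit_report(distribution_id: str, config: Dict) -> str:
    """One-line finding in the same form as the template's DSL extractor, listing the offending behaviors."""
    insecure = find_insecure_behaviors(config)
    if not insecure:
        return f"CloudFront Viewer Policy {distribution_id} enforces HTTPS"
    return f"CloudFront Viewer Policy {distribution_id} allows all ({', '.join(insecure)})"


if __name__ == "__main__":
    dist_id = "EXAMPLEDISTID"  # placeholder id; in practice iterate over list-distributions output
    print(audit_report(dist_id, SAMPLE_DISTRIBUTION_CONFIG))
    print(audit_report(dist_id, harden_viewer_policy(SAMPLE_DISTRIBUTION_CONFIG)))
```

Run against the constructed config this reports both the default behavior and the `/legacy/*` behavior as `allow-all`; after `harden_viewer_policy` the same audit reports HTTPS enforced. The matcher in the template fires on the literal `"allow-all"` anywhere in the JSON, which is equivalent to `find_insecure_behaviors` returning a non-empty list once the query covers the default behavior too.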