Ensure geo-restriction is enabled for AWS CloudFront

LOW

Description

Geographic restrictions are common in enterprise environments: they are often employed to protect websites from DDoS attacks and malicious traffic originating from specific parts of the world. For more information on how geo-restrictions can be used, see Amazon's CloudFront documentation.
References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html

Remediation

In AWS Console -

  1. Sign in to AWS Console and open the CloudFront Console.
  2. Choose the ID for the distribution that you want to update.
  3. In the Geographic restrictions tab, select Edit.
  4. Select either Allow list or Block list.
  5. Select the countries you wish to allow or block from the list.
  6. Select Save changes.

In Terraform -

  1. In the aws_cloudfront_distribution resource, configure the restrictions.geo_restriction block.
  2. Set restriction_type to whitelist (allow list) or blacklist (block list) rather than none, and set locations to the list of country codes to allow or block.
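
The Terraform steps above, as an added example that is not part of this policy page or the Terraform provider docs: a minimal aws_cloudfront_distribution with restrictions.geo_restriction set to an allow list. The bucket name, origin ID and country list are assumed values.

```hcl
# Added example (not from the policy page): a minimal CloudFront distribution
# with geo-restriction enabled via restrictions.geo_restriction.
# Assumed values: the S3 bucket name, the origin ID and the country list.

resource "aws_cloudfront_distribution" "example" {
  enabled = true

  origin {
    domain_name = "example-bucket.s3.amazonaws.com" # assumed origin
    origin_id   = "s3-example-origin"
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-example-origin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      # "whitelist" = allow list, "blacklist" = block list.
      # "none" (the default) leaves the distribution reachable from every
      # country and is the setting this rule flags.
      restriction_type = "whitelist"
      locations        = ["US", "CA", "GB", "DE"] # ISO 3166-1 alpha-2 codes, assumed
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

After applying, `terraform plan` on an existing distribution that still has `restriction_type = "none"` will show the in-place update to the geo_restriction block; no replacement of the distribution is needed.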

References:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/georestrictions.html
https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudfront_distribution

Policy Details

Rule Reference ID: AC_AWS_0549
CSP: AWS
Remediation Available: Yes
Resource Category: Virtual Network
Resource Type: CloudFront

Frameworks