AWS Introduction
AWS Pricing
AWS Threats
AWS Misconfigurations
- Getting Started with AWS Audit
- Permissions required for Misconfigurations Detection
- API Gateway Audit
- Cloudformation Audit
- CloudFront Audit
- CloudTrail Audit
- Cloudwatch Audit
- DynamoDB Audit
- EC2 Audit
- Elastic Search Audit
- ELB Audit
- IAM Audit
- KMS Audit
- Kubernetes Audit
- Lambda Audit
- RDS Audit
- Redshift Audit
- Route53 Audit
- S3 Audit
- Security Groups Audit
- SES Audit
- SNS Audit
- IAM Deep Dive
- App Sync Audit
- Code Build Audit
- Open Search Audit
- Shield Audit
- SQS Audit
CloudFront Distributions Should Have Geo Restriction Enabled
More Info:
Geo restriction should be enabled for your Amazon CloudFront CDN distribution to whitelist or blacklist a country in order to allow or restrict users in specific locations from accessing web application content.
Risk Level
Low
Address
Security
Compliance Standards
SOC2, GDPR
Triage and Remediation
Remediation
To remediate the misconfiguration “CloudFront Distributions Should Have Geo Restriction Enabled” for AWS using AWS console, follow the below steps:
- Log in to your AWS console.
- Navigate to the CloudFront service.
- Click on the name of the distribution that you want to remediate.
- Click on the “Behaviors” tab.
- Click on the “Create Behavior” button.
- In the “Create Behavior” screen, scroll down to the “Restrict Viewer Access (Use Signed URLs or Signed Cookies)” section.
- Click on the “Yes” radio button for “Restrict Viewer Access”.
- In the “Geo Restriction” section, click on the “Yes” radio button for “Restrict access to your content by country/region”.
- In the “Whitelist” section, select the countries/regions that you want to allow access to your content.
- Click on the “Create” button to save the behavior.
Once completed, the CloudFront distribution will have geo restriction enabled.
To remediate the misconfiguration of CloudFront distributions not having Geo Restriction enabled in AWS using AWS CLI, follow these steps:
-
Open your terminal and ensure you have AWS CLI installed and configured with the necessary permissions to modify CloudFront distributions.
-
Identify the CloudFront distribution that needs Geo Restriction enabled. You can use the following command to list all the CloudFront distributions in your AWS account:
aws cloudfront list-distributionsThis command will return a JSON object containing information about all the CloudFront distributions in your account.
-
Once you have identified the distribution that needs Geo Restriction enabled, you can use the following command to enable Geo Restriction:
aws cloudfront update-distribution --id <distribution-id> --distribution-config '{"GeoRestriction":{"RestrictionType":"whitelist","Quantity":0}}'Replace
<distribution-id>with the ID of the distribution that needs Geo Restriction enabled. -
After running the above command, you should receive a JSON object containing information about the updated CloudFront distribution.
-
Verify that Geo Restriction has been enabled for the distribution by running the following command:
aws cloudfront get-distribution-config --id <distribution-id>This command will return a JSON object containing the configuration of the specified CloudFront distribution. Verify that the
GeoRestrictionobject is present and contains the correct configuration.
That’s it! You have successfully remediated the misconfiguration of CloudFront distributions not having Geo Restriction enabled in AWS using AWS CLI.
To remediate the CloudFront Distributions should have Geo Restriction enabled misconfiguration in AWS using Python, follow the below steps:
- Import the required libraries:
import boto3
- Initialize AWS credentials:
aws_access_key_id = 'YOUR_AWS_ACCESS_KEY_ID'
aws_secret_access_key = 'YOUR_AWS_SECRET_ACCESS_KEY'
region_name = 'YOUR_AWS_REGION_NAME'
session = boto3.Session(
aws_access_key_id=aws_access_key_id,
aws_secret_access_key=aws_secret_access_key,
region_name=region_name
)
cloudfront = session.client('cloudfront')
- Get the list of CloudFront distributions:
distributions = cloudfront.list_distributions()
- Loop through the distributions and check if Geo Restriction is enabled:
for distribution in distributions['DistributionList']['Items']:
distribution_id = distribution['Id']
distribution_config = cloudfront.get_distribution_config(Id=distribution_id)
geo_restriction = distribution_config['DistributionConfig']['Restrictions']['GeoRestriction']['RestrictionType']
if geo_restriction != 'whitelist':
# Geo Restriction is not enabled, remediate the misconfiguration
- Remediate the misconfiguration by enabling Geo Restriction:
distribution_config['DistributionConfig']['Restrictions']['GeoRestriction']['RestrictionType'] = 'whitelist'
cloudfront.update_distribution(
DistributionConfig=distribution_config['DistributionConfig'],
Id=distribution_id,
IfMatch=distribution_config['ETag']
)
Note: This code assumes that you have the necessary AWS credentials and permissions to access and modify CloudFront distributions.