--- policy: /ce/ca/aws/cloudfront/distribution-security-policy logic: /ce/ca/aws/cloudfront/distribution-security-policy/prod.logic.yaml executionTime: 2026-06-06T12:02:32.86544508Z generationMs: 46 executionMs: 1276 rows: - id: '001' match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 299 actual: 299 conditionText: expected: extract('CA10__viewerCertificateMinimumProtocolVersion__c').isEmpty() actual: extract('CA10__viewerCertificateMinimumProtocolVersion__c').isEmpty() runtimeError: {} - id: '002' match: true status: expected: INCOMPLIANT actual: INCOMPLIANT conditionIndex: expected: 399 actual: 399 conditionText: expected: "setOfText(['SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016', 'TLSv1.2_2018',\ \ 'TLSv1.2_2019']).contains(extract('CA10__viewerCertificateMinimumProtocolVersion__c'))" actual: "setOfText(['SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016', 'TLSv1.2_2018',\ \ 'TLSv1.2_2019']).contains(extract('CA10__viewerCertificateMinimumProtocolVersion__c'))" runtimeError: {} - id: '003' match: true status: expected: COMPLIANT actual: COMPLIANT conditionIndex: expected: 400 actual: 400 conditionText: expected: otherwise actual: otherwise runtimeError: {} usedFiles: - path: /ce/ca/aws/cloudfront/distribution-security-policy/policy.yaml md5Hash: 1B78CD3DF86A61261C0BF5D6045E29FE content: "---\nnames:\n full: AWS CloudFront Web Distribution uses legacy Security\ \ Policy\n contextual: Web Distribution uses legacy Security Policy\ndescription:\ \ >\n Ensure that AWS CloudFront Web Distributions are configured to use a\ \ current \n Security Policy (at least TLSv1.2_2021) that enforces the use\ \ of TLS 1.2 or later. \n Legacy policies support outdated protocols and ciphers\ \ that may expose traffic \n to vulnerabilities.\ncategories:\n - \"SECURITY\"\ \ntype: \"COMPLIANCE_POLICY\"\nframeworkMappings:\n - \"/frameworks/cloudaware/secret-and-certificate-governance/cryptographic-configuration\"\ \n - \"/frameworks/aws-well-architected/sec/09/01\"\n - \"/frameworks/aws-fsbp-v1.0.0/cloudfront/15\"\ \nsimilarPolicies:\n awsSecurityHub:\n - name: \"[CloudFront.15] CloudFront\ \ distributions should use the recommended TLS security policy\"\n url:\ \ \"https://docs.aws.amazon.com/securityhub/latest/userguide/cloudfront-controls.html#cloudfront-15\"\ \n" - path: /ce/ca/aws/cloudfront/distribution-security-policy/prod.logic.yaml md5Hash: B283C25B3A9DF7BE7D655D2460A722FD content: "---\ninputType: \"CA10__CaAwsDistribution__c\"\nimportExtracts:\n -\ \ file: \"/types/CA10__CaAwsDistribution__c/object.extracts.yaml\"\ntestData:\n\ \ - file: \"test-data.json\" \nrecordTypes:\n - \"caWebDistribution\"\nconditions:\n\ \ - status: \"INCOMPLIANT\"\n currentStateMessage: \"The minimum protocol\ \ version is not set.\"\n remediationMessage: \"Configure a security policy.\"\ \n check:\n IS_EMPTY:\n arg:\n EXTRACT: \"CA10__viewerCertificateMinimumProtocolVersion__c\"\ \ \n - status: \"INCOMPLIANT\"\n currentStateMessage: \"The CloudFront\ \ distribution uses a legacy security policy.\"\n remediationMessage: \"\ Update the security policy to enforce at least TLSv1.2_2021.\"\n check:\n\ \ CONTAINS:\n arg:\n SET:\n itemType: TEXT\n\ \ items: \n - \"SSLv3\"\n - \"TLSv1\"\n\ \ - \"TLSv1_2016\"\n - \"TLSv1.1_2016\"\n \ \ - \"TLSv1.2_2018\"\n - \"TLSv1.2_2019\"\n search:\n\ \ EXTRACT: \"CA10__viewerCertificateMinimumProtocolVersion__c\" \n\ otherwise:\n status: \"COMPLIANT\"\n currentStateMessage: \"The CloudFront\ \ distribution uses a current security policy.\"\n" - path: /ce/ca/aws/cloudfront/distribution-security-policy/test-data.json md5Hash: BB7A373679CB77721ADAD7D7732EFFED content: | [ { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "299", "conditionText": "extract('CA10__viewerCertificateMinimumProtocolVersion__c').isEmpty()", "runtimeError": null }, "context": { "snapshotTime": "2025-12-01T00:50:53Z" }, "CA10__disappearanceTime__c": null, "CA10__viewerCertificateMinimumProtocolVersion__c": null, "Id": "001", "RecordTypeId": "rt000", "RecordType": { "Id": "rt000", "DeveloperName": "caWebDistribution" } }, { "expectedResult": { "status": "INCOMPLIANT", "conditionIndex": "399", "conditionText": "setOfText(['SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016', 'TLSv1.2_2018', 'TLSv1.2_2019']).contains(extract('CA10__viewerCertificateMinimumProtocolVersion__c'))", "runtimeError": null }, "context": { "snapshotTime": "2025-12-01T00:50:53Z" }, "CA10__disappearanceTime__c": null, "CA10__viewerCertificateMinimumProtocolVersion__c": "TLSv1.1_2016", "Id": "002", "RecordTypeId": "rt000", "RecordType": { "Id": "rt000", "DeveloperName": "caWebDistribution" } }, { "expectedResult": { "status": "COMPLIANT", "conditionIndex": "400", "conditionText": "otherwise", "runtimeError": null }, "context": { "snapshotTime": "2025-12-01T00:50:53Z" }, "CA10__disappearanceTime__c": null, "CA10__viewerCertificateMinimumProtocolVersion__c": "TLSv1.2_2021", "Id": "003", "RecordTypeId": "rt000", "RecordType": { "Id": "rt000", "DeveloperName": "caWebDistribution" } } ] - path: /types/CA10__CaAwsDistribution__c/object.extracts.yaml md5Hash: 9BBABDA14FE5FD983E28F77F5CC80BF9 content: |- --- extracts: # Nullable - name: "CA10__defaultRootObject__c" value: FIELD: path: CA10__defaultRootObject__c # undeterminedIf: # noAccessDelegate: # path: "CA10__defaultRootObject__c" # currentStateMessage: "Unable to determine Default Root Object. Possible permission issue with cloudfront:GetDistribution." # Checkbox - name: "CA10__loggingEnabled__c" value: FIELD: path: "CA10__loggingEnabled__c" # Checkbox - name: "CA10__viewerCertificateCloudFrontDefaultCert__c" value: FIELD: path: "CA10__viewerCertificateCloudFrontDefaultCert__c" # Values: sni-only | vip | static-ip. Nullable - name: "CA10__viewerCertificateSslSupportMethod__c" value: FIELD: path: "CA10__viewerCertificateSslSupportMethod__c" # undeterminedIf: # noAccessDelegate: # path: "CA10__defaultRootObject__c" # currentStateMessage: "Unable to determine Viewer Certificate SSL Support Method. Possible permission issue with cloudfront:GetDistribution." # Text. Nullable - name: "CA10__viewerCertificateMinimumProtocolVersion__c" value: FIELD: path: "CA10__viewerCertificateMinimumProtocolVersion__c" # Text. Nullable - name: "CA10__s3OriginDomainName__c" value: FIELD: path: "CA10__s3OriginDomainName__c" # Text. Nullable - name: "CA10__s3OriginAccessIdentity__c" value: FIELD: path: "CA10__s3OriginAccessIdentity__c" script: |- CREATE TEMP FUNCTION mock_ExpectedResult() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "Id" : "001", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "299", "conditionText" : "extract('CA10__viewerCertificateMinimumProtocolVersion__c').isEmpty()", "runtimeError" : null } }, { "Id" : "002", "expectedResult" : { "status" : "INCOMPLIANT", "conditionIndex" : "399", "conditionText" : "setOfText(['SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016', 'TLSv1.2_2018', 'TLSv1.2_2019']).contains(extract('CA10__viewerCertificateMinimumProtocolVersion__c'))", "runtimeError" : null } }, { "Id" : "003", "expectedResult" : { "status" : "COMPLIANT", "conditionIndex" : "400", "conditionText" : "otherwise", "runtimeError" : null } } ]; """; CREATE TEMP FUNCTION mock_CA10__CaAwsDistribution__c() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-12-01T00:50:53Z") }, "CA10__viewerCertificateMinimumProtocolVersion__c" : null, "Id" : "001", "RecordTypeId" : "rt000" }, { "context" : { "snapshotTime" : new Date("2025-12-01T00:50:53Z") }, "CA10__viewerCertificateMinimumProtocolVersion__c" : "TLSv1.1_2016", "Id" : "002", "RecordTypeId" : "rt000" }, { "context" : { "snapshotTime" : new Date("2025-12-01T00:50:53Z") }, "CA10__viewerCertificateMinimumProtocolVersion__c" : "TLSv1.2_2021", "Id" : "003", "RecordTypeId" : "rt000" } ]; """; CREATE TEMP FUNCTION mock_RecordType() RETURNS ARRAY >> DETERMINISTIC LANGUAGE js AS r""" return [ { "context" : { "snapshotTime" : new Date("2025-12-01T00:50:53Z") }, "DeveloperName" : "caWebDistribution", "Id" : "rt000" } ]; """; CREATE TEMP FUNCTION process_CA10__CaAwsDistribution__c( obj STRUCT< CA10__disappearanceTime__c TIMESTAMP, RecordType STRUCT< DeveloperName STRING, Id STRING >, CA10__viewerCertificateMinimumProtocolVersion__c STRING, Id STRING, RecordTypeId STRING >, snapshotTime TIMESTAMP ) RETURNS STRUCT DETERMINISTIC LANGUAGE js AS r""" var CollectionLib = new function () { this.parse = function(arg, separator, skipEmpty, skipDuplicates, sort, normalize) { if (arg == null) return []; let parts = arg.split(separator); return this.fromArray(parts, skipEmpty, skipDuplicates, sort, normalize); }; this.fromArray = function(arr, skipEmpty, skipDuplicates, sort, normalize) { if (arr == null) return []; let result = []; let seen = new Set(); arr.forEach(el => { let normalized = normalize ? TextLib.normalize(el) : BytesLib.normalize(el); if (!skipEmpty || (normalize ? TextLib.isNotEmpty(el) : BytesLib.isNotEmpty(el))) { if (!skipDuplicates || !seen.has(normalized)) { if (skipDuplicates) seen.add(normalized); result.push(normalized); } } }); if (sort) result.sort(); return result; }; this.equal = function(left, right) { left = left == null ? [] : left; right = right == null ? [] : right; if (left.length !== right.length) return false; for (let i = 0; i < left.length; i++) { if (left[i] !== right[i]) return false; } return true; }; this.notEqual = function(left, right) { return !this.equal(left, right); }; this.size = function(collection) { return collection == null ? 0 : collection.length; }; this.startsWith = function(collection, search, normalize) { if (collection == null || collection.length === 0) return false; let normalizedSearch = normalize ? TextLib.normalize(search) : BytesLib.normalize(search); return collection[0] === normalizedSearch; }; this.endsWith = function(collection, search, normalize) { if (collection == null || collection.length === 0) return false; let normalizedSearch = normalize ? TextLib.normalize(search) : BytesLib.normalize(search); return collection[collection.length - 1] === normalizedSearch; }; this.contains = function(collection, search, normalize) { if (collection == null || collection.length === 0) return false; return collection.includes(normalize ? TextLib.normalize(search) : BytesLib.normalize(search)); }; this.containsAll = function(collection, searchArray, normalize) { if (collection == null || collection.length === 0 || searchArray == null || searchArray.length === 0) return false; return searchArray.every(search => collection.includes(normalize ? TextLib.normalize(search) : BytesLib.normalize(search))); }; this.containsAny = function(collection, searchArray, normalize) { if (collection == null || collection.length === 0 || searchArray == null || searchArray.length === 0) return false; return searchArray.some(search => collection.includes(normalize ? TextLib.normalize(search) : BytesLib.normalize(search))); }; }(); var BytesLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg; }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var TextLib = new function () { this.normalize = function(arg) { return arg == null ? '' : arg.replace(/\s+/g, ' ').trim().toLowerCase(); }; this.isEmpty = function(arg) { return this.normalize(arg) == ''; }; this.isNotEmpty = function(arg) { return this.normalize(arg) != ''; }; this.equal = function(left, right) { return this.normalize(left) == this.normalize(right); }; this.notEqual = function(left, right) { return this.normalize(left) != this.normalize(right); }; this.startsWith = function(arg, substring) { return this.normalize(arg).startsWith(this.normalize(substring)); }; this.endsWith = function(arg, substring) { return this.normalize(arg).endsWith(this.normalize(substring)); }; this.contains = function(arg, substring) { return this.normalize(arg).includes(this.normalize(substring)); }; this.containsAll = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.every(sub => normalizedArg.includes(this.normalize(sub))); }; this.containsAny = function(arg, substrings) { if (substrings == null || substrings.length === 0) return false; let normalizedArg = this.normalize(arg); return substrings.some(sub => normalizedArg.includes(this.normalize(sub))); }; }(); var references1 = []; // condition[0], conditionIndex:[0..99] references1.push('Deleted From AWS [CA10__disappearanceTime__c]: ' + obj.CA10__disappearanceTime__c); if (obj.CA10__disappearanceTime__c != null) { return {status: 'DISAPPEARED', conditionIndex: 99, conditionText: "isDisappeared(CA10__disappearanceTime__c)", currentStateMessage: "Object is deleted in the source", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[1], conditionIndex:[100..199] references1.push('Record Type Name [obj.RecordType.DeveloperName]: ' + obj.RecordType.DeveloperName); if (!CollectionLib.contains(CollectionLib.fromArray(['caWebDistribution'], true, true, true, true), obj.RecordType.DeveloperName, true)) { return {status: 'INAPPLICABLE', conditionIndex: 199, conditionText: "not(setOfText(['caWebDistribution']).contains(RecordType.DeveloperName))", currentStateMessage: "Object record type is not applicable", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; } // condition[2], conditionIndex:[200..299] function extract4() { if (!this.out) { this.out = obj.CA10__viewerCertificateMinimumProtocolVersion__c; } return this.out; }; references1.push('Viewer Certificate Min Protocol Version [obj.CA10__viewerCertificateMinimumProtocolVersion__c]: ' + obj.CA10__viewerCertificateMinimumProtocolVersion__c); if (TextLib.isEmpty(extract4.call(extract4))) { return {status: 'INCOMPLIANT', conditionIndex: 299, conditionText: "extract('CA10__viewerCertificateMinimumProtocolVersion__c').isEmpty()", currentStateMessage: "The minimum protocol version is not set.", currentStateReferences: references1.join('\n'), remediation: "Configure a security policy.", runtimeError: null}; } // condition[3], conditionIndex:[300..399] function extract7() { if (!this.out) { this.out = obj.CA10__viewerCertificateMinimumProtocolVersion__c; } return this.out; }; if (CollectionLib.contains(CollectionLib.fromArray(['SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016', 'TLSv1.2_2018', 'TLSv1.2_2019'], true, true, true, true), extract7.call(extract7), true)) { return {status: 'INCOMPLIANT', conditionIndex: 399, conditionText: "setOfText(['SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016', 'TLSv1.2_2018', 'TLSv1.2_2019']).contains(extract('CA10__viewerCertificateMinimumProtocolVersion__c'))", currentStateMessage: "The CloudFront distribution uses a legacy security policy.", currentStateReferences: references1.join('\n'), remediation: "Update the security policy to enforce at least TLSv1.2_2021.", runtimeError: null}; } return {status: 'COMPLIANT', conditionIndex: 400, conditionText: "otherwise", currentStateMessage: "The CloudFront distribution uses a current security policy.", currentStateReferences: references1.join('\n'), remediation: null, runtimeError: null}; """; SELECT expectedResult.Id as Id, IF ( IFNULL(expectedResult.expectedResult.status, '') = IFNULL(sObject.result.status, '') AND IFNULL(expectedResult.expectedResult.conditionIndex, -1) = IFNULL(sObject.result.conditionIndex, -1) AND IFNULL(expectedResult.expectedResult.conditionText, '') = IFNULL(sObject.result.conditionText, '') AND IFNULL(expectedResult.expectedResult.runtimeError, '') = IFNULL(sObject.result.runtimeError, ''), "MATCH", "FAIL" ) as match, expectedResult.expectedResult.status as expectedStatus, sObject.result.status as actualStatus, expectedResult.expectedResult.conditionIndex as expectedConditionIndex, sObject.result.conditionIndex as actualConditionIndex, expectedResult.expectedResult.conditionText as expectedConditionText, sObject.result.conditionText as actualConditionText, expectedResult.expectedResult.runtimeError as expectedRuntimeError, sObject.result.runtimeError as actualRuntimeError FROM UNNEST(mock_ExpectedResult()) expectedResult LEFT JOIN ( SELECT sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, STRUCT ( `RecordType`.DeveloperName AS DeveloperName, `RecordType`.Id AS Id ) AS RecordType, sObject.CA10__viewerCertificateMinimumProtocolVersion__c AS CA10__viewerCertificateMinimumProtocolVersion__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId, process_CA10__CaAwsDistribution__c( STRUCT( sObject.CA10__disappearanceTime__c AS CA10__disappearanceTime__c, STRUCT ( `RecordType`.DeveloperName AS DeveloperName, `RecordType`.Id AS Id ) AS RecordType, sObject.CA10__viewerCertificateMinimumProtocolVersion__c AS CA10__viewerCertificateMinimumProtocolVersion__c, sObject.Id AS Id, sObject.RecordTypeId AS RecordTypeId ), sObject.context.snapshotTime ) as result FROM UNNEST(mock_CA10__CaAwsDistribution__c()) AS sObject LEFT JOIN UNNEST(mock_RecordType()) AS `RecordType` ON sObject.RecordTypeId = `RecordType`.Id ) sObject ON sObject.Id = expectedResult.Id;