π§ AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins - prod.logic.yaml π’
- Contextual name: π§ prod.logic.yaml π’
- ID:
/ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins/prod.logic.yaml - Located in: π AWS CloudFront Web Distribution does not encrypt traffic to Custom Origins π’
Flagsβ
- π’ Logic test success
- π’ Logic with extracts
- π’ Logic with test data
Input Typeβ
| Type | API Name | Extracts | Extract Files | Logic Files | |
|---|---|---|---|---|---|
| π | π AWS CloudFront Distribution | CA10__CaAwsDistribution__c | 4 | 1 | 7 |
Usesβ
- π AWS CloudFront Cache Behavior - object.extracts.yaml
- π AWS CloudFront Origin - object.extracts.yaml
- π§ͺ test-data.json
Test Results π’β
Generated at: 2025-07-08T23:23:03.694894804Z Open
| Result | Id | Condition Index | Condition Text | Runtime Error |
|---|---|---|---|---|
| π’ | test1 | βοΈ 99 | βοΈ isDisappeared(CA10__disappearanceTime__c) | βοΈ null |
| π’ | test2 | βοΈ 199 | βοΈ not(setOfText(['caWebDistribution']).contains(RecordType.DeveloperName)) | βοΈ null |
| π’ | test3 | βοΈ 299 | βοΈ CA10__AWS_CloudFront_Origins__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test4 | βοΈ 599 | βοΈ CA10__AWS_CloudFront_Origins__r.has(COMPLIANT) && CA10__AWS_CloudFront_Cache_Behaviors__r.has(INCOMPLIANT) | βοΈ null |
| π’ | test5 | βοΈ 499 | βοΈ CA10__AWS_CloudFront_Origins__r.has(COMPLIANT) && extract('CA10__defaultCacheBehavior__r.CA10__viewerProtocolPolicy__c') == 'allow-all' | βοΈ null |
| π’ | test6 | βοΈ 700 | βοΈ otherwise | βοΈ null |
| π’ | test7 | βοΈ 699 | βοΈ CA10__AWS_CloudFront_Origins__r.hasNo(INAPPLICABLE) && CA10__AWS_CloudFront_Origins__r.hasNo(UNDETERMINED) && CA10__AWS_CloudFront_Origins__r.hasNo(COMPLIANT) | βοΈ null |
| π’ | test8 | βοΈ 700 | βοΈ otherwise | βοΈ null |
| π’ | test9 | βοΈ 399 | βοΈ isEmptyLookup('CA10__defaultCacheBehavior__r') | βοΈ null |
| π’ | test10 | βοΈ 699 | βοΈ CA10__AWS_CloudFront_Origins__r.hasNo(INAPPLICABLE) && CA10__AWS_CloudFront_Origins__r.hasNo(UNDETERMINED) && CA10__AWS_CloudFront_Origins__r.hasNo(COMPLIANT) | βοΈ null |
Generationβ
| File | MD5 | |
|---|---|---|
| Open | /ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins/policy.yaml | 30DBBDAE30867E248F1CCDC696DA0FA7 |
| Open | /ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins/prod.logic.yaml | 4E35383A31E8A0CF298A264638FFFC01 |
| Open | /types/CA10__CaAwsCacheBehavior2__c/object.extracts.yaml | 9FCFD18140FB8C38265EB37003668054 |
| Open | /ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins/test-data.json | EFD068FD5F22ADB0C47C3D2898F784DE |
| Open | /types/CA10__CaAwsOrigin2__c/object.extracts.yaml | 6B8CD26CEA48D96F7C7123252B2102AF |
Generate FULL scriptβ
java -jar repo-manager.jar policies generate FULL /ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins/prod.logic.yaml
Generate DEBUG scriptβ
java -jar repo-manager.jar policies generate DEBUG /ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins/prod.logic.yaml
Generate CAPTURE_TEST_DATA scriptβ
java -jar repo-manager.jar policies generate CAPTURE_TEST_DATA /ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins/prod.logic.yaml
Generate TESTS scriptβ
java -jar repo-manager.jar policies generate TESTS /ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins/prod.logic.yaml
Execute testsβ
java -jar repo-manager.jar policies test /ce/ca/aws/cloudfront/distribution-traffic-encryption-to-custom-origins/prod.logic.yaml
Contentβ
---
inputType: "CA10__CaAwsDistribution__c"
importExtracts:
- file: "/types/CA10__CaAwsCacheBehavior2__c/object.extracts.yaml"
testData:
- file: "test-data.json"
recordTypes:
- "caWebDistribution"
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "The Distribution has at least one custom origin that is set to HTTP Only."
remediationMessage: "Update the Origin Protocol Policy for the custom origins to HTTPS Only."
check:
RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10__AWS_CloudFront_Origins__r"
- status: "UNDETERMINED"
currentStateMessage: "The Distribution has at least one custom origin that is set to Match Viewer\
\ but the default cache behavior is not present in the CMDB."
check:
IS_EMPTY_LOOKUP: "CA10__defaultCacheBehavior__r"
- status: "INCOMPLIANT"
currentStateMessage: "The Distribution has at least one custom origin that is set to Match Viewer\
\ while Viewers can use both protocols."
remediationMessage: "Update the Origin Protocol Policy for the custom origins to HTTPS Only."
check:
AND:
args:
- RELATED_LIST_HAS:
status: "COMPLIANT"
relationshipName: "CA10__AWS_CloudFront_Origins__r"
- IS_EQUAL:
left:
EXTRACT: "CA10__defaultCacheBehavior__r.CA10__viewerProtocolPolicy__c"
right:
TEXT: "allow-all"
- status: "INCOMPLIANT"
currentStateMessage: "The Distribution has at least one custom origin that is set to Match Viewer\
\ while Viewers can use both protocols."
remediationMessage: "Update the Origin Protocol Policy for the custom origins to HTTPS Only."
check:
AND:
args:
- RELATED_LIST_HAS:
status: "COMPLIANT"
relationshipName: "CA10__AWS_CloudFront_Origins__r"
- RELATED_LIST_HAS:
status: "INCOMPLIANT"
relationshipName: "CA10__AWS_CloudFront_Cache_Behaviors__r"
- status: "UNDETERMINED"
currentStateMessage: "The Distribution doesn't have any Origins in the CMDB."
check:
AND:
args:
- RELATED_LIST_HAS_NO:
status: "INAPPLICABLE"
relationshipName: "CA10__AWS_CloudFront_Origins__r"
- RELATED_LIST_HAS_NO:
status: "UNDETERMINED"
relationshipName: "CA10__AWS_CloudFront_Origins__r"
- RELATED_LIST_HAS_NO:
status: "COMPLIANT"
relationshipName: "CA10__AWS_CloudFront_Origins__r"
otherwise:
status: "COMPLIANT"
currentStateMessage: "All custom Origins for this Distribution are configured to use\
\ encrypted traffic whenever applicable."
relatedLists:
- relationshipName: "CA10__AWS_CloudFront_Origins__r"
importExtracts:
- file: "/types/CA10__CaAwsOrigin2__c/object.extracts.yaml"
conditions:
- status: "INAPPLICABLE"
currentStateMessage: "This is not a custom origin."
check:
IS_EMPTY:
arg:
EXTRACT: "CA10__configProtocolPolicy__c"
- status: "INAPPLICABLE"
currentStateMessage: "This origin is an S3 bucket configured for static website hosting,\
\ which does not support HTTPS."
check:
CONTAINS:
arg:
EXTRACT: "CA10__domainName__c"
search:
TEXT: "s3-website"
- status: "INCOMPLIANT"
currentStateMessage: "The protocol policy for this custom origin is http-only,\
\ allowing unencrypted traffic."
check:
IS_EQUAL:
left:
EXTRACT: "CA10__configProtocolPolicy__c"
right:
TEXT: "http-only"
# match-viewer is set to COMPLIANT only to make it easier to distinguish from INCOMPLIANT in the main body of the policy
- status: "COMPLIANT"
currentStateMessage: "The protocol policy for this custom origin depends on\
\ the protocol of the viewer request."
check:
IS_EQUAL:
left:
EXTRACT: "CA10__configProtocolPolicy__c"
right:
TEXT: "match-viewer"
# This is set to UNDETERMINED since COMPLIANT status is already reserved for the purpose above
otherwise:
status: "UNDETERMINED"
currentStateMessage: "The protocol policy for this custom origin enforces encrypted traffic."
- relationshipName: "CA10__AWS_CloudFront_Cache_Behaviors__r"
conditions:
- status: "INCOMPLIANT"
currentStateMessage: "The viewer protocol policy for this cache behavior is set to allow-all."
check:
IS_EQUAL:
left:
EXTRACT: "CA10__viewerProtocolPolicy__c"
right:
TEXT: "allow-all"
otherwise:
status: "COMPLIANT"
currentStateMessage: "The viewer protocol policy for this cache behavior encrypts communications."