CloudFront distributions should have geo-restrictions specified¶
Description¶
CloudFront distributions should enable geo-restriction when an organization needs to prevent users in specific geographic locations from accessing content. For example, if an organization has rights to distribute content in only one country, geo restriction should be enabled to allow access only from users in the whitelisted country. Or if the organization cannot distribute content in a particular country, geo restriction should deny access from users in the blacklisted country.
Remediation Steps¶
AWS Console¶
Navigate to CloudFront.
Select the distribution that you want to update.
In the Distribution Settings pane, select the Restrictions tab > Edit.
Enter the applicable values. For more information, refer to Restrictions.
Choose Yes, Edit.
AWS CLI¶
Submit a GetDistributionConfig request to get the current configuration and an ETag header for the distribution.
get-distribution-config --id <value>
Update the returned configuration so that the distribution has geo-restrictions specified: a GeoRestriction block with a RestrictionType of whitelist or blacklist and the matching Locations.
Submit an UpdateDistribution request, passing the ETag value from the previous step, to update the configuration for your distribution. Refer to the UpdateDistribution documentation for more information.
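The CLI procedure above as an added Python example (not part of this page): the pure functions audit a DistributionConfig dict in the shape returned by get-distribution-config and apply the GeoRestriction change; `remediate` wires them to boto3, which is assumed to be installed and configured, and passes the ETag as IfMatch. The sample configuration is constructed.

```python
import json

# Values a CloudFront GeoRestriction may carry; "none" means no geo-restriction.
ALLOWED_TYPES = ("whitelist", "blacklist")

def geo_restriction_finding(dist_config):
    """Return None when geo-restriction is set, else a description of the gap."""
    geo = dist_config.get("Restrictions", {}).get("GeoRestriction", {})
    rtype = geo.get("RestrictionType", "none")
    if rtype not in ALLOWED_TYPES:
        return "RestrictionType is %r; expected whitelist or blacklist" % rtype
    if geo.get("Quantity", 0) == 0 or not geo.get("Items"):
        return "RestrictionType is %s but no Locations are listed" % rtype
    return None

def with_geo_restriction(dist_config, restriction_type, locations):
    """Deep-copy dist_config and set GeoRestriction (the 'update the returned
    configuration' step). Quantity must equal len(Items) or the update is rejected."""
    if restriction_type not in ALLOWED_TYPES:
        raise ValueError("restriction_type must be whitelist or blacklist")
    if not locations:
        raise ValueError("at least one ISO 3166-1 alpha-2 country code is required")
    updated = json.loads(json.dumps(dist_config))
    updated.setdefault("Restrictions", {})["GeoRestriction"] = {
        "RestrictionType": restriction_type,
        "Quantity": len(locations),
        "Items": list(locations),
    }
    return updated

# Constructed sample: a trimmed DistributionConfig with no geo-restriction.
SAMPLE_OPEN_CONFIG = {
    "CallerReference": "constructed-example",
    "Enabled": True,
    "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0}},
}

def remediate(distribution_id, restriction_type, locations):
    """Fetch, update and push back the config. IfMatch carries the ETag from the GET,
    so a concurrent change makes the update fail instead of silently overwriting it."""
    import boto3  # assumed installed and configured; not needed by the pure functions
    cf = boto3.client("cloudfront")
    current = cf.get_distribution_config(Id=distribution_id)
    updated = with_geo_restriction(current["DistributionConfig"], restriction_type, locations)
    return cf.update_distribution(Id=distribution_id, IfMatch=current["ETag"],
                                  DistributionConfig=updated)

if __name__ == "__main__":
    print(geo_restriction_finding(SAMPLE_OPEN_CONFIG))  # RestrictionType is 'none'; ...
    print(geo_restriction_finding(with_geo_restriction(SAMPLE_OPEN_CONFIG, "whitelist", ["US", "CA"])))
```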
CloudFormation¶
JSON¶
Ensure that the AWS::CloudFront::Distribution includes a GeoRestriction block with:
A RestrictionType field that specifies either “whitelist” or “blacklist” for restricting content by country.
A Locations field that specifies the countries.
{
  "Properties": {
    "DistributionConfig": {
      "Restrictions": {
        "GeoRestriction": {
          "Locations": ["US", "CA"],
          "RestrictionType": "whitelist"
        }
      }
    }
  }
}
JSON Example Configuration¶
{
  "Type": "AWS::CloudFront::Distribution",
  "Properties": {
    "DistributionConfig": {
      "Restrictions": {
        "GeoRestriction": {
          "Locations": ["US", "CA"],
          "RestrictionType": "whitelist"
        }
      }
    }
  }
  # other required fields here
}
YAML¶
Ensure that the AWS::CloudFront::Distribution includes a GeoRestriction block with:
A RestrictionType field that specifies either “whitelist” or “blacklist” for restricting content by country.
A Locations field that specifies the countries.
Properties:
  DistributionConfig:
    Restrictions:
      GeoRestriction:
        Locations:
          - US
          - CA
        RestrictionType: whitelist
YAML Example Configuration¶
Type: AWS::CloudFront::Distribution
Properties:
  DistributionConfig:
    Restrictions:
      GeoRestriction:
        Locations:
          - US
          - CA
        RestrictionType: whitelist
# other required fields here
Terraform¶
Ensure that the aws_cloudfront_distribution restrictions block includes a geo_restriction block with a restriction_type field that specifies either “whitelist” or “blacklist” for restricting content by country, and a locations field that specifies the countries.
Example Configuration¶
resource "aws_cloudfront_distribution" "example" {
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA"]
    }
  }
  # other required fields here
}