CloudFront distributions should have geo-restrictions specified


CloudFront distributions should enable geo-restriction when an organization needs to prevent users in specific geographic locations from accessing content. For example, if an organization has rights to distribute content in only one country, geo restriction should be enabled to allow access only from users in the whitelisted country. Or if the organization cannot distribute content in a particular country, geo restriction should deny access from users in the blacklisted country.

Remediation Steps

AWS Console

  • Navigate to CloudFront.

  • Select the distribution that you want to update.

  • In the Distribution Settings pane, select the Restrictions tab > Edit.

  • Enter the applicable values. For more information, refer to Restrictions.

  • Choose Yes, Edit.


  • Submit a GetDistributionConfig request to get the current configuration and an Etag header for the distribution.

    • get-distribution-config --id <value>

  • Update the returned XML to include the CloudFront should have geo-restrictions specified.

  • Submit an UpdateDistribution request to update the configuration for your distribution. Refer to here for more information.


  • Ensure that the aws_cloudfront_distribution restrictions block includes a geo_restriction block with a restriction_type field that specifies either “whitelist” or “blacklist” for restricting content by country.

Example Configuration

resource "aws_cloudfront_distribution" "example" {
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["US", "CA"]
  # other required fields here