Best practice rules for Amazon CloudFront
- CloudFront Compress Objects Automatically
Ensure CloudFront distributions are configured to automatically compress content.
- CloudFront Geo Restriction
Ensure Geo Restriction is enabled for CloudFront CDN distributions.
- CloudFront In Use
Ensure the CloudFront global content delivery network (CDN) service is in use.
- CloudFront Insecure Origin SSL Protocols
Ensure CloudFront origins don't use insecure SSL protocols.
- CloudFront Integrated With WAF
Ensure CloudFront is integrated with WAF to protect web applications from exploit attempts that can compromise security or place unnecessary load on your application.
- CloudFront Logging Enabled
Ensure CloudFront logging is enabled.
- CloudFront Security Policy
Ensure AWS CloudFront distributions are using improved security policies for HTTPS connections.
- CloudFront Traffic To Origin Unencrypted
Ensure traffic between a CloudFront distribution and the origin is encrypted.
- CloudFront Viewer Protocol Policy
Ensure CloudFront Viewer Protocol Policy enforces encryption.
- Configure Default Root Object
Ensure that CloudFront distributions are configured to use a default root object.
- Enable Origin Access Control for Distributions with S3 Origin
Ensure that CloudFront distributions are using an origin access control configuration for their origin S3 buckets.
- Enable Origin Failover
Ensure that CloudFront distributions are using the Origin Failover feature to maintain high availability.
- Enable Origin Shield
Ensure that Amazon CloudFront distributions are using the Origin Shield feature.
- Enable Real-Time Logging
Ensure that CloudFront distributions are using the Real-Time Logging feature.
- Field-Level Encryption
Enable Field-Level Encryption for CloudFront Distributions.
- Missing S3 Bucket
Ensure that CloudFront distributions do not point to non-existent S3 origins.
- Use CloudFront Content Distribution Network
Use Amazon CloudFront Content Distribution Network for secure web content delivery.
- Use Custom SSL/TLS Certificates
Ensure that CloudFront distributions are configured to use a custom SSL/TLS certificate.
- Use SNI to Serve HTTPS Requests
Ensure that CloudFront distributions are configured to use Server Name Indication (SNI).