CloudFront Geo Restriction

Risk level: Low (generally tolerable level of risk)

Rule ID: CF-008

Ensure that geo restriction is enabled for your Amazon CloudFront CDN distribution to safelist or blocklist a country in order to allow or restrict users in specific locations from accessing web application content.

This rule can help you with the following compliance standards:

GDPR

For further details on compliance standards supported by Conformity, see here.

This rule resolution is part of the Conformity Security & Compliance tool for AWS.

Security

With AWS CloudFront geo restriction you have the ability to block IP addresses based on Geo IP from reaching your CDN distribution and your web application content delivered by the distribution. The feature can also be used to assist in mitigation of Distributed Denial of Service (DDoS) attacks.

Audit

To determine if CloudFront geo restriction feature is enabled within your CDN distribution configuration, perform the following:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

03 In the left navigation panel, click Distributions.

04 On CloudFront Distribution page, under the main menu, select Web and Enabled from Viewing dropdown menus to list all active web distributions available in your account.

05 Select the CDN distribution that you want to examine.

06 Click the Distribution Settings button from the dashboard top menu to access the resource configuration page.

07 Choose the Restrictions tab and check the Geo Restriction status available in the Status column. If the status is set to Disabled, the geo restriction feature is not enabled for the selected CloudFront distribution, therefore the distribution configuration is not compliant.

08 Repeat steps no. 5 – 7 to verify the geo restriction feature status for other Amazon CloudFront CDN distributions available in your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) using custom query filters to list the IDs of all CloudFront web distributions provisioned in your account:

aws cloudfront list-distributions
    --output table
    --query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested IDs:

---------------------
| ListDistributions |
+-------------------+
|  AAAABBBBCCCCDD   |
+-------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as identifier and custom query filters, to describe the geo restriction type configured for the selected CloudFront CDN distribution:

aws cloudfront get-distribution-config
    --id AAAABBBBCCCCDD
    --query "DistributionConfig.Restrictions.GeoRestriction.RestrictionType"

04 The command output should return the requested configuration information:

"none"

If the get-distribution command output returns "none", as shown in the example above, the geo restriction feature is not enabled for the selected Amazon CloudFront distribution, meaning that the access to your web application content is not restricted by client geo location.

05 Repeat step no. 3 and 4 to verify the geo restriction feature status for other AWS CloudFront CDN distributions available within your AWS account.

Remediation / Resolution

To enable and configure Amazon CloudFront geo restriction feature for your CDN distributions, perform the following actions:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to CloudFront dashboard at https://console.aws.amazon.com/cloudfront/.

03 In the left navigation panel, click Distributions.

04 On CloudFront Distribution page, under dashboard main menu, select the CDN distribution that you want to reconfigure.

05 Click the Distribution Settings button from the dashboard top menu to access the CloudFront resource configuration page.

06 Choose the Restrictions tab, select Geo Restriction then click the Edit button to access the feature configuration settings.

07 On the Edit Geo-Restrictions page, under Geo-Restriction Settings, perform the following:

Select Yes next to Enable Geo-Restriction to turn on the feature.
For Restriction Type, choose Whitelist to allow viewers in specific countries to access your web distribution content or Blacklist to restrict users in specific countries from accessing your web content.
For Countries, use Add >> and << Remove buttons to create your own list of countries that you want to safelist or blocklist, based on your requirements.
Click Yes, Edit to apply the configuration changes and turn on geo restriction.

08 Repeat steps no. 5 – 7 to enable geo restriction feature for other AWS CloudFront CDN distributions available in your AWS account.

Using AWS CLI

01 Run get-distribution-config command (OSX/Linux/UNIX) to retrieve the configuration metadata from the CloudFront web distribution that you want to reconfigure (see Audit section part II to identify the right resource):

aws cloudfront get-distribution-config
    --id AAAABBBBCCCCDD

02 The command output should return the requested configuration information:

{
    "ETag": "ABCDABCDABCDAB",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },

        ...

        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        }
    }
}

03 Modify the configuration document returned at the previous step to enable geo restriction feature by changing the GeoRestriction configuration object values as shown in the example below, then save the new configuration in a JSON document named "enable-geo-restriction.json". The following example restrict all users within a country identified by the ID "UA" from accessing your web distribution content. Replace <domain_name> and other required configuration details with your own details:

{
    "ETag": "ABCDABCDABCDAB",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "IsIPV6Enabled": false,
        "Logging": {
            "Bucket": "",
            "Prefix": "",
            "Enabled": false,
            "IncludeCookies": false
        },
        "WebACLId": "",
        "Origins": {
            "Items": [
                {
                    "OriginPath": "/static/images",
                    "CustomOriginConfig": {
                        "OriginSslProtocols": {
                            "Items": [
                                "TLSv1.2"
                            ],
                            "Quantity": 1
                        },
                        "OriginProtocolPolicy": "https-only",
                        "OriginReadTimeout": 30,
                        "HTTPPort": 80,
                        "HTTPSPort": 443,
                        "OriginKeepaliveTimeout": 5
                    },
                    "CustomHeaders": {
                        "Quantity": 0
                    },
                    "Id": "Custom-<domain_name>/static/images",
                    "DomainName": "&ly;domain_name>"
                }
            ],
            "Quantity": 1
        },
        "DefaultRootObject": "",
        "PriceClass": "PriceClass_100",
        "Enabled": true,
        "DefaultCacheBehavior": {
            "TrustedSigners": {
                "Enabled": false,
                "Quantity": 0
            },
            "LambdaFunctionAssociations": {
                "Quantity": 0
            },
            "TargetOriginId": "Custom-<domain_name>/static/images",
            "ViewerProtocolPolicy": "https-only",
            "ForwardedValues": {
                "Headers": {
                    "Quantity": 0
                },
                "Cookies": {
                    "Forward": "none"
                },
                "QueryStringCacheKeys": {
                    "Quantity": 0
                },
                "QueryString": false
            },
            "MaxTTL": 31536000,
            "SmoothStreaming": false,
            "DefaultTTL": 86400,
            "AllowedMethods": {
                "Items": [
                    "HEAD",
                    "GET"
                ],
                "CachedMethods": {
                    "Items": [
                        "HEAD",
                        "GET"
                    ],
                    "Quantity": 2
                },
                "Quantity": 2
            },
            "MinTTL": 0,
            "Compress": false
        },
        "CallerReference": "12345678901234",
        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "TLSv1",
            "CertificateSource": "cloudfront"
        },
        "CustomErrorResponses": {
            "Quantity": 0
        },
        "HttpVersion": "http2",
        "Restrictions": {
            "GeoRestriction": {
                "Items": [
                    "UA"
                ],
                "RestrictionType": "blacklist",
                "Quantity": 1
            }
        },
        "Aliases": {
            "Quantity": 0
        }
    }
}

04 Run update-distribution command (OSX/Linux/UNIX) to update the configuration for the selected Amazon CloudFront CDN distribution (see Audit section part II to identify the right distribution) in order to enable geo restriction. The following command example updates your CDN distribution using a JSON configuration document named "enable-geo-restriction.json":

aws cloudfront update-distribution
    --id AAAABBBBCCCCDD
    --distribution-config file://enable-geo-restriction.json
    --if-match ABCDABCDABCDAB

05 The command output should return the metadata for the reconfigured CloudFront CDN distribution:

{
    "Distribution": {
        "Status": "InProgress",

            ...

            "Restrictions": {
            "GeoRestriction": {
                "Items": [
                    "UA"
                ],
                "RestrictionType": "blacklist",
                "Quantity": 1
            }
        },

        ...

    "ETag": "ABCDABCDABCDAB"
}

06 Repeat steps no. 1 – 5 to enable and configure geo restriction for other AWS CloudFront CDN distributions available within your AWS account

References

AWS Command Line Interface (CLI) Documentation
cloudfront
list-distributions
get-distribution
get-distribution-config
update-distribution

Publication date Apr 20, 2018

Unlock the Remediation Steps

Free 30-day Trial

Automatically audit your configurations with Conformity
and gain access to our cloud security platform.

No thanks, back to article

You are auditing:

CloudFront Geo Restriction

Risk level: Low

Audit

Using AWS Console

Using AWS CLI

Remediation / Resolution

Using AWS Console

Using AWS CLI

References

Related CloudFront rules