This pattern checks an Amazon CloudFront distribution to make sure that it uses HTTPS, uses Transport Layer Security (TLS) version 1.2 or later, and has access logging enabled. CloudFront is a service provided by Amazon Web Services (AWS) that speeds up the distribution of your static and dynamic web content, such as .html, .css, .js, and image files, to your users. CloudFront delivers your content through a worldwide network of data centers called edge locations. When a user requests content that you're serving with CloudFront, the request is routed to the edge location that provides the lowest latency (time delay), so that content is delivered with the best possible performance.
This pattern provides an AWS Lambda function that is initiated when Amazon CloudWatch Events detects the CloudFront API call CreateDistribution, CreateDistributionWithTags, or UpdateDistribution. The custom logic in the Lambda function evaluates all CloudFront distributions that were created or updated in the AWS account. It sends a violation notification by using Amazon Simple Notification Service (Amazon SNS) if it detects any of the following violations:
Global checks:
  - Custom certificate doesn't use TLS version 1.2
  - Logging is disabled for the distribution

Origin checks:
  - Origin isn't configured with TLS version 1.2
  - Communication with the origin is allowed on a protocol other than HTTPS

Behavior checks:
  - Default behavior communication is allowed on a protocol other than HTTPS
  - Custom behavior communication is allowed on a protocol other than HTTPS
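The following is an added example of how the three groups of checks above can be evaluated against a distribution configuration; it is not the pattern's own Lambda code. It assumes the configuration has the shape of the DistributionConfig returned by boto3's get_distribution_config (PascalCase CloudFront API field names), that the viewer security policies beginning with TLSv1.2 are the ones that satisfy the certificate check, and that a behavior set to redirect-to-https counts as HTTPS-only because viewers end up on HTTPS. The sample configuration at the bottom is constructed to trip every check once; scan_account is the optional live variant and needs boto3 and AWS credentials.

```python
"""Evaluate a CloudFront DistributionConfig against the HTTPS / TLS 1.2 / logging checks."""

# MinimumProtocolVersion values that require TLS 1.2 or later from viewers
# (assumption: these are the security-policy names CloudFront accepts for custom certificates).
TLS12_VIEWER_POLICIES = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}


def check_global(config):
    """Global checks: custom certificate security policy and access logging."""
    violations = []
    cert = config.get("ViewerCertificate", {})
    # The default *.cloudfront.net certificate cannot carry a security policy,
    # so the TLS 1.2 check only applies when a custom certificate is attached.
    if not cert.get("CloudFrontDefaultCertificate", False):
        policy = cert.get("MinimumProtocolVersion")
        if policy not in TLS12_VIEWER_POLICIES:
            violations.append(f"Custom certificate doesn't use TLS version 1.2 (MinimumProtocolVersion={policy})")
    if not config.get("Logging", {}).get("Enabled", False):
        violations.append("Logging is disabled for distribution")
    return violations


def check_origins(config):
    """Origin checks: TLS 1.2 towards the origin and an HTTPS-only origin protocol."""
    violations = []
    for origin in config.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if custom is None:
            continue  # S3 origins expose no protocol settings to evaluate here
        origin_id = origin.get("Id", "?")
        protocols = custom.get("OriginSslProtocols", {}).get("Items", [])
        if "TLSv1.2" not in protocols:
            violations.append(f"Origin {origin_id} isn't configured with TLS version 1.2 (OriginSslProtocols={protocols})")
        # 'match-viewer' lets an HTTP viewer request reach the origin over plain HTTP.
        policy = custom.get("OriginProtocolPolicy")
        if policy != "https-only":
            violations.append(f"Communication with origin {origin_id} is allowed on a protocol other than HTTPS (OriginProtocolPolicy={policy})")
    return violations


def check_behaviors(config):
    """Behavior checks: viewer protocol policy on the default and custom behaviors."""
    violations = []
    # 'allow-all' serves content over plain HTTP; 'redirect-to-https' and 'https-only'
    # both end with the viewer on HTTPS (assumption: redirects are treated as compliant).
    if config.get("DefaultCacheBehavior", {}).get("ViewerProtocolPolicy") == "allow-all":
        violations.append("Default behavior communication is allowed on a protocol other than HTTPS")
    for behavior in config.get("CacheBehaviors", {}).get("Items", []):
        if behavior.get("ViewerProtocolPolicy") == "allow-all":
            violations.append(f"Custom behavior {behavior.get('PathPattern')} communication is allowed on a protocol other than HTTPS")
    return violations


def evaluate_distribution(config):
    """Return every violation found, in the order the pattern lists its checks."""
    return check_global(config) + check_origins(config) + check_behaviors(config)


def scan_account():
    """Evaluate every distribution in the account (needs boto3 and AWS credentials)."""
    import boto3  # imported here so the rest of the module runs offline
    cf = boto3.client("cloudfront")
    results = {}
    for page in cf.get_paginator("list_distributions").paginate():
        for summary in page.get("DistributionList", {}).get("Items", []):
            config = cf.get_distribution_config(Id=summary["Id"])["DistributionConfig"]
            results[summary["Id"]] = evaluate_distribution(config)
    return results


# Constructed sample: a distribution that trips each check exactly once.
NONCOMPLIANT_CONFIG = {
    "ViewerCertificate": {"CloudFrontDefaultCertificate": False,
                          "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
                          "MinimumProtocolVersion": "TLSv1.1_2016"},
    "Logging": {"Enabled": False, "IncludeCookies": False, "Bucket": "", "Prefix": ""},
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "s3-assets", "DomainName": "assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
        {"Id": "api-origin", "DomainName": "api.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
                                "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.1"]}}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-assets", "ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api-origin", "ViewerProtocolPolicy": "allow-all"}]},
}

if __name__ == "__main__":
    for violation in evaluate_distribution(NONCOMPLIANT_CONFIG):
        print("VIOLATION:", violation)
```

Running the module prints six violations for the constructed sample: two global, two for the api-origin custom origin (the S3 origin is skipped because it has no protocol settings), and one for each behavior. Wiring the returned list into an SNS publish call is the only piece left to match the pattern's notification step.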