turbot/aws_compliance

Control: 2 CloudFront distributions should have origin access identity enabled

Description

This control checks whether an Amazon CloudFront distribution with Amazon S3 Origin type has Origin Access Identity (OAI) configured. The control fails if OAI is not configured.

An OAI is a special CloudFront identity that you grant read access in the S3 bucket policy; the bucket itself stays private and CloudFront fetches objects on the viewer's behalf. Without an OAI, the bucket has to be readable by the requester, so viewers can fetch objects from the bucket URL directly and bypass the distribution and every control it enforces (signed URLs or cookies, geographic restrictions, WAF rules, access logging).

Remediation

For detailed remediation instructions, see Creating a CloudFront OAI and adding it to your distribution.

Usage

steampipe check aws_compliance.control.foundational_security_cloudfront_2

SQL

This control uses a named query:

cloudfront_distribution_origin_access_identity_enabled
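The query below is an added example written against the Steampipe `aws_cloudfront_distribution` table; it is not the mod's own `cloudfront_distribution_origin_access_identity_enabled` query. Rather than one verdict per distribution, it reports each S3 origin separately, which is what you need when a distribution mixes several origins. It assumes the table's `origins` jsonb column carries the CloudFront API's Origin objects unchanged, so the `S3OriginConfig.OriginAccessIdentity` and `OriginAccessControlId` fields are reachable under those names.

```sql
-- Added example, not the mod's named query. Assumes `origins` holds the
-- CloudFront API Origin objects (Id, DomainName, S3OriginConfig,
-- OriginAccessControlId) as JSON.
select
  d.id as distribution_id,
  d.arn as resource,
  origin ->> 'Id' as origin_id,
  origin ->> 'DomainName' as origin_domain,
  origin -> 'S3OriginConfig' ->> 'OriginAccessIdentity' as oai,
  origin ->> 'OriginAccessControlId' as oac_id,
  case
    -- OAI attached: bucket can be locked down to this identity
    when coalesce(origin -> 'S3OriginConfig' ->> 'OriginAccessIdentity', '') <> ''
      then 'ok'
    -- Origin access control (the successor to OAI) leaves the OAI field empty
    -- but the origin is still not open; flag it separately for review
    when coalesce(origin ->> 'OriginAccessControlId', '') <> ''
      then 'info'
    else 'alarm'
  end as status,
  d.account_id,
  d.region
from
  aws_cloudfront_distribution as d,
  jsonb_array_elements(d.origins) as origin
where
  -- Only S3 origins carry S3OriginConfig; custom origins (ALB, EC2, ...) are
  -- out of scope for this control. jsonb_typeof also skips a JSON null.
  jsonb_typeof(origin -> 'S3OriginConfig') = 'object'
order by
  status, d.id, origin_id;
```

Run it with `steampipe query` and treat every `alarm` row as a bucket that must be publicly readable for the distribution to work. A check keyed only on the OAI field will also catch origins that have moved to origin access control, which is why the query reports the `OriginAccessControlId` field alongside; confirm the bucket policy for those origins before closing the finding. Note that the control only looks at the distribution side: an origin can have an OAI configured while the bucket policy still grants `s3:GetObject` to everyone, so pair this with a review of the bucket policy itself.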

Tags