Table: aws_cloudfront_distribution - Query AWS CloudFront Distributions using SQL
Amazon CloudFront is Amazon's content delivery network (CDN), and a CloudFront distribution is the unit of configuration that tells CloudFront where to fetch content from (its origins) and how to cache, protect and serve it. It speeds up delivery of static and dynamic web content, such as .html, .css, .js and image files, through a worldwide network of data centers called edge locations, routing each end-user request to the edge location that can serve it with the lowest latency.
Table Usage Guide
The aws_cloudfront_distribution table in Steampipe provides information about distributions within AWS CloudFront. It lets you, as a DevOps or security engineer, query distribution-specific details, including configuration, status and associated metadata. You can use it to list all distributions, check whether access logging is enabled, verify whether a distribution uses a custom SSL/TLS certificate, inspect origin and viewer protocol settings, and more. The schema below describes the attributes available for each distribution, including the ARN, domain name, status and tags.
Examples
Basic info
Analyze the settings of your AWS Cloudfront distributions to understand their current status and configuration. This can help you to identify potential issues or areas for improvement, such as outdated HTTP versions or disabled IPv6.
Postgres and SQLite (identical):

```sql
select
  id,
  arn,
  status,
  domain_name,
  enabled,
  e_tag,
  http_version,
  is_ipv6_enabled
from
  aws_cloudfront_distribution;
```
List distributions with logging disabled
List distributions whose standard access logging is switched off. Access logs are the primary record of who requested what through a distribution, so a gap here blinds both incident response and troubleshooting. Two caveats: the `logging` column reflects the legacy standard logging settings stored in the distribution configuration (S3 bucket, prefix, cookie inclusion), so a distribution that uses the newer standard logging (v2), which is configured as a CloudWatch Logs delivery rather than on the distribution itself, may still report `Enabled` = false here; and when `IncludeCookies` is true the log bucket receives session cookies and must be protected accordingly.

Postgres:

```sql
select
  id,
  logging ->> 'Bucket' as bucket,
  logging ->> 'Enabled' as logging_enabled,
  logging ->> 'IncludeCookies' as include_cookies
from
  aws_cloudfront_distribution
where
  logging ->> 'Enabled' = 'false';
```

SQLite:

```sql
select
  id,
  json_extract(logging, '$.Bucket') as bucket,
  json_extract(logging, '$.Enabled') as logging_enabled,
  json_extract(logging, '$.IncludeCookies') as include_cookies
from
  aws_cloudfront_distribution
where
  json_extract(logging, '$.Enabled') = 'false';
```
List distributions with IPv6 DNS requests not enabled
Identify instances where IPv6 DNS requests are not enabled within your AWS CloudFront distributions. This can help in improving network performance and future-proofing your system as IPv6 becomes more prevalent.
Postgres:

```sql
select
  id,
  arn,
  status,
  is_ipv6_enabled
from
  aws_cloudfront_distribution
where
  not is_ipv6_enabled;
```

SQLite:

```sql
select
  id,
  arn,
  status,
  is_ipv6_enabled
from
  aws_cloudfront_distribution
where
  is_ipv6_enabled = 'false';
```
List distributions that enforce field-level encryption
List distributions whose default cache behavior has a field-level encryption configuration attached. Field-level encryption encrypts selected fields of POST request bodies at the edge with a public key you supply, so only the origin component that holds the matching private key can read them, even if intermediate systems are compromised. Note that this query inspects only `default_cache_behavior`; each path-matched behavior in `cache_behaviors` carries its own `FieldLevelEncryptionId` and must be checked separately.

Postgres:

```sql
select
  id,
  arn,
  default_cache_behavior ->> 'FieldLevelEncryptionId' as field_level_encryption_id,
  default_cache_behavior ->> 'DefaultTTL' as default_ttl
from
  aws_cloudfront_distribution
where
  default_cache_behavior ->> 'FieldLevelEncryptionId' <> '';
```

SQLite:

```sql
select
  id,
  arn,
  json_extract(default_cache_behavior, '$.FieldLevelEncryptionId') as field_level_encryption_id,
  json_extract(default_cache_behavior, '$.DefaultTTL') as default_ttl
from
  aws_cloudfront_distribution
where
  json_extract(default_cache_behavior, '$.FieldLevelEncryptionId') <> '';
```
List distributions whose origins use encrypted traffic
List the custom origins whose `OriginProtocolPolicy` is `https-only`, meaning CloudFront always uses TLS on the edge-to-origin leg. The other two policies are weaker: `http-only` never encrypts that leg, and `match-viewer` encrypts it only when the viewer itself connected over HTTPS. S3 bucket origins carry `S3OriginConfig` rather than `CustomOriginConfig` and therefore do not appear in this output; for them the origin leg follows the viewer protocol policy of the cache behavior. Because the join unnests `origins`, a distribution with several origins produces one row per matching origin.

Postgres:

```sql
select
  id,
  arn,
  p -> 'CustomOriginConfig' -> 'HTTPPort' as http_port,
  p -> 'CustomOriginConfig' -> 'HTTPSPort' as https_port,
  p -> 'CustomOriginConfig' -> 'OriginKeepaliveTimeout' as origin_keepalive_timeout,
  p -> 'CustomOriginConfig' -> 'OriginProtocolPolicy' as origin_protocol_policy
from
  aws_cloudfront_distribution,
  jsonb_array_elements(origins) as p
where
  p -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' = 'https-only';
```

SQLite:

```sql
select
  id,
  arn,
  json_extract(p.value, '$.CustomOriginConfig.HTTPPort') as http_port,
  json_extract(p.value, '$.CustomOriginConfig.HTTPSPort') as https_port,
  json_extract(p.value, '$.CustomOriginConfig.OriginKeepaliveTimeout') as origin_keepalive_timeout,
  json_extract(p.value, '$.CustomOriginConfig.OriginProtocolPolicy') as origin_protocol_policy
from
  aws_cloudfront_distribution,
  json_each(origins) as p
where
  json_extract(p.value, '$.CustomOriginConfig.OriginProtocolPolicy') = 'https-only';
```
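The two examples above report the positive cases (field-level encryption on the default behavior, origins already on `https-only`); a review usually needs the complement, and it needs it across every cache behavior, not just the default one. The following Postgres queries are an added example, not part of the Steampipe docs or the aws plugin. The first lists custom origins that CloudFront may reach over plaintext; the second unnests the default and path-matched behaviors and reports, per behavior, whether viewers may use plain HTTP (`ViewerProtocolPolicy` = `allow-all`, which also defeats `match-viewer` on the origin leg) and whether a `FieldLevelEncryptionId` is set. The `case` expression is an assumption about the shape of `cache_behaviors`: it accepts either the CloudFront `CacheBehaviors` object (`{"Items": [...], "Quantity": n}`) or the bare `Items` array.

```sql
-- Added example (not from the Steampipe docs). Postgres syntax.

-- 1. Custom origins that CloudFront may reach over plain HTTP.
--    S3 origins carry S3OriginConfig instead of CustomOriginConfig and are
--    not listed here; their origin leg follows the viewer protocol policy.
select
  d.id,
  d.arn,
  o ->> 'Id' as origin_id,
  o ->> 'DomainName' as origin_domain,
  o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' as origin_protocol_policy,
  o -> 'CustomOriginConfig' ->> 'HTTPPort' as http_port
from
  aws_cloudfront_distribution as d,
  jsonb_array_elements(d.origins) as o
where
  o -> 'CustomOriginConfig' is not null
  and o -> 'CustomOriginConfig' ->> 'OriginProtocolPolicy' <> 'https-only'
order by
  d.id, origin_id;

-- 2. Per-behavior transport findings across the default behavior and every
--    path-matched behavior.
--    Assumption: cache_behaviors is either the CacheBehaviors object
--    ({"Items": [...], "Quantity": n}) or its Items array.
with behaviors as (
  select
    id,
    arn,
    '(default)' as path_pattern,
    default_cache_behavior ->> 'ViewerProtocolPolicy' as viewer_protocol_policy,
    default_cache_behavior ->> 'FieldLevelEncryptionId' as fle_id
  from
    aws_cloudfront_distribution
  union all
  select
    d.id,
    d.arn,
    b ->> 'PathPattern' as path_pattern,
    b ->> 'ViewerProtocolPolicy' as viewer_protocol_policy,
    b ->> 'FieldLevelEncryptionId' as fle_id
  from
    aws_cloudfront_distribution as d,
    jsonb_array_elements(
      case
        when jsonb_typeof(d.cache_behaviors) = 'array' then d.cache_behaviors
        else coalesce(d.cache_behaviors -> 'Items', '[]'::jsonb)
      end
    ) as b
)
select
  id,
  arn,
  path_pattern,
  viewer_protocol_policy,
  nullif(fle_id, '') as field_level_encryption_id,
  -- concat_ws skips NULLs, so only the findings that apply are joined.
  concat_ws('; ',
    case when viewer_protocol_policy = 'allow-all' then 'viewers may use plain HTTP' end,
    case when coalesce(fle_id, '') = '' then 'no field-level encryption' end
  ) as findings
from
  behaviors
where
  viewer_protocol_policy = 'allow-all'
  or coalesce(fle_id, '') = ''
order by
  id, path_pattern;
```

Treat the `allow-all` finding as a hard failure (it is what the "require encryption in transit" controls listed further down test) and the missing field-level encryption finding as informational: field-level encryption only matters for behaviors that receive sensitive POST bodies, so most behaviors will legitimately show it.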
List distributions whose origins use insecure SSL protocols
List the custom origins that still offer SSLv3 for the edge-to-origin TLS handshake, which is the condition tested by the "deprecated SSL protocols" control listed further down. In Postgres the `?&` operator asks whether every string in the right-hand array is an element of the `Items` array, so with a single-element array it is a simple membership test and could be extended with `TLSv1` and `TLSv1.1`, which are likewise deprecated (RFC 8996). The SQLite variant falls back to a substring match on the serialized array.

Postgres:

```sql
select
  id,
  arn,
  p -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' as items,
  p -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Quantity' as quantity
from
  aws_cloudfront_distribution,
  jsonb_array_elements(origins) as p
where
  p -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' ?& array['SSLv3'];
```

SQLite:

```sql
select
  id,
  arn,
  json_extract(p.value, '$.CustomOriginConfig.OriginSslProtocols.Items') as items,
  json_extract(p.value, '$.CustomOriginConfig.OriginSslProtocols.Quantity') as quantity
from
  aws_cloudfront_distribution,
  json_each(origins) as p
where
  json_extract(p.value, '$.CustomOriginConfig.OriginSslProtocols.Items') like '%SSLv3%';
```
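The query above covers one protocol on one leg. A TLS posture review of a distribution has two legs: edge to origin (`OriginSslProtocols`) and viewer to edge (`viewer_certificate`). The following Postgres queries are an added example, not part of the Steampipe docs or the aws plugin. The first widens the origin check to any of SSLv3, TLSv1 or TLSv1.1 using the `?|` (any-of) operator; the second flags viewer-side weaknesses: the default `*.cloudfront.net` certificate (no custom certificate, so aliases cannot be served over a trusted certificate), dedicated-IP `vip` instead of SNI, or a minimum protocol version below TLS 1.2. The `viewer_certificate` keys used (`CloudFrontDefaultCertificate`, `SSLSupportMethod`, `MinimumProtocolVersion`) and the `MinimumProtocolVersion` enum values are the CloudFront API names as stored by the table.

```sql
-- Added example (not from the Steampipe docs). Postgres syntax.

-- Origin leg: any custom origin that still offers SSLv3, TLS 1.0 or TLS 1.1.
-- `?|` is true when at least one string in the array is an element of Items.
select
  d.id,
  d.arn,
  o ->> 'Id' as origin_id,
  o ->> 'DomainName' as origin_domain,
  o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items' as origin_ssl_protocols
from
  aws_cloudfront_distribution as d,
  jsonb_array_elements(d.origins) as o
where
  (o -> 'CustomOriginConfig' -> 'OriginSslProtocols' -> 'Items') ?| array['SSLv3', 'TLSv1', 'TLSv1.1']
order by
  d.id, origin_id;

-- Viewer leg: default certificate, dedicated-IP TLS, or a security policy
-- that still admits TLS 1.0 / 1.1.  The policy names below TLSv1.2_2018 are
-- the CloudFront MinimumProtocolVersion values for SSLv3, TLS 1.0 and TLS 1.1.
select
  id,
  arn,
  aliases -> 'Items' as aliases,
  coalesce(viewer_certificate ->> 'CloudFrontDefaultCertificate', 'false')::boolean as uses_default_certificate,
  viewer_certificate ->> 'SSLSupportMethod' as ssl_support_method,
  viewer_certificate ->> 'MinimumProtocolVersion' as minimum_protocol_version,
  concat_ws('; ',
    case when coalesce(viewer_certificate ->> 'CloudFrontDefaultCertificate', 'false')::boolean
         then 'default CloudFront certificate' end,
    case when viewer_certificate ->> 'SSLSupportMethod' = 'vip'
         then 'dedicated IP instead of SNI' end,
    case when viewer_certificate ->> 'MinimumProtocolVersion' in ('SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016')
         then 'minimum protocol below TLS 1.2' end
  ) as findings
from
  aws_cloudfront_distribution
where
  coalesce(viewer_certificate ->> 'CloudFrontDefaultCertificate', 'false')::boolean
  or viewer_certificate ->> 'SSLSupportMethod' = 'vip'
  or viewer_certificate ->> 'MinimumProtocolVersion' in ('SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016')
order by
  id;
```

Distributions on the default certificate will normally carry both the certificate and the protocol finding, because CloudFront pins the security policy to TLSv1 whenever the default certificate is in use; attaching an ACM certificate with `sni-only` is what makes a TLSv1.2 policy selectable.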
Query examples
- acm_certificates_for_cloudfront_distribution
- cloudfront_distribution_by_account
- cloudfront_distribution_count
- cloudfront_distribution_encryption_in_transit_disabled
- cloudfront_distribution_field_level_encryption
- cloudfront_distribution_input
- cloudfront_distribution_logging
- cloudfront_distribution_logging_disabled
- cloudfront_distribution_overview
- cloudfront_distribution_price_class
- cloudfront_distribution_restrictions
- cloudfront_distribution_sni
- cloudfront_distribution_sni_disabled
- cloudfront_distribution_tags
- cloudfront_distribution_waf_disabled
- cloudfront_distributions_for_acm_certificate
- cloudfront_distributions_for_ec2_application_load_balancer
- ec2_application_load_balancers_for_cloudfront_distribution
- media_stores_for_cloudfront_distribution
- s3_buckets_for_cloudfront_distribution
- wafv2_web_acls_for_cloudfront_distribution
Control examples
- All Controls > CloudFront > CloudFront distributions should encrypt traffic to non S3 origins
- All Controls > CloudFront > CloudFront distributions should have field level encryption enabled
- All Controls > CloudFront > CloudFront distributions should have geo restriction enabled
- All Controls > CloudFront > CloudFront distributions should have latest TLS version
- All Controls > CloudFront > CloudFront distributions should not point to non-existent S3 origins
- All Controls > CloudFront > CloudFront distributions should use secure SSL cipher
- AWS Foundational Security Best Practices > CloudFront > 1 CloudFront distributions should have a default root object configured
- AWS Foundational Security Best Practices > CloudFront > 3 CloudFront distributions should require encryption in transit
- AWS Foundational Security Best Practices > CloudFront > 4 CloudFront distributions should have origin failover configured
- AWS Foundational Security Best Practices > CloudFront > 5 CloudFront distributions should have logging enabled
- AWS Foundational Security Best Practices > CloudFront > 6 CloudFront distributions should have AWS WAF enabled
- AWS Foundational Security Best Practices > CloudFront > 7 CloudFront distributions should use custom SSL/TLS certificates
- AWS Foundational Security Best Practices > CloudFront > 8 CloudFront distributions should use SNI to serve HTTPS requests
- AWS Foundational Security Best Practices > CloudFront > 9 CloudFront distributions should encrypt traffic to custom origins
- AWS Foundational Security Best Practices > CloudFront > 10 CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- AWS Foundational Security Best Practices > CloudFront > 12 CloudFront distributions should not point to non-existent S3 origins
- AWS Foundational Security Best Practices > CloudFront > 13 CloudFront distributions should use origin access control
- CloudFront distributions access logs should be enabled
- CloudFront distributions should encrypt traffic to custom origins
- CloudFront distributions should have a default root object configured
- CloudFront distributions should have AWS WAF enabled
- CloudFront distributions should have origin access identity enabled
- CloudFront distributions should have origin failover configured
- CloudFront distributions should not use deprecated SSL protocols between edge locations and custom origins
- CloudFront distributions should require encryption in transit
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should use SNI to serve HTTPS requests
Schema for aws_cloudfront_distribution
Name | Type | Operators | Description |
---|---|---|---|
_ctx | jsonb | | Steampipe context in JSON form. |
account_id | text | =, !=, ~~, ~~*, !~~, !~~* | The AWS Account ID in which the resource is located. |
active_trusted_key_groups | jsonb | | CloudFront automatically adds this field to the response if you've configured a cache behavior in this distribution to serve private content using key groups. |
active_trusted_signers | jsonb | | A list of AWS accounts and the identifiers of active CloudFront key pairs in each account that CloudFront can use to verify the signatures of signed URLs and signed cookies. |
akas | jsonb | | Array of globally unique identifier strings (also known as) for the resource. |
alias_icp_recordals | jsonb | | AWS services in China customers must file for an Internet Content Provider (ICP) recordal if they want to serve content publicly on an alternate domain name, also known as a CNAME, that they've added to CloudFront. AliasICPRecordal provides the ICP recordal status for CNAMEs associated with distributions. |
aliases | jsonb | | A complex type that contains information about CNAMEs (alternate domain names), if any, for this distribution. |
arn | text | | The ARN (Amazon Resource Name) for the distribution. |
cache_behaviors | jsonb | | The cache behaviors configured for this distribution in addition to the default cache behavior, each matched by its PathPattern. |
caller_reference | text | | A unique value that ensures that the request can't be replayed. |
comment | text | | The comment originally specified when this distribution was created. |
custom_error_responses | jsonb | | A complex type that contains zero or more CustomErrorResponses elements. |
default_cache_behavior | jsonb | | A complex type that describes the default cache behavior if you don't specify a CacheBehavior element or if files don't match any of the values of PathPattern in CacheBehavior elements. You must create exactly one default cache behavior. |
default_root_object | text | | The object that you want CloudFront to request from your origin when a viewer requests the root URL (/) of the distribution. |
domain_name | text | | The domain name that corresponds to the distribution. |
e_tag | text | | The current version (ETag) of the distribution configuration. |
enabled | boolean | | Whether the distribution is enabled to accept user requests for content. |
http_version | text | | Specify the maximum HTTP version that you want viewers to use to communicate with CloudFront. The default value for new web distributions is http2. Viewers that don't support HTTP/2 will automatically use an earlier version. |
id | text | = | The identifier for the distribution. |
in_progress_invalidation_batches | bigint | | The number of invalidation batches currently in progress. |
is_ipv6_enabled | boolean | | Whether CloudFront responds to IPv6 DNS requests with an IPv6 address for your distribution. |
last_modified_time | timestamp with time zone | | The date and time the distribution was last modified. |
logging | jsonb | | A complex type that controls whether access logs are written for the distribution. |
origin_groups | jsonb | | A complex type that contains information about origin groups for this distribution. |
origins | jsonb | | A complex type that contains information about origins for this distribution. |
partition | text | | The AWS partition in which the resource is located (aws, aws-cn, or aws-us-gov). |
price_class | text | | The price class that determines which edge locations serve this distribution (for example PriceClass_All). |
region | text | | The AWS Region in which the resource is located. |
restrictions | jsonb | | A complex type that identifies ways in which you want to restrict distribution of your content. |
sp_connection_name | text | =, !=, ~~, ~~*, !~~, !~~* | Steampipe connection name. |
sp_ctx | jsonb | | Steampipe context in JSON form. |
status | text | | The current status of the distribution (Deployed or InProgress). |
tags | jsonb | | A map of tags for the resource. |
tags_src | jsonb | | A list of tags assigned to the distribution. |
title | text | | Title of the resource. |
viewer_certificate | jsonb | | A complex type that determines the distribution's SSL/TLS configuration for communicating with viewers. |
web_acl_id | text | | The Web ACL Id (if any) associated with the distribution. |
Export
This table is available as a standalone Exporter CLI. Steampipe exporters are stand-alone binaries that let you extract data using Steampipe plugins without a database.
You can download the tarball for your platform from the Releases page, but it is simplest to install them with the steampipe_export_installer.sh script:

```sh
/bin/sh -c "$(curl -fsSL https://steampipe.io/install/export.sh)" -- aws
```

You can pass the configuration to the command with the --config argument:

```sh
steampipe_export_aws --config '<your_config>' aws_cloudfront_distribution
```