AWS AWSCloudFormation documentation change
Summary
Expanded CloudFront distribution documentation with multi-tenant configuration examples, including security configurations for S3 origins
Security assessment
The changes add examples demonstrating security best practices like enforcing HTTPS transport (aws:SecureTransport condition), KMS bucket encryption, and public access restrictions. However, these are general security recommendations rather than fixes for specific vulnerabilities.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.md index 6985a6467..02de396bc 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-cloudfront-distribution.md @@ -90 +90 @@ The distribution's identifier. For example: `E1U5RQF7T870K0`. -### Create a distribution +###### @@ -92 +92,12 @@ The distribution's identifier. For example: `E1U5RQF7T870K0`. -The following example specifies a distribution and assigns it a single tag. + * Create a standard distribution + + * Create a multi-tenant distribution without a certificate + + * Create a multi-tenant distribution with a wildcard certificate + + + + +### Create a standard distribution + +The following example specifies a standard distribution and assigns it a single tag. @@ -168,0 +180,331 @@ The following example specifies a distribution and assigns it a single tag. +### Create a multi-tenant distribution without a certificate + +The following example specifies a basic multi-tenant distribution without a certificate. + +#### JSON + + + { + "Resources": { + "MyMultiTenantDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "ConnectionMode": "tenant-only", + "TenantConfig": { + "ParameterDefinitions": [ + { + "Name": "tenantName", + "Definition": { + "StringSchema": { + "Comment": "Tenant name", + "DefaultValue": "root", + "Required": false + } + } + } + ] + }, + "DefaultCacheBehavior": { + "TargetOriginId": "MyBucket.Arn", + "ViewerProtocolPolicy": "allow-all", + "AllowedMethods": [ + "GET", + "HEAD" + ], + "CachePolicyId": "658327ea-f89d-4fab-a63d-7e88639e58f6" + }, + "Enabled": true, + "Origins": [ + { + "DomainName": "MyBucket.RegionalDomainName", + "Id": "MyBucket.Arn", + "OriginPath": "/{{tenantName}}", + "S3OriginConfig": { + "OriginAccessIdentity": "" + } + } + ] + } + } + }, + "MyBucket": { + "Type": "AWS::S3::Bucket", + "Properties": { + "BucketName": "amzn-s3-demo-bucket", + "BucketEncryption": { + "ServerSideEncryptionConfiguration": [ + { + "ServerSideEncryptionByDefault": { + "SSEAlgorithm": "aws:kms", + "KMSMasterKeyID": "alias/aws/s3" + } + } + ] + }, + "PublicAccessBlockConfiguration": { + "IgnorePublicAcls": true, + "RestrictPublicBuckets": true + } + } + }, + "MyBucketBucketPolicy": { + "Type": "AWS::S3::BucketPolicy", + "Properties": { + "Bucket": "MyBucket", + "PolicyDocument": { + "Id": "RequireEncryptionInTransit", + "Version": "2012-10-17", + "Statement": [ + { + "Principal": "*", + "Action": "*", + "Effect": "Deny", + "Resource": [ + "MyBucket.Arn", + "${MyBucket.Arn}/*" + ], + "Condition": { + "Bool": { + "aws:SecureTransport": "false" + } + } + } + ] + } + } + } + } + } + +#### YAML + + + Resources: + MyMultiTenantDistribution: + Type: AWS::CloudFront::Distribution + Properties: + DistributionConfig: + ConnectionMode: tenant-only + TenantConfig: + ParameterDefinitions: + - Name: tenantName + Definition: + StringSchema: + Comment: "Tenant name" + DefaultValue: "root" + Required: false + DefaultCacheBehavior: + TargetOriginId: !GetAtt MyBucket.Arn + ViewerProtocolPolicy: allow-all + AllowedMethods: + - GET + - HEAD + CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # CachingOptimized PolicyId + Enabled: true + Origins: + - DomainName: !GetAtt MyBucket.RegionalDomainName + Id: !GetAtt MyBucket.Arn + OriginPath: "/{{tenantName}}" + S3OriginConfig: + OriginAccessIdentity: "" + + MyBucket: + Type: AWS::S3::Bucket + Properties: + BucketName: amzn-s3-demo-bucket + BucketEncryption: + ServerSideEncryptionConfiguration: + - ServerSideEncryptionByDefault: + SSEAlgorithm: aws:kms + KMSMasterKeyID: alias/aws/s3 + PublicAccessBlockConfiguration: + IgnorePublicAcls: true + RestrictPublicBuckets: true + MyBucketBucketPolicy: + Type: AWS::S3::BucketPolicy + Properties: + Bucket: !Ref MyBucket + PolicyDocument: + Id: RequireEncryptionInTransit + Version: '2012-10-17' + Statement: + - Principal: '*' + Action: '*' + Effect: Deny + Resource: + - !GetAtt MyBucket.Arn + - !Sub ${MyBucket.Arn}/* + Condition: + Bool: + aws:SecureTransport: 'false' + +### Create a multi-tenant distribution with a wildcard certificate + +The following example specifies a basic multi-tenant distribution with a wildcard certificate. + +#### JSON + + + { + "Resources": { + "MyMultiTenantDistribution": { + "Type": "AWS::CloudFront::Distribution", + "Properties": { + "DistributionConfig": { + "ConnectionMode": "tenant-only", + "ViewerCertificate": { + "AcmCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/1954f095-11b6-4daf-9952-0c308a00944d",