CloudFront distributions should have geo restriction enabled

Geographic restriction is used to restrict access to all of the files that are associated with a distribution at the country level.

How to fix

The attribute restrictions[0].geo_restriction[0].restriction_type of aws_cloudfront_distribution must be one of "whitelist" (serve only the listed countries) or "blacklist" (block the listed countries). The default value "none", which leaves geo restriction disabled, fails this control.
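The attribute path above can be checked mechanically against a Terraform plan exported with `terraform show -json plan.out`. The script below is an added example written for this page; it is not the compliance.tf, Checkov or Powerpipe implementation of the control. It relies only on the documented layout of Terraform's JSON plan (nested blocks rendered as lists, child modules under `child_modules`); the sample plan embedded at the bottom is constructed, with one compliant distribution and one that still has `restriction_type = "none"`.

```python
"""Evaluate the CloudFront geo-restriction control over a Terraform JSON plan.

Added example (not the page's or any tool's own code). Assumes the plan was
produced by `terraform show -json`; the SAMPLE_PLAN below is constructed.
"""
import json

# restriction_type values that satisfy the control; "none" (the default) fails it
COMPLIANT_TYPES = {"whitelist", "blacklist"}


def iter_resources(module):
    """Yield every resource in a plan module, descending into child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def geo_restriction_type(values):
    """Return restrictions[0].geo_restriction[0].restriction_type, or None if absent.

    Terraform's JSON plan renders nested blocks as lists, which is why the
    attribute path quoted by the control carries the [0] indexes.
    """
    restrictions = values.get("restrictions") or []
    if not restrictions:
        return None
    geo = restrictions[0].get("geo_restriction") or []
    if not geo:
        return None
    return geo[0].get("restriction_type")


def evaluate_plan(plan):
    """Return (address, restriction_type, status) for each CloudFront distribution."""
    findings = []
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "aws_cloudfront_distribution":
            continue
        rtype = geo_restriction_type(res.get("values", {}))
        status = "PASS" if rtype in COMPLIANT_TYPES else "FAIL"
        findings.append((res["address"], rtype, status))
    return findings


# Constructed sample plan: a compliant distribution in the root module and a
# non-compliant one (restriction_type = "none") inside a child module.
SAMPLE_PLAN = {
    "planned_values": {
        "root_module": {
            "resources": [
                {
                    "address": "aws_cloudfront_distribution.this",
                    "type": "aws_cloudfront_distribution",
                    "values": {
                        "enabled": True,
                        "restrictions": [
                            {"geo_restriction": [
                                {"locations": ["US", "CA", "GB"],
                                 "restriction_type": "whitelist"}
                            ]}
                        ],
                    },
                }
            ],
            "child_modules": [
                {
                    "address": "module.legacy",
                    "resources": [
                        {
                            "address": "module.legacy.aws_cloudfront_distribution.old",
                            "type": "aws_cloudfront_distribution",
                            "values": {
                                "enabled": True,
                                "restrictions": [
                                    {"geo_restriction": [
                                        {"locations": [], "restriction_type": "none"}
                                    ]}
                                ],
                            },
                        }
                    ],
                }
            ],
        }
    }
}


if __name__ == "__main__":
    import sys
    # Pass a plan JSON file as the first argument, or run against the sample.
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    for address, rtype, status in evaluate_plan(plan):
        print(f"{status}  {address}  restriction_type={rtype}")
```

Run it against a real plan with `python check_geo.py plan.json` (file name assumed); a distribution that omits the restrictions block entirely is reported with restriction_type None and fails, the same outcome as an explicit "none".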

Implementation options

Choose the option that matches how you manage Terraform. All options satisfy this control.

Option 1: Open source module (terraform-aws-modules)

If you use terraform-aws-modules/cloudfront/aws, configure the required module inputs to satisfy this control. You can later migrate to the compliance.tf module with minimal changes because it is compatible by design.

module "cloudfront" {
  source  = "terraform-aws-modules/cloudfront/aws"
  version = ">=6.0.0,<7.0.0"

  comment = "My CloudFront distribution"
  default_cache_behavior = {
    target_origin_id       = "s3"
    viewer_protocol_policy = "redirect-to-https"
  }
  enabled = true
  origin = {
    s3 = {
      domain_name = "mybucket.s3.amazonaws.com"
    }
  }

  # The block this control evaluates: "whitelist" serves only the listed
  # countries, "blacklist" blocks them; "none" (the module default) fails.
  restrictions = {
    geo_restriction = {
      restriction_type = "whitelist"
      # Add the ISO 3166-1 alpha-2 codes to allow, e.g. locations = ["US", "CA", "GB"]
    }
  }
}

Option 2: Terraform AWS provider resources

If you manage resources directly, configure the relevant Terraform AWS provider resources to meet this control. See the provider documentation for the resource involved: aws_cloudfront_distribution.

resource "aws_cloudfront_distribution" "this" {
  default_cache_behavior {
    allowed_methods           = ["GET", "HEAD"]
    cached_methods            = ["GET", "HEAD"]
    field_level_encryption_id = "E1EXAMPLE" # placeholder, replace with your config ID

    forwarded_values {
      cookies {
        forward = "none"
      }
      query_string = false
    }

    target_origin_id       = "S3Origin"
    viewer_protocol_policy = "redirect-to-https"
  }
  default_root_object = "index.html"
  enabled             = true

  logging_config {
    bucket = "logging-bucket.s3.amazonaws.com"
  }

  origin {
    domain_name = "example.s3.amazonaws.com"
    origin_id   = "S3Origin"
  }

  viewer_certificate {
    acm_certificate_arn      = "arn:aws:acm:us-east-1:123456789012:certificate/example"
    minimum_protocol_version = "TLSv1.2_2021"
    ssl_support_method       = "sni-only"
  }

  web_acl_id = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/id"

  # The block this control evaluates: requests from viewers outside the
  # listed ISO 3166-1 alpha-2 countries receive a 403 from the edge.
  restrictions {
    geo_restriction {
      locations        = ["US", "CA", "GB"]
      restriction_type = "whitelist"
    }
  }
}

Which option should I choose?
  • Compliance.tf module (recommended): controls enforced by default and mapped to frameworks.
  • Open source module (terraform-aws-modules): compatible by design with compliance.tf. Same variable names for an easy, low-change migration path when you are ready.
  • Terraform AWS provider resources: manage Terraform resources directly.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf (CTF) Control: cloudfront_distribution_geo_restrictions_enabled
  • Checkov Check: CKV_AWS_374
  • Powerpipe Control: aws_compliance.control.cloudfront_distribution_geo_restrictions_enabled