Terraform AWS CloudFront
CloudFront distributions with origins, origin access control, TLS certificates, cache behaviors, WAF association, logging, geo restrictions, and HTTPS only content delivery.
Controls Enforced
The following compliance controls are enforced by this module at terraform plan time.
- CloudFront distributions should have a default root object configured low effort
- CloudFront distributions should require encryption in transit low effort
- CloudFront distributions should have field level encryption enabled high effort
- CloudFront distributions should have geo restriction enabled low effort
- CloudFront distributions should have latest TLS version low effort
- CloudFront distributions access logs should be enabled low effort
- CloudFront distributions should use SNI to serve HTTPS requests low effort
- CloudFront distributions should use custom SSL/TLS certificates low effort
- CloudFront distributions should use the recommended TLS security policy low effort
- CloudFront distributions should have AWS WAF enabled medium effort
Quick Start
module "cloudfront" {
source = "acscessentialeight.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "acscism2023.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "awscontroltower.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "awsgenai.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "awswellarchitected.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "cccsmedium.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "cfrpart11.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "cisv140.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "cisv500.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "cis.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "cisv80ig1.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "cisacyberessentials.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "eugmpannex11.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "fedramplow.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "fedrampmoderate.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "ffiec.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "gdpr.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "hipaa.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "iso27001.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "nis2.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "nist800171.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "nist80053.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "nistcsf.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "nydfs23.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "pcidss.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "rbicybersecurity.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "rbiitfnbfc.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
module "cloudfront" {
source = "soc2.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "<version>"
# ... your arguments here
}
See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.
Migration from Upstream
Already using terraform-aws-modules? Change only the source URL:
module "cloudfront" {
source = "terraform-aws-modules/cloudfront/aws"
version = "1.0"
}
module "cloudfront" {
source = "soc2.compliance.tf/terraform-aws-modules/cloudfront/aws"
version = "1.0"
}
Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.
See the Migration Guide for step-by-step instructions.
Reversibility
No lock-in. Switch back by reverting the source URL to the upstream path:
module "cloudfront" {
source = "terraform-aws-modules/cloudfront/aws"
}
Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.
Mapped compliance frameworks
ACSC-EE-ML2-7.7: Multi-factor authentication ML2
Data protection
- CloudFront distributions should require encryption in transit
- CloudFront distributions should have field level encryption enabled
Detection
Infrastructure protection
8.2 Collect Audit Logs
Article 32 Security of processing
164.308(a)(1)(ii)(D): Administrative Safeguards
164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions
164.312(e)(1) Transmission security
A.8.11 Data masking
A.8.15 Logging
A.8.16 Monitoring activities
A.8.24 Use of cryptography
3 Incident handling
- CloudFront distributions should require encryption in transit
- CloudFront distributions access logs should be enabled
5 Supply chain security
PR.DS-02
PR.DS-2
PR.PS-04
PR.PT-4
1.2.5: Network security controls (NSCs) are configured and maintained.
- CloudFront distributions should require encryption in transit
- CloudFront distributions should use SNI to serve HTTPS requests
1.2.8: Network security controls (NSCs) are configured and maintained.
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
1.3.1: Network access to and from the cardholder data environment is restricted.
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
1.3.2: Network access to and from the cardholder data environment is restricted.
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
1.4.2: Network connections between trusted and untrusted networks are controlled.
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
2.2.5: System components are configured and managed securely.
- CloudFront distributions should require encryption in transit
- CloudFront distributions should use SNI to serve HTTPS requests
2.2.5: System components cannot be compromised by exploiting insecure services, protocols, or daemons
- CloudFront distributions should require encryption in transit
- CloudFront distributions should use SNI to serve HTTPS requests
2.2.7: System components are configured and managed securely.
3.5.1.1: Primary account number (PAN) is secured wherever it is stored.
3.5.1.3: Primary account number (PAN) is secured wherever it is stored.
3.6.1: Cryptographic keys used to protect stored account data are secured.
3.6.1.2: Cryptographic keys used to protect stored account data are secured.
3.6.1.3: Cryptographic keys used to protect stored account data are secured.
3.6.1.4: Cryptographic keys used to protect stored account data are secured.
3.7.1: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
3.7.2: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
3.7.4: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
3.7.6: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
3.7.7: Where cryptography is used to protect stored account data, key management processes and procedures covering all aspects of the key lifecycle are defined and implemented.
4.2.1: PAN is protected with strong cryptography during transmission.
4.2.1.1: An inventory of the entity's trusted keys and certificates used to protect PAN during transmission is maintained
- CloudFront distributions should require encryption in transit
- CloudFront distributions should use custom SSL/TLS certificates
4.2.1.1: PAN is protected with strong cryptography during transmission.
- CloudFront distributions should require encryption in transit
- CloudFront distributions should use custom SSL/TLS certificates
5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.
6.4.1: Public-facing web applications are protected against attacks.
6.4.2: For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks
6.4.2: Public-facing web applications are protected against attacks.
8.3.2: Strong authentication for users and administrators is established and managed.
8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components
10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.
10.3.1: Audit logs are protected from destruction and unauthorized modifications.
10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.
A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.
- CloudFront distributions should use custom SSL/TLS certificates
- CloudFront distributions should have AWS WAF enabled
A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.
A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities
A1.2 The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives
CC6.7 The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity's objectives
PI1.2 System inputs are measured and recorded completely, accurately, and timely to meet the entity's processing integrity commitments and system requirements
PI1.4 System outputs are complete, accurate, distributed only to intended parties, and retained to meet the entity's processing integrity commitments and system requirements
Framework Coverage
Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint
| Control | PCI DSS v4.0 | AWS Well-Architected Framework v10 | ISO/IEC 27001:2022 | NIST Cybersecurity Framework v2.0 | SOC 2 | HIPAA Omnibus Rule 2013 | NIS2 Directive (EU 2022/2555) | ACSC Essential Eight |
|---|---|---|---|---|---|---|---|---|
| CloudFront distributions should have a default root object configured | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| CloudFront distributions should require encryption in transit | ● | ● | ● | ● | ● | ● | ● | ○ |
| CloudFront distributions should have field level encryption enabled | ○ | ● | ● | ○ | ● | ○ | ○ | ○ |
| CloudFront distributions should have geo restriction enabled | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| CloudFront distributions should have latest TLS version | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| CloudFront distributions access logs should be enabled | ● | ● | ● | ● | ● | ● | ● | ● |
| CloudFront distributions should use SNI to serve HTTPS requests | ● | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| CloudFront distributions should use custom SSL/TLS certificates | ● | ○ | ○ | ● | ○ | ○ | ○ | ○ |
| CloudFront distributions should use the recommended TLS security policy | ○ | ○ | ○ | ○ | ○ | ○ | ○ | ○ |
| CloudFront distributions should have AWS WAF enabled | ● | ● | ○ | ○ | ○ | ○ | ○ | ○ |
Showing top 8 frameworks by coverage. All framework endpoints →