fix cloudfront_distribution_use_secure_cipher protocol filter #827
Conversation
misraved
added
the
hacktoberfest-accepted
conformance_pack/cloudfront.sp
Outdated
| ) | ||
| select | ||
| b.arn as resource, | ||
| distinct b.arn as resource, |
There was a problem hiding this comment.
@ sbldevnet Is this really required as we are using distinct in above CTE origin_protocols. ?
There was a problem hiding this comment.
@khushboo9024 when there are two or more origins in the same distribution using the SSLv3 and TLSv1 protocols, the CTE origin_protocols returns the same distribution twice.
As the origin_protocols value is not used in the parent query I think it can be removed from the CTE select to avoid using the distinct in the parent query. I tested it locally and seems to work as expected.
There was a problem hiding this comment.
Is it OK the current fix or should I remove the origin_protocols from the parent query to avoid the distinct? @khushboo9024
There was a problem hiding this comment.
@sbldevnet I am OK with the current fix. 👍
…b.com:sbldevnet/steampipe-mod-aws-compliance into fix_cloudfront_distribution_use_secure_cipher
Issue
The query
cloudfront_distribution_use_secure_cipheruses a where clause that does not match with resources that should be correct.From AWS docs allowed values are
SSLv3,TLSv1,TLSv1.1andTLSv1.2. The chosen value is the minimum SSL protocol that CloudFront uses with the origin. TheCustomOriginConfig.OriginSslProtocols.Itemsvalue will contain all allowed protocols, so choosingSSLv3will result in["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"].Valid origins are those that contain neither
SSLv3norTLSv1.I have added the
distinctstatement as a distribution using two or more origins, one withSSLv3and one withTLSv1, would return two results.Checklist