Feature Request: AWS CloudFront Support

Open kunaals opened this issue 1 week ago • 0 comments

Description

Add support for ingesting AWS CloudFront distributions and their related resources into the cartography graph. CloudFront is AWS's content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds.

The implementation should include:

  1. CloudFrontDistribution - The main distribution node containing configuration details
  2. CloudFrontOrigin - Origin servers (S3 buckets, custom HTTP servers, MediaStore, etc.)
  3. Relationships to existing cartography nodes (S3Bucket, AWSLambda for Lambda@Edge, ACMCertificate, WAFWebACL)

Proposed Schema

CloudFrontDistribution Node

Field                      Description
id                         The distribution ID
arn                        The ARN of the distribution
domain_name                The CloudFront domain name (e.g., d111111abcdef8.cloudfront.net)
status                     Distribution status (Deployed, InProgress)
enabled                    Whether the distribution is enabled
comment                    Description of the distribution
price_class                Price class (PriceClass_100, PriceClass_200, PriceClass_All)
http_version               HTTP version (http1.1, http2, http2and3, http3)
is_ipv6_enabled            Whether IPv6 is enabled
default_root_object        Default root object (e.g., index.html)
web_acl_id                 Associated WAF Web ACL ARN
aliases                    List of CNAMEs (alternate domain names)
viewer_protocol_policy     Default viewer protocol policy (allow-all, https-only, redirect-to-https)
minimum_protocol_version   Minimum TLS version (TLSv1.2_2021, etc.)
ssl_support_method         SSL support method (sni-only, vip)
acm_certificate_arn        ACM certificate ARN for HTTPS
logging_enabled            Whether access logging is enabled
logging_bucket             S3 bucket for access logs
logging_prefix             Prefix for log files
geo_restriction_type       Geographic restriction type (none, whitelist, blacklist)
geo_restriction_locations  List of country codes for geo-restriction
lastupdated                Timestamp of last sync
region                     Always 'global' for CloudFront

CloudFrontOrigin Node

Field                      Description
id                         Unique identifier (distribution_id + origin_id)
origin_id                  The origin ID within the distribution
domain_name                Origin domain name
origin_path                Optional path for the origin
origin_type                Type of origin (s3, custom, mediastore, etc.)
s3_origin_access_identity  OAI for S3 origins
origin_access_control_id   OAC ID for S3 origins
protocol_policy            Origin protocol policy (http-only, https-only, match-viewer)
http_port                  HTTP port for custom origins
https_port                 HTTPS port for custom origins
connection_attempts        Number of connection attempts
connection_timeout         Connection timeout in seconds
origin_shield_enabled      Whether Origin Shield is enabled
origin_shield_region       Origin Shield region
lastupdated                Timestamp of last sync

Proposed Relationships

(:AWSAccount)-[:RESOURCE]->(:CloudFrontDistribution)
(:CloudFrontDistribution)-[:HAS_ORIGIN]->(:CloudFrontOrigin)
(:CloudFrontOrigin)-[:SERVES_FROM]->(:S3Bucket)  // When origin is an S3 bucket
(:CloudFrontDistribution)-[:USES_CERTIFICATE]->(:ACMCertificate)  // When using ACM cert
(:CloudFrontDistribution)-[:PROTECTED_BY]->(:WAFWebACL)  // When WAF is attached
(:CloudFrontDistribution)-[:LOGS_TO]->(:S3Bucket)  // Access logging bucket
(:CloudFrontDistribution)-[:USES_LAMBDA_EDGE]->(:AWSLambda)  // Lambda@Edge functions
(:CloudFrontDistribution)-[:USES_CLOUDFRONT_FUNCTION]->(:CloudFrontFunction)  // Optional: CloudFront Functions

Example Cypher Queries

Find all CloudFront distributions without WAF protection:

MATCH (a:AWSAccount)-[:RESOURCE]->(d:CloudFrontDistribution)
WHERE NOT EXISTS { MATCH (d)-[:PROTECTED_BY]->(:WAFWebACL) }
RETURN a.name, d.id, d.domain_name, d.aliases

Find distributions using outdated TLS versions:

MATCH (d:CloudFrontDistribution)
WHERE d.minimum_protocol_version IN ['SSLv3', 'TLSv1', 'TLSv1_2016', 'TLSv1.1_2016']
RETURN d.id, d.domain_name, d.minimum_protocol_version

Find S3 buckets exposed via CloudFront:

MATCH (d:CloudFrontDistribution)-[:HAS_ORIGIN]->(o:CloudFrontOrigin)-[:SERVES_FROM]->(s:S3Bucket)
RETURN d.domain_name, d.aliases, s.name as bucket_name

Find distributions with Lambda@Edge functions:

MATCH (d:CloudFrontDistribution)-[:USES_LAMBDA_EDGE]->(l:AWSLambda)
RETURN d.id, d.domain_name, l.name as lambda_function, l.arn

Required IAM Permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "cloudfront:ListDistributions",
                "cloudfront:GetDistribution",
                "cloudfront:GetDistributionConfig",
                "cloudfront:ListTagsForResource"
            ],
            "Resource": "*"
        }
    ]
}

Motivation

CloudFront is a critical AWS service for many organizations, used to:

  • Deliver static and dynamic web content
  • Secure applications with HTTPS and WAF integration
  • Accelerate API responses
  • Distribute software and media

Adding CloudFront support enables important security and compliance use cases:

  1. Security Posture Assessment - Identify distributions without WAF, using weak TLS, or missing geo-restrictions
  2. Certificate Management - Track which distributions use which ACM certificates
  3. Origin Security - Understand which S3 buckets are publicly accessible via CloudFront vs. direct access
  4. Lambda@Edge Analysis - Map Lambda function associations for security review
  5. Attack Surface Mapping - Enumerate all public-facing CloudFront endpoints and their origins

Alternatives Considered

  1. Only modeling distributions without origins - Simpler but loses the rich relationship data between CloudFront and origin resources (S3, ALB, etc.)
  2. Embedding cache behaviors in distribution node - Could reduce node count but would lose queryability for specific cache behavior configurations
  3. Using AWS Config - AWS Config can track CloudFront but doesn't provide the graph relationships that cartography excels at

Relevant Links

kunaals, Dec 15 '25 18:12
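Added example (not part of the issue as filed, and not cartography's own code): a Python transform from the boto3 DistributionConfig shape to node dicts matching the Proposed Schema above, including the bucket-name and function-ARN lookups that the Proposed Relationships (SERVES_FROM, LOGS_TO, USES_LAMBDA_EDGE, USES_CLOUDFRONT_FUNCTION) would need. The input-side names (DistributionConfig, Origins.Items, S3OriginConfig, CustomOriginConfig, ViewerCertificate, Logging, CacheBehaviors, WebACLId) are the CloudFront API's; the extra output keys distribution_id, s3_bucket_name, lambda_edge_arns and cloudfront_function_arns are an assumption about how a loader would resolve the relationships, and the sample distribution is constructed, not captured from an account.

```python
"""Transform one CloudFront distribution into node dicts for the schema proposed above.
Input is the boto3 shape of get_distribution_config()['DistributionConfig'] plus Id/ARN/
DomainName/Status from list_distributions(); output keys are the proposed fields plus
relationship targets (bucket names, function ARNs) for a loader to MERGE against."""
import re
from typing import Any, Dict, List, Optional

# REST-style S3 endpoints only (bucket.s3.amazonaws.com, bucket.s3.<region>.amazonaws.com,
# legacy bucket.s3-<region>...). Website endpoints (bucket.s3-website-...) are excluded on
# purpose: CloudFront treats them as custom HTTP origins, and they do not honour OAI/OAC.
_S3_REST_ENDPOINT = re.compile(
    r"^(?P<bucket>[a-z0-9.-]+)\.s3(?:[.-](?!website)[a-z0-9-]+)?\.amazonaws\.com$"
)

def s3_bucket_from_domain(domain: str) -> Optional[str]:
    """Bucket name for an S3 REST endpoint, else None (SERVES_FROM and LOGS_TO targets)."""
    m = _S3_REST_ENDPOINT.match(domain.lower())
    return m.group("bucket") if m else None

def transform_distribution(dist: Dict[str, Any]) -> Dict[str, Any]:
    """Build the CloudFrontDistribution node dict."""
    cfg = dist["DistributionConfig"]
    cert, log = cfg.get("ViewerCertificate", {}), cfg.get("Logging", {})
    geo, default = cfg.get("Restrictions", {}).get("GeoRestriction", {}), cfg.get("DefaultCacheBehavior", {})
    # Edge code can be attached to the default behavior or any path-pattern behavior; dedupe.
    behaviors = [default] + cfg.get("CacheBehaviors", {}).get("Items", [])
    lambda_arns = {a["LambdaFunctionARN"] for b in behaviors
                   for a in b.get("LambdaFunctionAssociations", {}).get("Items", [])}
    function_arns = {a["FunctionARN"] for b in behaviors
                     for a in b.get("FunctionAssociations", {}).get("Items", [])}
    return {
        "id": dist["Id"], "arn": dist["ARN"], "domain_name": dist["DomainName"],
        "status": dist["Status"], "enabled": cfg.get("Enabled"), "comment": cfg.get("Comment"),
        "price_class": cfg.get("PriceClass"), "http_version": cfg.get("HttpVersion"),
        "is_ipv6_enabled": cfg.get("IsIPV6Enabled"),
        "default_root_object": cfg.get("DefaultRootObject") or None,
        "web_acl_id": cfg.get("WebACLId") or None,  # the API returns "" when no WAF is attached
        "aliases": cfg.get("Aliases", {}).get("Items", []),
        "viewer_protocol_policy": default.get("ViewerProtocolPolicy"),
        "minimum_protocol_version": cert.get("MinimumProtocolVersion"),
        "ssl_support_method": cert.get("SSLSupportMethod"),
        "acm_certificate_arn": cert.get("ACMCertificateArn"),
        "logging_enabled": log.get("Enabled", False),
        "logging_bucket": s3_bucket_from_domain(log.get("Bucket", "")),  # Bucket is a hostname
        "logging_prefix": log.get("Prefix") or None,
        "geo_restriction_type": geo.get("RestrictionType"),
        "geo_restriction_locations": geo.get("Items", []),
        "region": "global",
        "lambda_edge_arns": sorted(lambda_arns),            # USES_LAMBDA_EDGE targets
        "cloudfront_function_arns": sorted(function_arns),  # USES_CLOUDFRONT_FUNCTION targets
    }

def transform_origins(dist: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Build one CloudFrontOrigin node dict per origin; id = distribution_id|origin_id."""
    rows = []
    for o in dist["DistributionConfig"].get("Origins", {}).get("Items", []):
        s3cfg = o.get("S3OriginConfig")  # present for S3 origins; OAI is "" when OAC is used instead
        custom = o.get("CustomOriginConfig") or {}
        rows.append({
            "id": f"{dist['Id']}|{o['Id']}", "distribution_id": dist["Id"],
            "origin_id": o["Id"], "domain_name": o["DomainName"],
            "origin_path": o.get("OriginPath") or None,
            "origin_type": "s3" if s3cfg is not None else "custom",
            "s3_origin_access_identity": (s3cfg or {}).get("OriginAccessIdentity") or None,
            "origin_access_control_id": o.get("OriginAccessControlId") or None,
            "protocol_policy": custom.get("OriginProtocolPolicy"),
            "http_port": custom.get("HTTPPort"), "https_port": custom.get("HTTPSPort"),
            # SERVES_FROM target; None for custom origins (ALBs, API hosts, S3 website endpoints)
            "s3_bucket_name": s3_bucket_from_domain(o["DomainName"]) if s3cfg is not None else None,
        })
    return rows

# Constructed sample in the boto3 shape; every ID, ARN and hostname below is made up.
LAMBDA_ARN = "arn:aws:lambda:us-east-1:123456789012:function:add-headers:3"
SAMPLE_DISTRIBUTION: Dict[str, Any] = {
    "Id": "E2EXAMPLE000001", "Status": "Deployed", "DomainName": "d111111abcdef8.cloudfront.net",
    "ARN": "arn:aws:cloudfront::123456789012:distribution/E2EXAMPLE000001",
    "DistributionConfig": {
        "Enabled": True, "Comment": "static site", "PriceClass": "PriceClass_100",
        "HttpVersion": "http2", "IsIPV6Enabled": True, "DefaultRootObject": "index.html",
        "WebACLId": "", "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
        "Origins": {"Quantity": 2, "Items": [
            {"Id": "s3-assets", "DomainName": "example-assets.s3.us-east-1.amazonaws.com",
             "OriginPath": "", "S3OriginConfig": {"OriginAccessIdentity": ""},
             "OriginAccessControlId": "E3EXAMPLEOAC"},
            {"Id": "api", "DomainName": "api.example.com", "OriginPath": "/v1",
             "CustomOriginConfig": {"HTTPPort": 80, "HTTPSPort": 443, "OriginProtocolPolicy": "https-only"}}]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "s3-assets", "ViewerProtocolPolicy": "redirect-to-https",
            "LambdaFunctionAssociations": {"Quantity": 1, "Items": [
                {"LambdaFunctionARN": LAMBDA_ARN, "EventType": "origin-response"}]}},
        "CacheBehaviors": {"Quantity": 1, "Items": [
            {"PathPattern": "/api/*", "TargetOriginId": "api", "ViewerProtocolPolicy": "https-only",
             "LambdaFunctionAssociations": {"Quantity": 1, "Items": [
                 {"LambdaFunctionARN": LAMBDA_ARN, "EventType": "viewer-request"}]}}]},
        "ViewerCertificate": {"SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021",
                              "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example"},
        "Logging": {"Enabled": True, "Bucket": "example-logs.s3.amazonaws.com", "Prefix": "cf/"},
    },
}
```

The S3-versus-custom split in transform_origins is the point that matters for the "Origin Security" use case: only an origin backed by S3OriginConfig can be locked down with an OAI or OAC, so a bucket reached through its website endpoint (which CloudFront sees as a custom HTTP origin) has to be readable by anyone, and a SERVES_FROM edge should not be created for it. Collecting Lambda@Edge ARNs across all cache behaviors, not just the default one, avoids missing functions attached to a single path pattern.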