ScoutSuite
http-only origin finding improper for S3 origins
Looking at this finding:
https://github.com/nccgroup/ScoutSuite/blob/4300fc0440db766fafb0db81de7c954534b0349c/ScoutSuite/providers/aws/rules/findings/cloudfront-distribution-cleartext-origin.json#L14
You actually can't set any setting other than "http-only" when S3 is used as the origin and have it work.
One may counter that this is still a finding because you could be sending data cleartext, but that's really a finding based on what data is in the S3 bucket: static site hosting doesn't have that problem at all, as the information isn't confidential at all, but if you host actual confidential data in that area then it is a problem. But that's not a CloudFront finding, that would be an S3 finding. Therefore, the "http-only" setting shouldn't be managed via exception but should be ignored when an S3 bucket is a target.
The 5.12.0-rc1 release now supports OAI (Origin Access Identity), which is a CloudFront feature providing an https-like path to S3. Using that, this error should properly go away. Not to be outdone, AWS has now marked OAI as legacy and rolled out OAC (Origin Access Control). It may not be recognized yet.
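The exclusion proposed in the issue, plus the OAI/OAC recognition mentioned in the follow-up, as an added example written against the shape of a CloudFront `DistributionConfig` as returned by the AWS API. This is not ScoutSuite's rule code; `is_s3_origin`, `origin_access`, `cleartext_origin_findings`, the website-endpoint regex and the sample config are all constructed here, and the field names `S3OriginConfig`, `OriginAccessIdentity`, `OriginAccessControlId` and `CustomOriginConfig.OriginProtocolPolicy` are those of the CloudFront API.

```python
import re

# S3 static-website endpoints are attached to CloudFront as custom origins and
# only speak HTTP, so "http-only" is the only policy that works for them.
# Assumption: this pattern is how such endpoints are recognised.
S3_WEBSITE_RE = re.compile(r"\.s3-website[.-][a-z0-9-]+\.amazonaws\.com$")

def is_s3_origin(origin):
    """True for S3 REST origins (S3OriginConfig) and S3 website endpoints."""
    if "S3OriginConfig" in origin:
        return True
    return bool(S3_WEBSITE_RE.search(origin.get("DomainName", "")))

def origin_access(origin):
    """Which access control an S3 origin uses: 'OAC', 'OAI' or None."""
    if origin.get("OriginAccessControlId"):
        return "OAC"
    if origin.get("S3OriginConfig", {}).get("OriginAccessIdentity"):
        return "OAI"
    return None

def cleartext_origin_findings(distribution_config):
    """Return ids of custom (non-S3) origins configured with 'http-only'."""
    flagged = []
    for origin in distribution_config["Origins"]["Items"]:
        if is_s3_origin(origin):
            continue  # S3 targets are ignored, as the issue proposes
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if policy == "http-only":
            flagged.append(origin["Id"])
    return flagged

# Constructed sample: an ALB origin on http-only (flagged), an S3 REST origin
# behind an OAI (ignored) and an S3 website endpoint on http-only (ignored).
SAMPLE_CONFIG = {
    "Origins": {
        "Items": [
            {"Id": "alb", "DomainName": "app-123.eu-west-1.elb.amazonaws.com",
             "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
            {"Id": "assets", "DomainName": "assets.s3.amazonaws.com",
             "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLE"}},
            {"Id": "site", "DomainName": "site.s3-website-eu-west-1.amazonaws.com",
             "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        ],
    }
}

if __name__ == "__main__":
    print(cleartext_origin_findings(SAMPLE_CONFIG))  # ['alb']
```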