[Cloudfront] Are there security implications to the ALL_VIEWER origin request policy?

What is the scenario where you wouldn't want to use the ALL_VIEWER managed origin request policy? Are there any security implications to using that for all distributions (S3 origins and ALB origins)?

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html

Sujets

Réseaux et diffusion de contenu Framework AWS Well-Architected

Balises

Amazon CloudFront Sécurité

Langue

English

NickHolden

demandé il y a 2 ans640 vues

1 réponse

Le plus récent
Le plus de votes
La plupart des commentaires

Ces réponses sont-elles utiles ? Votez pour la bonne réponse pour aider la communauté à bénéficier de vos connaissances.

Réponse acceptée

The ALL_VIEWER origin request policy will forward all headers, cookies and query strings to requests that reach the origin but caching will not defined based on the headers, cookies and query strings being forwarded. In terms of best practices, you should only forward the exact headers, cookies or query strings which your application needs

INGÉNIEUR EN ASSISTANCE TECHNIQUE

Davin_G

répondu il y a 2 ans

vasco
il y a un an
I don't think you really answered the question here; Like why is this is best practise? Does it have any security implications for example? Perhaps based on those best practises?
vasco
il y a un an
For example my assumption would be that it in general makes sense to include all headers because;

As you pointed out, cloudfront doesn't use all of them for caching, so no adverse effects there

The origin will mostly likely only parse the headers it needs to function

Lastly, in terms of logging request from your server to debug failed request or even detect malicious requests, it would be more helpfull to have more headers as you have more information from the request made.

I am probably wrong as you pointed out it's better to only select the ones needed, so I would live to know why!

Contenus pertinents

My account is not recognized
juan ortega
demandé il y a un an
[ACTION REQUIRED] Update your TLS connections to 1.2 : quelles applications sont concernées ?
rePost-User-7550145
demandé il y a un an
the logon attempt failed
rePost-User-7377810
demandé il y a un an
error 403 / cloud front
nico-HPF
demandé il y a un mois
Comment corriger l’erreur « No "Access-Control-Allow-Origin" header is present on the requested resource » provenant de CloudFront ?
AWS OFFICIELA mis à jour il y a 2 ans
Comment résoudre l'erreur « CloudFront wasn't able to connect to the origin » (« CloudFront n'a pas pu se connecter à l'origine ») ?
AWS OFFICIELA mis à jour il y a 2 ans
Comment résoudre l'erreur « The final policy size is bigger than the limit » de Lambda ?
AWS OFFICIELA mis à jour il y a 2 ans
Comment résoudre « 403 Error - The request could not be satisfied. Request Blocked » dans CloudFront ?
AWS OFFICIELA mis à jour il y a un an