[Cloudfront] Are there security implications to the ALL_VIEWER origin request policy?

0

What is the scenario where you wouldn't want to use the ALL_VIEWER managed origin request policy? Are there any security implications to using that for all distributions (S3 origins and ALB origins)?

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-managed-origin-request-policies.html

Topics

Networking & Content Delivery AWS Well-Architected Framework

Tags

Amazon CloudFront Security

Language

English

asked 2 years ago640 views

1 Answer

Newest
Most votes
Most comments

Are these answers helpful? Upvote the correct answer to help the community benefit from your knowledge.

0

Accepted Answer

The ALL_VIEWER origin request policy will forward all headers, cookies and query strings to requests that reach the origin but caching will not defined based on the headers, cookies and query strings being forwarded. In terms of best practices, you should only forward the exact headers, cookies or query strings which your application needs

SUPPORT ENGINEER

answered 2 years ago

vasco
a year ago
I don't think you really answered the question here; Like why is this is best practise? Does it have any security implications for example? Perhaps based on those best practises?
vasco
a year ago
For example my assumption would be that it in general makes sense to include all headers because;

As you pointed out, cloudfront doesn't use all of them for caching, so no adverse effects there

The origin will mostly likely only parse the headers it needs to function

Lastly, in terms of logging request from your server to debug failed request or even detect malicious requests, it would be more helpfull to have more headers as you have more information from the request made.

I am probably wrong as you pointed out it's better to only select the ones needed, so I would live to know why!

Relevant content

Cloudfront S3 origin response 403 for the Options request
Accepted Answer
AWS-User-3427223
asked 2 years ago
[Cloudfront]The Request are failing with error code 403 after enabling ALL_viewer origin request policy
rePost-User-3719927
asked 2 years ago
What new "Cache and origin request policy" matches our legacy cache settings?
Accepted Answer
enuvo
asked 2 years ago
Cloudfront Distributions - General "The security token included in the request is invalid"
bgbs
asked 7 months ago
How do I resolve the error "CloudFront wasn't able to connect to the origin"?
AWS OFFICIALUpdated 2 years ago
How do I configure CloudFront to forward the host header to the origin?
AWS OFFICIALUpdated 8 months ago
How can I configure CloudFront to forward the Authorization header to the origin?
AWS OFFICIALUpdated 2 years ago
How do I resolve the "No 'Access-Control-Allow-Origin' header is present on the requested resource" error from CloudFront?
AWS OFFICIALUpdated 2 years ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published 2 years ago
Why do I get an error "The snapshot is currently in use by AMI" when I try to delete an EBS snapshot, even though there is no AMI on the account?
EXPERT
dnyanesh-db
published 4 months ago