
aws_cloudfront_distributions Resource

Use the aws_cloudfront_distributions InSpec audit resource to test the properties of a collection of AWS CloudFront distributions.

For additional information, including details on parameters and properties, see the AWS API reference for CloudFront distributions.


This resource is available in the Chef InSpec AWS resource pack.

For information on configuring your AWS environment for Chef InSpec and creating an InSpec profile that uses the InSpec AWS resource pack, see the Chef InSpec documentation on the AWS cloud platform.


Ensure that a particular CloudFront distribution exists in aws_cloudfront_distributions:

describe aws_cloudfront_distributions do
  its('distribution_ids') { should include 'DISTRIBUTION_ID' }
end


This resource does not require any parameters.


The names of the CloudFront distributions.
The Amazon Resource Name (ARN) of the CloudFront distributions.
The statuses of the CloudFront distributions (InProgress or Deployed).
The domain names for the CloudFront distributions.
The domain names for the CloudFront distributions’ origins (an array for each distribution).
The viewer protocol policy for the default cache for each of the CloudFront distributions. Values: https-only, redirect-to-https or allow-all.
The viewer protocol policy for all non-default caches for each of the CloudFront distributions (an array for each distribution). Values: https-only, redirect-to-https or allow-all. There may be an empty array for a distribution if no non-default caches are present.
An array for each CloudFront distribution containing SSL/TLS protocols allowed by all of the custom origins in that distribution, empty where no custom origins exist for a distribution. Current SSL/TLS protocol identifiers: SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2018, TLSv1.2_2019 and TLSv1.2_2021.
Booleans indicating whether there are any S3 origin configs in a particular distribution (non-custom S3 bucket origins).
The price classes for distributions, which correspond to the maximum price that you want to pay for CloudFront service. Valid values: PriceClass_100, PriceClass_200, PriceClass_All.
Booleans indicating whether the distributions are enabled.
The SSL support methods for Viewer Certificates for the distributions, only set for distributions with aliases. Valid values: sni-only, vip or static-ip.
The minimum SSL/TLS protocol allowed by the Viewer Certificate in each distribution. Current valid values: SSLv3, TLSv1, TLSv1_2016, TLSv1.1_2016, TLSv1.2_2018, TLSv1.2_2019, TLSv1.2_2021.
The maximum HTTP versions that viewers may use to communicate with CloudFront distributions. Valid values: http1.1 or http2.
Booleans indicating whether IPv6 is enabled for CloudFront distributions.


Test that a particular CloudFront distribution exists, and that no cache viewer protocol policies allow HTTP.

describe aws_cloudfront_distributions do
  its('distribution_ids') { should include 'DISTRIBUTION_ID' }
  its('default_cache_viewer_protocol_policies') { should_not include 'allow-all' }
  its('cache_viewer_protocol_policies') { should_not include 'allow-all' }
end
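
The include matcher compares 'allow-all' against the top-level elements of each property. The following is an added example in plain Ruby (not code from the InSpec AWS resource pack) that models the property shapes listed above with constructed data, shows that a nested cache_viewer_protocol_policies value has to be flattened before an include check can see 'allow-all', and reports which distribution is affected. It assumes the three properties are index-aligned with one entry per distribution; passes_naive_check? and http_allowing_distributions are hypothetical helper names.

```ruby
# Added example: plain Ruby, no InSpec or AWS access needed.
# Assumption: the three properties are index-aligned, one entry per distribution,
# and cache_viewer_protocol_policies is nested as the property list describes.

# Constructed sample data (not taken from a real account).
SAMPLE = {
  distribution_ids: %w[DIST_A DIST_B DIST_C],
  default_cache_viewer_protocol_policies: %w[redirect-to-https https-only allow-all],
  cache_viewer_protocol_policies: [['https-only', 'allow-all'], [], ['redirect-to-https']]
}.freeze

# What `should_not include 'allow-all'` evaluates for a given property value.
def passes_naive_check?(values)
  !values.include?('allow-all')
end

# Map each distribution ID to the cache behaviours that still accept plain HTTP.
def http_allowing_distributions(data)
  ids = data.fetch(:distribution_ids)
  defaults = data.fetch(:default_cache_viewer_protocol_policies)
  others = data.fetch(:cache_viewer_protocol_policies)
  unless ids.length == defaults.length && ids.length == others.length
    raise ArgumentError, 'properties are not index-aligned'
  end

  ids.each_index.each_with_object({}) do |i, report|
    hits = []
    hits << 'default' if defaults[i] == 'allow-all'
    Array(others[i]).each_with_index do |policy, n|
      hits << "behavior[#{n}]" if policy == 'allow-all'
    end
    report[ids[i]] = hits unless hits.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  nested = SAMPLE[:cache_viewer_protocol_policies]
  puts "check on nested value passes:  #{passes_naive_check?(nested)}"
  puts "check after flatten passes:    #{passes_naive_check?(nested.flatten)}"
  http_allowing_distributions(SAMPLE).each { |id, where| puts "#{id}: #{where.join(', ')}" }
end
```
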


For a full list of available matchers, see our Universal Matchers page.

This resource has the following special matchers.


The control will pass if the describe returns at least one result.

Use should_not to test that the entity does not exist.

describe aws_cloudfront_distributions do
  it { should exist }
end

AWS Permissions

Your Principal will need the CloudFront:Client:ListDistributionsResult action with Effect set to Allow.

You can find detailed documentation at Identity and Access Management (IAM) in CloudFront.
