CloudFront Distribution Exposure

Are your CloudFront distributions exposing origin servers or sensitive content?

What this looks like in the scanner
securecompass.io/public-exposure-scanner
High    E1A2B3C4D5E6F7  CloudFront distribution serves S3 origin without Origin Access Control - bucket is directly accessible
High    E9F8E7D6C5B4A3  Distribution has no WAF web ACL associated for application-layer protection
Medium  E2B4D6F8A1C3E5  Custom origin uses HTTP-only protocol policy instead of HTTPS-only

What does Amazon CloudFront public exposure mean?

CloudFront distributions are designed to be public, but misconfigurations can expose origin servers directly, serve content without proper access controls, or cache sensitive responses that should be private.

Why it matters

An improperly configured CloudFront distribution can bypass your origin's security controls, serve cached sensitive data to unauthorized users, or expose the origin server's IP address - allowing attackers to bypass CloudFront entirely.

How to check manually

  1. Verify Origin Access Control or Origin Access Identity is configured for S3 origins
  2. Check that origin servers are not directly accessible (security groups should only allow CloudFront IPs)
  3. Review cache behaviors for sensitive paths that should not be cached
  4. Check for custom error pages that might expose internal details

Quick check with AWS CLI

List all CloudFront distributions and their origins
aws cloudfront list-distributions --query "DistributionList.Items[].{Id:Id,Domain:DomainName,Origins:Origins.Items[].DomainName}"
Check a distribution's origin access settings
aws cloudfront get-distribution --id YOUR_DISTRIBUTION_ID --query "Distribution.DistributionConfig.Origins.Items[].{Domain:DomainName,OAC:OriginAccessControlId}"
Check for distributions without WAF
aws cloudfront list-distributions --query "DistributionList.Items[?WebACLId==''].{Id:Id,Domain:DomainName}"
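The three CLI queries above each answer one question. The following script, added here as an example and not part of securecompass.io's scanner, applies the same three checks (S3 origin without OAC/OAI, no WAF web ACL, custom origin protocol policy) to the DistributionConfig structure that `aws cloudfront get-distribution` returns. It goes slightly beyond the page's finding by flagging any origin protocol policy other than https-only, not just http-only. The distribution IDs, hostnames and ARN in the sample data are constructed, not real resources.

```python
"""Flag CloudFront distribution settings that match the scanner findings on
this page: an S3 origin with neither OAC nor OAI, no WAF web ACL attached,
and a custom origin whose protocol policy is not https-only.

Each check reads the DistributionConfig dict returned by
`aws cloudfront get-distribution` (or boto3 get_distribution()).
The two configs below are constructed samples with fake IDs and hostnames.
"""


def is_s3_origin(origin: dict) -> bool:
    # Only origins carrying S3OriginConfig can use OAC/OAI. An S3 *website*
    # endpoint is a plain custom origin and cannot be restricted this way.
    return "S3OriginConfig" in origin


def check_distribution(dist_id: str, config: dict) -> list:
    """Return one finding dict per issue, using the page's severity labels."""
    findings = []

    # No WAF web ACL: WebACLId is an empty string when nothing is attached.
    if not config.get("WebACLId"):
        findings.append({"id": dist_id, "severity": "High",
                         "issue": "no WAF web ACL associated"})

    for origin in config.get("Origins", {}).get("Items", []):
        domain = origin.get("DomainName", "")
        if is_s3_origin(origin):
            # Either an OAC id or a legacy OAI string restricts the bucket.
            oac = origin.get("OriginAccessControlId", "")
            oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
            if not oac and not oai:
                findings.append({"id": dist_id, "severity": "High",
                                 "issue": f"S3 origin {domain} has no OAC or OAI"})
        else:
            # The page flags http-only; match-viewer is reported too because
            # it still lets plaintext reach the origin for HTTP viewers.
            policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy", "")
            if policy != "https-only":
                findings.append({"id": dist_id, "severity": "Medium",
                                 "issue": f"custom origin {domain} uses "
                                          f"{policy or 'unknown'} protocol policy "
                                          "instead of https-only"})
    return findings


# Constructed sample data (fake IDs, hostnames and ARN), not real account output.
SAMPLE_CONFIGS = {
    "EXAMPLE1DIST": {  # all three issues present
        "WebACLId": "",
        "Origins": {"Items": [
            {"DomainName": "assets-example.s3.amazonaws.com",
             "OriginAccessControlId": "",
             "S3OriginConfig": {"OriginAccessIdentity": ""}},
            {"DomainName": "api.example.internal",
             "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}},
        ]},
    },
    "EXAMPLE2DIST": {  # hardened: OAC, WAF, https-only
        "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/EXAMPLEID",
        "Origins": {"Items": [
            {"DomainName": "assets-example.s3.amazonaws.com",
             "OriginAccessControlId": "EXAMPLEOAC",
             "S3OriginConfig": {"OriginAccessIdentity": ""}},
            {"DomainName": "api.example.internal",
             "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
        ]},
    },
}


def scan_all(configs: dict) -> list:
    """Run check_distribution over a {distribution_id: DistributionConfig} map."""
    findings = []
    for dist_id, cfg in configs.items():
        findings.extend(check_distribution(dist_id, cfg))
    return findings


if __name__ == "__main__":
    for f in scan_all(SAMPLE_CONFIGS):
        print(f"{f['severity']:<6} {f['id']}  {f['issue']}")
```

To run it against a real account, build the input map from `list_distributions()` IDs and `get_distribution()["Distribution"]["DistributionConfig"]` for each. One caveat the distribution config alone cannot tell you: an OAC only closes the bucket if the bucket policy grants `s3:GetObject` solely to the CloudFront service principal for that distribution, so the bucket policy needs a separate S3-side check before the first finding can be marked resolved.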

Common misconfigurations

S3 origin accessible directly without Origin Access Control
Origin server security group allowing 0.0.0.0/0 instead of CloudFront-only
No geo-restriction when content should be region-locked
Caching headers not set correctly for authenticated content
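The second misconfiguration above (an origin security group open to 0.0.0.0/0 rather than to CloudFront only) can be checked from `aws ec2 describe-security-groups` output. The script below is an added example, not part of the page's scanner: it reports any inbound rule that lets the whole internet reach a web port, and whether the group instead references the CloudFront origin-facing managed prefix list. The prefix list's `pl-...` ID differs per account and region, so it is passed in; resolve it with `aws ec2 describe-managed-prefix-lists --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing`. The group IDs and prefix list ID in the sample data are constructed.

```python
"""Check whether an origin security group exposes the origin to the whole
internet instead of only to CloudFront's origin-facing address ranges.

Input is one entry of SecurityGroups[] from `aws ec2 describe-security-groups`.
CloudFront publishes its origin-facing ranges as the managed prefix list
named below; its pl-... id is account/region specific and passed in.
All groups and the prefix list id below are constructed samples.
"""

CLOUDFRONT_PREFIX_LIST_NAME = "com.amazonaws.global.cloudfront.origin-facing"
WEB_PORTS = (80, 443)


def rule_covers_port(perm: dict, port: int) -> bool:
    """True if an IpPermissions entry reaches `port` (IpProtocol -1 means all)."""
    proto = perm.get("IpProtocol")
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def check_origin_security_group(sg: dict, cloudfront_pl_id: str) -> dict:
    """Summarise who can reach a web port on this group."""
    open_sources = []          # CIDRs letting the whole internet reach 80/443
    uses_cloudfront_pl = False
    for perm in sg.get("IpPermissions", []):
        if not any(rule_covers_port(perm, p) for p in WEB_PORTS):
            continue
        open_sources += [r["CidrIp"] for r in perm.get("IpRanges", [])
                         if r.get("CidrIp") == "0.0.0.0/0"]
        open_sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])
                         if r.get("CidrIpv6") == "::/0"]
        if any(pl.get("PrefixListId") == cloudfront_pl_id
               for pl in perm.get("PrefixListIds", [])):
            uses_cloudfront_pl = True
    return {
        "group": sg.get("GroupId"),
        "open_to_internet": open_sources,
        # Only counts as CloudFront-only if nothing else opens the web ports.
        "cloudfront_only": uses_cloudfront_pl and not open_sources,
    }


# Constructed sample data; the prefix list id is a placeholder, not a real one.
CONSTRUCTED_CF_PL_ID = "pl-0example0cloudfront"
SAMPLE_GROUPS = [
    {"GroupId": "sg-0example0open",      # HTTPS open to the world
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [], "PrefixListIds": []}]},
    {"GroupId": "sg-0example0cfonly",    # CloudFront prefix list only
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [], "Ipv6Ranges": [],
                        "PrefixListIds": [{"PrefixListId": CONSTRUCTED_CF_PL_ID}]}]},
    {"GroupId": "sg-0example0alltraffic",  # all protocols/ports, IPv4 and IPv6
     "IpPermissions": [{"IpProtocol": "-1",
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                        "Ipv6Ranges": [{"CidrIpv6": "::/0"}], "PrefixListIds": []}]},
]


def scan_groups(groups: list, cloudfront_pl_id: str) -> list:
    return [check_origin_security_group(g, cloudfront_pl_id) for g in groups]


if __name__ == "__main__":
    for r in scan_groups(SAMPLE_GROUPS, CONSTRUCTED_CF_PL_ID):
        status = "CloudFront-only" if r["cloudfront_only"] else "EXPOSED"
        print(f"{r['group']:<28} {status:<16} open to: {r['open_to_internet'] or '-'}")
```

Restricting the group to the managed prefix list blocks direct hits from arbitrary addresses, but the ranges are shared by every CloudFront customer, so another distribution could still be pointed at the origin. The usual complement is a secret custom origin header added by the distribution and required by the origin (or AWS WAF at the origin), which the security group check alone does not cover.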

Check all 22 resource types at once

Instead of checking each service manually, scan your entire AWS account and see every public exposure ranked by risk.
