CloudFront Distribution Has Geo Restrictions Enabled
Overview
This check verifies that your Amazon CloudFront distributions have geographic restrictions enabled. Geographic restrictions (also called geo-blocking) allow you to control which countries can access your content by using either an allowlist (permit only specific countries) or a blocklist (block specific countries).
Risk
Without geographic restrictions on your CloudFront distributions, your content is accessible from anywhere in the world. This creates several security and compliance concerns:
- Compliance violations: Content may be accessible from sanctioned countries or regions where you are not licensed to distribute
- Increased attack surface: Your distribution is open to bot abuse, web scraping, and DDoS staging activities from any location
- Fraud exposure: Higher risk of credential stuffing, payment fraud, and other malicious activities originating from regions you do not serve
- Regulatory issues: May violate data sovereignty requirements or export control regulations
Severity: Low
Remediation Steps
Prerequisites
- Access to the AWS Console with permissions to modify CloudFront distributions
- A list of countries you want to allow or block
Choosing between allowlist and blocklist
Allowlist (recommended when possible):
- Use when you know exactly which countries your users should come from
- More secure: only explicitly permitted countries can access content
- Example: A US-only service would allowlist just "US"
Blocklist:
- Use when you need broad access but must block specific countries
- Useful for blocking sanctioned countries or known threat origins
- Example: Block countries on OFAC sanctions lists
Common countries to consider blocking for compliance:
- North Korea (KP)
- Iran (IR)
- Syria (SY)
- Cuba (CU)
- Russia (RU) - depending on your requirements
AWS Console Method
- Sign in to the AWS Console
- Navigate to CloudFront (search for it in the search bar)
- Click on the distribution you want to configure
- Click the Security tab
- Scroll down to Geographic restrictions and click Edit
- Under Restriction type, choose one of:
  - Allow list: Select countries that CAN access your content
  - Block list: Select countries that CANNOT access your content
- Select the countries from the list (you can search by country name)
- Click Save changes
- Wait for the distribution's Last modified column to change from "Deploying" to a timestamp, which indicates the change has propagated to the edge locations (this typically takes a few minutes)
AWS CLI (optional)
Updating geo restrictions via CLI requires modifying the full distribution configuration. Follow these steps:
Step 1: Get the current distribution configuration
```shell
aws cloudfront get-distribution-config \
  --id E1EXAMPLE12345 \
  --region us-east-1 \
  --output json > /tmp/dist-config.json
```
Step 2: Note the ETag value
```shell
ETAG=$(jq -r '.ETag' /tmp/dist-config.json)
echo "ETag: $ETAG"
```
Step 3: Modify the geo restrictions
Extract the DistributionConfig and update the Restrictions block:
For an allowlist (allow only US and Canada):
```shell
jq '.DistributionConfig.Restrictions.GeoRestriction = {
      "RestrictionType": "whitelist",
      "Quantity": 2,
      "Items": ["US", "CA"]
    } | .DistributionConfig' /tmp/dist-config.json > /tmp/updated-config.json
```
For a blocklist (block specific countries):
```shell
jq '.DistributionConfig.Restrictions.GeoRestriction = {
      "RestrictionType": "blacklist",
      "Quantity": 5,
      "Items": ["KP", "IR", "SY", "CU", "RU"]
    } | .DistributionConfig' /tmp/dist-config.json > /tmp/updated-config.json
```
Step 4: Update the distribution
```shell
aws cloudfront update-distribution \
  --id E1EXAMPLE12345 \
  --if-match "$ETAG" \
  --distribution-config file:///tmp/updated-config.json \
  --region us-east-1
```
Replace:
- E1EXAMPLE12345 with your actual distribution ID
- The country codes with your desired allowlist or blocklist
- Quantity so that it equals the number of entries in Items (the API rejects the update if they differ)
List All Distributions to Find IDs
```shell
aws cloudfront list-distributions \
  --region us-east-1 \
  --query 'DistributionList.Items[*].[Id,DomainName,Comment]' \
  --output table
```
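The jq filter in Step 3 hardcodes Quantity, which must match the number of entries in Items. The script below is an added example (not part of Prowler or the AWS CLI) that builds the same update-distribution payload from the saved get-distribution-config output, validates the country codes and derives Quantity automatically; SAMPLE_GET_OUTPUT is a constructed stand-in for /tmp/dist-config.json.

```python
import json

# Constructed stand-in for /tmp/dist-config.json (the output of
# `aws cloudfront get-distribution-config`), trimmed to the fields used here.
SAMPLE_GET_OUTPUT = json.dumps({
    "ETag": "E2QWRUHEXAMPLE",
    "DistributionConfig": {
        "CallerReference": "constructed-example",
        "Comment": "constructed sample distribution",
        "Enabled": True,
        "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0}},
    },
})

VALID_TYPES = {"whitelist", "blacklist", "none"}


def build_geo_restricted_config(get_output, restriction_type, countries):
    """Return (etag, distribution_config) for `update-distribution`.

    Quantity is derived from Items so the two cannot drift apart, and every
    code is normalised and checked for ISO 3166-1 alpha-2 shape (two letters).
    """
    if restriction_type not in VALID_TYPES:
        raise ValueError(f"RestrictionType must be one of {sorted(VALID_TYPES)}")
    items = []
    for code in countries:
        code = code.strip().upper()
        if len(code) != 2 or not code.isalpha():
            raise ValueError(f"not an ISO 3166-1 alpha-2 code: {code!r}")
        if code not in items:          # drop duplicates, keep first-seen order
            items.append(code)
    if restriction_type == "none" and items:
        raise ValueError("RestrictionType 'none' takes no country codes")
    if restriction_type != "none" and not items:
        raise ValueError(f"'{restriction_type}' needs at least one country code")
    payload = json.loads(get_output)
    etag = payload["ETag"]                     # pass as --if-match
    config = payload["DistributionConfig"]     # pass as --distribution-config
    geo = {"RestrictionType": restriction_type, "Quantity": len(items)}
    if items:
        geo["Items"] = items
    config.setdefault("Restrictions", {})["GeoRestriction"] = geo
    return etag, config


if __name__ == "__main__":
    etag, cfg = build_geo_restricted_config(SAMPLE_GET_OUTPUT, "whitelist", ["us", "ca", "US"])
    print("ETag:", etag)
    print(json.dumps(cfg, indent=2))
```

Write the printed config to a file and pass it with `--distribution-config file://...` together with the printed ETag in `--if-match`, exactly as in Step 4.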
CloudFormation (optional)
CloudFormation Template
This template creates a CloudFront distribution with geographic restrictions enabled.
Example with allowlist (US and Canada only):
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: CloudFront distribution with geographic restrictions
Parameters:
  OriginDomainName:
    Type: String
    Description: Domain name of your origin (e.g., my-bucket.s3.amazonaws.com)
Resources:
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        Comment: CloudFront distribution with geo restrictions
        Origins:
          - Id: myOrigin
            DomainName: !Ref OriginDomainName
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        DefaultCacheBehavior:
          TargetOriginId: myOrigin
          ViewerProtocolPolicy: redirect-to-https
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
        Restrictions:
          GeoRestriction:
            RestrictionType: whitelist
            Locations:
              - US
              - CA
Outputs:
  DistributionId:
    Description: CloudFront distribution ID
    Value: !Ref CloudFrontDistribution
  DistributionDomainName:
    Description: CloudFront distribution domain name
    Value: !GetAtt CloudFrontDistribution.DomainName
```
Example with blocklist (replace the Restrictions block under DistributionConfig):
```yaml
Restrictions:
  GeoRestriction:
    RestrictionType: blacklist
    Locations:
      - KP
      - IR
      - SY
      - CU
      - RU
```
Deploy the Stack
```shell
aws cloudformation create-stack \
  --stack-name cloudfront-geo-restricted \
  --template-body file://cloudfront-geo.yaml \
  --parameters ParameterKey=OriginDomainName,ParameterValue=my-origin.example.com \
  --region us-east-1
```
Updating an Existing Distribution
If your CloudFront distribution is already managed by CloudFormation, add or update the Restrictions block within DistributionConfig:
```yaml
ExistingDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      # ... existing configuration ...
      Restrictions:
        GeoRestriction:
          RestrictionType: whitelist
          Locations:
            - US
            - CA
            - GB
```
Terraform (optional)
Terraform Configuration
```hcl
variable "allowed_countries" {
  description = "List of country codes allowed to access the distribution"
  type        = list(string)
  default     = ["US", "CA"]
}

variable "origin_domain_name" {
  description = "Domain name of the origin server"
  type        = string
}

# CloudFront distribution with geo restrictions (allowlist)
resource "aws_cloudfront_distribution" "geo_restricted" {
  enabled = true
  comment = "CloudFront distribution with geo restrictions"

  origin {
    domain_name = var.origin_domain_name
    origin_id   = "myOrigin"

    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"
      origin_ssl_protocols   = ["TLSv1.2"]
    }
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "myOrigin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  # Geographic restrictions - allowlist example
  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = var.allowed_countries
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  tags = {
    Name        = "geo-restricted-distribution"
    Environment = "production"
    ManagedBy   = "terraform"
  }
}

output "distribution_id" {
  description = "CloudFront distribution ID"
  value       = aws_cloudfront_distribution.geo_restricted.id
}

output "distribution_domain_name" {
  description = "CloudFront distribution domain name"
  value       = aws_cloudfront_distribution.geo_restricted.domain_name
}
```
Blocklist Example
To use a blocklist instead, change the restrictions block:
```hcl
variable "blocked_countries" {
  description = "List of country codes blocked from accessing the distribution"
  type        = list(string)
  default     = ["KP", "IR", "SY", "CU", "RU"]
}

restrictions {
  geo_restriction {
    restriction_type = "blacklist"
    locations        = var.blocked_countries
  }
}
```
Apply the Configuration
```shell
terraform init
terraform plan -var="origin_domain_name=my-origin.example.com"
terraform apply -var="origin_domain_name=my-origin.example.com"
```
Verification
After enabling geo restrictions, verify the configuration:
- Open the CloudFront console
- Select your distribution
- Click the Security tab
- Under Geographic restrictions, confirm:
  - Restriction type shows "Allow list" or "Block list" (not "No restrictions")
  - The correct countries are listed
CLI verification commands
Check geo restrictions on a specific distribution:
```shell
aws cloudfront get-distribution \
  --id E1EXAMPLE12345 \
  --region us-east-1 \
  --query 'Distribution.DistributionConfig.Restrictions.GeoRestriction'
```
Expected output when geo restrictions are enabled:
```json
{
    "RestrictionType": "whitelist",
    "Quantity": 2,
    "Items": [
        "CA",
        "US"
    ]
}
```
If restrictions are NOT enabled, you will see:
```json
{
    "RestrictionType": "none",
    "Quantity": 0
}
```
Re-run Prowler to confirm the check passes:
```shell
prowler aws --check cloudfront_distributions_geo_restrictions_enabled
```
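To review a whole account rather than one distribution at a time, the added example below (not Prowler's own code) applies the same condition as the check above to the Items array of `aws cloudfront list-distributions --output json`, and additionally flags allowlists that include, or blocklists that omit, the compliance countries named earlier on this page. SAMPLE_DISTRIBUTIONS is a constructed sample with fake ids and domain names.

```python
# Constructed sample shaped like `DistributionList.Items` from
# `aws cloudfront list-distributions --output json` (ids and domains are fake).
SAMPLE_DISTRIBUTIONS = [
    {"Id": "E1EXAMPLE12345", "DomainName": "d111111abcdef8.cloudfront.net",
     "Restrictions": {"GeoRestriction": {"RestrictionType": "whitelist",
                                         "Quantity": 2, "Items": ["CA", "US"]}}},
    {"Id": "E2EXAMPLE67890", "DomainName": "d222222abcdef8.cloudfront.net",
     "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0}}},
    {"Id": "E3EXAMPLE24680", "DomainName": "d333333abcdef8.cloudfront.net"},
    {"Id": "E4EXAMPLE13579", "DomainName": "d444444abcdef8.cloudfront.net",
     "Restrictions": {"GeoRestriction": {"RestrictionType": "blacklist",
                                         "Quantity": 2, "Items": ["KP", "IR"]}}},
]

# Countries this guide lists as common compliance blocks; RU is left out
# because the guide makes it depend on your own requirements.
REQUIRED_BLOCKED = frozenset({"KP", "IR", "SY", "CU"})


def evaluate_geo_restriction(dist, required_blocked=REQUIRED_BLOCKED):
    """Mirror the Prowler check (FAIL when no restriction is configured) and
    add a compliance layer: an allowlist must not include, and a blocklist
    must cover, every country in `required_blocked`."""
    geo = dist.get("Restrictions", {}).get("GeoRestriction", {})
    rtype = geo.get("RestrictionType", "none")   # absent key == no restriction
    items = set(geo.get("Items", []))
    result = {"Id": dist["Id"], "type": rtype, "status": "PASS", "reason": ""}
    if rtype == "none" or not items:
        result.update(status="FAIL", reason="no geographic restrictions configured")
    elif rtype == "whitelist" and items & required_blocked:
        result.update(status="FAIL",
                      reason=f"allowlist permits {sorted(items & required_blocked)}")
    elif rtype == "blacklist" and required_blocked - items:
        result.update(status="FAIL",
                      reason=f"blocklist is missing {sorted(required_blocked - items)}")
    return result


def failing_distribution_ids(distributions, required_blocked=REQUIRED_BLOCKED):
    """Ids that need remediation, in the order they were listed."""
    return [r["Id"] for r in (evaluate_geo_restriction(d, required_blocked)
                              for d in distributions) if r["status"] == "FAIL"]


if __name__ == "__main__":
    for d in SAMPLE_DISTRIBUTIONS:
        r = evaluate_geo_restriction(d)
        print(f"{r['Id']}  {r['status']:4}  {r['type']:9}  {r['reason']}")
```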
Additional Resources
- Restricting the geographic distribution of your content - Amazon CloudFront Developer Guide
- ISO 3166-1 alpha-2 country codes - List of valid country codes
- OFAC Sanctions Programs - US Treasury sanctions information
- AWS CloudFront Pricing
Notes
- Country codes: Use ISO 3166-1 alpha-2 two-letter country codes (e.g., US, CA, GB, DE). The full list is available in the AWS Console dropdown or the ISO 3166-1 standard.
- Geo-IP accuracy: CloudFront uses third-party geo-IP databases that are generally accurate but not perfect. In rare cases, a user's location may be incorrectly identified.
- User experience: Blocked users receive an HTTP 403 (Forbidden) error. Consider customizing your CloudFront error pages to provide a friendly message explaining why access is restricted.
- Propagation time: Changes to geographic restrictions propagate to all CloudFront edge locations. This typically takes a few minutes to complete.
- Layered security: Geo restrictions should be part of a defense-in-depth strategy. Consider combining with:
  - AWS WAF for additional request filtering
  - Signed URLs or cookies for authenticated content delivery
  - Origin access control (OAC) to secure your origin
- Compliance review: If implementing geo restrictions for legal or regulatory compliance, consult with your legal team to ensure the country list meets your obligations.
- Cost: Geographic restrictions do not add any additional cost to your CloudFront distribution.