Cache all headers #98

Closed
wants to merge 1 commit into from

Conversation

dylanratcliffe (Member)

Cache all headers rather than just the few

Expected Changes

updated cloudfront-response-headers-policy › 8ed09a88-177f-4f37-a844-66b7b54a7cda
--- current
+++ planned
@@ -3,11 +3,7 @@
     - access_control_allow_credentials: false
       access_control_allow_headers:
         - items:
-            - Accept
-            - Accept-Encoding
-            - Content-Encoding
-            - Content-Length
-            - Content-Type
+            - '*'
       access_control_allow_methods:
         - items:
             - GET
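Review bot: the attribute changed in this hunk is `access_control_allow_headers` in the policy's CORS configuration, which sets the `Access-Control-Allow-Headers` preflight response header; it does not change what CloudFront caches or forwards, so the commit message "Cache all headers rather than just the few" does not describe what this hunk does. If widening CORS is the intent, two properties of `'*'` matter: browsers honour it as a wildcard only because `access_control_allow_credentials` is `false` two lines above (for credentialed requests `*` is matched as a literal header name), and the Fetch Standard never lets the wildcard cover `Authorization`, so a client sending a bearer token would still need that header listed explicitly. Of the five entries being removed, `Accept-Encoding` and `Content-Length` are forbidden request headers that a script cannot set, so they were never gating anything. Suggest either keeping an explicit list or rewording the commit message to state the CORS change.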
replaced ec2-instance › i-0f24c04384c85df4c
--- current
+++ planned
@@ -1,87 +1,13 @@
-ami: ami-0f6ef532e80fd6438
-arn: arn:aws:ec2:eu-west-2:540044833068:instance/i-0f24c04384c85df4c
-associate_public_ip_address: true
-availability_zone: eu-west-2b
-capacity_reservation_specification:
-    - capacity_reservation_preference: open
-      capacity_reservation_target: []
-cpu_core_count: 1
-cpu_options:
-    - amd_sev_snp: ""
-      core_count: 1
-      threads_per_core: 2
-cpu_threads_per_core: 2
-credit_specification:
-    - cpu_credits: unlimited
-disable_api_stop: false
-disable_api_termination: false
-ebs_block_device: []
-ebs_optimized: false
-enclave_options:
-    - enabled: false
-ephemeral_block_device: []
+ami: ami-0660fb335a3d9fe6b
+credit_specification: []
 get_password_data: false
-hibernation: false
-host_id: ""
-iam_instance_profile: ""
-id: i-0f24c04384c85df4c
-instance_initiated_shutdown_behavior: stop
-instance_lifecycle: ""
-instance_market_options: []
-instance_state: running
 instance_type: t3.micro
-ipv6_address_count: 0
-ipv6_addresses: []
-key_name: ""
 launch_template: []
-maintenance_options:
-    - auto_recovery: default
-metadata_options:
-    - http_endpoint: enabled
-      http_protocol_ipv6: disabled
-      http_put_response_hop_limit: 1
-      http_tokens: optional
-      instance_metadata_tags: disabled
-monitoring: false
-network_interface: []
-outpost_arn: ""
-password_data: ""
-placement_group: ""
-placement_partition_number: 0
-primary_network_interface_id: eni-0a7cd7bf7f01cb6de
-private_dns: ip-172-31-33-16.eu-west-2.compute.internal
-private_dns_name_options:
-    - enable_resource_name_dns_a_record: false
-      enable_resource_name_dns_aaaa_record: false
-      hostname_type: ip-name
-private_ip: 172.31.33.16
-public_dns: ec2-18-169-19-105.eu-west-2.compute.amazonaws.com
-public_ip: 18.169.19.105
-root_block_device:
-    - delete_on_termination: true
-      device_name: /dev/xvda
-      encrypted: false
-      iops: 0
-      kms_key_id: ""
-      tags: {}
-      tags_all: {}
-      throughput: 0
-      volume_id: vol-0d62a85478c544066
-      volume_size: 8
-      volume_type: standard
-secondary_private_ips: []
-security_groups:
-    - default
 source_dest_check: true
-spot_instance_request_id: ""
-subnet_id: subnet-0ef2e7d283a63f71b
 tags:
     Name: SG Removal Example Instance 1
 tags_all:
     Name: SG Removal Example Instance 1
-tenancy: default
 terraform_address: module.scenarios[0].aws_instance.example_1
 terraform_name: module.scenarios[0].aws_instance.example_1
 user_data_replace_on_change: false
-vpc_security_group_ids:
-    - sg-0948cdc916d1efffd
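Review bot: the AMI change (`ami-0f6ef532e80fd6438` to `ami-0660fb335a3d9fe6b`) forces replacement of a running, publicly addressed instance (`public_ip: 18.169.19.105`), and the planned side shows no value for the attributes that matter for hardening: `metadata_options` (currently `http_tokens: optional`, so IMDSv1 is still accepted), `root_block_device` (currently `encrypted: false`) and `vpc_security_group_ids` (currently the `default` group). If none of these are set in `module.scenarios[0].aws_instance.example_1`, the new instance will come up with provider defaults again. Since it is being recreated anyway, set `http_tokens = "required"` and `encrypted = true` explicitly, and confirm that landing in the default security group is intentional.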
replaced ec2-instance › i-0309be06b8d1f7ccb
--- current
+++ planned
@@ -1,87 +1,13 @@
-ami: ami-0f6ef532e80fd6438
-arn: arn:aws:ec2:eu-west-2:540044833068:instance/i-0309be06b8d1f7ccb
-associate_public_ip_address: true
-availability_zone: eu-west-2b
-capacity_reservation_specification:
-    - capacity_reservation_preference: open
-      capacity_reservation_target: []
-cpu_core_count: 1
-cpu_options:
-    - amd_sev_snp: ""
-      core_count: 1
-      threads_per_core: 2
-cpu_threads_per_core: 2
-credit_specification:
-    - cpu_credits: unlimited
-disable_api_stop: false
-disable_api_termination: false
-ebs_block_device: []
-ebs_optimized: false
-enclave_options:
-    - enabled: false
-ephemeral_block_device: []
+ami: ami-0660fb335a3d9fe6b
+credit_specification: []
 get_password_data: false
-hibernation: false
-host_id: ""
-iam_instance_profile: ""
-id: i-0309be06b8d1f7ccb
-instance_initiated_shutdown_behavior: stop
-instance_lifecycle: ""
-instance_market_options: []
-instance_state: running
 instance_type: t3.micro
-ipv6_address_count: 0
-ipv6_addresses: []
-key_name: ""
 launch_template: []
-maintenance_options:
-    - auto_recovery: default
-metadata_options:
-    - http_endpoint: enabled
-      http_protocol_ipv6: disabled
-      http_put_response_hop_limit: 1
-      http_tokens: optional
-      instance_metadata_tags: disabled
-monitoring: false
-network_interface: []
-outpost_arn: ""
-password_data: ""
-placement_group: ""
-placement_partition_number: 0
-primary_network_interface_id: eni-0511c4aa016e947ce
-private_dns: ip-172-31-40-69.eu-west-2.compute.internal
-private_dns_name_options:
-    - enable_resource_name_dns_a_record: false
-      enable_resource_name_dns_aaaa_record: false
-      hostname_type: ip-name
-private_ip: 172.31.40.69
-public_dns: ec2-13-40-88-32.eu-west-2.compute.amazonaws.com
-public_ip: 13.40.88.32
-root_block_device:
-    - delete_on_termination: true
-      device_name: /dev/xvda
-      encrypted: false
-      iops: 0
-      kms_key_id: ""
-      tags: {}
-      tags_all: {}
-      throughput: 0
-      volume_id: vol-03a9776afc3cbeef4
-      volume_size: 8
-      volume_type: standard
-secondary_private_ips: []
-security_groups:
-    - default
 source_dest_check: true
-spot_instance_request_id: ""
-subnet_id: subnet-0ef2e7d283a63f71b
 tags:
     Name: SG Removal Example Instance 1
 tags_all:
     Name: SG Removal Example Instance 1
-tenancy: default
 terraform_address: module.scenarios[0].aws_instance.example_2
 terraform_name: module.scenarios[0].aws_instance.example_2
 user_data_replace_on_change: false
-vpc_security_group_ids:
-    - sg-0948cdc916d1efffd
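Review bot: `tags.Name` and `tags_all.Name` read `SG Removal Example Instance 1` while `terraform_address` is `module.scenarios[0].aws_instance.example_2`, and the instance above carries the identical Name; this looks like a copy-paste in the module and leaves the two instances indistinguishable in the console and in any Name-based filtering. Suggest `SG Removal Example Instance 2` here. The replacement caveats raised for `example_1` apply equally: the current side shows `http_tokens: optional` and `encrypted: false`, and the planned side shows neither attribute.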

Blast Radius

Items: 104
Edges: 120


Risks

Increased Load on Origin Servers Due to Broad Header Caching [Medium]

The change to cache all headers (*) in the aws_cloudfront_response_headers_policy policy can substantially increase the number of requests forwarded to the origin servers, bypassing CloudFront's cache. This situation could arise because unique headers introduced by clients or intermediaries would prevent cache hits, leading to an increased load on the origin, identified as EC2 instances (540044833068.eu-west-2.ec2-instance.i-0f24c04384c85df4c and 540044833068.eu-west-2.ec2-instance.i-0309be06b8d1f7ccb). Considering the current state of these instances, with their configurations (t3.micro), this could potentially cause performance degradation or even service unavailability if the load significantly exceeds their processing capabilities.

Potential Unintended Disclosure of Sensitive Information [Medium]

Allowing all headers (*) might inadvertently lead to caching and exposing sensitive information if such data is passed within response headers from the origin. Given the current infrastructure layout and the presence of ECS tasks (540044833068.eu-west-2.ecs-task.example/00b76c0a808a44479911d7216b653eb6 and 540044833068.eu-west-2.ecs-task.example/70f04b4090fa45fe8e0b2194bb1fe26e), which might include dynamically generated headers containing sensitive information, this poses an implicit risk of unauthorized information access through cached headers.

Increased Complexity in Debugging [Low]

Configuring the policy to accept all headers increases variability in cache behavior, potentially making debugging more complex, especially in identifying issues tied to caching and header handling. While the configured policy (540044833068.cloudfront-response-headers-policy.8ed09a88-177f-4f37-a844-66b7b54a7cda) directly impacts CloudFront's behavior, it implicates related CloudFront distributions (540044833068.cloudfront-distribution.ENCRXJFTQ8556 and 540044833068.cloudfront-distribution.E15V1JM5GZXBKB), necessitating broader monitoring to diagnose issues effectively.
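
The attribute changed in the plan above is the CORS `Access-Control-Allow-Headers` list of the response headers policy, so what `'*'` actually buys depends on how a browser evaluates the preflight. The following is an added example, not Overmind's, CloudFront's or this repository's code: it implements the relevant Fetch Standard rules as this editor understands them (the wildcard is honoured only for requests without credentials, `Authorization` is never covered by the wildcard, and CORS-safelisted headers never need permission) and evaluates the current and planned header lists from the diff against two constructed requests. The requests carrying `Authorization` and `X-Request-Id`, and the simplified safelist, are assumptions and are not taken from the PR.

```python
"""Preflight evaluation of Access-Control-Allow-Headers, including the `*` wildcard.

Added example for this PR discussion; not Overmind, CloudFront or project code.
Rules implemented (WHATWG Fetch Standard, CORS-preflight fetch):

  * `*` in Access-Control-Allow-Headers is a wildcard only when the request is
    sent without credentials. With credentials, `*` matches only a header that
    is literally named "*".
  * `Authorization` is a "CORS non-wildcard request-header name": it must be
    listed explicitly even when `*` is present.
  * CORS-safelisted request headers never need to be listed.

The safelist below is simplified (value-length limits and the byte-level checks
on Content-Type are omitted). The two header lists come from the plan diff in
this PR; the sample requests are constructed for the example.
"""

SAFELISTED_NAMES = {"accept", "accept-language", "content-language"}
SAFELISTED_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
NON_WILDCARD_NAMES = {"authorization"}


def is_cors_safelisted(name: str, value: str) -> bool:
    """Simplified CORS-safelisted request-header test."""
    lname = name.lower()
    if lname in SAFELISTED_NAMES:
        return True
    if lname == "content-type":
        # Only the MIME essence counts; parameters such as charset are ignored.
        essence = value.split(";", 1)[0].strip().lower()
        return essence in SAFELISTED_CONTENT_TYPES
    return False


def cors_unsafe_names(request_headers: dict[str, str]) -> list[str]:
    """Header names the preflight must obtain permission for."""
    return [n for n, v in request_headers.items() if not is_cors_safelisted(n, v)]


def preflight_headers_allowed(
    request_headers: dict[str, str],
    allow_headers: list[str],
    credentials: bool,
) -> tuple[bool, list[str]]:
    """Return (allowed, blocked_names) for a preflight against the given policy."""
    allowed = {h.strip().lower() for h in allow_headers}
    # The wildcard only counts for requests made without credentials.
    wildcard = "*" in allowed and not credentials
    blocked: list[str] = []
    for name in cors_unsafe_names(request_headers):
        lname = name.lower()
        if lname in allowed:
            continue
        # Authorization is never covered by the wildcard.
        if wildcard and lname not in NON_WILDCARD_NAMES:
            continue
        blocked.append(name)
    return (not blocked, blocked)


# Header lists from the plan diff in this PR (current vs planned).
CURRENT_ALLOW_HEADERS = ["Accept", "Accept-Encoding", "Content-Encoding", "Content-Length", "Content-Type"]
PLANNED_ALLOW_HEADERS = ["*"]

# Constructed sample requests (assumptions, not from the PR).
JSON_REQUEST = {"Content-Type": "application/json", "X-Request-Id": "abc123"}
BEARER_REQUEST = {"Authorization": "Bearer <token>", "Content-Type": "application/json"}


def compare_policies() -> dict[str, tuple[bool, list[str]]]:
    """Evaluate both policies against both requests, with and without credentials."""
    results: dict[str, tuple[bool, list[str]]] = {}
    for label, policy in (("current", CURRENT_ALLOW_HEADERS), ("planned", PLANNED_ALLOW_HEADERS)):
        for req_label, req in (("json", JSON_REQUEST), ("bearer", BEARER_REQUEST)):
            for creds in (False, True):
                key = f"{label}/{req_label}/credentials={creds}"
                results[key] = preflight_headers_allowed(req, policy, creds)
    return results


if __name__ == "__main__":
    for key, (ok, blocked) in compare_policies().items():
        print(f"{key}: {'allowed' if ok else 'blocked ' + ', '.join(blocked)}")
```

With `access_control_allow_credentials` left at `false`, the planned `'*'` admits the custom `X-Request-Id` header that the current list blocks, but still rejects the bearer-token request because `Authorization` is not listed; if credentials were later switched to `true`, `'*'` would become a literal header name and every non-safelisted header would be blocked.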

dylanratcliffe deleted the headers-update branch April 24, 2024 13:50