model|risks_v6 · Encryption Key State Risk · KMS Key Creation

🔴 Change Signals

- Policies 🔴: S3 bucket 'aws_s3_bucket.terraform-example-state-bucket' lacks server-side encryption and multiple required tags, while security group 'module.shared_security_group.aws_security_group.internet_access[0]' allows SSH access from anywhere, which is unusual compared to typical patterns.
- Routine ⚪: Building baseline for default_cache_behavior (first observation).

Forwarding all cookies without including them in the cache key will cache and serve Set-Cookie headers across users
Severity: High · Status: Open Risk
The CloudFront distribution E2K9BRXH072ZBK is switching from explicit forwarded_values (cookies none, query strings false) to a cache policy and an origin request policy. The attached cache policy loom-replication-static-cache excludes cookies from the cache key, while the origin request policy loom-replication-forward-all forwards all viewer cookies to the origin. This means CloudFront will forward cookies but won’t vary the cache by cookie, so responses for cached routes can be shared across users.
Because our session middleware sets Set-Cookie on any request that carries a session cookie, CloudFront will cache those Set-Cookie headers and return them on cache hits to other viewers, leaking session cookies and breaking session isolation. No response headers policy or edge function is present to strip Set-Cookie, and the default behavior still caches GET/HEAD. This will cause cross-user session exposure and authentication breakage.
Summary: the distribution's caching behavior was modified by attaching a cache policy and an origin request policy and removing the explicit forwarded_values controls for cookies and query strings. With cache_policy_id and origin_request_policy_id now governing forwarding, cookies and query strings that were previously blocked may be sent to the origin and included in cached responses. On static asset behaviors this can cause Set-Cookie headers to be cached and served to multiple users, leaking session cookies and breaking session isolation, contrary to CloudFront cookie-caching best practices.
Investigation
I first loaded our CloudFront cookie-caching org knowledge, which states our session middleware sends Set-Cookie on any request that includes a session cookie and that static asset behaviors must not forward cookies. I reviewed the distribution diff for 540044833068.cloudfront-distribution.E2K9BRXH072ZBK: it removes forwarded_values (cookies none, query_string false) and attaches cache_policy_id e029a2a5-… and origin_request_policy_id 30f587ad-….

Using live queries, I verified the cache policy “loom-replication-static-cache” includes no cookies or query strings in the cache key, while the origin request policy “loom-replication-forward-all” forwards all cookies to the origin. Per AWS docs, the cache policy controls the cache key and automatically forwards those values; the origin request policy adds additional values to origin requests but not to the cache key, i.e., cookies forwarded via the origin request policy are not in the cache key. As a result, all viewer cookies are forwarded to the origin while the cache key does not vary by cookie.

AWS also documents that when CloudFront is configured to forward cookies, it caches Set-Cookie headers from the origin and serves them on subsequent cache hits. The distribution’s DefaultCacheBehavior caches GET/HEAD with nonzero TTLs and has no response headers policy or functions to strip Set-Cookie, so the leaked Set-Cookie would be served to other viewers. Query strings remain not forwarded in both policies, so the risk is specifically about cookies.

This squarely violates our documented practice to never forward cookies on cached static routes and leads to session leakage. Therefore, the hypothesis is real and high severity. Citations: origin request + cache policy interaction and cache key behavior, and Set-Cookie caching behavior when cookies are forwarded. (docs.aws.amazon.com)
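The policy interaction described above (cookies forwarded by the origin request policy but absent from the cache key, on a behavior that caches GET with no Set-Cookie stripping), as an added defender-side check that is not part of the PR or of the tool that produced this report. It assumes policy documents shaped like the responses of cloudfront:GetCachePolicy, GetOriginRequestPolicy and GetDistribution; the documents below are constructed, and the corrected policy name "example-forward-none" is hypothetical.

```python
# Added example, not from the PR or the tool that produced this report: a defender-side
# check that reproduces the finding from policy documents shaped like the responses of
# cloudfront:GetCachePolicy, GetOriginRequestPolicy and GetDistribution. The documents
# below are constructed for the example; the two policy names come from the report.
def _cookie_spec(cfg):
    """(behavior, names) from a CookiesConfig block."""
    return cfg["CookieBehavior"], set(cfg.get("Cookies", {}).get("Items", []))

def cookies_forwarded_but_not_keyed(cache_policy, origin_request_policy):
    """True when some cookie reaches the origin but is absent from the cache key."""
    kb, kn = _cookie_spec(cache_policy["ParametersInCacheKeyAndForwardedToOrigin"]["CookiesConfig"])
    fb, fn = _cookie_spec(origin_request_policy["CookiesConfig"])
    if fb == "none" or kb == "all":
        return False
    if kb == "none":          # nothing in the key, so every forwarded cookie is shared
        return True
    if kb == "whitelist":     # only the whitelisted names are keyed
        return fb != "whitelist" or not fn <= kn
    if fb == "whitelist":     # kb == "allExcept": exactly the excepted names are unkeyed
        return bool(fn & kn)
    return bool(kn if fb == "all" else kn - fn)

def assess(behavior, cache_policy, origin_request_policy):
    """List the conditions that together let cached Set-Cookie headers reach other viewers."""
    findings = []
    if cookies_forwarded_but_not_keyed(cache_policy, origin_request_policy):
        findings.append("cookies forwarded by the origin request policy are not in the cache key")
    if "GET" in behavior["AllowedMethods"]["CachedMethods"]["Items"] and cache_policy["MaxTTL"] > 0:
        findings.append("GET responses are cached with a nonzero TTL")
    edge_fns = [behavior.get(k, {}).get("Items") for k in ("FunctionAssociations", "LambdaFunctionAssociations")]
    if not behavior.get("ResponseHeadersPolicyId") and not any(edge_fns):
        findings.append("no response headers policy or edge function strips Set-Cookie")
    return findings

def is_cross_user_set_cookie_risk(behavior, cache_policy, origin_request_policy):
    return len(assess(behavior, cache_policy, origin_request_policy)) == 3

# Constructed documents mirroring the state described in the report (TTL value is made up).
STATIC_CACHE = {"Name": "loom-replication-static-cache", "MaxTTL": 31536000,
                "ParametersInCacheKeyAndForwardedToOrigin": {
                    "CookiesConfig": {"CookieBehavior": "none"},
                    "QueryStringsConfig": {"QueryStringBehavior": "none"}}}
FORWARD_ALL = {"Name": "loom-replication-forward-all", "CookiesConfig": {"CookieBehavior": "all"}}
FORWARD_NONE = {"Name": "example-forward-none", "CookiesConfig": {"CookieBehavior": "none"}}  # hypothetical fix
DEFAULT_BEHAVIOR = {"AllowedMethods": {"Items": ["GET", "HEAD"], "CachedMethods": {"Items": ["GET", "HEAD"]}}}

if __name__ == "__main__":
    for orp in (FORWARD_ALL, FORWARD_NONE):
        print(orp["Name"], "->", assess(DEFAULT_BEHAVIOR, STATIC_CACHE, orp))
```

The same check generalises to whitelist and allExcept cookie behaviors on either policy, which the report's single none/all case does not exercise.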