From e8b8c0d8fa835de964277368eb1971982a50d67b Mon Sep 17 00:00:00 2001
From: Daniel Barranquero <74871504+danibarranqueroo@users.noreply.github.com>
Date: Wed, 5 Feb 2025 18:39:49 +0100
Subject: [PATCH] fix(cloudfront): fix false positive in s3 origins (#6823)

(cherry picked from commit 914012de2b665807ae9d93415d202a54059e22dc)
---
 ..._distributions_origin_traffic_encrypted.py | 22 +++++---
 ...ributions_origin_traffic_encrypted_test.py | 51 +++++++++++++++++++
 2 files changed, 65 insertions(+), 8 deletions(-)

diff --git a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py
index 887237b4fb2..d333479ea9d 100644
--- a/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py
+++ b/prowler/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted.py
@@ -18,14 +18,20 @@ def execute(self):
 unencrypted_origins = []
 for origin in distribution.origins:
- if (
- origin.origin_protocol_policy == ""
- or origin.origin_protocol_policy == "http-only"
- ) or (
- origin.origin_protocol_policy == "match-viewer"
- and distribution.viewer_protocol_policy == "allow-all"
- ):
- unencrypted_origins.append(origin.id)
+ if origin.s3_origin_config:
+ # For S3, only check the viewer protocol policy
+ if distribution.viewer_protocol_policy == "allow-all":
+ unencrypted_origins.append(origin.id)
+ else:
+ # Regular check for custom origins (ALB, EC2, API Gateway, etc.)
+ if (
+ origin.origin_protocol_policy == ""
+ or origin.origin_protocol_policy == "http-only"
+ ) or (
+ origin.origin_protocol_policy == "match-viewer"
+ and distribution.viewer_protocol_policy == "allow-all"
+ ):
+ unencrypted_origins.append(origin.id)
 if unencrypted_origins:
 report.status = "FAIL"
diff --git a/tests/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted_test.py b/tests/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted_test.py
index 4063794ee0f..cb58ef4af16 100644
--- a/tests/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted_test.py
+++ b/tests/providers/aws/services/cloudfront/cloudfront_distributions_origin_traffic_encrypted/cloudfront_distributions_origin_traffic_encrypted_test.py
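Review bot: The new S3 branch hinges on the truthiness of `origin.s3_origin_config`; if the service model ever stores an empty dict for an S3 origin (for instance one with no origin access identity), that origin falls through to the custom-origin branch and, with `origin_protocol_policy == ""`, is flagged again — the same false positive this patch removes. It is worth confirming the model distinguishes "no S3OriginConfig" from "S3OriginConfig present but empty", or testing `origin.s3_origin_config is not None` if None is the absent value. The reason the origin policy is skipped deserves one more line in the comment, e.g. `# S3 REST origins carry no origin protocol policy; CloudFront reuses the viewer's protocol, so only the viewer policy decides` (assuming that AWS behaviour is what the fix relies on). The `else:` wrapping a bare `if (...)` could be flattened to `elif (...)`, keeping both policy checks at the same depth. `execute` starts before and continues after this hunk.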
@@ -225,3 +225,54 @@ def test_distribution_traffic_encrypted(self):
 == f"CloudFront Distribution {DISTRIBUTION_ID} does encrypt traffic to custom origins."
 )
 assert result[0].resource_tags == []
+
+ def test_distribution_traffic_encrypted_with_s3_config(self):
+ cloudfront_client = mock.MagicMock
+ cloudfront_client.distributions = {
+ DISTRIBUTION_ID: Distribution(
+ arn=DISTRIBUTION_ARN,
+ id=DISTRIBUTION_ID,
+ region=REGION,
+ origins=[
+ Origin(
+ id="origin1",
+ domain_name="asdf.s3.us-east-1.amazonaws.com",
+ origin_protocol_policy="",
+ origin_ssl_protocols=[],
+ s3_origin_config={
+ "OriginAccessIdentity": "origin-access-identity/cloudfront/1234567890123456"
+ },
+ )
+ ],
+ default_cache_config=DefaultCacheConfigBehaviour(
+ realtime_log_config_arn="",
+ viewer_protocol_policy=ViewerProtocolPolicy.redirect_to_https,
+ field_level_encryption_id="",
+ ),
+ default_root_object="index.html",
+ viewer_protocol_policy="redirect-to-https",
+ )
+ }
+
+ with mock.patch(
+ "prowler.providers.aws.services.cloudfront.cloudfront_service.CloudFront",
+ new=cloudfront_client,
+ ):
+ # Test Check
+ from prowler.providers.aws.services.cloudfront.cloudfront_distributions_origin_traffic_encrypted.cloudfront_distributions_origin_traffic_encrypted import (
+ cloudfront_distributions_origin_traffic_encrypted,
+ )
+
+ check = cloudfront_distributions_origin_traffic_encrypted()
+ result = check.execute()
+
+ assert len(result) == 1
+ assert result[0].region == REGION
+ assert result[0].resource_arn == DISTRIBUTION_ARN
+ assert result[0].resource_id == DISTRIBUTION_ID
+ assert result[0].status == "PASS"
+ assert (
+ result[0].status_extended
+ == f"CloudFront Distribution {DISTRIBUTION_ID} does encrypt traffic to custom origins."
+ )
+ assert result[0].resource_tags == []
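Review bot: `cloudfront_client = mock.MagicMock` binds the class rather than an instance, so `cloudfront_client.distributions = {...}` sets an attribute on `mock.MagicMock` itself and leaks into every later test in the process; it should read `cloudfront_client = mock.MagicMock()` (this may mirror the surrounding tests, in which case they share the problem). The new test only exercises the PASS path; the branch the fix introduces — an S3 origin on a distribution with `viewer_protocol_policy="allow-all"` yielding FAIL with `origin1` reported — has no test, and a companion case would pin it. The asserted message `does encrypt traffic to custom origins` is now checked for a distribution whose only origin is an S3 bucket; that wording lives in the check outside this hunk, but a phrasing such as `to its origins` would be more accurate after this change.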