These rules identify CloudFront distributions using the most expensive price class when a cheaper option may be sufficient, as well as distributions that are generating almost no traffic and may be candidates for consolidation or deletion.
| Rule ID | Scan Type | Name |
|---|---|---|
| CLDBRN-AWS-CLOUDFRONT-1 | Discovery and IaC | CloudFront Distribution Price Class All |
| CLDBRN-AWS-CLOUDFRONT-2 | Discovery | CloudFront Distribution Unused |
CLDBRN-AWS-CLOUDFRONT-1
CloudFront Distribution Price Class All
Scan type: Discovery and IaC
What it checks
Flags CloudFront distributions configured with PriceClass_All, which includes edge locations in every AWS region, including the most expensive ones (South America, Australia, Asia). If your audience is concentrated in North America and Europe, a cheaper price class delivers the same experience at lower cost.
Why it matters
CloudFront pricing varies significantly by edge location. Requests served from South American or Australian edge locations cost 2-3x more per GB than the same request from a US or European edge. PriceClass_All routes traffic to these expensive regions even when the audience there is negligible. Switching to PriceClass_100 (US, Canada, Europe) or PriceClass_200 (adds Asia, Middle East, Africa) can cut per-request costs substantially for distributions that don't need global edge coverage.
What triggers a finding
The distribution's priceClass is PriceClass_All.
How to remediate
Update the distribution's price class based on where your users actually are. Check your CloudFront access logs or CloudWatch metrics to see which edge locations serve the most traffic:
aws cloudfront update-distribution \
--id E1EXAMPLE \
--distribution-config file://updated-config.json
In the config, set PriceClass to PriceClass_100 (cheapest, US/Canada/Europe only) or PriceClass_200 (adds Asia/Middle East/Africa). Users outside the selected edge regions still get served, just from the nearest included edge location with slightly higher latency.
IaC resources checked
| Provider | Resource |
|---|---|
| Terraform | aws_cloudfront_distribution |
| CloudFormation | AWS::CloudFront::Distribution |
CLDBRN-AWS-CLOUDFRONT-2
CloudFront Distribution Unused
Scan type: Discovery
What it checks
Flags CloudFront distributions with fewer than 100 requests over the last 30 days.
Why it matters
Each CloudFront distribution incurs fixed costs and potentially underused edge caching. Distributions serving almost no traffic waste money on origin shield, logging, and per-distribution overhead when the content could be served directly from the origin or consolidated into another distribution.
What triggers a finding
totalRequestsLast30Days is not null AND is less than 100.
How to remediate
Check CloudWatch RequestCount metrics to confirm the distribution is genuinely unused. If it's obsolete, delete the distribution. If it serves a low-traffic site, consider consolidating it with another distribution using behaviors and alternate domain names.
See Also
- CLI discover command - scan live CloudFront distributions
- SDK Reference - run discovery programmatically