Posted On: Feb 7, 2022

Starting today, you can use the AWS managed prefix list for Amazon CloudFront to limit the inbound HTTP/HTTPS traffic to your origins from only the IP addresses that belong to CloudFront’s origin-facing servers. CloudFront keeps the managed prefix list up-to-date with the IP addresses of CloudFront’s origin-facing servers, so you no longer have to maintain a prefix list yourself.

You can reference the managed prefix list for CloudFront in your Amazon Virtual Private Cloud (VPC) security group rules, the subnet route table, the common security group rules with AWS Firewall Manager, and any other AWS resource that can use a managed prefix list. For example, you can use the managed prefix list for CloudFront in the inbound rules of your VPC security group to allow only CloudFront IP addresses to access your EC2 instances. When using the managed prefix list with the common security group rules for AWS Firewall Manager, you can limit access to multiple Application Load Balancers (ALBs) across all your AWS accounts. Please see the AWS Managed Prefix List for more details.
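A CloudFormation template that applies the security group use case above. This is an added example, not code from the AWS announcement; it assumes the managed prefix list is named com.amazonaws.global.cloudfront.origin-facing (its ID differs per region, so it is looked up once and passed in as a parameter) and that the origin runs in a VPC you supply.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Security group that admits HTTP/HTTPS only from CloudFront origin-facing servers (added example)

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: VPC that hosts the origin (EC2 instance or ALB)
  CloudFrontPrefixListId:
    Type: String
    Description: >-
      ID (pl-...) of the AWS managed prefix list for CloudFront origin-facing
      servers in this region. Look it up with:
      aws ec2 describe-managed-prefix-lists
        --filters Name=prefix-list-name,Values=com.amazonaws.global.cloudfront.origin-facing
    AllowedPattern: "^pl-[0-9a-f]+$"

Resources:
  OriginSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Allow HTTP/HTTPS only from CloudFront origin-facing servers
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        # No CidrIp here: the managed prefix list is the source, and AWS keeps
        # its entries current, so this rule never needs to be edited by hand.
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourcePrefixListId: !Ref CloudFrontPrefixListId
          Description: CloudFront origin-facing servers (HTTP)
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourcePrefixListId: !Ref CloudFrontPrefixListId
          Description: CloudFront origin-facing servers (HTTPS)
      # No SecurityGroupEgress is declared, so the default allow-all egress
      # rule applies; tighten it separately if the origin needs no outbound access.

Outputs:
  OriginSecurityGroupId:
    Description: Attach this group to the origin instance or load balancer
    Value: !Ref OriginSecurityGroup
```

The prefix list counts against the rules-per-security-group quota at a weight of 55, so check that quota before deploying. It also admits traffic from every CloudFront distribution, not just yours; if that distinction matters, pair it with a secret custom origin header that the origin verifies.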

The managed prefix list is available for immediate use via the AWS Console, and the AWS SDK in all regions except China, Asia Pacific (Jakarta), and Asia Pacific (Osaka). The prefix list can be referenced in your CloudFormation templates in the available regions. There is no additional fee for using the CloudFront managed prefix lists. For further information, please see the CloudFront developer guide.