Introducing CloudFront Security Dashboard, a Unified CDN and Security Experience
As security threats have become more sophisticated and easier to scale, customers increasingly use Amazon CloudFront and AWS WAF together to improve the performance, resiliency, and security of their web applications and APIs. CloudFront is a Content Delivery Network (CDN) that reduces latency by delivering data to viewers anywhere in the world using one of CloudFront’s hundreds of edge locations nearest to them. AWS WAF, a web application firewall, helps protect web applications from common exploits and unwanted bot traffic by analyzing and blocking malicious requests before they reach your web servers. Customers can already use CloudFront and AWS WAF to protect their applications. However, developers, startups, and small businesses often do not have access to security experts to help them decide which security protections to enable, craft security rules, or spot common patterns in logs such as when a disproportionate number of requests originate from a single IP address. These customers often ask us for additional guidance on how to keep their applications secure, including simple, easy-to-manage security within CloudFront.
Today, we’re happy to announce the availability of the CloudFront security dashboard, a unified experience that brings AWS WAF visibility and controls directly to your CloudFront distribution. The interactive security dashboard combines observability, investigative tools, and a contextual configuration experience that is simple, intuitive, and convenient to use.
- Manage application delivery and security in one place without navigating between service consoles.
- Gain visibility into your application’s top security trends, allowed and blocked traffic, and bot activity.
- Quickly understand traffic patterns using investigative tools like a visual log analyzer without querying logs.
- Take actions inline using built-in blocking controls without writing security rules.
- Prevent unwanted bots by controlling the bots you allow or block based on 17 different categories.
This post walks you through the end-to-end workflow of securing your application using the CloudFront security dashboard, as shown in the following figure. First, you learn how to enable core security protections, review and enable security recommendations, and protect your application against HTTP floods. Next, you learn how to monitor your traffic using built-in reports, protect against bots, investigate unusual traffic patterns, and apply mitigations inline without writing security rules.
If AWS WAF is already enabled for your distribution, then navigate to the new Security tab within any CloudFront distribution to begin exploring the new security dashboard with historical metrics. Otherwise, you can follow the steps in this post to enable AWS WAF security protections within seconds to begin collecting metrics.
Getting started: enable core protections, review recommendations, and protect against HTTP floods
The first step to secure your application is to enable security protections for a new or existing distribution. Note that when following these steps, you may also be shown recommended protections. In this post, we’ve broken out enabling recommendations as a separate step so that customers who already have AWS WAF enabled can follow along.
- Open the Amazon CloudFront Console
- Create a distribution by choosing Create distribution, and then entering the origin you would like to protect. Alternatively, for an existing distribution, navigate to the Security tab within your distribution and select Edit.
- In the Web Application Firewall (WAF) section, review the price estimate and select Enable security protections.
- Review the remaining distribution settings and select Create distribution, or Save changes if you are editing an existing distribution.
CloudFront handles creating and configuring AWS WAF for you with out-of-the-box protections recommended by AWS for all applications. The core security protections that are included block IP addresses from potential threats based on Amazon internal threat intelligence, protect against the most common vulnerabilities found in web applications as described in the OWASP Top 10, and defend against malicious actors discovering application vulnerabilities.
Review and enable security recommendations
CloudFront uses elements of your configuration as a signal to provide you with the appropriate security recommendations, when applicable. In the Security tab, select the Edit button to navigate to the security form and enable the recommended security rules you would like to add to your distribution. In the example shown in the following figure, we are using CloudFront to accelerate and protect a WordPress application. We check the WordPress protections checkbox to enable WordPress-specific protections provided by AWS WAF.
Additionally, we recommend protecting your application from volumetric attacks such as HTTP floods using the recommended rate limit rule: simply check the Rate limiting checkbox shown in the preceding figure. Because the rate is specific to each application, CloudFront helps you set and fine-tune the proper rate for your application to mitigate these attacks. After enabling, rate limiting captures metrics in monitor mode without blocking.
You can review the metrics for the rate limit rule in the Rate limiting section of the Security – Web Application Firewall (WAF) container as shown in the following figure. If the rate has been exceeded, then you can select the Monitor mode – rate exceeded text to see how often your rate was exceeded and by how much. Additionally, you can adjust the rate as needed and enable blocking when ready.
Monitor and improve security of your application
The CloudFront security dashboard is broken out into three observability sections: Security trends, Bot requests, and Request logs. The Security trends section gives you a high-level view of your traffic at a glance. Quickly spot changes in total traffic, ratio of allowed to blocked traffic, attack types, and viewer locations. If you would like to block traffic from specific countries, then hover over the country and set the toggle to block as shown in the following figure.
Manage bots
The second section, Bot requests, is where you see information about bots accessing your application. When bot protection is disabled, this section shows you how much of your traffic is coming from bots, based on request sampling, as shown in the following figure.
You can choose to enable bot protection with AWS WAF Bot Control. This provides a common protection level that adds labels to self-identifying bots, verifies generally desirable bots, and detects high-confidence bot signatures. This allows you to see detailed bot activity broken out by category, based on actual requests rather than request sampling. Many customers choose to block bots to lower their infrastructure costs.
To see detailed visibility into bot traffic and control the bots you allow or block, select the Manage bot protection button, check Enable Bot Control for common bots, and select Save changes, as shown in the following figure.
After enabling Bot Control, you see detailed metrics and have the option to configure how each unverified bot is handled per bot category. In the following figure, unverified Non-browser user agent, HTTP library, and SEO bots are in monitor mode while Link Checker and Security bots receive a challenge or CAPTCHA respectively. Bots that are known by AWS to be common and verifiable – for example, known search engine crawlers – are not subject to the actions you set here. Bot Control performs validation to confirm that these bots come from the source that they claim before marking them as verified.
Visually search, filter, and inspect logs
Finally, you may want to dive deeper into your logs to isolate specific traffic patterns, for example where certain traffic is coming from or which URI paths are requested most. The final section, Request logs, is designed to make it easy to answer those types of questions without writing log queries or leaving the CloudFront console.
If you have not enabled logging, then use the built-in pricing calculator to estimate the price of enabling logs based on your expected request volume. To enable logs, check the Enable AWS WAF logs checkbox and select Enable as shown in the following figure. CloudFront creates a CloudWatch Logs log group and updates your AWS WAF configuration to begin logging to CloudWatch.
Within a few minutes you see log data begin flowing. Following the individual requests, you see visual aggregations by HTTP method, top URI paths, top IP addresses, and top countries. This helps you visually spot patterns right away, for example if a disproportionate volume of requests is coming from a single IP address, targeting specific URI paths, or originating from a country that you have not previously seen in your logs. You can filter requests based on IP address, country, user agent, URI path, and other attributes to help find unwanted traffic. Once identified, select the individual request or visualization and take immediate action to block the malicious traffic, for example by hovering over an IP address to block it as shown in the following figure.
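The aggregations the Request logs view shows (top IP addresses, URI paths, countries, HTTP methods), the "disproportionate volume from a single IP" pattern, and the rate-exceeded figures that the rate limit rule reports in monitor mode can be reproduced offline from the AWS WAF logs that CloudFront sends to CloudWatch. The following is an added example, not code from the AWS post: the log records are constructed using the AWS WAF JSON log field names, and the 60-second window and limit of 5 are illustrative values chosen for the sample (AWS WAF itself evaluates a rate limit over a trailing window).

```python
"""Aggregate AWS WAF log records as the dashboard's Request logs view does.

Added example, not code from the AWS post. Records are constructed with AWS WAF
JSON log field names (action, timestamp in ms, httpRequest.clientIp/.country/
.uri/.httpMethod); the 60 s window and the limit of 5 are illustrative values.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: one IP POSTs /wp-login.php nine times in 32 s; two other
# viewers each make a single GET, one of them already blocked by a WAF rule.
_T0 = 1700000000000


def _rec(ts, ip, country, uri, method, action="ALLOW"):
    return {"timestamp": ts, "action": action, "httpRequest": {
        "clientIp": ip, "country": country, "uri": uri, "httpMethod": method}}


SAMPLE_LOG = "\n".join(json.dumps(r) for r in
    [_rec(_T0 + i * 4000, "198.51.100.2", "DE", "/wp-login.php", "POST") for i in range(9)]
    + [_rec(_T0 + 7000, "203.0.113.7", "US", "/index.html", "GET"),
       _rec(_T0 + 9000, "192.0.2.99", "BR", "/admin", "GET", "BLOCK")])


def parse_waf_log(text):
    """AWS WAF writes one JSON object per line to the CloudWatch log group."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def top_values(records, field, n=5):
    """Top-N breakdown of an httpRequest field: clientIp, uri, country, httpMethod."""
    return Counter(r["httpRequest"][field] for r in records).most_common(n)


def disproportionate_ips(records, max_share=0.5):
    """IPs sending more than max_share of all requests (the single-IP pattern)."""
    counts = Counter(r["httpRequest"]["clientIp"] for r in records)
    return sorted(ip for ip, c in counts.items() if c / len(records) > max_share)


def rate_exceeded(records, limit, window_ms=60_000):
    """Per IP: (windows in which requests exceeded `limit`, largest overage).
    Fixed windows simplify WAF's trailing window; this is what monitor mode
    lets you inspect before switching the rate limit rule to blocking."""
    per_ip = defaultdict(Counter)
    for r in records:
        per_ip[r["httpRequest"]["clientIp"]][r["timestamp"] // window_ms] += 1
    return {ip: (sum(c > limit for c in w.values()), max(w.values()) - limit)
            for ip, w in per_ip.items() if max(w.values()) > limit}


RECORDS = parse_waf_log(SAMPLE_LOG)
```

Running `rate_exceeded(RECORDS, limit=5)` reports that 198.51.100.2 exceeded the limit in one window by 4 requests, which is the same "how often and by how much" view you use in the console to pick a rate before enabling blocking.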
Availability and pricing
The CloudFront security dashboard is included with each CloudFront distribution at no additional cost. It can be accessed by selecting the Security tab in the CloudFront console for any distribution. Additional insights and configuration options are available in the AWS WAF console. Standard AWS WAF pricing applies to Web ACLs created through the dashboard, and standard CloudWatch pricing applies to metrics and logs queried through the dashboard. Configurable pricing estimates are provided inline in the console while setting up security protections. For additional information on pricing, see AWS WAF pricing and CloudWatch pricing.
CloudFront offers 1 TB of data transfer out and 10 million HTTP(S) requests for free, every month. If you use an AWS origin like Amazon Simple Storage Service (Amazon S3) or Application Load Balancer (ALB) behind CloudFront, then data transfer out for origin fetches is free. To learn more, see Amazon CloudFront pricing.
Conclusion
With the introduction of the CloudFront security dashboard, you now have a simple and convenient way to protect and monitor your application against common security threats. In this post, you learned how to use the CloudFront security dashboard to secure and monitor your application. You enabled core security protections and recommendations, protected against HTTP floods, and learned how to visually spot anomalies in the logs and block traffic. Additionally, you learned how to monitor bots and control which bots can access your application.
To learn more about CloudFront and AWS WAF, see the CloudFront Developer Guide, and the AWS WAF Developer Guide.