Mitigate Common Web Threats with One Click in Amazon CloudFront

You can now add AWS WAF protections to Amazon CloudFront distributions with one click. In this walkthrough, we will guide you through setting up and monitoring protections offered by this new feature along with pricing and additional security recommendations.

This blog relates to Amazon CloudFront — a AWS service that you can use to deliver data, videos, applications, and APIs securely to your customers globally with low latency and high transfer speeds. CloudFront improves the performance of static and dynamic applications by caching content close to users, terminating TLS connections close to users, and routing user requests through AWS’s private backbone rather than the public Internet.

Publicly accessible web applications and APIs are exposed to threats such as commonly occurring vulnerabilities described in the OWASP Top 10, SQL injection, automated requests, and HTTP floods (Denial of Service (DoS)) that can affect availability, compromise security, or consume excessive resources. AWS WAF, a web application firewall, analyzes incoming requests and helps you block these types of threats before they reach your servers. You can secure your CloudFront distributions with AWS WAF by configuring your web access control list (web ACL) containing the security rules that you’d like to enable.

CloudFront now handles creating and configuring an AWS WAF web ACL with out-of-the-box protections recommended by AWS for all applications. This provides your application with a first line of defense against web threats. The included security protections block IP addresses from potential threats based on Amazon internal threat intelligence, protect against the most common vulnerabilities found in web applications as described in the OWASP Top 10, and defend against malicious actors discovering application vulnerabilities. Optionally, you can configure additional security protections later on against bots and fraud or other threats specific to your application in the AWS WAF console.

Enable security protections in CloudFront with one click

You can enable security protections with AWS WAF for both new and existing CloudFront distributions.

1. Open the Amazon CloudFront console.
2. Create a distribution by choosing Create distribution, and then enter the origin you would like to protect. Alternatively, choose Edit for an existing distribution.
3. In the Web Application Firewall (WAF) section, select Enable security protections.
4. Review the remaining distribution settings and click Create distribution, or Save Settings if you are editing an existing distribution.

Figure 1: Enable security protections with AWS WAF for the distribution

CloudFront creates an AWS WAF web ACL, configures rules to protect your servers from common web threats, and attaches the web ACL to the CloudFront distribution for you. You can see the resulting AWS WAF web ACL after creating or editing your distribution. Choose the link to open the web ACL in the AWS WAF console.

Figure 2: Review the distribution and web ACL

The Overview tab shows the requests that were inspected by the web ACL.

Figure 3: Review requests allowed or blocked by the AWS WAF web ACL

Choose the Rules tab to view the three rules that are automatically created by CloudFront security protections:

1. AWS-AWSManagedRulesAmazonIpReputationList – Block IP addresses from potential threats based on Amazon internal threat intelligence.
2. AWS-AWSManagedRulesCommonRuleSet – Protect against the most common vulnerabilities found in web applications as described in the OWASP Top 10.
3. AWS-AWSManagedRulesKnownBadInputsRuleSet – Protect against malicious actors discovering application vulnerabilities.

Figure 4: Web ACL Rules automatically created for the CloudFront distribution

Configure additional protections

AWS WAF has additional rules you can add to your web ACL to protect against other types of web threats depending on your application’s needs.

HTTP floods are a type of DoS attack that inundates your web application with an unusually high number of HTTP requests. By configuring rate-based rules, you can block offending source IP addresses that exceed the number of requests you allow in a five minute period.

Bot Traffic can result in poor customer experience by hoarding limited inventory, generating fraudulent credit card transactions, or increasing hosting costs. AWS WAF Bot Control can detect and block advanced bot traffic that are using sophisticated techniques to avoid detection.

Availability and pricing

One-click security protections with AWS WAF are now available in the CloudFront console and can be used to configure new or existing CloudFront distributions. To learn more, see the CloudFront Developer Guide.

Standard AWS WAF pricing applies. The AWS WAF web ACL created by CloudFront has a cost estimate of $14/month for 10 million requests/month. Adding rules or serving a different request volume changes this estimate. To view the total number of requests for an existing CloudFront distribution, visit the Cache statistics report in the Reports & Analytics section of the CloudFront console. For information on pricing, see AWS WAF Pricing.

About the authors

David MacDonald

David is a Senior Solutions Architect focused on helping New Zealand startups build secure and scalable solutions. He has spent most of his career building and operating SaaS products that serve a variety of industries. Outside of work, David is an amateur farmer and tends to a small herd of alpacas and goats.

Cristian Graziano

Cristian Graziano is a Senior Product Manager with Amazon CloudFront based out of Seattle. He works across product, engineering, and UX to help first-time and experienced AWS customers quickly onboard, configure, and manage Amazon CloudFront and related AWS services.