Protecting Your Origin (BP1, BP5) - AWS Best Practices for DDoS Resiliency

Protecting Your Origin (BP1, BP5)

If you’re using Amazon CloudFront with an origin that is inside your VPC, you should use an AWS Lambda function to automatically update your security group rules so that they allow only Amazon CloudFront traffic. This improves your origin’s security by helping to ensure that malicious users cannot bypass Amazon CloudFront and AWS WAF when accessing your web application.

To learn more about how to protect your origin by automatically updating your security groups, see How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda.

You may also want to ensure that only your Amazon CloudFront distribution can forward requests to your origin. With Edge-to-Origin Request Headers, you can add or override the value of existing request headers when Amazon CloudFront forwards requests to your origin. You can use the X-Shared-Secret header to help validate that requests made to your origin were sent from Amazon CloudFront.

To learn more about protecting your origin with an X-Shared-Secret header, see Forwarding Custom Headers to Your Origin.
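The origin-side half of the X-Shared-Secret check described above, as an added example that is not AWS documentation code: a small WSGI middleware that rejects any request whose shared-secret header does not match a configured value. It goes slightly beyond the text by accepting a current and a previous secret so the value can be rotated without dropping traffic; the header name, environment variable names and secret values are assumptions for this example.

```python
import hmac
import os
from typing import Iterable, Mapping

# Name of the custom header the CloudFront distribution is configured to add.
# Constructed example: header name, env var names and secrets are assumptions.
SHARED_SECRET_HEADER = "X-Shared-Secret"


def load_secrets() -> list[str]:
    """Read the current and, during rotation, the previous secret from the environment.
    Add the new value on the distribution first, then retire the old one here."""
    candidates = [os.environ.get("ORIGIN_SHARED_SECRET", ""),
                  os.environ.get("ORIGIN_SHARED_SECRET_PREVIOUS", "")]
    return [s for s in candidates if s]


def is_from_cloudfront(headers: Mapping[str, str], secrets: Iterable[str]) -> bool:
    """True only if the request carries a shared-secret header matching a configured value.
    Header names are case-insensitive; the comparison is constant-time so response
    timing does not leak the secret. With no secrets configured, everything is rejected."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(SHARED_SECRET_HEADER.lower(), "")
    if not presented:
        return False
    return any(hmac.compare_digest(presented.encode(), s.encode()) for s in secrets)


def require_cloudfront(app, secrets: Iterable[str]):
    """WSGI middleware: answer 403 to any request that did not come through CloudFront."""
    secrets = list(secrets)

    def wrapped(environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME>, dashes replaced by underscores.
        presented = environ.get("HTTP_" + SHARED_SECRET_HEADER.upper().replace("-", "_"), "")
        if not is_from_cloudfront({SHARED_SECRET_HEADER: presented}, secrets):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return app(environ, start_response)

    return wrapped


def hello_app(environ, start_response):
    """Placeholder origin application protected by the middleware."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"Hello from the origin\n"]
```

Wrap your real WSGI application with `require_cloudfront(app, load_secrets())`; the security-group rules discussed earlier still matter, because this header check only helps once a request has already reached the origin.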