Protecting from external threats at the edge - Secure Content Delivery with Amazon CloudFront

Protecting from external threats at the edge

When your application runs on AWS, you can combine CloudFront and AWS WAF to help defend against application layer attacks. AWS WAF is a web application firewall you can use to monitor web requests to your applications and to control access to your content.

You use AWS WAF to control how your protected resources respond to HTTP(S) web requests. You can do this by defining a web access control list (web ACL) and then associating it with one or more web application resources that you want to protect, in this case CloudFront distributions. For ease of configuration, you can use CloudFront one-click protection in the console; it creates a web ACL, configures rules to protect your applications from common web threats, and attaches the web ACL to the CloudFront distribution for you. Optionally, you can later configure additional security protections for other threats specific to your application.

CloudFront forwards incoming requests to AWS WAF for inspection by the web ACL. In your web ACL, you create rules that define traffic patterns in requests and specify the action to take on matching requests. The actions include allowing or blocking requests, counting requests, or running CAPTCHA or challenge checks against requests to verify human users.

You can define rules that inspect for criteria such as scripts that are likely to be malicious, IP addresses or address ranges, strings that appear in the request, labels that prior rules in the web ACL have added to the request, and many more combinations. You can also create rate-based rules that count requests: the rule aggregates requests into groupings and rate limits each grouping according to the rule's limit and action settings.

CloudFront also provides security recommendations for your distributions based on elements of your CloudFront configuration, including path patterns or your origin type. Additionally, to help protect against HTTP floods, you can use a guided workflow to rate limit requests, which will capture metrics and allow you to adjust configuration as needed. You can select the rules you’d like to enable and CloudFront automatically adds those rules to your AWS WAF configuration.

Besides creating your own rules, you can use AWS Managed Rules for AWS WAF, or Managed Rules for AWS WAF offered by sellers in the AWS Marketplace. The AWS managed rules identify malicious IP addresses that are included in IP reputation lists and common malicious request signatures, with options for intelligent threat mitigation using AWS WAF Bot Control. Both AWS WAF and CloudFront enable you to set geo-restrictions to block or allow requests from selected countries. This can help block attacks originating from geographic locations where you do not expect to serve users.
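As an added illustration (not code from the whitepaper or from AWS), the following Python builds the web ACL described above in the shape the AWS WAFV2 API expects: two AWS managed rule groups, a geo-match block rule and a rate-based rule, then creates it with CloudFront scope. The rate limit, the blocked country list and the rule names are constructed sample values; `create_cloudfront_web_acl` needs boto3 and AWS credentials, the builder and checks do not.

```python
# Real AWS managed rule group names (vendor "AWS"). The rate limit and the blocked
# country list are constructed sample values for illustration, not whitepaper advice.
MANAGED_GROUPS = ["AWSManagedRulesAmazonIpReputationList", "AWSManagedRulesCommonRuleSet"]


def _visibility(name):
    # Every rule, and the web ACL itself, needs a VisibilityConfig (CloudWatch metric + sampling).
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def build_web_acl_rules(rate_limit=2000, blocked_countries=("KP",)):
    """Rules list: managed IP reputation and common rules, then a geo block, then a rate limit."""
    rules = []
    for group in MANAGED_GROUPS:
        rules.append({
            "Name": group, "Priority": len(rules),
            "OverrideAction": {"None": {}},  # managed groups take OverrideAction, not Action
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "VisibilityConfig": _visibility(group),
        })
    rules.append({
        "Name": "BlockUnexpectedGeo", "Priority": len(rules), "Action": {"Block": {}},
        "Statement": {"GeoMatchStatement": {"CountryCodes": list(blocked_countries)}},
        "VisibilityConfig": _visibility("BlockUnexpectedGeo"),
    })
    rules.append({  # rate-based rule: aggregates requests per source IP and blocks above the limit
        "Name": "RateLimitPerIp", "Priority": len(rules), "Action": {"Block": {}},
        "Statement": {"RateBasedStatement": {"Limit": rate_limit, "AggregateKeyBasedOn": "IP"}},
        "VisibilityConfig": _visibility("RateLimitPerIp"),
    })
    return rules


def check_rules(rules):
    """Pre-deploy checks: unique priorities, exactly one of Action/OverrideAction, a VisibilityConfig."""
    priorities = [r["Priority"] for r in rules]
    if len(set(priorities)) != len(priorities):
        return False
    return all(("Action" in r) != ("OverrideAction" in r) and "VisibilityConfig" in r for r in rules)


def create_cloudfront_web_acl(name, rules):
    """CloudFront web ACLs use Scope=CLOUDFRONT and are created through the us-east-1 endpoint."""
    import boto3  # imported here so the builder and checks run without AWS credentials
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    return wafv2.create_web_acl(Name=name, Scope="CLOUDFRONT", DefaultAction={"Allow": {}},
                                Rules=rules, VisibilityConfig=_visibility(name))
```

The returned web ACL ARN is what you then attach to the distribution's WebACLId; rules are evaluated in ascending Priority order, so the managed groups run before the geo and rate rules here.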

If you are subscribed to AWS Shield Advanced, you can configure it to automatically mitigate application layer (OSI model layer 7) attacks against your protected CloudFront distributions by counting or blocking web requests that are part of the attack. This option is in addition to the application layer protection that you add through Shield Advanced with an AWS WAF web ACL and rate-based rules. You can engage the AWS Shield Response Team (SRT) to help create rules to mitigate attacks impacting your application’s availability. For more information, see Configure AWS SRT support.

You can use AWS Firewall Manager to centrally configure and manage AWS WAF rules for your CloudFront distributions across your organization. Your AWS Organizations management account can designate an administrator account, which is authorized to create Firewall Manager policies. These policies allow you to define criteria, such as resource type and tags, which determine where rules are applied. This is useful when you have many accounts and want to standardize protections across your organization. Firewall Manager also allows you to create policies that manage AWS Shield Advanced protected resources, Network Firewall policies, and VPC security groups.