Protecting from external threats at the edge
When your application runs on AWS, you can combine CloudFront and AWS WAF to help defend against application layer attacks. AWS WAF is a web application firewall you can use to monitor web requests to your applications and to control access to your content.
You use AWS WAF to control how your protected resources respond to HTTP(S) web requests. You can do this by defining a web access control list (web ACL) and then associating it with one or more web application resources that you want to protect, in this case CloudFront distributions. For ease of configuration, you can use CloudFront one-click protection in the console; it creates a web ACL, configures rules to protect your applications from common web threats, and attaches the web ACL to the CloudFront distribution for you. Optionally, you can later configure additional security protections for other threats specific to your application.
CloudFront forwards incoming requests to AWS WAF for inspection by the web ACL. In your web ACL, you create rules that define traffic patterns in requests and specify the action to take on matching requests. The available actions are to allow or block the request, count it, or run a CAPTCHA or challenge check against it to verify a human user.
You can define rules that inspect for criteria such as scripts that are likely to be malicious, IP addresses or address ranges, strings that appear in the request, labels that prior rules in the web ACL have added to the request, and many more combinations. You can also create rate-based rules that count requests, aggregate them into groupings, and rate limit each grouping according to the rule's limit and action settings.
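The web ACL described above is a list of prioritized rules, each carrying a statement (what to match), an action (what to do on a match) and a visibility configuration. The following example, added to this page and not taken from AWS documentation, builds such a definition in the shape the AWS WAF (wafv2) CreateWebACL API expects and sanity-checks it before it is sent: one AWS managed rule group in count mode for a trial period, and two rate-based rules aggregated by source IP, one that blocks a flood and a lower-threshold one that issues a challenge. The rule names, metric names and limits are constructed for illustration; the helper names (`rate_limit_rule`, `managed_rule_group`, `web_acl_request`, `validate`) are this example's own.

```python
"""Build and sanity-check an AWS WAF web ACL definition for a CloudFront distribution.

Added example; not code from the AWS documentation. Field names follow the
wafv2 CreateWebACL request shape; rule names, metric names and limits are
constructed for illustration.
"""
from __future__ import annotations

from typing import Any


def visibility(metric_name: str) -> dict[str, Any]:
    """CloudWatch metrics plus sampled requests, so matches can be reviewed later."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def rate_limit_rule(name: str, priority: int, limit: int, action: str = "Block") -> dict[str, Any]:
    """Rate-based rule: requests are aggregated per source IP and, once a source
    exceeds `limit` in the evaluation window, `action` is applied to its requests.
    `action` is one of Block, Count, Captcha or Challenge."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {action: {}},
        "VisibilityConfig": visibility(name),
    }


def managed_rule_group(name: str, priority: int, group_name: str,
                       vendor: str = "AWS", count_only: bool = False) -> dict[str, Any]:
    """Managed rule group rule. Managed groups take an OverrideAction rather than an
    Action: None keeps each rule's own action, Count downgrades all of them to
    count-only, which is how a new group is usually trialled before enforcing."""
    override = {"Count": {}} if count_only else {"None": {}}
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": vendor, "Name": group_name}},
        "OverrideAction": override,
        "VisibilityConfig": visibility(name),
    }


def web_acl_request(name: str, rules: list[dict[str, Any]]) -> dict[str, Any]:
    """Web ACL for a CloudFront distribution: scope CLOUDFRONT, default action Allow,
    so only requests matching a rule are blocked, counted or challenged."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": visibility(name),
    }


def validate(acl: dict[str, Any]) -> list[str]:
    """Return a list of problems (empty when the definition is consistent)."""
    problems: list[str] = []
    if acl.get("Scope") != "CLOUDFRONT":
        problems.append("Scope must be CLOUDFRONT for a distribution")
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        problems.append("rule priorities must be unique")
    for rule in acl["Rules"]:
        has_action = "Action" in rule
        has_override = "OverrideAction" in rule
        stmt = rule["Statement"]
        if has_action == has_override:
            problems.append(f"{rule['Name']}: exactly one of Action or OverrideAction")
        if "ManagedRuleGroupStatement" in stmt and not has_override:
            problems.append(f"{rule['Name']}: managed rule groups use OverrideAction")
        if "RateBasedStatement" in stmt:
            if not has_action:
                problems.append(f"{rule['Name']}: rate-based rules use Action")
            if stmt["RateBasedStatement"]["Limit"] <= 0:
                problems.append(f"{rule['Name']}: Limit must be positive")
    return problems


def example_acl() -> dict[str, Any]:
    """Constructed example: managed group in count mode, then a block-level flood
    rule evaluated before a lower-threshold challenge rule (lower priority number
    is evaluated first)."""
    return web_acl_request("edge-protection", [
        managed_rule_group("aws-common", 0, "AWSManagedRulesCommonRuleSet", count_only=True),
        rate_limit_rule("flood-block", 1, 2000, action="Block"),
        rate_limit_rule("burst-challenge", 2, 500, action="Challenge"),
    ])


if __name__ == "__main__":
    acl = example_acl()
    print("problems:", validate(acl) or "none")
```

The dictionary returned by `web_acl_request` can be passed unchanged as keyword arguments to the boto3 `wafv2` client's `create_web_acl` call, which for CLOUDFRONT scope must be made in the us-east-1 region; the resulting web ACL ARN is then set on the distribution. Running the managed group with `count_only=True` first lets you review the sampled requests and CloudWatch metrics for false positives before switching the override to `None`.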
CloudFront also provides security recommendations for your distributions based on elements of your CloudFront configuration, including path patterns or your origin type. Additionally, to help protect against HTTP floods, you can use a guided workflow to rate limit requests, which will capture metrics and allow you to adjust configuration as needed. You can select the rules you’d like to enable and CloudFront automatically adds those rules to your AWS WAF configuration.
Besides creating your own rules, you can use AWS-managed AWS WAF rules, or use Managed Rules for AWS WAF offered by sellers in the AWS Marketplace.
If you are subscribed to AWS Shield Advanced, you can configure it to automatically mitigate application layer (OSI model layer 7) attacks against your protected CloudFront distributions by counting or blocking web requests that are part of the attack. This option is in addition to the application layer protection that you add through Shield Advanced with an AWS WAF web ACL and rate-based rules. You can engage the AWS Shield Response Team (SRT) to help create rules to mitigate attacks impacting your application’s availability. For more information, see Configure AWS SRT support.
You can use AWS Firewall Manager
- To learn more about using geo-restriction to limit access to your CloudFront distribution, see Restricting the Geographic Distribution of Your Content.
- To learn more about using AWS WAF, see Getting started with AWS WAF.
- To learn more about configuring rate-based rules, see Rate-based rules examples.
- To learn more about enabling AWS WAF protections with one click and setting up rate limiting, see Using AWS WAF to protect your application.
- To learn how to manage the deployment of AWS WAF rules across your AWS resources with AWS Firewall Manager, see Getting started with AWS Firewall Manager AWS WAF policies.