AWS CloudFront and WAF

Cloud Journey
Sep 12, 2021

Overview

In this article we will explore AWS CloudFront and AWS WAF. We will discuss security, logging and monitoring, resilience and availability, and configuration management.

WAF Multi-Layer Web Application Security

The edge network is the first layer of policy enforcement and should be used for broad security policy enforcement. This is the ideal place for rules such as the AWS Managed Rules Core rule set (CRS), geographical location blocks, IP reputation lists, anonymous IP lists, and basic rate limit enforcement.

The next level of enforcement should be an Application Load Balancer in a public subnet, with another, regional web ACL, at the CloudFront origin. This layer is where you apply application-specific rules.

Protect CloudFront Origin

By using an IP allowed list and header inspection together, a custom origin can allow only the chosen CloudFront distribution to access its private content.

Custom Header

Custom origins can inspect incoming HTTP requests and decide to discard a request. You can allow only a trusted CloudFront distribution to access your origin by adding a custom header with a secret value to the origin request in CloudFront, and setting up header inspection on the origin side. If the origin web server is on AWS, an ALB listener rule can be used for this header inspection.

Security Group

CloudFront publishes its IP address ranges along with other Amazon services, without any prior setting or cost requirements. This enables you to allow CloudFront IP address ranges in your origin firewall, or add them into security groups. You may need more than one security group to allow all CloudFront IP ranges.
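The two controls above, combined in one origin-side check, as an added example that is not part of the original article. The header name, the secret, the sample prefixes (documentation ranges in the shape of the published ip-ranges.json) and the rules-per-group figure are all assumptions.

```python
import hmac
import ipaddress

# Constructed sample in the shape of AWS's published ip-ranges.json;
# the prefixes are documentation ranges, not real CloudFront addresses.
SAMPLE_IP_RANGES = {"prefixes": [
    {"ip_prefix": "192.0.2.0/24", "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.0/24", "service": "CLOUDFRONT"},
    {"ip_prefix": "203.0.113.0/24", "service": "EC2"},
]}

HEADER_NAME = "x-origin-verify"             # hypothetical header name
HEADER_SECRET = "constructed-secret-value"  # placeholder; keep the real one in a secret store


def cloudfront_networks(doc, service="CLOUDFRONT"):
    """Return the IPv4 networks published for the given service."""
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in doc["prefixes"] if p["service"] == service]


def security_group_batches(networks, rules_per_group=60):
    """Split CIDRs into batches that each fit one security group.

    rules_per_group is an assumption: set it to your account's inbound-rule quota.
    """
    cidrs = [str(n) for n in networks]
    return [cidrs[i:i + rules_per_group]
            for i in range(0, len(cidrs), rules_per_group)]


def origin_accepts(source_ip, headers, networks):
    """Accept only if the peer is in the allowed list AND the header matches."""
    addr = ipaddress.ip_address(source_ip)
    ip_ok = any(addr in net for net in networks)
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get(HEADER_NAME, "")
    # Constant-time comparison avoids leaking the secret through timing.
    header_ok = hmac.compare_digest(supplied.encode(), HEADER_SECRET.encode())
    return ip_ok and header_ok
```

Either control alone is weaker: the published ranges are shared by every CloudFront distribution, and the header is only a secret while it stays out of logs and client-visible responses.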

Logging and Monitoring

CloudWatch

CloudWatch metrics give visibility into how the web ACL is protecting your application: AllowedRequests, BlockedRequests and PassedRequests.

You can set up alarms on CloudWatch metrics to receive notifications when a certain WAF rule is abnormally triggered based on predefined thresholds.

CloudFront is integrated with CloudWatch, and automatically publishes six operational metrics per distribution. You can monitor these metrics to detect anomalous behavior and create alarms.

WAF Log

  • Sample WAF log in console
  • Send WAF log to S3

CloudFront Logging

  • Standard/Access Log
  • Real-time logs

Testing and Tuning

You can review Amazon CloudWatch metrics for your CloudFront distribution or application load balancer to determine the baseline for your rate limit based on the maximum expected requests per minute.

Start the web ACL rules with the COUNT action, then update them to BLOCK later on.
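One way to review a rule while it is still in COUNT, before switching it to BLOCK, is to tally from the WAF log which requests it matched. This is an added example, not code from the original article; the log records are constructed and reduced to the fields the code reads, and the rule name "rate-limit" is hypothetical.

```python
import json
from collections import Counter

# Constructed WAF log records, one JSON object per line, reduced to the
# fields read below. "rate-limit" is a hypothetical rule name.
RECORDS = [
    {"action": "ALLOW", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/login"},
     "nonTerminatingMatchingRules": [{"ruleId": "rate-limit", "action": "COUNT"}]},
    {"action": "ALLOW", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/login"},
     "nonTerminatingMatchingRules": [{"ruleId": "rate-limit", "action": "COUNT"}]},
    {"action": "ALLOW", "httpRequest": {"clientIp": "203.0.113.9", "uri": "/search"},
     "nonTerminatingMatchingRules": [{"ruleId": "rate-limit", "action": "COUNT"}]},
    {"action": "ALLOW", "httpRequest": {"clientIp": "192.0.2.1", "uri": "/"},
     "nonTerminatingMatchingRules": []},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in RECORDS)


def would_block_summary(log_text, rule_id):
    """Tally requests that a COUNT-mode rule matched but that were still allowed.

    These are the requests whose outcome changes once the rule is set to BLOCK.
    """
    by_ip, by_uri = Counter(), Counter()
    total = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        total += 1
        counted = any(
            m.get("ruleId") == rule_id and m.get("action") == "COUNT"
            for m in rec.get("nonTerminatingMatchingRules", [])
        )
        if counted and rec.get("action") == "ALLOW":
            req = rec.get("httpRequest", {})
            by_ip[req.get("clientIp", "unknown")] += 1
            by_uri[req.get("uri", "unknown")] += 1
    return {"total": total, "affected": sum(by_ip.values()),
            "by_ip": by_ip, "by_uri": by_uri}
```

If the affected clients and URIs include traffic you recognise as legitimate, tune the rule or its threshold before changing the action.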

Resilience

Staging Test

Set up a staging environment for your application. This approach allows you to experiment with AWS WAF without negatively impacting production traffic.

Create a new endpoint for your production environment. Your staging environment is based on this new endpoint with AWS WAF deployed. For example, you can create a new CloudFront distribution with a WAF web ACL attached and set the origin to your existing application’s load balancer. (Note: If you are already using CloudFront, you can still create a new CloudFront distribution, but you can’t reuse the same domain attached to the existing distribution. It’s not possible to create two distributions for one domain.)

CloudFront Distribution

There isn’t much information available on the web regarding routing to multiple CloudFront distributions. I guess it’s not a common solution. If you need to switch to another origin, you may update the existing CloudFront distribution with the new origin or use another distribution. It will be interesting to see if one can front multiple distributions with Route 53 and utilize the advanced routing rules.

CloudFront is part of the Amazon global edge network, with POPs around the world and regional caches, so high availability is achieved.

Origin Redundancy

Configuration Management

AWS Firewall Manager is a security management service that allows you to centrally configure and manage firewall rules across your accounts and applications in AWS Organizations.

Firewall Manager also integrates with Managed Rules for AWS WAF, which gives you an easy way to deploy pre-configured WAF rules in front of your applications.

Firewall Manager Prerequisites:

  • AWS Organizations with all features enabled
  • Enable AWS Config in all accounts
  • Designate an AWS Firewall Manager administrator account

All Together



All blogs are strictly personal and do not reflect the views of my employer. https://github.com/Ronnie-personal