CloudFront distributions are accepting traffic from all locations on the internet. This includes traffic from geographical regions in which the business is unlikely to operate.
SkySiege has over a decade of experience in Cloud Security consultancy which we embed into our products. One of the major elements to our success is that we pair our technical understanding back to the practical business operations such that the security posture does not limit the business but does protect the business in a calculated and risk managed approach.
In our experience only a handful of organisations have required their services to have full open access from the entire internet. The applications and services that are required to do this are specifically legally mandated by government regulations to be freely accessible from the entire internet. When taking into account business operations, the majority of all other services do not need to be accessible from every part of the world, as their business operations are usually limited to specific geographic regions.
For example, due to sanctions between Western countries and nations like Iran and Russia, most businesses do not trade with these regions. As such, there is no advantage to allowing access to their services from these countries. This advice is not driven by political motivations but by practicality. Allowing traffic from regions where business is not possible introduces unnecessary risk. Traffic from any region can be both beneficial and malicious, but if there is no potential for business, there is no reason to risk accepting the malicious traffic when the beneficial traffic cannot be capitalised on.
Compounding this approach is that most cyberattacks between entities tend to originate from regions without trade relationships. Blocking access from such regions can significantly reduce the volume of malicious traffic targeting your services.
While this doesn’t guarantee complete protection, it adds a layer of security by forcing an additional barrier. Since many attacks are automated, implementing simple firewall rules to block traffic from non-business regions can prevent automated threats, forcing the use of a more complex setup to access your service.
Blocking traffic from regions where business is not feasible is a practical strategy that mitigates risk without impacting your core consumer base. We advise our clients to take their business operations into account and to follow this advice. Traffic can always be opened later should circumstances change.
SkySiege’s AWS Vulnerability Scan automatically detects this vulnerability across all AWS Regions with the report delivered the same day.
CloudFront includes functionality to apply Geographic Restrictions (Geo Restrictions). This is a built-in feature of CloudFront that can be enabled on any distribution. It is important to discover which distributions are not configured with a restriction and to determine the business footprint of each distribution.
There are two approaches to configuring the Geo Restriction: either block specific locations (a block list) or only allow specific locations (an allow list). In our experience it is best to block all locations and only allow access from specific locations; however, the right choice depends on the accessibility of your services and your business footprint.
To enable either an allow or block list:
1. In the distribution, open the Security tab.
2. Select the Edit button next to the Countries list under Security - Web Application Firewall.
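The audit and allow-list configuration described above, as an added example (not SkySiege's code or the AWS console). It assumes the DistributionConfig shape returned by the CloudFront API (Restrictions -> GeoRestriction with RestrictionType, Quantity and Items; the API calls the allow list "whitelist" and the block list "blacklist"), uses constructed sample distributions with placeholder ids, and the `apply_allowlist` helper expects a boto3 CloudFront client passed in by the caller.

```python
# Added example: find CloudFront distributions open to every location and
# build the allow-list GeoRestriction block. Sample data is constructed;
# "EXAMPLE1".."EXAMPLE3" are placeholder distribution ids, not real ones.
SAMPLE_DISTRIBUTIONS = {
    "EXAMPLE1": {"Comment": "public docs",
                 "Restrictions": {"GeoRestriction": {"RestrictionType": "none", "Quantity": 0}}},
    "EXAMPLE2": {"Comment": "uk shop",
                 "Restrictions": {"GeoRestriction": {"RestrictionType": "whitelist",
                                                     "Quantity": 2, "Items": ["GB", "IE"]}}},
    "EXAMPLE3": {"Comment": "legacy, no Restrictions block at all", "Restrictions": {}},
}


def find_unrestricted(configs):
    """Return ids of distributions that accept traffic from all locations.

    A missing Restrictions/GeoRestriction block is treated the same as
    RestrictionType "none": the distribution is open to the whole internet.
    """
    open_ids = []
    for dist_id, cfg in configs.items():
        geo = cfg.get("Restrictions", {}).get("GeoRestriction", {})
        if geo.get("RestrictionType", "none") == "none":
            open_ids.append(dist_id)
    return sorted(open_ids)


def allowlist_restriction(countries):
    """Build the Restrictions block for an allow list of ISO 3166-1 alpha-2 codes.

    Codes are upper-cased and de-duplicated; Quantity must match len(Items),
    and an allow list with no entries is rejected because it would block everyone.
    """
    codes = sorted({c.strip().upper() for c in countries})
    if not codes:
        raise ValueError("allow list must contain at least one country code")
    for code in codes:
        if len(code) != 2 or not code.isalpha():
            raise ValueError(f"expected ISO 3166-1 alpha-2 code, got {code!r}")
    return {"GeoRestriction": {"RestrictionType": "whitelist",
                               "Quantity": len(codes), "Items": codes}}


def apply_allowlist(client, dist_id, countries):
    """Apply the allow list via a boto3 CloudFront client (hypothetical caller supplies it).

    update_distribution needs the full DistributionConfig plus the ETag from
    get_distribution_config as IfMatch; changing only the Restrictions block
    keeps every other distribution setting intact.
    """
    resp = client.get_distribution_config(Id=dist_id)
    config = resp["DistributionConfig"]
    config["Restrictions"] = allowlist_restriction(countries)
    return client.update_distribution(DistributionConfig=config, Id=dist_id, IfMatch=resp["ETag"])
```

Running `find_unrestricted` against a live account means calling `list_distributions` and `get_distribution_config` for each id; the offline sample here flags EXAMPLE1 and EXAMPLE3 as open to the world.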
The technical elements are easy to apply, however the business aspects including which geographic locations are suitable for firewalling may need further discussion and support. We’ve had this conversation a number of times and therefore would be happy to assist.