CloudFront distributions that do not use AWS WAF lack a number of security protections and request tracking
AWS CloudFront is a content delivery network (CDN) that sits between clients and your origin services and serves content on their behalf. CDNs were originally designed to improve response times and reduce the direct load on your application by caching content at edge locations, so that not every user request has to reach the origin. They also distribute your content geographically, improving availability and performance across regions. Over time, CDNs have gained a range of content-management and access-control features, which makes them useful for content distribution in almost all situations.
However, while CDNs like CloudFront offer some security-related features such as geo-restriction and TLS termination, they are not security tools in themselves: their primary function is content distribution. To control what reaches your origin and to adopt a stronger security posture, attach a security layer such as AWS WAF to the CloudFront distribution. A WAF web ACL adds protection against application-layer threats such as SQL injection and cross-site scripting, blocks spam and known bad bots when the managed rule groups are enabled, and mitigates HTTP request floods through rate-based rules. Note that AWS WAF only inspects HTTP(S) requests; network- and transport-layer DDoS protection comes from AWS Shield Standard, which every CloudFront distribution receives automatically, and WAF complements it at the application layer.
A WAF also helps control costs: requests blocked at the edge are never forwarded to your origin, so malicious traffic does not drive up origin compute, database or data-transfer charges. AWS WAF has its own per-web-ACL, per-rule and per-request pricing, and blocked requests are still counted by WAF, so the saving is at the origin rather than at the edge. There are rare cases where a CloudFront distribution without a web ACL is acceptable, but in most cases attaching one improves the overall protection of your infrastructure.
Attaching a web ACL in advance also gives you the flexibility to react to live traffic. Your ruleset may start out simple, but you can expand your protections rapidly during an attack by adding or tightening rules on an ACL that is already in place, rather than trying to create and attach one while the attack is under way, when a distribution update still needs several minutes to propagate to the edge locations.
SkySiege’s AWS Vulnerability Scan automatically detects this finding across all AWS Regions, with the report delivered the same day.
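The check itself is simple to reproduce in your own account: list the distributions and flag any whose WebACLId is empty. The script below is an added example, not SkySiege's scanner or AWS code. Its sample data is constructed to mirror the shape of the CloudFront ListDistributions response (the distribution IDs, domain names and ARNs in it are made up), and it also separates distributions that still use WAF Classic, whose WebACLId is a bare UUID rather than a WAFv2 ARN, from those with no web ACL at all. The live path needs boto3 and credentials and runs only when the script is invoked with --live.

```python
"""Audit CloudFront distributions for a missing web ACL (added example, constructed data)."""
from __future__ import annotations

import sys
from dataclasses import dataclass

# Constructed sample in the shape of DistributionList.Items from ListDistributions.
SAMPLE_DISTRIBUTION_LIST = {
    "Items": [
        {   # protected by a WAFv2 web ACL: WebACLId holds the web ACL ARN
            "Id": "E1AAAAAAAAAAA1", "DomainName": "d111111abcdef8.cloudfront.net",
            "Enabled": True, "Aliases": {"Quantity": 1, "Items": ["www.example.com"]},
            "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/prod-acl/11111111-2222-3333-4444-555555555555",
        },
        {   # the finding: an enabled distribution with no web ACL at all
            "Id": "E2BBBBBBBBBBB2", "DomainName": "d222222abcdef8.cloudfront.net",
            "Enabled": True, "Aliases": {"Quantity": 1, "Items": ["api.example.com"]},
            "WebACLId": "",
        },
        {   # WAF Classic: WebACLId is a bare UUID, not an ARN
            "Id": "E3CCCCCCCCCCC3", "DomainName": "d333333abcdef8.cloudfront.net",
            "Enabled": True, "Aliases": {"Quantity": 0},
            "WebACLId": "a1b2c3d4-1111-2222-3333-444455556666",
        },
        {   # disabled distribution without a web ACL: lower priority, still reportable
            "Id": "E4DDDDDDDDDDD4", "DomainName": "d444444abcdef8.cloudfront.net",
            "Enabled": False, "Aliases": {"Quantity": 0},
            "WebACLId": "",
        },
    ]
}


@dataclass(frozen=True)
class Finding:
    distribution_id: str
    domain_name: str
    aliases: tuple[str, ...]
    enabled: bool
    waf: str  # "wafv2", "waf-classic" or "none"


def classify_web_acl(web_acl_id: str) -> str:
    """Empty string means no web ACL; WAFv2 stores an ARN, WAF Classic a bare ID."""
    if not web_acl_id:
        return "none"
    if web_acl_id.startswith("arn:aws:wafv2:"):
        return "wafv2"
    return "waf-classic"


def audit_distributions(distribution_list: dict) -> list[Finding]:
    findings = []
    for item in distribution_list.get("Items", []):
        findings.append(Finding(
            distribution_id=item["Id"],
            domain_name=item["DomainName"],
            aliases=tuple(item.get("Aliases", {}).get("Items", [])),
            enabled=bool(item.get("Enabled", False)),
            waf=classify_web_acl(item.get("WebACLId", "")),
        ))
    return findings


def unprotected(findings: list[Finding], include_disabled: bool = False) -> list[Finding]:
    """Distributions with no web ACL; disabled ones are excluded unless asked for."""
    return [f for f in findings if f.waf == "none" and (f.enabled or include_disabled)]


def legacy_waf(findings: list[Finding]) -> list[Finding]:
    """Distributions still on WAF Classic, which should be migrated to WAFv2."""
    return [f for f in findings if f.waf == "waf-classic"]


def fetch_distribution_list() -> dict:
    """Live path: CloudFront is global, so one paginated call covers the account."""
    import boto3  # imported here so the offline sample runs without boto3 installed
    client = boto3.client("cloudfront")
    items: list[dict] = []
    for page in client.get_paginator("list_distributions").paginate():
        items.extend(page["DistributionList"].get("Items", []))
    return {"Items": items}


if __name__ == "__main__":
    data = fetch_distribution_list() if "--live" in sys.argv else SAMPLE_DISTRIBUTION_LIST
    findings = audit_distributions(data)
    for f in unprotected(findings, include_disabled=True):
        state = "enabled" if f.enabled else "disabled"
        print(f"NO WEB ACL  {f.distribution_id} {f.domain_name} ({state}) {', '.join(f.aliases)}")
    for f in legacy_waf(findings):
        print(f"WAF CLASSIC {f.distribution_id} {f.domain_name}")
```

Run against the constructed sample it reports E2BBBBBBBBBBB2 and E4DDDDDDDDDDD4 as lacking a web ACL and E3CCCCCCCCCCC3 as still on WAF Classic; with --live it reads the real account through boto3's ListDistributions paginator.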
How the firewall is introduced matters, because simply attaching a web ACL with blocking rules can disrupt legitimate traffic. It is therefore worth understanding how AWS WAF works, which rules are available and how those rules would affect your current traffic before enforcing them. The AWS Managed Rules groups are a good starting point, but some of their rules block legitimate traffic depending on the use case; the Core rule set's request body size restriction, for example, rejects uploads that a file-handling API may legitimately accept. A safe approach is to deploy new rule groups in Count mode first, review the sampled requests and CloudWatch metrics they produce, and switch them to blocking only once the false positives have been dealt with.
For guidance on AWS WAF and on determining which rules best suit your service, get in touch for architectural support.
AWS WAF attaches to compatible services (CloudFront distributions, Application Load Balancers, API Gateway REST APIs and others) as a web ACL. Every incoming HTTP(S) request is evaluated against the web ACL's rules in priority order; when a request matches a rule, WAF applies that rule's action: Allow, Block, Count (record the match and continue evaluating), CAPTCHA, or Challenge (a silent browser challenge). A request that matches no terminating rule falls through to the web ACL's default action, which is normally Allow.
The available rule set is large. AWS publishes managed rule groups, some of which should almost always be active (for example the Core rule set, whose UserAgent_BadBots_HEADER rule blocks common bad-bot user agents, together with the Known Bad Inputs rule set and the Amazon IP reputation list) and others that are situational (such as the SQL database, Linux, PHP, WordPress and Bot Control rule groups). You can also add your own rules and rule groups alongside them.
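The following script ties the two points above together: it builds a WAFv2 web ACL for CloudFront from a few managed rule groups plus a rate-based rule, staged in Count mode so that nothing is blocked until the results have been reviewed, and shows how the ACL is attached to a distribution. This is an added example, not SkySiege's or AWS's code. The managed rule group names are the real AWS Managed Rules identifiers; the web ACL name, the per-IP rate limit and the distribution ID are assumptions. The validate_web_acl function catches the two mistakes the CreateWebACL API rejects most often: duplicate priorities, and mixing up Action (for ordinary rules) with OverrideAction (required for rule group statements).

```python
"""Build, validate and attach a staged WAFv2 web ACL for CloudFront (added example)."""
from __future__ import annotations

# AWS Managed Rules groups, vendor "AWS". Bot Control is omitted here because it is
# separately priced and needs extra configuration.
MANAGED_GROUPS = (
    "AWSManagedRulesAmazonIpReputationList",
    "AWSManagedRulesCommonRuleSet",
    "AWSManagedRulesKnownBadInputsRuleSet",
    "AWSManagedRulesSQLiRuleSet",
)


def _visibility(metric_name: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


def managed_group_rule(name: str, priority: int, staged: bool) -> dict:
    """A rule group statement takes an OverrideAction, never an Action. Count during
    staging records what the group would have blocked without blocking it."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}},
        "OverrideAction": {"Count": {}} if staged else {"None": {}},
        "VisibilityConfig": _visibility(name),
    }


def rate_limit_rule(priority: int, limit: int, staged: bool) -> dict:
    """Rate-based rule: acts on any source IP exceeding `limit` requests in 5 minutes.
    Ordinary rules take an Action; Count gives the same staging effect."""
    return {
        "Name": "RateLimitPerIP",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
        "Action": {"Count": {}} if staged else {"Block": {}},
        "VisibilityConfig": _visibility("RateLimitPerIP"),
    }


def build_web_acl(name: str, staged: bool = True, rate_limit: int = 2000) -> dict:
    """CreateWebACL request body. CloudFront web ACLs use Scope CLOUDFRONT and live in us-east-1."""
    rules = [managed_group_rule(group, i, staged) for i, group in enumerate(MANAGED_GROUPS)]
    rules.append(rate_limit_rule(len(rules), rate_limit, staged))
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},  # unmatched requests pass; the rules only subtract
        "Description": "staged (Count mode)" if staged else "enforcing",
        "Rules": rules,
        "VisibilityConfig": _visibility(name),
    }


def validate_web_acl(acl: dict) -> list[str]:
    """Return a list of problems; an empty list means the spec is well-formed."""
    problems = []
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        problems.append("duplicate rule priorities")
    for r in acl["Rules"]:
        is_group = any(k in r["Statement"] for k in ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement"))
        if "Action" in r and "OverrideAction" in r:
            problems.append(f"{r['Name']}: Action and OverrideAction are mutually exclusive")
        elif is_group and "OverrideAction" not in r:
            problems.append(f"{r['Name']}: rule group statements need OverrideAction")
        elif not is_group and "Action" not in r:
            problems.append(f"{r['Name']}: rules need an Action")
    if acl["Scope"] != "CLOUDFRONT":
        problems.append("CloudFront web ACLs require Scope CLOUDFRONT")
    return problems


def create_and_attach(distribution_id: str, acl: dict) -> str:
    """Live path (needs boto3 and credentials). CloudFront associates a web ACL by
    setting WebACLId in the distribution config, not through wafv2 associate_web_acl."""
    import boto3
    wafv2 = boto3.client("wafv2", region_name="us-east-1")
    arn = wafv2.create_web_acl(**acl)["Summary"]["ARN"]
    cloudfront = boto3.client("cloudfront")
    current = cloudfront.get_distribution_config(Id=distribution_id)
    config = current["DistributionConfig"]
    config["WebACLId"] = arn
    cloudfront.update_distribution(Id=distribution_id, IfMatch=current["ETag"], DistributionConfig=config)
    return arn


if __name__ == "__main__":
    acl = build_web_acl("cloudfront-edge-acl", staged=True)  # assumed name
    problems = validate_web_acl(acl)
    print(problems or f"{len(acl['Rules'])} rules, all in Count mode; review sampled requests, then rebuild with staged=False")
```

Run as-is the script only builds and validates the staged request; calling create_and_attach("E2BBBBBBBBBBB2", acl) against a real account would create the web ACL in us-east-1 and point the distribution at it. After a period in Count mode, rebuild with staged=False and use wafv2 update_web_acl with the ACL's LockToken to switch the same rules to enforcement.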
We recommend: