AWS Cloud Front - WAF Integration
Ensure that all your AWS CloudFront web distributions are integrated with the Web Application Firewall (AWS WAF) service to protect against application-layer attacks
Risk Level: Medium
Cloud Entity: Amazon CloudFront
CloudGuard Rule ID: D9.AWS.NET.36
Covered by Spectral: Yes
Category: Networking & Content Delivery
GSL LOGIC
CloudFront where region unlike 'cn_%' should have distributionConfig.webACLId
REMEDIATION
From Portal
- Login to the AWS Management Console and open Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.
- On the Distributions page, select the relevant CDN.
- On the General tab click the Edit button.
- On the Distribution Settings page, verify the AWS WAF Web ACL configuration status. If AWS WAF Web ACL is set to None:, AWS WAF is not associated with an Access Control List (ACL).
- Edit the Settings in under General tab.
- Add a AWS WAF web ACL to the distribution.
- Click on Save changes.
From TF
while creating cloudfront add the web acl ID.
resource "aws_cloudfront_distribution" "test" {
+ web_acl_id = "ID"
}
From Command Line
To create WAF ACL and update the configuration to integrate with CloudFront, run:
aws waf create-web-acl --name NAME --metric-name METRIC_NAME --default-action Type=BLOCK --change-token TOKEN
aws cloudfront update-distribution --id ID --distribution-config file://FILE.json
References
- https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html
- https://docs.aws.amazon.com/waf/latest/developerguide/classic-cloudfront-features.html
- https://docs.aws.amazon.com/cli/latest/reference/wafv2/create-web-acl.html
- https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html
- https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/wafregional_web_acl_association
Amazon CloudFront
Amazon CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, image, and media files, to end users. CloudFront delivers your content through a worldwide network of edge locations. When an end user requests content that you're serving with CloudFront, the user is routed to the edge location that provides the lowest latency, so content is delivered with the best possible performance. If the content is already in that edge location, CloudFront delivers it immediately.
Compliance Frameworks
- AWS CIS Controls V 8
- AWS CloudGuard Best Practices
- AWS CloudGuard SOC2 based on AICPA TSC 2017
- AWS CloudGuard Well Architected Framework
- AWS HITRUST
- AWS HITRUST v11.0.0
- AWS ISO27001:2022
- AWS ITSG-33
- AWS MAS TRM Framework
- AWS MITRE ATT&CK Framework v10
- AWS MITRE ATT&CK Framework v11.3
- AWS NIST 800-53 Rev 5
- CloudGuard AWS All Rules Ruleset
Updated over 1 year ago