Mitigate Common Web Threats with One Click in Amazon CloudFront
You can now add
This blog relates to Amazon CloudFront, an Amazon Web Services service that you can use to deliver data, videos, applications, and APIs securely to your customers globally with low latency and high transfer speeds. CloudFront improves the performance of static and dynamic applications by caching content close to users, terminating TLS connections close to users, and routing user requests through Amazon Web Services’s private backbone rather than the public Internet.
Publicly accessible web applications and APIs are exposed to threats such as the commonly occurring vulnerabilities described in the OWASP Top 10, SQL injection, automated requests, and HTTP floods (a form of denial of service, or DoS) that can affect availability, compromise security, or consume excessive resources. Amazon Web Services WAF, a web application firewall, inspects incoming requests and helps you block these types of threats before they reach your servers. You secure a CloudFront distribution with Amazon Web Services WAF by attaching a web access control list (web ACL) that contains the security rules you want to enforce.
CloudFront now handles creating and configuring an Amazon Web Services WAF web ACL with out-of-the-box protections recommended by Amazon Web Services for all applications. This provides your application with a first line of defense against web threats. The included security protections block IP addresses from potential threats based on Amazon internal threat intelligence, protect against the most common vulnerabilities found in web applications as described in the OWASP Top 10, and defend against malicious actors discovering application vulnerabilities. Optionally, you can configure additional security protections later on against bots and fraud or other threats specific to your application in the Amazon Web Services WAF console.
Enable security protections in CloudFront with one click
You can enable security protections with Amazon Web Services WAF for both new and existing CloudFront distributions.
- Open the Amazon CloudFront console.
- Create a distribution by choosing Create distribution, and then enter the origin you would like to protect. Alternatively, choose Edit for an existing distribution.
- In the Web Application Firewall (WAF) section, select Enable security protections.
- Review the remaining distribution settings and choose Create distribution, or Save settings if you are editing an existing distribution.

Figure 1: Enable security protections with Amazon Web Services WAF for the distribution
CloudFront creates an Amazon Web Services WAF web ACL, configures rules to protect your servers from common web threats, and attaches the web ACL to the CloudFront distribution for you. You can see the resulting Amazon Web Services WAF web ACL after creating or editing your distribution. Choose the link to open the web ACL in the Amazon Web Services WAF console.

Figure 2: Review the distribution and web ACL
The Overview tab shows the requests that were inspected by the web ACL.

Figure 3: Review requests allowed or blocked by the Amazon Web Services WAF web ACL
Choose the Rules tab to view the three rules that are automatically created by CloudFront security protections:
- AWS-AWSManagedRulesAmazonIpReputationList – Block IP addresses from potential threats based on Amazon internal threat intelligence.
- AWS-AWSManagedRulesCommonRuleSet – Protect against the most common vulnerabilities found in web applications as described in the OWASP Top 10.
- AWS-AWSManagedRulesKnownBadInputsRuleSet – Protect against malicious actors discovering application vulnerabilities.

Figure 4: Web ACL Rules automatically created for the CloudFront distribution
Configure additional protections
Amazon Web Services WAF has additional rules you can add to your web ACL to protect against other types of web threats depending on your application’s needs.
HTTP floods are a type of DoS attack that inundates your web application with an unusually high number of HTTP requests. By
Bot traffic can result in a poor customer experience by hoarding limited inventory, generating fraudulent credit card transactions, or increasing hosting costs.
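The console procedure above and the "additional protections" paragraphs describe what ends up in the web ACL without showing it. The following is an added example, not code from the original post or from Amazon Web Services: it builds the wafv2 web ACL body that reproduces the three one-click rule groups named above, optionally adds a rate-based rule for HTTP floods, and checks the constraints that CreateWebACL enforces (CLOUDFRONT scope, unique priorities, OverrideAction on rule-group references versus Action on ordinary rules). The web ACL name, the count-mode staging flag and the rate limit value are illustrative assumptions; size the limit from your own request volume.

```python
"""Reproduce the CloudFront one-click web ACL as a wafv2 definition.

Added example (not code from the original post or from AWS). The three rule
group names are those listed in the post; the JSON layout is the wafv2
CreateWebACL request shape. The web ACL name, the count-mode staging flag and
the rate limit value are illustrative assumptions.
"""
import json
from typing import List, Optional

# The three AWS managed rule groups CloudFront attaches. Priority 0 is
# evaluated first, matching the order on the web ACL's Rules tab.
ONE_CLICK_RULE_GROUPS = [
    "AWSManagedRulesAmazonIpReputationList",  # Amazon threat-intelligence IPs
    "AWSManagedRulesCommonRuleSet",           # OWASP Top 10 style protections
    "AWSManagedRulesKnownBadInputsRuleSet",   # probes for known-bad inputs
]


def managed_rule(group: str, priority: int, count_only: bool = False) -> dict:
    """Rule referencing one AWS managed rule group.

    count_only=True sets OverrideAction to Count: the group still records
    matches in sampled requests and CloudWatch metrics but never blocks.
    Staging an existing application this way first is how you find false
    positives before switching the override back to None (enforce).
    """
    name = f"AWS-{group}"
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}
        },
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def rate_based_rule(limit: int, priority: int) -> dict:
    """Optional HTTP-flood rule: block a source IP once it exceeds `limit`
    requests in WAF's trailing 5-minute window. The limit is an assumption;
    size it from the distribution's Cache statistics report."""
    return {
        "Name": "RateLimitPerIP",
        "Priority": priority,
        "Statement": {
            "RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": "RateLimitPerIP",
        },
    }


def build_web_acl(name: str, count_only: bool = False,
                  rate_limit: Optional[int] = None) -> dict:
    """Full web ACL body. CLOUDFRONT-scope web ACLs are created in us-east-1,
    and the resulting ARN goes into the distribution's WebACLId setting."""
    rules = [managed_rule(g, i, count_only)
             for i, g in enumerate(ONE_CLICK_RULE_GROUPS)]
    if rate_limit is not None:
        rules.append(rate_based_rule(rate_limit, len(rules)))
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},   # only what a rule blocks is blocked
        "Rules": rules,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def validate(acl: dict) -> List[str]:
    """Catch mistakes CreateWebACL rejects: wrong scope, duplicate priorities,
    and mixing Action with OverrideAction (rule-group references take
    OverrideAction only; every other rule takes Action only)."""
    problems = []
    if acl.get("Scope") != "CLOUDFRONT":
        problems.append("CloudFront distributions need a CLOUDFRONT-scope web ACL")
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        problems.append("rule priorities must be unique")
    for r in acl["Rules"]:
        is_group_ref = "ManagedRuleGroupStatement" in r["Statement"]
        if is_group_ref and ("OverrideAction" not in r or "Action" in r):
            problems.append(f"{r['Name']}: rule-group references use OverrideAction, not Action")
        if not is_group_ref and ("Action" not in r or "OverrideAction" in r):
            problems.append(f"{r['Name']}: regular rules use Action, not OverrideAction")
    return problems


if __name__ == "__main__":
    # Staged rollout: count only, plus a flood rule, then hand the rules to
    # `aws wafv2 create-web-acl --region us-east-1 --scope CLOUDFRONT ...
    #  --rules file://rules.json`.
    acl = build_web_acl("cloudfront-one-click", count_only=True, rate_limit=2000)
    assert validate(acl) == []
    print(json.dumps(acl["Rules"], indent=2))
```

Run it once with `count_only=True`, watch the Overview tab and sampled requests for a few days, then regenerate with `count_only=False` and update the web ACL; the rate-based rule is independent of the managed groups and can be kept in Block from the start if the limit is well above your legitimate per-client peak.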
Availability and pricing
One-click security protections with Amazon Web Services WAF are now available in the CloudFront console and can be used to configure new or existing CloudFront distributions. To learn more, see the
Standard Amazon Web Services WAF pricing applies. The Amazon Web Services WAF web ACL created by CloudFront has a cost estimate of $14/month for 10 million requests/month. Adding rules or serving a different request volume changes this estimate. To view the total number of requests for an existing CloudFront distribution, visit the Cache statistics report in the Reports & Analytics section of the CloudFront console. For information on pricing, see