I want to protect my web application from web threats with Amazon CloudFront and AWS WAF.
Short description
Common application layer attacks include SQL injection and cross-site scripting (XSS). To protect your web application from these attacks, configure CloudFront with AWS WAF to inspect HTTP/HTTPS requests at edge locations. AWS WAF can then block malicious traffic before it reaches your origin servers. For more information, see Common use cases for protecting CloudFront distributions with AWS WAF.
Resolution
Prerequisites:
- An Application Load Balancer that routes traffic to your Amazon Elastic Compute Cloud (Amazon EC2) instance or any other AWS Regional endpoints.
- Your application content is deployed and running.
- You have the required permissions to configure CloudFront and AWS WAF.
Set up CloudFront
To set up CloudFront to act as a security shield, complete the following steps:
- Open the CloudFront console.
- Create a distribution.
- In the Origin domain field, enter your website's address.
- Under Viewer Protocol Policy, choose Redirect HTTP to HTTPS.
- Choose Create distribution.
Note: When you cache static and dynamic content at the edge location, you reduce the number of requests that reach your origin. This action cuts costs and improves performance.
Set up AWS WAF
To set up AWS WAF to act as a security guard, complete the following steps:
- Open the AWS WAF console.
- Create a web ACL (web access control list).
- Choose your AWS Region.
- Give it a name. For example, "MyWebsiteProtection".
- Choose Add rules, and then choose Add rate-based rule. Enter the following rate limit rule: set it to block IP addresses that send too many requests. For example, 2,000 requests per 5 minutes.
- Choose Add rules, and then choose Add managed rules. Add an AWS Managed Rules core rule set (CRS). The CRS includes protection against common attacks such as SQL injection and XSS.
Note: Edge locations enforce AWS WAF rules and stop malicious traffic closer to the source.
- Select Next, and then choose Create web ACL.
Note: You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more information, see Getting started with AWS WAF using the updated console experience.
Connect AWS WAF to CloudFront
To make sure that AWS WAF and CloudFront work together, complete the following steps:
- Open the AWS WAF console.
- Select your web ACL.
- Choose Associated AWS resources.
- Select Add AWS resources.
- Select your CloudFront distribution.
- Choose Add. For more information, see Using AWS WAF with Amazon CloudFront.
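The web ACL from the "Set up AWS WAF" steps (a rate-based rule plus the AWS Managed Rules core rule set) and the CloudFront association, expressed as a WAFv2 API request instead of console clicks. This is an added example, not code from the article or from AWS; the rule names, metric names, and the 2,000-requests-per-300-seconds values are assumptions chosen to match the steps above.

```python
def build_web_acl_request(name="MyWebsiteProtection", rate_limit=2000, window_sec=300):
    """Keyword arguments for wafv2 create_web_acl(). A web ACL for CloudFront
    must use scope CLOUDFRONT and is managed through the us-east-1 endpoint."""
    def visibility(metric):  # per-rule CloudWatch metrics + sampled requests
        return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
                "MetricName": metric}

    rate_rule = {  # "block IP addresses that send too many requests"
        "Name": "RateLimitPerIP",
        "Priority": 0,
        "Action": {"Block": {}},
        "Statement": {"RateBasedStatement": {
            "Limit": rate_limit,               # requests per window ...
            "EvaluationWindowSec": window_sec,  # ... of 300 s = 5 minutes
            "AggregateKeyType": "IP"}},
        "VisibilityConfig": visibility("RateLimitPerIP"),
    }
    crs_rule = {  # AWS Managed Rules core rule set (SQLi, XSS, ...)
        "Name": "AWSManagedRulesCommonRuleSet",
        "Priority": 1,
        # The group's own rule actions apply; {"Count": {}} here would make
        # the whole group monitor-only instead of blocking.
        "OverrideAction": {"None": {}},
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
        "VisibilityConfig": visibility("CommonRuleSet"),
    }
    return {"Name": name, "Scope": "CLOUDFRONT",
            "DefaultAction": {"Allow": {}},   # allow whatever no rule blocks
            "Rules": [rate_rule, crs_rule],
            "VisibilityConfig": visibility(name)}


def check_request(req):
    """Pre-flight checks: CloudFront scope, unique rule priorities, and a
    default action that does not lock out all traffic."""
    prios = [r["Priority"] for r in req["Rules"]]
    return (req["Scope"] == "CLOUDFRONT" and len(prios) == len(set(prios))
            and "Allow" in req["DefaultAction"])


if __name__ == "__main__":
    import boto3
    req = build_web_acl_request()
    assert check_request(req)
    acl = boto3.client("wafv2", region_name="us-east-1").create_web_acl(**req)
    # Attach to the distribution by setting WebACLId in its config to
    # acl["Summary"]["ARN"] (CloudFront UpdateDistribution); the WAF
    # associate_web_acl() call does not take CloudFront distributions.
    print(acl["Summary"]["ARN"])
```

Running the script needs AWS credentials with WAF permissions; the functions themselves build and check the request offline.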
Set up monitoring
Note: To activate standard logs, you must use the pro plan or pay as you go plan. For more information, see Amazon CloudFront pricing. CloudWatch offers a free tier, but charges apply when you exceed the free tier limits. For more information, see Amazon CloudWatch pricing.
To set up monitoring in CloudFront, complete the following steps:
- Open the CloudFront console.
- Choose your distribution.
- Go to Logs.
- Turn on standard logging.
To set up monitoring in AWS WAF, complete the following steps:
- Open the AWS WAF console.
- Open your web ACL.
- Choose Logging and metrics.
- Turn on logging. For more information, see CloudFront and edge function logging.
Related information
Automating application layer DDoS mitigation with Shield Advanced
Accelerate and protect your websites using Amazon CloudFront and AWS WAF