CloudFront distributions should be protected by WAFs
Description
An AWS WAF web ACL should be associated with every CloudFront distribution to protect the web applications behind it from common web exploits that could affect application availability, compromise security, or consume excessive resources. A distribution with no web ACL attached passes every request straight to the origin.
Remediation Steps
AWS Console
Navigate to WAF.
In the navigation pane, choose Web ACLs.
Choose the web ACL that you want to associate with a CloudFront distribution.
On the Rules tab, under AWS resources using this web ACL, choose Add association.
When prompted, use the Resource list to choose the CloudFront distribution that you want to associate this web ACL with.
Choose Add.
To associate this web ACL with an additional CloudFront distribution, repeat the last three steps.
AWS CLI
Get the ID of the web ACL to associate with the CloudFront distribution (this command lists AWS WAF Classic web ACLs; a WAFv2 web ACL is referenced by its ARN instead, as in the CloudFormation and Terraform examples below):
aws waf list-web-acls --output table --query 'WebACLs[*].WebACLId'
Get the ID of the CloudFront CDN distribution you want to remediate:
aws cloudfront list-distributions --output table --query 'DistributionList.Items[*].Id'
Save the distribution configuration to a file:
aws cloudfront get-distribution-config --id <distribution_id> > distribution-config.json
Modify the configuration file so the WebACLId attribute is changed to the web ACL ID from the first step:
"WebACLId": "df6bd310-6012-4870-0000-123456789012",
Modify the configuration file to remove the following from the beginning of the file. Note the value of the "ETag" attribute before deleting it, because it is required for the final command:
{
"ETag": "ETag_Value",
"DistributionConfig":
Remove the last brace
}
at the very end of the configuration file, so that the file contains only the DistributionConfig object.
Update the distribution configuration from the saved configuration file:
aws cloudfront update-distribution --id <distribution_id> --distribution-config file://distribution-config.json --if-match <etag_attribute>
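The hand edits above (note the ETag, strip the wrapper, set WebACLId) are easy to get wrong; the following Python is an added example, not code from the original page or from the AWS CLI, that performs them on a constructed sample of get-distribution-config output and also flags distributions whose WebACLId is empty. The WAFv2 ARN and WAF Classic ID patterns are assumptions based on the formats shown on this page.

```python
import json
import re

# Constructed sample of `aws cloudfront get-distribution-config` output (the ETag and
# config values are made up for this example, not taken from a real account).
SAMPLE_GET_OUTPUT = json.loads("""{
  "ETag": "E2QWRUHAPOMQZL",
  "DistributionConfig": {"CallerReference": "example-ref", "Enabled": true, "WebACLId": ""}
}""")

# Patterns assumed from the formats this page shows: a WAFv2 web ACL for CloudFront is
# referenced by its global (us-east-1) ARN, a WAF Classic web ACL by its UUID-style ID.
WAFV2_GLOBAL_ARN = re.compile(r"^arn:aws:wafv2:us-east-1:\d{12}:global/webacl/[^/]+/[0-9a-f-]{36}$")
WAF_CLASSIC_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

def web_acl_kind(value):
    """Classify a WebACLId value: 'wafv2', 'classic', 'none' (no WAF) or 'invalid'."""
    if not value:
        return "none"
    if WAFV2_GLOBAL_ARN.match(value):
        return "wafv2"
    if WAF_CLASSIC_ID.match(value):
        return "classic"
    return "invalid"

def unprotected_distributions(items):
    """IDs of distributions (DistributionList.Items from list-distributions) with no web ACL."""
    return [d["Id"] for d in items if web_acl_kind(d.get("WebACLId", "")) == "none"]

def prepare_update_config(get_output, web_acl):
    """Build the update-distribution inputs from get-distribution-config output.

    Returns (etag, config): etag is the value for --if-match; config is the DistributionConfig
    object with WebACLId set and the outer wrapper removed, i.e. the file:// argument's content.
    """
    kind = web_acl_kind(web_acl)
    if kind not in ("wafv2", "classic"):
        raise ValueError(f"not a WAFv2 ARN or WAF Classic ID: {web_acl!r} ({kind})")
    config = dict(get_output["DistributionConfig"])  # copy; leave the input untouched
    config["WebACLId"] = web_acl
    return get_output["ETag"], config

if __name__ == "__main__":
    acl = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a"
    etag, config = prepare_update_config(SAMPLE_GET_OUTPUT, acl)
    with open("distribution-config.json", "w") as fh:
        json.dump(config, fh, indent=2)  # pass as --distribution-config file://distribution-config.json
    print("use --if-match", etag)
```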
CloudFormation
JSON
Ensure that AWS::CloudFront::Distribution contains the following:
{
  "Properties" : {
    "DistributionConfig" : {
      "WebACLId" : "arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a"
    }
  }
}
JSON Example Configuration
{
  "Type" : "AWS::CloudFront::Distribution",
  "Properties" : {
    "DistributionConfig" : {
      "WebACLId" : "arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a"
    }
  }
  # other required fields here
}
YAML
Ensure that AWS::CloudFront::Distribution contains the following:
Properties:
  DistributionConfig:
    WebACLId: arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a
YAML Example Configuration
Type: AWS::CloudFront::Distribution
Properties:
  DistributionConfig:
    WebACLId: arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/473e64fd-f30b-4765-81a0-62ad96dd167a
# other required fields here
Terraform
Ensure that the aws_cloudfront_distribution resource includes a web_acl_id field that specifies the AWS WAF web ACL to associate with this distribution. To specify a web ACL created using the latest version of AWS WAF (WAFv2), use the ACL ARN. To specify a web ACL created using AWS WAF Classic, use the ACL ID. The WAF web ACL must exist in the WAF Global (CloudFront) region, and the credentials configuring this argument must have waf:GetWebACL permissions assigned.
Example Configuration
resource "aws_cloudfront_distribution" "example" {
  # Reference the ACL resource directly; wrapping it in quotes would pass the
  # literal text "aws_wafv2_web_acl.example.arn" instead of the ACL's ARN.
  web_acl_id = aws_wafv2_web_acl.example.arn
  # other required fields here
}