
AWS CloudFront – WAF Integration

Security

Risk level: Medium (should be achieved)

Ensure that all your AWS CloudFront web distributions are integrated with the Web Application Firewall (AWS WAF) service to protect against application-layer attacks that can compromise the security of your web applications or place unnecessary load on them.

This rule resolution is part of the Cloud Conformity Security Package

With AWS Cloudfront – WAF integration enabled you will be able to block any malicious requests made to your Cloudfront Content Delivery Network based on the criteria defined in the WAF Web Access Control List (ACL) associated with the CDN distribution.

Audit

To determine if your Cloudfront distributions are integrated with AWS WAF, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that you want to examine.

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 On the General tab click the Edit button.

06 On the Distribution Settings page, verify the AWS WAF Web ACL configuration status. If AWS WAF Web ACL is set to None, the selected CDN distribution is not currently associated with a Web Access Control List (ACL) and is therefore not integrated with the AWS WAF service for protection against malicious viewers.

07 Repeat steps no. 3 – 6 for each Cloudfront CDN distribution available in your AWS account.

Using AWS CLI

01 Run list-distributions command (OSX/Linux/UNIX) using necessary filters to list the IDs of all Cloudfront distributions available in your account:

aws cloudfront list-distributions \
	--output table \
	--query 'DistributionList.Items[*].Id'

02 The command output should return a table with the requested metadata:

--------------------
|ListDistributions |
+------------------+
|  E2ZZAENK18GEUD  |
|  E2RX3E6TS8SFB9  |
|  GDE6G5KZMPD0BF  |
+------------------+

03 Run get-distribution command (OSX/Linux/UNIX) using the ID of the distribution that you want to examine as identifier, with appropriate filtering to expose the ID of the AWS WAF web ACL associated with the selected Cloudfront distribution:

aws cloudfront get-distribution \
	--id E2ZZAENK18GEUD \
	--query 'Distribution.DistributionConfig.WebACLId'

04 The command output should return a string representing the ID of the assigned web ACL:

""

If the returned string is empty, i.e. "", the selected distribution is not associated with an Access Control List (ACL), therefore is not integrated with the AWS WAF service for protection against harmful requests.

05 Repeat steps no. 3 and 4 to examine other CDN distributions available within your AWS account.
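The manual loop in steps 3 to 5 can be automated with a short script. The following is an added example, not part of the original page: it runs one list-distributions call (full JSON output rather than the table above, so WebACLId and the aliases are available), reports every distribution with an empty WebACLId, and exits non-zero when any is found so it can gate a pipeline. The SAMPLE document is constructed to mirror the CLI output shape, reusing the distribution IDs from the audit table above.

```python
"""Audit CloudFront distributions for a missing AWS WAF web ACL."""
import json
import subprocess
import sys


def find_unprotected(list_output):
    """Return (Id, aliases, enabled) for each distribution whose WebACLId is empty.

    list_output is the parsed JSON of `aws cloudfront list-distributions`.
    DistributionList.Items is absent when the account has no distributions,
    which yields an empty result rather than an error.
    """
    items = list_output.get("DistributionList", {}).get("Items", [])
    unprotected = []
    for item in items:
        if item.get("WebACLId", ""):
            continue  # a web ACL is attached, nothing to report
        aliases = item.get("Aliases", {}).get("Items", [])
        unprotected.append((item["Id"], aliases, item.get("Enabled", False)))
    return sorted(unprotected)  # sorted by distribution ID for stable reports


def main():
    raw = subprocess.check_output(
        ["aws", "cloudfront", "list-distributions", "--output", "json"])
    findings = find_unprotected(json.loads(raw))
    for dist_id, aliases, enabled in findings:
        state = "enabled" if enabled else "disabled"
        print(f"{dist_id}\t{state}\tno WAF web ACL\t{','.join(aliases) or '-'}")
    return 1 if findings else 0


# Constructed sample mimicking list-distributions output (not captured from a real account).
SAMPLE = {"DistributionList": {"Quantity": 3, "Items": [
    {"Id": "E2ZZAENK18GEUD", "WebACLId": "", "Enabled": True,
     "Aliases": {"Quantity": 1, "Items": ["cdn.cloudconformity.com"]}},
    {"Id": "E2RX3E6TS8SFB9", "WebACLId": "81d28f33-de1c-4a01-a4fb-fc4f83eec274",
     "Enabled": True, "Aliases": {"Quantity": 0}},
    {"Id": "GDE6G5KZMPD0BF", "WebACLId": "", "Enabled": False,
     "Aliases": {"Quantity": 0}},
]}}

if __name__ == "__main__":
    sys.exit(main())
```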

Remediation / Resolution

To integrate CloudFront with AWS WAF you must create the required WAF Access Control List and associate it with the appropriate web distribution. To define and assign a new web ACL, perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Web Application Firewall dashboard at https://console.aws.amazon.com/waf/.

03 In the left navigation panel, under AWS WAF section, choose Web ACLs.

04 Click Create web ACL button from the WAF dashboard top menu to initiate the Access Control List build process.

05 On the Name web ACL page, in the Web ACL name and CloudWatch metric name fields, provide names for the new WAF web ACL and the required AWS CloudWatch metric. Click Next to continue the ACL setup process.

06 On the Create Conditions page, choose one of the predefined conditions that you want to use to allow or block requests that are forwarded to your CloudFront web distribution(s). Click the Create condition button available within the chosen condition category to configure the condition access control filters based on your requirements. Once the necessary filters are defined, click Create to instantiate the new condition. Repeat the step to create as many conditions as needed. Click Next to continue the setup.

07 On the Create rules page, under Add rules to a web ACL, click Create rule to define the ACL rule that will reference one or more conditions, which must be satisfied in order to activate the rule. In the Create rule dialog box, provide names for the rule and the required CloudWatch metric, then add the necessary condition(s). Click Create to instantiate the new rule.

08 In the If a request matches all of the conditions in a rule, take the corresponding action section, select the appropriate action to take for each rule if a request matches the rule conditions.

09 In the If a request doesn't match any rules, take the default action section, choose the default action that the ACL must take if a request doesn't match any of the rules defined. Click Next to continue.

10 On the Choose AWS resource page, select from the Resource dropdown list the Cloudfront web distribution that you want to associate with this new WAF ACL.

11 Click Review and create button to open the Review and create page.

12 Review the web ACL settings then click Confirm and create to generate the ACL. Once created the new web ACL will be listed on the Web ACLs WAF page. On the AWS Cloudfront Distributions page, the associated distribution status will change from In Progress to Deployed once the configuration change is deployed through the entire CDN network (it should take less than 15 minutes).

(Optional): To associate the ACL created at the previous step with other CloudFront web distributions (other than the one selected during the ACL setup), perform the following:

Using AWS Console

01 Login to the AWS Management Console.

02 Navigate to Cloudfront dashboard at https://console.aws.amazon.com/cloudfront/.

03 On the Distributions page, select the CDN distribution that you want to update.

04 Click the Distribution Settings button from the dashboard top menu to access the selected distribution configuration page.

05 On the General tab click the Edit button.

06 On the Distribution Settings page, select the newly created ACL from the AWS WAF Web ACL dropdown list.

07 Click Yes, Edit to apply the changes. The CDN distribution status will change from In Progress to Deployed once the configuration change is deployed through the Cloudfront network.

08 Repeat steps no. 3 – 7 for each Cloudfront CDN distribution that requires AWS WAF integration.

Using AWS CLI

01 First, run get-change-token command (OSX/Linux/UNIX) to get a change token for working with the WAF service through AWS CLI. A change token is a unique string required each time you need to create, update or delete WAF objects, used to avoid sending conflicting API requests to AWS WAF service:

aws waf get-change-token

02 The command output should return the new WAF change token:

{
    "ChangeToken": "321c4206-aff3-462d-a1b7-cd1d8e6a0cbb"
}

03 Now begin to create the WAF components necessary for building the web Access Control List (ACL). Run create-ip-set command (OSX/Linux/UNIX) using the unique token generated at the previous step as parameter to create an IPSet object used to specify which web requests you want to block based on the IP addresses that the requests originate from:

aws waf create-ip-set \
	--name MaliciousIPs \
	--change-token 321c4206-aff3-462d-a1b7-cd1d8e6a0cbb

04 The command output should return the IPSet object metadata:

{
    "IPSet": {
        "IPSetId": "695ee7a9-4f75-40cf-823a-b7762e746a2e",
        "Name": "MaliciousIPs",
        "IPSetDescriptors": []
    },
    "ChangeToken": "321c4206-aff3-462d-a1b7-cd1d8e6a0cbb"
}

05 Create an IPSetDescriptor JSON object to define the IP addresses or IP ranges that you want to block with the ACL, then save the entire object definition in a JSON document named ipset-params.json:

[
  {
    "Action": "INSERT",
    "IPSetDescriptor": {
      "Type": "IPV4",
      "Value": "54.173.98.60/32"
    }
  }
]

06 Run update-ip-set command (OSX/Linux/UNIX) to attach the IPSetDescriptor object to the IPSet component created at step no. 3 by passing the JSON document defined at step no. 5 as command parameter:

aws waf update-ip-set \
	--ip-set-id 695ee7a9-4f75-40cf-823a-b7762e746a2e \
	--change-token 321c4206-aff3-462d-a1b7-cd1d8e6a0cbb \
	--updates file://ipset-params.json

07 The command output should return the WAF change token used to submit the API requests for creating the WAF components:

{
    "ChangeToken": "321c4206-aff3-462d-a1b7-cd1d8e6a0cbb"
}

08 Run create-rule command (OSX/Linux/UNIX) to create the WAF rule that will reference the IPSet object defined earlier. The rule is required by the ACL to block the requests that satisfy the condition set. Note that a newly created rule has no predicates (the Predicates list in the output below is empty), so the IPSet must still be added to the rule as an IPMatch predicate with the update-rule command before the rule can match any request:

aws waf create-rule \
	--name BlockMaliciousIPs \
	--metric-name BlockMaliciousIPsMetric \
	--change-token 321c4206-aff3-462d-a1b7-cd1d8e6a0cbb

09 The command output should return the new WAF rule metadata:

{
    "ChangeToken": "321c4206-aff3-462d-a1b7-cd1d8e6a0cbb",
    "Rule": {
        "Predicates": [],
        "MetricName": "BlockMaliciousIPsMetric",
        "Name": "BlockMaliciousIPs",
        "RuleId": "b5f0f89c-27d1-43d4-8a53-a1cb0d9874bb"
    }
}

10 Run create-web-acl command (OSX/Linux/UNIX) to create the AWS WAF web ACL that will be attached later to the Cloudfront web distribution:

aws waf create-web-acl \
	--name MaliciousWebContentViewers \
	--metric-name MaliciousWebContentViewersMetric \
	--default-action Type=BLOCK \
	--change-token 321c4206-aff3-462d-a1b7-cd1d8e6a0cbb

11 The command output should return the new web ACL metadata:

{
    "WebACL": {
        "DefaultAction": {
            "Type": "BLOCK"
        },
        "Rules": [],
        "MetricName": "MaliciousWebContentViewersMetric",
        "WebACLId": "81d28f33-de1c-4a01-a4fb-fc4f83eec274",
        "Name": "MaliciousWebContentViewers"
    },
    "ChangeToken": "321c4206-aff3-462d-a1b7-cd1d8e6a0cbb"
}

12 Define the ActivatedRule object that references the ACL rule created earlier and the action that must be taken when a request matches that rule. Save the definition in a JSON file named acl-rule-params.json:

[
  {
    "Action": "INSERT",
    "ActivatedRule": {
      "Priority": 1,
      "RuleId": "b5f0f89c-27d1-43d4-8a53-a1cb0d9874bb",
      "Action": {
        "Type": "BLOCK"
      }
    }
  }
]

13 Run update-web-acl command (OSX/Linux/UNIX) to attach the ActivatedRule object defined at the previous step to the AWS WAF ACL created earlier:

aws waf update-web-acl \
	--web-acl-id 81d28f33-de1c-4a01-a4fb-fc4f83eec274 \
	--change-token 321c4206-aff3-462d-a1b7-cd1d8e6a0cbb \
	--updates file://acl-rule-params.json

14 The command output should return the change token used to submit API requests to AWS WAF:

{
    "ChangeToken": "321c4206-aff3-462d-a1b7-cd1d8e6a0cbb"
}

15 Now that the AWS WAF web ACL is ready for use, take the necessary steps to associate it with your Cloudfront distribution(s). Run get-distribution-config command (OSX/Linux/UNIX) to extract the configuration information from the web distribution that you want to protect with AWS WAF. The following command returns the configuration object of a CDN distribution identified by the ID E2ZZAENK18GEUD:

aws cloudfront get-distribution-config \
	--id E2ZZAENK18GEUD

16 The command output should return the selected distribution configuration information:

{
    "ETag": "E3P4SFGSBMGZC",
    "DistributionConfig": {
        "Comment": "",
        "CacheBehaviors": {
            "Quantity": 0
        },
        "Logging": {
            "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
            "Prefix": "cloudconformity/",
            "Enabled": true,
            "IncludeCookies": false
        },
        "WebACLId": "",

        ...

        "ViewerCertificate": {
            "CloudFrontDefaultCertificate": true,
            "MinimumProtocolVersion": "SSLv3",
            "CertificateSource": "cloudfront"
        },
        "Restrictions": {
            "GeoRestriction": {
                "RestrictionType": "none",
                "Quantity": 0
            }
        },
        "Aliases": {
            "Items": [
                "cdn.cloudconformity.com"
            ],
            "Quantity": 1
        }
    }
}

17 Modify the configuration information returned at the previous step to attach the WAF web ACL created earlier: copy only the contents of the DistributionConfig object (the update-distribution command does not accept the surrounding ETag and DistributionConfig wrapper; the ETag is supplied separately at step no. 18), set the ACL ID as the WebACLId property value (as shown in the example below) and save the new configuration in a JSON document named distconfig-waf-integration.json:

{
    "Comment": "",
    "CacheBehaviors": {
        "Quantity": 0
    },
    "Logging": {
        "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
        "Prefix": "cloudconformity/",
        "Enabled": true,
        "IncludeCookies": false
    },
    "WebACLId": "81d28f33-de1c-4a01-a4fb-fc4f83eec274",
    "Origins": {
        "Items": [
            {
                "OriginPath": "/static/files",
                "CustomOriginConfig": {
                    "OriginProtocolPolicy": "https-only",
                    "HTTPPort": 80,
                    "OriginSslProtocols": {
                        "Items": [
                            "TLSv1",
                            "TLSv1.1",
                            "TLSv1.2"
                        ],
                        "Quantity": 3
                    },
                    "HTTPSPort": 443
                },
                "CustomHeaders": {
                    "Quantity": 0
                },
                "Id": "cloudconformity.com-custom-origin",
                "DomainName": "cloudconformity.com"
            }
        ],
        "Quantity": 1
    },
    "DefaultRootObject": "index.html",
    "PriceClass": "PriceClass_All",
    "Enabled": true,
    "DefaultCacheBehavior": {
        "TrustedSigners": {
            "Enabled": false,
            "Quantity": 0
        },
        "TargetOriginId": "cloudconformity.com-custom-origin",
        "ViewerProtocolPolicy": "allow-all",
        "ForwardedValues": {
            "Headers": {
                "Quantity": 0
            },
            "Cookies": {
                "Forward": "none"
            },
            "QueryString": false
        },
        "MaxTTL": 31536000,
        "SmoothStreaming": false,
        "DefaultTTL": 86400,
        "AllowedMethods": {
            "Items": [
                "HEAD",
                "DELETE",
                "POST",
                "GET",
                "OPTIONS",
                "PUT",
                "PATCH"
            ],
            "CachedMethods": {
                "Items": [
                    "HEAD",
                    "GET",
                    "OPTIONS"
                ],
                "Quantity": 3
            },
            "Quantity": 7
        },
        "MinTTL": 0,
        "Compress": false
    },
    "CallerReference": "1472460217570",
    "ViewerCertificate": {
        "CloudFrontDefaultCertificate": true,
        "MinimumProtocolVersion": "SSLv3",
        "CertificateSource": "cloudfront"
    },
    "CustomErrorResponses": {
        "Quantity": 0
    },
    "Restrictions": {
        "GeoRestriction": {
            "RestrictionType": "none",
            "Quantity": 0
        }
    },
    "Aliases": {
        "Items": [
            "cdn.cloudconformity.com"
        ],
        "Quantity": 1
    }
}

18 Finally, run update-distribution command (OSX/Linux/UNIX) to update your AWS Cloudfront distribution in order to integrate it with the AWS WAF service. The following command example updates a CloudFront CDN web distribution with the ID E2ZZAENK18GEUD and the ETag E3P4SFGSBMGZC (an ETag is a header ID exposed when a CDN distribution configuration is retrieved, e.g. "ETag": "E3P4SFGSBMGZC"), using a JSON configuration document with the file name distconfig-waf-integration.json:

aws cloudfront update-distribution \
	--id E2ZZAENK18GEUD \
	--distribution-config file://distconfig-waf-integration.json \
	--if-match E3P4SFGSBMGZC

19 The command output should return the metadata for the updated CDN distribution:

{
    "Distribution": {
        "Status": "Deployed",
        "DomainName": "d2du1pcmpg6vep.cloudfront.net",
        "InProgressInvalidationBatches": 0,
        "DistributionConfig": {
            "Comment": "",
            "CacheBehaviors": {
                "Quantity": 0
            },
            "Logging": {
                "Bucket": "aws-cf-access-logs.s3.amazonaws.com",
                "Prefix": "cloudconformity/",
                "Enabled": true,
                "IncludeCookies": false
            },
            "WebACLId": "81d28f33-de1c-4a01-a4fb-fc4f83eec274",

            ...

            "Restrictions": {
                "GeoRestriction": {
                    "RestrictionType": "none",
                    "Quantity": 0
                }
            },
            "Aliases": {
                "Items": [
                    "cdn.cloudconformity.com"
                ],
                "Quantity": 1
            }
        },
        "ActiveTrustedSigners": {
            "Enabled": false,
            "Quantity": 0
        },
        "LastModifiedTime": "2016-08-30T11:23:46.754Z",
        "Id": "E2ZZAENK18GEUD"
    },
    "ETag": "E3P4SFGSBMGZC"
}
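Steps 15 to 18 (fetch the distribution configuration, set WebACLId, write it back with the ETag) are easy to get wrong by hand, because the object returned by get-distribution-config must be unwrapped and the ETag must be passed as --if-match. The following is an added example, not part of the original page: it wraps those steps around the AWS CLI, refuses to silently replace a different web ACL that is already attached, and sends only the DistributionConfig object back. The SAMPLE document is constructed in the shape of the get-distribution-config output above, trimmed to a few properties.

```python
"""Attach an AWS WAF web ACL to a CloudFront distribution via the AWS CLI."""
import json
import subprocess
import sys


def attach_web_acl(get_config_output, web_acl_id, replace_existing=False):
    """Return (etag, distribution_config) ready for update-distribution.

    get_config_output is the parsed JSON of `aws cloudfront get-distribution-config`.
    Raises ValueError when a different web ACL is already attached and
    replace_existing is False, so an existing protection is never swapped by accident.
    The input document is not modified.
    """
    etag = get_config_output["ETag"]
    config = dict(get_config_output["DistributionConfig"])  # shallow copy, only WebACLId changes
    current = config.get("WebACLId", "")
    if current and current != web_acl_id and not replace_existing:
        raise ValueError(f"distribution already uses web ACL {current}")
    config["WebACLId"] = web_acl_id
    return etag, config


def aws(*args):
    """Run one AWS CLI command and parse its JSON output."""
    return json.loads(subprocess.check_output(["aws", *args, "--output", "json"]))


def main(dist_id, web_acl_id):
    current = aws("cloudfront", "get-distribution-config", "--id", dist_id)
    etag, config = attach_web_acl(current, web_acl_id)
    # --if-match makes CloudFront reject the update if the config changed since the GET.
    result = aws("cloudfront", "update-distribution", "--id", dist_id,
                 "--if-match", etag, "--distribution-config", json.dumps(config))
    dist = result["Distribution"]
    print(dist["Id"], dist["Status"], dist["DistributionConfig"]["WebACLId"])


# Constructed sample shaped like get-distribution-config output (values from this page).
SAMPLE = {"ETag": "E3P4SFGSBMGZC", "DistributionConfig": {
    "CallerReference": "1472460217570", "Comment": "", "Enabled": True, "WebACLId": "",
    "Aliases": {"Quantity": 1, "Items": ["cdn.cloudconformity.com"]}}}

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: attach_web_acl.py <distribution-id> <web-acl-id>")
    main(sys.argv[1], sys.argv[2])
```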


Publication date Aug 30, 2016