Amazon CloudFront Security Recommendations and One-Click Security Protections

Ravi Intodia
2 min read · Sep 29, 2023

Many of us use CloudFront as the entry point to our applications from across the globe, so applying the required security settings to counter ever-changing threats and vulnerabilities becomes a challenging job. If you have ever struggled with which security rules need to be implemented at CloudFront, then this article is for you.

AWS has brought in new enhancements that make it easier to decide on and implement the right security boundaries for our CloudFront distributions.

One-Click Security Protections were introduced a few months back. They enable users to secure their CloudFront distributions against common web threats with out-of-the-box AWS WAF protection in a single click. So your web apps, APIs and static content exposed via CloudFront can be secured from day 1 while you figure out the additional protections required based on the nature of your workloads.

How to enable one-click protections:

→ Go to CloudFront console

→ Create Distribution or Edit existing distribution

(Screenshot: enabling for an existing CloudFront distribution)

→ In the WAF section, select Enable security protections

→ Optional: the “Use existing WAF configuration” option is enabled only if you have web ACLs configured in WAF. Select your existing web ACL from the table.

→ Check Price Estimate

→ Review/Complete other CloudFront settings and Save.

With the CloudFront upgrades of Sep 2023, you will now see additional protections offered as recommendations based on your CloudFront configuration. You can select the recommended protections from the same WAF section of the CloudFront console, and your applications will be more secure with just a click of the Save button.

In the screenshot for this example, SQL protections and rate limiting are recommended based on the CloudFront configuration.
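To confirm the outcome outside the console, the following added example (not part of the original article) audits distributions for a missing web ACL and for the two recommended protections named above. All sample data is constructed; the mapping of "SQL protections" to the AWS managed rule group `AWSManagedRulesSQLiRuleSet`, the distribution IDs and the account number are assumptions.

```python
SQLI_GROUP = "AWSManagedRulesSQLiRuleSet"  # assumed meaning of "SQL protections"
ARN = "arn:aws:wafv2:us-east-1:111122223333:global/webacl/"  # constructed account
# Constructed sample, shaped like `aws cloudfront list-distributions` output.
DISTRIBUTIONS = {"DistributionList": {"Items": [
    {"Id": "EXAMPLEDIST1", "WebACLId": ""},
    {"Id": "EXAMPLEDIST2", "WebACLId": ARN + "basic/0001"},
    {"Id": "EXAMPLEDIST3", "WebACLId": ARN + "full/0002"},
]}}

def managed(name):  # builds a constructed managed-rule-group rule entry
    return {"Name": name, "Statement": {
        "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name}}}

# Constructed sample: web ACL ARN -> Rules list, as in `aws wafv2 get-web-acl`.
WEB_ACL_RULES = {
    ARN + "basic/0001": [managed("AWSManagedRulesCommonRuleSet")],
    ARN + "full/0002": [
        managed("AWSManagedRulesCommonRuleSet"),
        managed(SQLI_GROUP),
        {"Name": "rate-limit", "Statement": {
            "RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}}},
    ],
}

def audit(distributions, web_acl_rules):
    """Return {distribution id: [gaps]}; an empty list means no gap found."""
    report = {}
    for dist in distributions["DistributionList"].get("Items", []):
        acl = dist.get("WebACLId", "")
        if not acl:  # CloudFront reports "" when no web ACL is attached
            report[dist["Id"]] = ["no web ACL attached"]
            continue
        if ":wafv2:" not in acl:  # WAF Classic uses a bare ID, not a WAFv2 ARN
            report[dist["Id"]] = ["WAF Classic web ACL, rules not inspected"]
            continue
        stmts = [r.get("Statement", {}) for r in web_acl_rules.get(acl, [])]
        groups = {s["ManagedRuleGroupStatement"]["Name"]
                  for s in stmts if "ManagedRuleGroupStatement" in s}
        gaps = []
        if SQLI_GROUP not in groups:
            gaps.append("no SQLi managed rule group")
        if not any("RateBasedStatement" in s for s in stmts):
            gaps.append("no rate-based rule")
        report[dist["Id"]] = gaps
    return report

if __name__ == "__main__":
    for dist_id, gaps in audit(DISTRIBUTIONS, WEB_ACL_RULES).items():
        print(dist_id, "OK" if not gaps else "; ".join(gaps))
```

Against a real account, the two inputs would come from `aws cloudfront list-distributions` and, for each attached web ACL, the `Rules` list returned by `aws wafv2 get-web-acl` with scope `CLOUDFRONT`.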

Conclusion:

This is a very useful capability that has been introduced, and further enhanced, for easily and quickly securing workloads hosted via CloudFront. It enables users to apply most of the WAF protection required by their applications out of the box, via the default or recommended protections, from the CloudFront console itself.


Written by Ravi Intodia

Solution Architect working on designing and implementing AWS Cloud based solutions.
