CloudFront distribution does not have a WAF in front. You should configure an AWS WAF web ACL in front of your CloudFront distribution so that requests are inspected at the edge before they reach your origin. A web ACL with managed rule groups and rate-based rules mitigates many common attacks on your web application (injection attempts, known bad inputs, request floods); it does not replace fixing vulnerabilities in the application itself. Note that a web ACL for CloudFront must be a global one: with AWS WAFv2 it has to be created with scope CLOUDFRONT in the us-east-1 region, and the distribution references it by its ARN (WAF Classic web ACLs are referenced by their ID).
Recommended Actions
Follow the appropriate remediation steps below to resolve the issue.
CloudFormation
Enable WAF for the CloudFront distribution

Resources:
  GoodExample:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        DefaultCacheBehavior:
          # Must match the Id of one of the Origins below
          TargetOriginId: somedomain1
          ViewerProtocolPolicy: https-only
          # CloudFront requires a cache policy (or legacy ForwardedValues);
          # this is the AWS managed CachingOptimized policy ID
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6
        Enabled: true
        Logging:
          # The S3 bucket domain name, not just the bucket name
          Bucket: logging-bucket.s3.amazonaws.com
        Origins:
          # DomainName is a hostname, not a URL
          - DomainName: some.domain
            Id: somedomain1
            CustomOriginConfig:
              OriginProtocolPolicy: https-only
        # For AWS WAFv2 this must be the ARN of a web ACL created with scope
        # CLOUDFRONT in us-east-1; for WAF Classic it is the web ACL ID
        WebACLId: waf_id
Terraform
Enable WAF for the CloudFront distribution

# Minimal snippet: other arguments CloudFront requires (enabled, restrictions,
# viewer_certificate, cache behaviour settings) are omitted for brevity.
resource "aws_cloudfront_distribution" "good_example" {
  origin {
    domain_name = aws_s3_bucket.primary.bucket_regional_domain_name
    origin_id   = "primaryS3"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }
  origin {
    domain_name = aws_s3_bucket.failover.bucket_regional_domain_name
    origin_id   = "failoverS3"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.default.cloudfront_access_identity_path
    }
  }
  # Origin group referenced by default_cache_behavior below
  # (the failover status codes are an assumption)
  origin_group {
    origin_id = "groupS3"
    failover_criteria {
      status_codes = [500, 502, 503, 504]
    }
    member {
      origin_id = "primaryS3"
    }
    member {
      origin_id = "failoverS3"
    }
  }
  default_cache_behavior {
    target_origin_id = "groupS3"
  }
  # For AWS WAFv2 this must be the ARN of a web ACL created with
  # scope = "CLOUDFRONT"; for WAF Classic it is the web ACL ID
  web_acl_id = "waf_id"
}
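The snippets above reference a placeholder "waf_id" and do not show where the web ACL comes from. The following is an added example, not code from the original page or from any scanner's rule set: it creates a WAFv2 web ACL in the CLOUDFRONT scope (which has to live in us-east-1 even when the rest of the stack is in another region), attaches the AWS managed common rule set plus a rate-based rule, and wires the distribution to it by ARN. The provider alias, resource names, the aws_s3_bucket.site and aws_cloudfront_origin_access_identity.site references, and the 2000-requests-per-five-minutes limit are assumptions chosen for the example.

```hcl
provider "aws" {
  region = "eu-west-1"
}

# CloudFront-scoped web ACLs are global and must be created in us-east-1.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "cloudfront" {
  provider = aws.us_east_1
  name     = "cloudfront-web-acl"
  scope    = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # AWS managed baseline rules (common web exploits, known bad inputs).
  rule {
    name     = "aws-common-rule-set"
    priority = 1
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  # Block any source IP exceeding 2000 requests in a 5-minute window (assumed limit).
  rule {
    name     = "rate-limit-per-ip"
    priority = 2
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cloudfront-web-acl"
    sampled_requests_enabled   = true
  }
}

resource "aws_cloudfront_distribution" "with_waf" {
  enabled = true

  origin {
    # aws_s3_bucket.site and the origin access identity are assumed to exist elsewhere.
    domain_name = aws_s3_bucket.site.bucket_regional_domain_name
    origin_id   = "siteS3"
    s3_origin_config {
      origin_access_identity = aws_cloudfront_origin_access_identity.site.cloudfront_access_identity_path
    }
  }

  default_cache_behavior {
    target_origin_id       = "siteS3"
    viewer_protocol_policy = "redirect-to-https"
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = "658327ea-f89d-4fab-a63d-7e88639e58f6" # AWS managed CachingOptimized
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }

  # WAFv2 web ACLs are attached by ARN; a WAF Classic ACL would use its ID here.
  web_acl_id = aws_wafv2_web_acl.cloudfront.arn
}
```

After applying, confirm the association with `aws cloudfront get-distribution-config --id <distribution-id>` and check that WebACLId is populated with the web ACL ARN; an empty string is exactly the condition this finding reports. Start with rules in count mode (override_action { count {} }) on production traffic if you need to measure false positives before switching to blocking.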