Description:
AWS WAF is a web application firewall that helps protect web applications and APIs against common web exploits that can affect availability, compromise security, or consume excessive resources. AWS WAF inspects the HTTP and HTTPS requests forwarded to Amazon CloudFront, Application Load Balancer, and API Gateway. In AWS WAF you define conditions such as which source IP addresses may make requests or which query string parameters a request must carry to be allowed; CloudFront or the Application Load Balancer then either passes the request on to the origin or returns an HTTP 403 (Forbidden) response to the client.
Rationale:
Ensure every CloudFront web distribution in the account is associated with an AWS WAF web ACL, so that attacks reaching your applications from the internet, which can compromise the applications or place unnecessary load and resource usage on them, are filtered at the edge before they reach the origin.
Impact:
With a WAF web ACL attached to a CloudFront distribution, malicious requests to the distribution are blocked according to the criteria defined in the Web Access Control List (web ACL) associated with the CDN distribution. Requests the web ACL rejects never reach the origin, so they consume neither origin capacity nor application resources.
Default Value:
By default a CloudFront distribution has no web ACL associated. To enable the protection, create the CloudFront distribution, create a web ACL in AWS WAF (for CloudFront the web ACL must be created with the CloudFront (global) scope, which lives in the US East (N. Virginia) region), and attach the web ACL to the distribution.
Pre-requisites:
An existing CloudFront distribution.
An AWS WAF web ACL created for the CloudFront scope.
Test Plan:
1. Log in to the AWS Management Console.
2. Navigate to the CloudFront dashboard at https://console.aws.amazon.com/cloudfront.
3. On the Distributions page, select the CDN distribution that you want to examine.
4. Open the General tab.
5. Under Settings, check the value of AWS WAF web ACL.
6. If the value is None, the selected distribution is not associated with a web ACL and therefore is not protected by AWS WAF against malicious viewers.
7. Repeat steps 3-6 for each CloudFront distribution in your AWS account.
CLI Commands
1. To check which web ACL a distribution is associated with (replace the distribution ID with your own; an empty string in the output means no web ACL is attached):
aws cloudfront get-distribution \
  --id E2ZZAENK18GEUD \
  --query 'Distribution.DistributionConfig.WebACLId'
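The manual test plan above checks one distribution at a time. The following script is an added example (not part of the original benchmark text) that audits every distribution in the account in one pass: it feeds the JSON returned by aws cloudfront list-distributions into a pure function that flags each distribution whose WebACLId is empty. SAMPLE_LISTING is a constructed, trimmed copy of the CLI output shape with made-up IDs so the check can also be exercised offline.

```python
"""Audit: flag every CloudFront distribution with no AWS WAF web ACL attached.

Added example, not from the original page. Works on the parsed output of
`aws cloudfront list-distributions --output json`; SAMPLE_LISTING is constructed.
"""
import json
import shutil
import subprocess


def noncompliant_distributions(listing: dict) -> list:
    """Return [(Id, DomainName)] for every distribution whose WebACLId is empty.

    `listing` is the parsed output of `aws cloudfront list-distributions`.
    The CLI omits DistributionList.Items entirely when the account has no
    distributions, so a missing key is treated as an empty list, not an error.
    """
    items = listing.get("DistributionList", {}).get("Items") or []
    findings = []
    for dist in items:
        # No web ACL is reported as WebACLId == "". WAF Classic stores the web
        # ACL ID here and WAFv2 stores the web ACL ARN; either counts as attached.
        if not dist.get("WebACLId"):
            findings.append((dist["Id"], dist.get("DomainName", "")))
    return findings


def fetch_listing() -> dict:
    """Run the AWS CLI and parse its JSON (needs cloudfront:ListDistributions)."""
    out = subprocess.run(
        ["aws", "cloudfront", "list-distributions", "--output", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    return json.loads(out) if out.strip() else {}


# Constructed sample in the shape of the real CLI output; IDs, domains and the
# account number are made up.
SAMPLE_LISTING = {
    "DistributionList": {
        "Quantity": 2,
        "Items": [
            {"Id": "E1EXAMPLE000001", "DomainName": "d111111abcdef8.cloudfront.net",
             "Status": "Deployed", "WebACLId": ""},
            {"Id": "E2EXAMPLE000002", "DomainName": "d222222abcdef8.cloudfront.net",
             "Status": "Deployed",
             "WebACLId": "arn:aws:wafv2:us-east-1:111122223333:global/webacl/"
                         "cdn-acl/a1b2c3d4-0000-1111-2222-333344445555"},
        ],
    }
}

if __name__ == "__main__":
    # Use live data when the AWS CLI is installed, otherwise the constructed sample.
    listing = fetch_listing() if shutil.which("aws") else SAMPLE_LISTING
    for dist_id, domain in noncompliant_distributions(listing):
        print(f"NONCOMPLIANT {dist_id} {domain}: no AWS WAF web ACL associated")
```

Run it with credentials that allow cloudfront:ListDistributions; any line printed is a distribution that fails this check and should go through the remediation steps below.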
Remediation:
1. Log in to the AWS Management Console.
2. Navigate to the AWS WAF dashboard at https://console.aws.amazon.com/wafv2/homev2
3. In the left navigation panel, under AWS WAF, choose Web ACLs.
4. Click Create web ACL to start building the web ACL. (Steps 5-9 follow the AWS WAF Classic flow of conditions and rules; in the current console you add rules and rule groups directly to the web ACL, but the outcome, a web ACL with a default action and the CloudFront distribution as its associated resource, is the same.)
5. On the Name web ACL page, fill in Web ACL name and CloudWatch metric name, then click Next.
6. On the Create conditions page, choose the condition types (for example IP match or string match) you want to use to allow or block requests forwarded to your CloudFront distributions. Click Create condition within the chosen category, define the filters, and click Create. Repeat for as many conditions as needed, then click Next.
7. On the Create rules page, under Add rules to a web ACL, click Create rule. In the Create rule dialog, name the rule and its CloudWatch metric, add the conditions that must all match for the rule to fire, and click Create.
8. Under "If a request matches all of the conditions in a rule, take the corresponding action", select the action (Allow, Block or Count) for each rule.
9. Under "If a request doesn't match any rules", choose the default action the web ACL takes for requests that match no rule, then click Next.
10. On the Choose AWS resource page, select from the Resource dropdown the CloudFront distributions to associate with the new web ACL.
11. Click Review and create.
12. Review the settings and click Confirm and create. The new web ACL appears on the Web ACLs page. On the CloudFront Distributions page, the status of the associated distribution changes from In Progress to Deployed once the change has propagated to all edge locations (usually under 15 minutes).
13. If the distribution was not selected in step 10, attach the web ACL from the CloudFront side: open https://us-east-1.console.aws.amazon.com/cloudfront, choose Distributions, select the distribution to change, open the General tab and click Edit under Settings.
14. Under AWS WAF web ACL, choose the web ACL and click Save changes.
CLI Commands
1. Run create-web-acl to create the web ACL that will later be attached to the CloudFront distribution serving your web application. Note that the aws waf command set is WAF Classic and needs a change token obtained from aws waf get-change-token; for a WAFv2 web ACL use aws wafv2 create-web-acl --scope CLOUDFRONT --region us-east-1 instead:
aws waf create-web-acl --name <name> --metric-name <metric-name> --default-action Type=BLOCK --change-token 3ub5d8bb-73c6....
2. To attach the web ACL, fetch the current configuration with aws cloudfront get-distribution-config, set WebACLId in it (the web ACL ID for WAF Classic, the web ACL ARN for WAFv2), and push the whole configuration back with the ETag from that call as --if-match; update-distribution replaces the entire configuration, so do not hand-write a partial file:
aws cloudfront update-distribution --id <value> --distribution-config file://distconfig-waf-integration.json --if-match <value>
Backout Plan:
1. Open the Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/home
2. Choose Distributions and select the distribution.
3. Open the General tab.
4. Under Settings, click Edit.
5. Under AWS WAF web ACL, choose None.
6. Click Save changes. The distribution keeps serving traffic but is no longer filtered by AWS WAF.
CLI Commands
1. To delete the web ACL (WAF Classic). The ACL must first be disassociated from the distribution and emptied of its rules, and a fresh change token from aws waf get-change-token is required, otherwise the call is rejected:
aws waf delete-web-acl --web-acl-id <value> --change-token <value>
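The remediation step with update-distribution and the backout step of setting the web ACL back to None are the same operation with a different WebACLId value. The following script is an added example (not part of the original page) of that get-distribution-config / edit / update-distribution round trip: build_update copies the fetched configuration, changes only WebACLId, and returns it with the ETag that update-distribution requires as --if-match, so a concurrent edit of the distribution is rejected rather than silently overwritten. Passing "" disassociates the ACL, which is the backout case. SAMPLE_CONFIG is a constructed, trimmed get-distribution-config response; the distribution ID, account number and ACL ARN used are made up.

```python
"""Associate (or disassociate) an AWS WAF web ACL with a CloudFront distribution.

Added example, not from the original page. Mirrors the CLI pattern
get-distribution-config -> edit WebACLId -> update-distribution --if-match <ETag>.
SAMPLE_CONFIG is constructed.
"""
import copy
import json
import subprocess
import tempfile

# A WAFv2 web ACL usable by CloudFront is created in us-east-1 with the CLOUDFRONT
# scope and has a global/ ARN; the ARN (not the bare ID) goes into WebACLId.
# WAF Classic put the web ACL ID there instead.
WAFV2_CLOUDFRONT_ARN_PREFIX = "arn:aws:wafv2:us-east-1:"


def build_update(get_config_output: dict, web_acl: str) -> tuple:
    """Return (distribution_config, etag) ready for update-distribution.

    web_acl is a WAFv2 web ACL ARN, a WAF Classic web ACL ID, or "" to
    disassociate (backout). The input dict is not mutated.
    """
    if web_acl and ":" in web_acl and not web_acl.startswith(WAFV2_CLOUDFRONT_ARN_PREFIX):
        # Regional web ACLs (ALB / API Gateway scope) cannot be attached to CloudFront.
        raise ValueError("CloudFront needs a CLOUDFRONT-scoped web ACL (arn:aws:wafv2:us-east-1:...)")
    config = copy.deepcopy(get_config_output["DistributionConfig"])
    config["WebACLId"] = web_acl
    return config, get_config_output["ETag"]


def apply_update(dist_id: str, web_acl: str) -> str:
    """Run the two CLI calls for real and return the new ETag."""
    fetched = json.loads(subprocess.run(
        ["aws", "cloudfront", "get-distribution-config", "--id", dist_id, "--output", "json"],
        check=True, capture_output=True, text=True).stdout)
    config, etag = build_update(fetched, web_acl)
    with tempfile.NamedTemporaryFile("w", suffix=".json", delete=False) as f:
        json.dump(config, f)
        path = f.name
    result = json.loads(subprocess.run(
        ["aws", "cloudfront", "update-distribution", "--id", dist_id,
         "--distribution-config", f"file://{path}", "--if-match", etag, "--output", "json"],
        check=True, capture_output=True, text=True).stdout)
    return result["ETag"]


# Constructed, heavily trimmed shape of a get-distribution-config response.
SAMPLE_CONFIG = {
    "ETag": "E2QWRUHAPOMQZL",
    "DistributionConfig": {
        "CallerReference": "example-ref",
        "Enabled": True,
        "Comment": "",
        "WebACLId": "",
        "Origins": {"Quantity": 1, "Items": [
            {"Id": "s3-origin", "DomainName": "example-bucket.s3.amazonaws.com"}]},
        "DefaultCacheBehavior": {"TargetOriginId": "s3-origin",
                                 "ViewerProtocolPolicy": "redirect-to-https"},
    },
}

if __name__ == "__main__":
    acl = WAFV2_CLOUDFRONT_ARN_PREFIX + \
        "111122223333:global/webacl/cdn-acl/a1b2c3d4-0000-1111-2222-333344445555"
    config, etag = build_update(SAMPLE_CONFIG, acl)  # dry run on the sample
    print(json.dumps({"if_match": etag, "WebACLId": config["WebACLId"]}, indent=2))
    # Live usage (hypothetical distribution ID):
    #   apply_update("E2ZZAENK18GEUD", acl)   # remediate: attach the web ACL
    #   apply_update("E2ZZAENK18GEUD", "")    # back out: detach it
```

Backing out with apply_update(dist_id, "") leaves the web ACL in place for reuse; only run delete-web-acl afterwards if the ACL is no longer referenced by any resource and its rules have been removed.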
References:
https://docs.aws.amazon.com/waf/latest/developerguide/what-is-aws-waf.html
https://docs.aws.amazon.com/waf/latest/developerguide/cloudfront-features.html
https://docs.aws.amazon.com/cli/latest/reference/cloudfront/update-streaming-distribution.html
https://docs.aws.amazon.com/cli/latest/reference/waf/delete-web-acl.html