Profile Applicability:

 Level 2

Description

AWS WAF is a web application firewall that inspects HTTP(S) requests and blocks common web exploits (injection, cross-site scripting, known bad inputs, request floods) using managed and custom rules. Associating a WAF web ACL with a CloudFront distribution applies those rules at the CloudFront edge, so malicious requests are dropped before they reach your origin servers and APIs.

Rationale

  • Enhanced Security: Managed rule groups and custom rules block common web exploits (injection, XSS, known bad inputs), and rate-based rules limit request floods before they reach the application.

  • Reduced Origin Load: Blocked requests are dropped at the edge and never reach the origin, so the origin serves only traffic the web ACL allowed.

  • Compliance: A web application firewall in front of public-facing web applications is an expected control in common frameworks (for example PCI DSS), and the association is easy to evidence from the distribution configuration.

Impact

Pros:

  • Enhances security by blocking malicious requests at the edge.

  • Reduces load on origin servers, since blocked requests never reach them.

  • Provides auditable evidence of a WAF control for compliance reviews.

Cons:

  • Requires creating and maintaining a web ACL (rule selection, tuning, logging) and incurs AWS WAF charges (per web ACL, per rule and per request).

  • Badly tuned rules block legitimate traffic. Deploy new rules in Count mode, review sampled requests and WAF logs, then switch them to Block.

  • Associating the web ACL redeploys the distribution; the change takes several minutes to propagate to all edge locations.

Default Value

By default, AWS WAF is not enabled for CloudFront distributions: a distribution's WebACLId is an empty string until a web ACL is explicitly associated with it.

Pre-Requisite

IAM Permissions (AWS WAF v2; the equivalent AWS WAF Classic actions are in the waf: namespace):

  • cloudfront:GetDistribution

  • cloudfront:GetDistributionConfig

  • cloudfront:UpdateDistribution

  • wafv2:GetWebACL

  • wafv2:AssociateWebACL

  • wafv2:DisassociateWebACL (for the backout)

Resources:

  • A WAFv2 web ACL created with scope CLOUDFRONT (created in the us-east-1 region); a regional web ACL cannot be associated with a distribution.

  • AWS CLI installed and configured.

Remediation

Test Plan: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to audit.

  5. Click on the General tab in the top menu.

  6. Under Settings, check the AWS WAF field. It shows the associated web ACL; if none is shown, the distribution is not protected.

Using AWS CLI:

Check WAF Status (prints the web ACL ARN for WAFv2, the web ACL ID for WAF Classic, or an empty string when no web ACL is associated, which is the finding):

aws cloudfront get-distribution --id <distribution-id> --query 'Distribution.DistributionConfig.WebACLId'

Implementation Steps: 

Using AWS Console:

  1. Sign in to the AWS Management Console.

  2. Navigate to the CloudFront Dashboard.

  3. Click on the Distributions tab in the top left navigation menu.

  4. Select the Distribution you want to modify.

  5. Click on the General tab in the top menu.

  6. Click Edit to modify the distribution settings.

  7. Under Web Application Firewall (WAF), enable security protections or choose an existing web ACL; only web ACLs created with the CloudFront scope are offered.

  8. Click Save changes to save the changes.

Using AWS CLI:

Associate a Web ACL with the CloudFront distribution. The distribution-config file must contain the complete DistributionConfig: take it from aws cloudfront get-distribution-config, set WebACLId to the web ACL ARN (WAFv2) or ID (WAF Classic), and pass the ETag returned by that call in --if-match; the update is rejected without a current ETag.

aws cloudfront update-distribution --id <distribution-id> --if-match <etag> --distribution-config file://distconfig-waf.json
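The audit and the remediation above work on the same JSON: the audit looks at WebACLId, and update-distribution needs the complete DistributionConfig plus the ETag in --if-match. The following script, added here as an example (it is not AWS tooling and not part of the original page), does both offline on constructed sample data: it flags distributions whose WebACLId is empty, refuses a web ACL ARN that is not CloudFront-scoped, and emits the new config and the update command; passing an empty ARN produces the backout config instead. The account ID, distribution IDs, ETag and web ACL ARN are placeholders.

```python
"""Audit and remediate the AWS WAF web ACL association of a CloudFront distribution.

Added example for this page; not AWS tooling and not the page's own code. It
operates on the JSON the AWS CLI prints, so it runs offline on the constructed
samples below. Against a real account (IDs and ARN are placeholders):

    aws cloudfront list-distributions > dists.json          # audit all
    python3 cloudfront_waf.py dists.json                    # lists unprotected IDs
    aws cloudfront get-distribution-config --id <id> > dist.json
    python3 cloudfront_waf.py dist.json <web-acl-arn> > distconfig-waf.json
    # then run the update-distribution command the script prints on stderr
"""
import json
import re
import sys

# CloudFront accepts only WAFv2 web ACLs created with scope CLOUDFRONT; their
# ARNs are in the global (us-east-1) WAFv2 namespace. A regional web ACL made
# for an ALB or API Gateway is rejected by UpdateDistribution.
CLOUDFRONT_WEB_ACL_ARN = re.compile(
    r"^arn:aws:wafv2:us-east-1:\d{12}:global/webacl/[^/]+/[0-9A-Za-z-]+$"
)

# Placeholder ARN (constructed; account, name and ID are not real).
EXAMPLE_ACL_ARN = ("arn:aws:wafv2:us-east-1:123456789012:global/webacl/"
                   "prod-acl/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111")

# Constructed sample shaped like get-distribution-config output, trimmed to a
# few fields; a real config has many more and must be passed back whole.
SAMPLE_CONFIG_RESPONSE = {
    "ETag": "E2QWRUHEXAMPLE",
    "DistributionConfig": {
        "CallerReference": "example-2024-01-01",
        "Comment": "public website",
        "Enabled": True,
        "Origins": {"Quantity": 1, "Items": [
            {"Id": "s3-origin", "DomainName": "example-bucket.s3.amazonaws.com"}]},
        "DefaultCacheBehavior": {"TargetOriginId": "s3-origin",
                                 "ViewerProtocolPolicy": "redirect-to-https"},
        "WebACLId": "",   # empty string: no web ACL associated (the finding)
    },
}

# Constructed sample shaped like list-distributions output.
SAMPLE_LIST_RESPONSE = {"DistributionList": {"Quantity": 2, "Items": [
    {"Id": "E1EXAMPLE", "DomainName": "d111111abcdef8.cloudfront.net", "WebACLId": ""},
    {"Id": "E2EXAMPLE", "DomainName": "d222222abcdef8.cloudfront.net", "WebACLId": EXAMPLE_ACL_ARN},
]}}


def is_cloudfront_web_acl_arn(arn):
    """True for a WAFv2 web ACL ARN that a CloudFront distribution can use."""
    return bool(CLOUDFRONT_WEB_ACL_ARN.match(arn))


def web_acl_status(config_response):
    """(etag, web_acl_id) from get-distribution-config output; "" means none."""
    return (config_response["ETag"],
            config_response["DistributionConfig"].get("WebACLId", ""))


def unprotected_distributions(list_response):
    """IDs of distributions with no web ACL, from list-distributions output."""
    items = list_response.get("DistributionList", {}).get("Items", [])
    return sorted(d["Id"] for d in items if not d.get("WebACLId"))


def build_update(config_response, web_acl_arn):
    """Return (etag, new_config) for update-distribution.

    UpdateDistribution needs the complete DistributionConfig plus, in
    --if-match, the ETag that get-distribution-config returned; a missing or
    stale ETag is rejected. web_acl_arn == "" removes the association (backout).
    """
    if web_acl_arn and not is_cloudfront_web_acl_arn(web_acl_arn):
        raise ValueError("not a CloudFront-scoped WAFv2 web ACL ARN: %s" % web_acl_arn)
    etag, _ = web_acl_status(config_response)
    new_config = json.loads(json.dumps(config_response["DistributionConfig"]))  # deep copy
    new_config["WebACLId"] = web_acl_arn
    return etag, new_config


def main(argv):
    """Audit a list-distributions file, or write the new DistributionConfig to stdout."""
    if len(argv) > 1:
        with open(argv[1]) as fh:
            response = json.load(fh)
    else:
        response = SAMPLE_CONFIG_RESPONSE
    if "DistributionList" in response:          # audit mode
        sys.stderr.write("unprotected: %s\n" % unprotected_distributions(response))
        return
    target = argv[2] if len(argv) > 2 else EXAMPLE_ACL_ARN   # pass "" to back out
    _, current = web_acl_status(response)
    sys.stderr.write("current WebACLId: %s\n" % (current or "<none: unprotected>"))
    etag, new_config = build_update(response, target)
    json.dump(new_config, sys.stdout, indent=2)
    sys.stderr.write("\naws cloudfront update-distribution --id <distribution-id> "
                     "--if-match %s --distribution-config file://distconfig-waf.json\n" % etag)


if __name__ == "__main__":
    main(sys.argv)
```

For WAF Classic the WebACLId is the web ACL ID rather than an ARN, so the ARN check applies to WAFv2 only (an assumption of this script). After the update the distribution status is InProgress until the change has propagated; re-run the audit command once it reports Deployed.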


Backout Plan

Using AWS Console:

  1. Navigate to the CloudFront Dashboard.

  2. Select the Distribution.

  3. On the General tab, click Edit in the Settings section.

  4. Under Web Application Firewall (WAF), remove the web ACL association (choose not to enable security protections).

  5. Click Save changes to save the changes.

Using AWS CLI:

Restore the saved configuration. Fetch the current ETag again first: it changed when the web ACL was associated, and the update is rejected with a stale one. Setting WebACLId to an empty string in the config removes the association.

aws cloudfront update-distribution --id <distribution-id> --if-match <current-etag> --distribution-config file://distconfig-original.json


References

CIS Controls

Version   Control ID   Control Description                     IG1   IG2   IG3

v8        13.10        Perform Application Layer Filtering                   ●

v7        9.5          Implement Application Firewalls                 ●     ●