So I am trying to configure AWS::CloudFront::Distribution so that the basic security protections are enabled.
And I am trying to configure these options, but I can't find anything in the documentation that describes how to do it in a CloudFormation template.
The following is my base configuration for the CloudFront distribution:
```yaml
CloudFrontDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Origins:
        - Id: S3Origin
          DomainName:
            Fn::Join:
              - ''
              - - !Ref FrontendS3Bucket
                - '.s3-${env:REGION}.amazonaws.com'
          S3OriginConfig:
            OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${FrontendS3OAI}'
        - Id: ApiGatewayOrigin
          DomainName:
            Fn::Join:
              - ''
              - - !Ref HttpApi
                - '.execute-api.${env:REGION}.amazonaws.com'
          CustomOriginConfig:
            OriginProtocolPolicy: https-only
            OriginSSLProtocols:
              - TLSv1.2
      DefaultRootObject: index.html
      DefaultCacheBehavior:
        TargetOriginId: S3Origin
        CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # Managed-CachingOptimized
        ViewerProtocolPolicy: https-only
      CacheBehaviors:
        - TargetOriginId: ApiGatewayOrigin
          PathPattern: /api/*
          ViewerProtocolPolicy: https-only
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac # Managed-AllViewerExceptHostHeader
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad # Managed-CachingDisabled
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
            - PUT
            - PATCH
            - POST
            - DELETE
      Enabled: true
```
2 Answers
Rate limiting is part of the Web Application Firewall; you can see it in your screenshot as well.
This is the way to configure it.
Step 1
Create a WAF using this.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ratebasedstatement.html
Step 2
Integrate WAF with Cloudfront distribution
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html
Core Protections are a console-only integration, but you can replicate them in CloudFormation by creating a WebACL in WAF that has the following rules in this order:
Once you've created your Web ACL, you can pass that WebACLId to CloudFront as mentioned by Rohit.
Although enabling core protections is a console-only integration, you will still get access to the CloudFront security dashboard when WAF is enabled on your CloudFront distribution.
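Putting both answers together in one template, as an added example that is not from either answerer or from the question: a CLOUDFRONT-scoped WAFv2 web ACL with a rate-based rule (the first answer's Step 1), one AWS managed rule group standing in for the rule list the second answer refers to, and the web ACL attached to the distribution through WebACLId (the first answer's Step 2). The resource names, the rate limit of 1000, the choice of AWSManagedRulesCommonRuleSet, and the FrontendS3Bucket and FrontendS3OAI resources it references are assumptions for illustration.

```yaml
# Added example, not code from the question or answers above.
# Deploy this stack in us-east-1: a web ACL with Scope CLOUDFRONT can only be created there.
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  FrontendWebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: frontend-web-acl             # assumed name
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}                        # requests matching no rule are passed through
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: frontend-web-acl
      Rules:
        # Rate-based rule: WAF counts requests per source IP over a trailing
        # five-minute window and blocks the IP while it is over the limit.
        # 1000 is an assumed threshold; tune it to the site's real traffic.
        - Name: RateLimitPerIP
          Priority: 0
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 1000
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: RateLimitPerIP
        # An AWS managed rule group, chosen here as an illustration of the kind
        # of rule the second answer means; it is not the console's exact list.
        # Rules that reference a rule group use OverrideAction, not Action.
        - Name: AWSManagedRulesCommonRuleSet
          Priority: 1
          OverrideAction:
            None: {}
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: AWSManagedRulesCommonRuleSet

  # Attach the web ACL to the distribution. For WAFv2, WebACLId takes the
  # web ACL's ARN (GetAtt Arn), not a bare ID.
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        WebACLId: !GetAtt FrontendWebACL.Arn
        Origins:
          - Id: S3Origin
            # Assumes an AWS::S3::Bucket resource named FrontendS3Bucket in this stack;
            # RegionalDomainName avoids hand-building the endpoint string.
            DomainName: !GetAtt FrontendS3Bucket.RegionalDomainName
            S3OriginConfig:
              # Assumes an AWS::CloudFront::CloudFrontOriginAccessIdentity named FrontendS3OAI
              OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${FrontendS3OAI}'
        DefaultRootObject: index.html
        DefaultCacheBehavior:
          TargetOriginId: S3Origin
          ViewerProtocolPolicy: https-only
          CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # Managed-CachingOptimized
```

Two things to check before relying on this: the rate-based rule aggregates on the client IP as CloudFront sees it, so many users behind one NAT or corporate proxy share a single counter and can be blocked together; and because the count runs over a trailing window, blocking starts shortly after a burst begins and is lifted once the rate drops, so it slows abuse rather than stopping the first requests. The rule's CloudWatch metric and sampled requests are what you will see in the CloudFront security dashboard the second answer mentions.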