🛡️ AWS CloudFront Web Distribution is not integrated with AWS WAF 🟢

  • Contextual name: 🛡️ Web Distribution is not integrated with AWS WAF 🟢
  • ID: /ce/ca/aws/cloudfront/distribution-waf-integration
  • Tags:
  • Policy Type: BEST_PRACTICE
  • Policy Categories: SECURITY

Description

This policy identifies AWS CloudFront Web Distributions that are not associated with an AWS WAF Classic or AWS WAF (WAF v2) web ACL.

All CloudFront web distributions should be integrated with AWS WAF to help protect against application-layer attacks that could compromise application security or impose unnecessary load on backend resources.

Rationale

AWS WAF provides an additional layer of security by enabling fine-grained control over inbound web traffic through customizable rules that allow, block, or monitor requests. Without AWS WAF integration, CloudFront distributions are more susceptible to common web application attack vectors, including:

  • SQL Injection: Attempts to manipulate backend databases through malicious query injection.
  • Cross-Site Scripting (XSS): Injection of malicious scripts into web pages viewed by end users.
  • Distributed Denial of Service (DDoS): High-volume illegitimate traffic intended to disrupt application availability.
  • Malicious Bots: Automated scraping or scanning activity that can degrade performance and availability.

... see more

Remediation

Associate an AWS WAF Web ACL with the CloudFront Distribution

To protect Amazon CloudFront distributions with AWS WAF, create and configure a web ACL and associate it with the target distribution.

From Command Line
  1. Create or identify an AWS WAF Web ACL

    Ensure an appropriate web ACL exists with the required rule sets. This may include AWS Managed Rules, marketplace rule groups, or custom rules aligned with your organization’s security policies.

  2. Retrieve the current CloudFront distribution configuration and ETag

    Download the existing distribution configuration and capture the associated ETag, which is required to apply updates:

    aws cloudfront get-distribution-config \
    --id {{distribution-id}} \
    --query 'DistributionConfig' \
    > {{distribution-config}}.json

    ETAG=$(aws cloudfront get-distribution-config \
    --id {{distribution-id}} \
    --query 'ETag' \
    --output text)
  3. Update the Web ACL association

    Edit the downloaded {{distribution-config}}.json file and set the WebACLId attribute:

... see more
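As an added example (not the Cloudaware policy's own logic), the Python below runs this policy's check over distribution records shaped like the JSON the commands above download, telling a WAFv2 web ACL ARN apart from a WAF Classic web ACL ID and an empty value, and applies the WebACLId change from step 3 to a copy of the config. The distribution IDs, account number and web ACL values in the sample are constructed.

```python
"""Classify CloudFront distribution records by their AWS WAF association.

Added example, not Cloudaware's policy code. Works on the JSON written by
`aws cloudfront get-distribution-config --query 'DistributionConfig'` or on
the `DistributionList.Items` array returned by `aws cloudfront list-distributions`.
"""
import json
import re
from typing import Dict, List

# WAFv2 web ACLs usable by CloudFront live in us-east-1 with a global scope.
WAFV2_ARN = re.compile(
    r"^arn:aws:wafv2:us-east-1:\d{12}:global/webacl/[^/]+/[0-9a-f-]{36}$", re.I)
# WAF Classic associations are referenced by the bare web ACL ID (a UUID).
WAF_CLASSIC_ID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)

def waf_association(record: Dict) -> str:
    """Return 'wafv2', 'waf-classic', 'none' or 'unknown' for one record."""
    web_acl = (record.get("WebACLId") or "").strip()
    if not web_acl:
        return "none"
    if WAFV2_ARN.match(web_acl):
        return "wafv2"
    if WAF_CLASSIC_ID.match(web_acl):
        return "waf-classic"
    return "unknown"  # set, but not a shape this check recognises

def noncompliant_distributions(items: List[Dict]) -> List[str]:
    """IDs of distributions with no web ACL, i.e. the ones this policy flags."""
    return [d["Id"] for d in items if waf_association(d) == "none"]

def with_web_acl(config: Dict, web_acl: str) -> Dict:
    """Remediation step 3: return a copy of the config with WebACLId set."""
    updated = dict(config)
    updated["WebACLId"] = web_acl
    return updated

# Constructed sample shaped like DistributionList.Items (all values are fake).
SAMPLE_ITEMS = json.loads("""[
 {"Id": "E1AAAAAAAAAAAA", "DomainName": "d111.cloudfront.net", "WebACLId": ""},
 {"Id": "E2BBBBBBBBBBBB", "DomainName": "d222.cloudfront.net",
  "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/ExampleWebACL/a1b2c3d4-5678-90ab-cdef-111111111111"},
 {"Id": "E3CCCCCCCCCCCC", "DomainName": "d333.cloudfront.net",
  "WebACLId": "473e64fd-f30b-4765-81a0-62ad96dd167a"}
]""")

if __name__ == "__main__":
    for d in SAMPLE_ITEMS:
        print(d["Id"], waf_association(d))
    print("non-compliant:", noncompliant_distributions(SAMPLE_ITEMS))
```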

Linked Framework Sections

Section | Sub Sections / Internal Rules / Policies / Flags | Compliance
💼 AWS Foundational Security Best Practices v1.0.0 → 💼 [CloudFront.6] CloudFront distributions should have WAF enabled | 1 | no data
💼 Cloudaware Framework → 💼 Data Protection and Recovery | 23 | no data
💼 FedRAMP High Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 1161 | no data
💼 FedRAMP Moderate Security Controls → 💼 AC-4(21) Physical or Logical Separation of Information Flows (M)(H) | 61 | no data
💼 NIST SP 800-53 Revision 5 → 💼 AC-4(21) Information Flow Enforcement _ Physical or Logical Separation of Information Flows | 3761 | no data
💼 PCI DSS v4.0.1 → 💼 6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks. | 10 | no data
💼 PCI DSS v4.0 → 💼 6.4.2 For public-facing web applications, an automated technical solution is deployed that continually detects and prevents web-based attacks. | 10 | no data