
Rule: CloudFront distributions should have AWS WAF enabled

Implement AWS WAF on CloudFront distributions for enhanced security.

Rule: CloudFront distributions should have AWS WAF enabled
Framework: AWS Foundational Security Best Practices
Severity: Medium

Rule Description:

The rule "CloudFront distributions should have AWS WAF enabled" (AWS Foundational Security Best Practices) enforces the practice of associating an AWS Web Application Firewall (WAF) web ACL with every CloudFront distribution. AWS WAF inspects requests at the edge and protects against common web application threats such as cross-site scripting (XSS), SQL injection, and distributed denial of service (DDoS) attacks. Enabling AWS WAF on a CloudFront distribution adds a layer of security in front of your web applications and helps protect them from these threats before requests reach the origin.

Troubleshooting Steps:

If AWS WAF is not enabled for a CloudFront distribution, vulnerabilities in your web application are exposed directly to attackers with no request filtering at the edge. The following troubleshooting steps confirm that AWS WAF is properly enabled:

  1. Check the CloudFront distribution:
     • Go to the AWS Management Console and navigate to the CloudFront service.
     • Select the desired CloudFront distribution.

  2. Verify AWS WAF integration:
     • In the CloudFront distribution settings, navigate to the "Web Application Firewall" section.
     • Confirm that AWS WAF is enabled for the distribution.

  3. Review WAF rules and policies:
     • Check the AWS WAF rules and policies associated with the CloudFront distribution.
     • Ensure that the appropriate rules and policies are configured to meet your security requirements.

  4. Test the protection:
     • Conduct security testing, such as vulnerability scanning or penetration testing, to verify the effectiveness of AWS WAF and its configured rules.

Necessary Codes:

Enabling AWS WAF for a CloudFront distribution does not require writing application code: the association between a distribution and a web ACL is a configuration setting, made through the AWS Management Console or the AWS command-line interface (CLI). CLI commands are still useful to verify or troubleshoot the setup, as shown in the verification section below.

Step-by-Step Guide for Remediation:

To enable AWS WAF for a CloudFront distribution, follow these steps:

  1. Open the AWS Management Console and navigate to the CloudFront service.

  2. Select the desired CloudFront distribution from the list.

  3. In the distribution settings, navigate to the "Web Application Firewall" section.

  4. Click on the "Edit" button.

  5. Enable AWS WAF integration by selecting the desired WAF web ACL (Access Control List).

  6. Review the available AWS WAF rules and policies, and select the relevant ones based on your security requirements.

  7. Click on the "Save" button to apply the changes.

  8. Monitor the CloudFront distribution and AWS WAF logs to ensure proper functioning and protection.

CLI Commands for Verification:

To verify the AWS WAF configuration for a CloudFront distribution using the AWS CLI, follow these steps:

  1. Open the AWS CLI or terminal.

  2. Run the following command to describe the CloudFront distribution:

     aws cloudfront get-distribution --id <CloudFront Distribution ID>

  3. Look for the "WebACLId" field (under Distribution.DistributionConfig) in the command output, which identifies the AWS WAF web ACL associated with the distribution. An empty value means no web ACL is attached. For AWS WAF (wafv2) the value is the web ACL's ARN, which ends in global/webacl/<WAF Web ACL Name>/<WAF Web ACL ID>; those two path segments are the name and ID used in the next step.

  4. Run the following command to describe the AWS WAF web ACL. Web ACLs used with CloudFront have the CLOUDFRONT scope and are managed in the us-east-1 region, and the wafv2 API requires both the name and the ID:

     aws wafv2 get-web-acl --scope CLOUDFRONT --region us-east-1 --name <WAF Web ACL Name> --id <WAF Web ACL ID>

  5. Verify that the web ACL contains the desired rules and policies.
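As an added example (not part of the original rule page or of Cloud Defense's tooling), the following Python check parses constructed `get-distribution` and `get-web-acl` output in the shapes those CLI commands return: it flags a distribution whose WebACLId is empty, distinguishes a wafv2 ARN from a WAF Classic ID, derives the exact `aws wafv2 get-web-acl` invocation (scope, region, name, ID) for the verification step, and summarizes the web ACL's default action and rule names. All distribution IDs, the account number and the ACL ID are placeholders.

```python
import json
import re

# Constructed sample responses in the shape of `aws cloudfront get-distribution`
# and `aws wafv2 get-web-acl`; the account id and ACL id are placeholders.
SAMPLE_DIST_WAFV2 = json.dumps({"Distribution": {"Id": "EDFDVBD6EXAMPLE", "DistributionConfig": {
    "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/prod-cf-acl/a1b2c3d4-0000-4000-8000-000000000000"}}})
SAMPLE_DIST_NO_WAF = json.dumps({"Distribution": {"Id": "E2QWRUHAPOMQZL", "DistributionConfig": {"WebACLId": ""}}})
SAMPLE_DIST_CLASSIC = json.dumps({"Distribution": {"Id": "E1A2B3C4D5E6F7", "DistributionConfig": {
    "WebACLId": "473e64fd-f30b-4765-81a0-62ad96dd167a"}}})
SAMPLE_WEB_ACL = json.dumps({"WebACL": {"Name": "prod-cf-acl", "DefaultAction": {"Allow": {}}, "Rules": [
    {"Name": "rate-limit-per-ip", "Priority": 1},
    {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0}]}})

# WAFv2 web ACLs attached to CloudFront are global-scope resources managed in us-east-1.
WAFV2_ARN = re.compile(r"^arn:aws:wafv2:us-east-1:\d{12}:global/webacl/(?P<name>[^/]+)/(?P<id>[0-9a-f-]+)$")


def check_distribution(get_distribution_json: str) -> dict:
    """Classify a distribution's WebACLId and build the CLI command that describes the attached ACL.

    status is 'none' (finding: no WAF attached), 'wafv2' (value is an ARN) or 'waf-classic' (bare ID).
    """
    dist = json.loads(get_distribution_json)["Distribution"]
    web_acl = dist.get("DistributionConfig", {}).get("WebACLId", "")
    result = {"distribution_id": dist["Id"], "web_acl_id": web_acl}
    if not web_acl:
        result["status"] = "none"  # this is the condition the rule reports on
        return result
    m = WAFV2_ARN.match(web_acl)
    if m:
        result["status"] = "wafv2"
        result["verify_cmd"] = (f"aws wafv2 get-web-acl --scope CLOUDFRONT --region us-east-1 "
                                f"--name {m['name']} --id {m['id']}")
    else:
        # WAF Classic stores a plain web ACL ID; it is described through the legacy `aws waf` API.
        result["status"] = "waf-classic"
        result["verify_cmd"] = f"aws waf get-web-acl --web-acl-id {web_acl}"
    return result


def summarize_web_acl(get_web_acl_json: str) -> dict:
    """Extract what a reviewer checks in `aws wafv2 get-web-acl` output: default action and rules by priority."""
    acl = json.loads(get_web_acl_json)["WebACL"]
    return {"name": acl["Name"], "default_action": next(iter(acl["DefaultAction"])),
            "rules": [r["Name"] for r in sorted(acl.get("Rules", []), key=lambda r: r["Priority"])]}


if __name__ == "__main__":
    for sample in (SAMPLE_DIST_WAFV2, SAMPLE_DIST_NO_WAF, SAMPLE_DIST_CLASSIC):
        print(check_distribution(sample))
    print(summarize_web_acl(SAMPLE_WEB_ACL))
```

Feed it the real `aws cloudfront get-distribution` output to obtain the `get-web-acl` command for step 4; a "none" status is the finding this rule raises.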

By following these steps and performing the necessary verifications, you can ensure that AWS WAF is properly enabled for your CloudFront distribution, enhancing the security of your web applications.
