Harnessing the Power of Amazon CloudFront with AWS WAF for Robust Web Application Security

Overview

AWS CloudFront is a fast and highly scalable content delivery network (CDN) service designed to help businesses deliver content, such as web pages, videos, images, and other static or dynamic files, to end users with low latency and high transfer speeds. At the same time, AWS WAF is a powerful web application firewall service that provides an additional layer of security to web applications and APIs, protecting them from common web-based attacks and ensuring data integrity.

Introduction

This lab aims to demonstrate the collaborative functionality of Amazon CloudFront and Amazon Web Application Firewall (WAF) in shielding workloads against network-based attacks. To deploy Amazon CloudFront with AWS WAF integration using defense in depth methods, you will use the AWS Management Console and AWS CloudFormation. Your workloads will be secured using the AWS Well-Architected Framework skills gained from this course.

Goals:

• The protection of network boundaries and host boundaries
• Configuration and maintenance of security systems
• Enforcement of service level protection

Prerequisites

• Test accounts on AWS that are not used for production or other purposes but can be used for testing. It is important to remember that completion of this lab will result in you being charged for any applicable AWS resources used.
• To configure Amazon CloudFront as the origin, you need a web application.

Steps to Launch AWS EC2 Instance

Using the AWS Management Console, you can launch a Linux instance. Many options are available when setting up your first instance, so this tutorial will not cover them all. Launch an instance:

1. Go to the Amazon EC2 console at https://console.aws.amazon.com/ec2/.
2. Choose Launch Instance from the console dashboard.
3. In the Choose an Amazon Machine Image (AMI) page, you can select from a list of basic configurations called Amazon Machine Images (AMIs), which serve as templates for your instance. You can choose either version of the Amazon Linux AMI that contains the HVM edition.
4. Once you select the instance type, a hardware configuration can be selected for your instance. By default, tmicro will be selected; let it be the same. This instance type comes under the free tier. Then select Next: Configure Instance Details.
5. Make the following changes on the Configure Instance Details page.

• Select Create a new IAM role
• In the new tab that opens, Select Create role
• Amazon EC2 appears at the top of the list when AWS services are pre-selected, then click Next: Permission.
• You can find AmazonS3ReadOnlyAccess in the list of policies if you enter AWS S3 in the search box and click Next: Review. By adding this policy, this Amazon EC2 instance will receive access to Amazon S3 within your AWS account for reading and listing objects.
• Create the role by entering a name, such as ec2-s3-read-only-role
• When you return to the web browser tab of the Amazon EC2 launch, select the refresh button next to Create new IAM role and choose the newly created role
• Expand the Advanced Details section by scrolling down. You can configure the Apache web server when launching an instance by entering the following in the User Data test box:

6. Click Next: Add tags after accepting the defaults
7. By clicking Next: Configure the Security Group.

• Select Create a new security group option from default.
• Select Source as My IP on the first default entry SSH.
• In the first default entry, SSH, choose Source as My IP. Add a rule by clicking Add Rule, selecting HTTP as the Type, and Anywhere as the Source. Note: Amazon EC2 instances should not be directly exposed to the internet; the best practice is to have an Elastic Load Balancer inline. However, we are opening access to anywhere for the simplicity of the lab.
• Click on review and launch.
• The Review Instance Launch page shows you the details for the review instance, and then you can click Launch.
• An option to generate a key pair will appear if you do not already have one.
• Click on Create a new keypair, give a name to it, and then click on Download key pair.
• Click on the launch instance.

10. Click on view instance.
11. The status of your instance will change to running in a few minutes after it is launched, and then the patches will be applied, and Apache will be installed within a few minutes.
12. In the description tab or instances list, you’ll find the public DNS, which you can use to access the Apache test page.

Steps to Configure AWS WAF

Let’s deploy an AWS WAF configuration with CloudFront using AWS CloudFormation.

1. To open the CloudFormation console, sign into the AWS Management Console, select your preferred region, and click https://console.aws.amazon.com/cloudformation/. Click New Console in the CloudFormation menu if your CloudFormation console does not look the same.
2. Click on Create Stack.

3. The following Amazon S3 URL should be entered: https://s3-us-west-2.amazonaws.com/aws-well-architected-labs/Security/Code/waf-global.yaml, then click Next.

4. Enter the following details:

• Stack name: For this lab, use waf, the name of this stack.
• WAFName: Enter Lab1
• WAFCloudWatchPrefix: Enter Lab1

• At the bottom of the page, Click Next
• As we won’t be adding any tags, Click Next
• Review and then click on Create Stack
• After a few minutes, you should see a change in the stack status from CREATE_IN_PROGRESS to CREATE_COMPLETE.
• Amazon CloudFront now has a basic AWS WAF configuration in place

Steps to Configure Amazon CloudFront

Now we will create a CloudFront distribution using the AWS Management Console, then link it to our previously created WAF ACL.

1. Open the Amazon CloudFront console at https://console.aws.amazon.com/cloudfront/home.
2. Choose to Create Distribution from the dashboard of the console
3. Click on Get Started

4. The distribution settings should be as follows:

• Enter the Amazon EC2 public DNS name you recorded when your instance was launched in Origin Domain Name.

• Click AWS WAF Web ACL in the distribution Settings section, and then select the one you previously created.

• Click on Create Distribution
• Once Amazon CloudFront has created your distribution, your distribution’s Status column will be changed from In Progress to Deployed.

• Once your distribution is deployed, confirm that your new Amazon CloudFront URL or CNAME can be used to access your content.

NOTE: Please delete the resources we have created during the lab to avoid the charges.

Conclusion

About CloudThat

CloudThat is an official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft Gold Partner, helping people develop knowledge of the cloud and help their businesses aim for higher goals using best-in-industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Drop a query if you have any questions regarding Amazon CloudFront, AWS WAF, I will get back to you quickly.

To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.