Harnessing the Power of Amazon CloudFront with AWS WAF for Robust Web Application Security


Amazon CloudFront is a fast, highly scalable content delivery network (CDN) service that delivers content such as web pages, videos, images, and other static or dynamic files to end users with low latency and high transfer speeds. AWS WAF is a web application firewall service that adds a layer of security to web applications and APIs, protecting them from common web-based attacks and ensuring data integrity.


This lab demonstrates how Amazon CloudFront and AWS Web Application Firewall (WAF) work together to shield workloads against network-based attacks. You will use the AWS Management Console and AWS CloudFormation to deploy Amazon CloudFront with AWS WAF integration as part of a defense-in-depth approach. The skills gained in this lab help you secure your workloads in line with the AWS Well-Architected Framework, covering:


  • The protection of network boundaries and host boundaries
  • Configuration and maintenance of security systems
  • Enforcement of service level protection


  • An AWS account that you can use for testing and that is not used for production or other purposes. Note that completing this lab will result in charges for any applicable AWS resources used.
  • A web application to configure as the origin for Amazon CloudFront.

Steps to Launch AWS EC2 Instance

Using the AWS Management Console, you can launch a Linux instance. Many options are available when setting up your first instance, so this tutorial will not cover them all. Launch an instance:

  1. Go to the Amazon EC2 console at
  2. Choose Launch Instance from the console dashboard.
  3. In the Choose an Amazon Machine Image (AMI) page, you can select from a list of basic configurations called Amazon Machine Images (AMIs), which serve as templates for your instance. You can choose either version of the Amazon Linux AMI that contains the HVM edition.
  4. On the instance type page, select the hardware configuration for your instance. t2.micro is selected by default; leave it as is. This instance type is eligible for the free tier. Then select Next: Configure Instance Details.
  5. Make the following changes on the Configure Instance Details page.
     • Select Create new IAM role.
     • In the new tab that opens, select Create role.
     • With AWS service pre-selected, choose EC2 from the top of the list, then click Next: Permissions.
     • Enter AWS S3 in the search box, select AmazonS3ReadOnlyAccess from the list of policies, and click Next: Review. This policy gives the Amazon EC2 instance access to read and list objects in Amazon S3 within your AWS account.
     • Enter a name for the role, such as ec2-s3-read-only-role, and create it.
     • Return to the browser tab with the Amazon EC2 launch wizard, select the refresh button next to Create new IAM role, and choose the newly created role.
     • Scroll down and expand the Advanced Details section. You can configure the Apache web server when launching an instance by entering the following in the User Data text box:


  6. Accept the defaults and click Next: Add Tags.
  7. Click Next: Configure Security Group.
     • Leave the default option, Create a new security group, selected.
     • On the first default entry, SSH, choose My IP as the Source.
     • Click Add Rule, then select HTTP as the Type and Anywhere as the Source. Note: Amazon EC2 instances should not be directly exposed to the internet; the best practice is to have an Elastic Load Balancer inline. However, we are opening access to anywhere for the simplicity of the lab.
     • Click Review and Launch.
  8. On the Review Instance Launch page, review the details of your instance, then click Launch.
     • If you do not already have a key pair, an option to generate one will appear.
     • Click Create a new key pair, give it a name, and then click Download Key Pair.
     • Click Launch Instance.
  9. Click View Instance.
  10. The status of your instance changes to running a few minutes after launch. Patches are then applied and Apache is installed, which takes a few more minutes.
  11. In the Description tab or the instances list, you'll find the public DNS name, which you can use to access the Apache test page.

Steps to Configure AWS WAF

Let’s deploy an AWS WAF configuration with CloudFront using AWS CloudFormation.

  1. Sign in to the AWS Management Console, select your preferred region, and open the CloudFormation console. If your CloudFormation console does not look the same, click New Console in the CloudFormation menu.
  2. Click on Create Stack.


3. The following Amazon S3 URL should be entered:, then click Next.


4. Enter the following details:

  • Stack name: Enter waf for this lab.
  • WAFName: Enter Lab1
  • WAFCloudWatchPrefix: Enter Lab1


  • At the bottom of the page, click Next.
  • As we won't be adding any tags, click Next.
  • Review the settings and then click Create Stack.
  • After a few minutes, you should see a change in the stack status from CREATE_IN_PROGRESS to CREATE_COMPLETE.
  • Amazon CloudFront now has a basic AWS WAF configuration in place
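
The template URL for this step is not reproduced above. As an added example (not the lab's own template), here is a CloudFormation template for a CloudFront-scoped AWS WAFv2 web ACL that takes the same two parameters. Using WAFCloudWatchPrefix as a metric-name prefix, the choice of rules, and the rate limit value are assumptions.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example. Deploy in us-east-1: CLOUDFRONT-scoped web ACLs are created there.
Parameters:
  WAFName:
    Type: String
    Default: Lab1
  WAFCloudWatchPrefix:
    Type: String
    Default: Lab1
Resources:
  WebACL:
    Type: AWS::WAFv2::WebACL
    Properties:
      Name: !Ref WAFName
      Scope: CLOUDFRONT
      DefaultAction:
        Allow: {}                      # allow by default; the rules below block
      VisibilityConfig:
        SampledRequestsEnabled: true
        CloudWatchMetricsEnabled: true
        MetricName: !Sub "${WAFCloudWatchPrefix}WebACL"
      Rules:
        - Name: CommonRuleSet          # AWS-managed baseline for common web exploits
          Priority: 0
          OverrideAction:
            None: {}                   # keep the rule group's own block actions
          Statement:
            ManagedRuleGroupStatement:
              VendorName: AWS
              Name: AWSManagedRulesCommonRuleSet
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: !Sub "${WAFCloudWatchPrefix}CommonRules"
        - Name: RateLimitPerIP         # block clients that flood the distribution
          Priority: 1
          Action:
            Block: {}
          Statement:
            RateBasedStatement:
              Limit: 2000              # requests per 5 minutes per IP; constructed value
              AggregateKeyType: IP
          VisibilityConfig:
            SampledRequestsEnabled: true
            CloudWatchMetricsEnabled: true
            MetricName: !Sub "${WAFCloudWatchPrefix}RateLimit"
Outputs:
  WebACLArn:
    Value: !GetAtt WebACL.Arn
```

To trial a managed rule group without blocking traffic, change its OverrideAction to Count and review the sampled requests and CloudWatch metrics before switching back to None.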

Steps to Configure Amazon CloudFront

Now we will create a CloudFront distribution using the AWS Management Console, then link it to our previously created WAF ACL.

  1. Open the Amazon CloudFront console at
  2. Choose Create Distribution from the console dashboard.
  3. Click on Get Started


4. The distribution settings should be as follows:

  • Enter the Amazon EC2 public DNS name you recorded when your instance was launched in Origin Domain Name.


  • Click AWS WAF Web ACL in the distribution Settings section, and then select the one you previously created.


  • Click on Create Distribution
  • Once Amazon CloudFront has created your distribution, the value in its Status column changes from In Progress to Deployed.


  • Once your distribution is deployed, confirm that your new Amazon CloudFront URL or CNAME can be used to access your content.
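
The security group created earlier accepts HTTP from Anywhere, so requests sent straight to the instance's public DNS name never pass through the web ACL. One way to close that gap once the distribution works, as an added example that is not part of the lab, is a security group that accepts HTTP only from the CloudFront origin-facing managed prefix list (com.amazonaws.global.cloudfront.origin-facing). The parameter and resource names are assumptions; look up the prefix list ID for your region under Managed prefix lists in the VPC console.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
# Added example; parameter and resource names are assumptions.
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  CloudFrontPrefixListId:
    Type: String                       # pl-... ID of the origin-facing prefix list
    AllowedPattern: "^pl-[0-9a-f]+$"
  AdminCidr:
    Type: String                       # your own address as a /32 (the lab's "My IP")
Resources:
  OriginSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Lab origin - HTTP from CloudFront only, SSH from admin
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - Description: HTTP from CloudFront edge servers only
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourcePrefixListId: !Ref CloudFrontPrefixListId
        - Description: SSH from the administrator address
          IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AdminCidr
Outputs:
  OriginSecurityGroupId:
    Value: !GetAtt OriginSecurityGroup.GroupId
```

The prefix list covers all of CloudFront, not only your distribution, so it narrows exposure of the origin rather than binding it to a single distribution.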


NOTE: Please delete the resources created during the lab to avoid charges.


The Amazon CloudFront with WAF (Web Application Firewall) lab offers a comprehensive guide on how to set up an Amazon CloudFront distribution with AWS WAF protection, making it an excellent resource for securing web applications.


1. What is AWS CloudFormation?

ANS: – AWS CloudFormation is a service provided by Amazon Web Services (AWS) that enables you to model and provision AWS resources in a declarative manner using a template. It allows you to create, update, and delete resources as a single unit, making managing and deploying infrastructure easier.

2. What is AWS WAF?

ANS: – AWS WAF (Web Application Firewall) is a web application firewall that helps protect your web applications from common web exploits and vulnerabilities. It allows you to define rules to block or allow traffic to your web applications based on various conditions, such as IP addresses, HTTP headers, and request content.

WRITTEN BY Vaishali Bhawsar

Vaishali is working as a Research Associate in CloudThat Technologies. She has good knowledge of Networking, Linux systems & C language, and currently working on various AWS projects along with, Terraform, Docker, and Ansible. She enjoys painting and cooking during her free time.


