AWS Solutions Architect · Lesson

CloudFront with WAF and Lambda@Edge

Attach AWS WAF to block common web attacks and run lightweight request/response transformations at the edge with Lambda@Edge.

Protecting CloudFront with AWS WAF

AWS WAF (Web Application Firewall) filters and monitors HTTP/HTTPS requests reaching your CloudFront distribution. By attaching a WAF Web ACL to your distribution, you can block common web exploits—SQL injection, cross-site scripting (XSS), bad bots, and OWASP Top 10 attacks—before they reach your origin.

WAF operates at the CloudFront edge, meaning malicious requests are rejected at the nearest edge location rather than reaching your ALB or application server. This reduces load on your backend and stops attacks closer to the attacker.

# Associate a WAF Web ACL with a CloudFront distribution.
# CloudFront does not support `aws wafv2 associate-web-acl`; the web ACL ARN is
# set as WebACLId in the distribution configuration instead (scope CLOUDFRONT
# web ACLs live in us-east-1). Example account and distribution IDs shown.
aws cloudfront get-distribution-config --id EDFDVBD6EXAMPLE > dist.json
ETAG=$(jq -r .ETag dist.json)
jq '.DistributionConfig | .WebACLId = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/MyACL/12345"' dist.json > config.json
aws cloudfront update-distribution --id EDFDVBD6EXAMPLE --if-match "$ETAG" --distribution-config file://config.json

WAF Rules and Rule Groups

A WAF Web ACL contains ordered rules and rule groups that each match request attributes and take an action (Allow, Block, Count, CAPTCHA). Rules are evaluated in priority order, lowest priority number first; the first matching rule with a terminating action (Allow or Block) decides the request, whereas a Count match is only recorded and evaluation continues. If no terminating rule matches, the Web ACL's default action applies.

AWS provides managed rule groups—pre-built rulesets maintained by AWS and AWS Marketplace sellers. The AWS Managed Rules Core rule set (AWSManagedRulesCommonRuleSet) covers OWASP Top 10 categories without any rule-writing on your part. Managed rule groups are updated by AWS as new threats emerge, reducing your operational burden.

# Create a Web ACL with AWS Managed Core Rule Set
aws wafv2 create-web-acl \
  --name MyCloudFrontACL \
  --scope CLOUDFRONT \
  --default-action Allow={} \
  --rules '[{
    "Name": "CoreRuleSet",
    "Priority": 1,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet"
      }
    },
    "OverrideAction": {"None": {}},
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "CoreRuleSet"
    }
  }]' \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyACL \
  --region us-east-1
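The following added example (not part of the course material) builds the --rules array for the command above as Python data and models how the Web ACL evaluates it: a rate-based Block rule at priority 0, then managed rule groups that can be deployed in Count mode (OverrideAction Count) for tuning before they are allowed to block. The rule names, the 2000-requests-per-5-minutes limit, the second managed group and the simplification that a managed group's own rules Block are assumptions for illustration.

```python
import json

def _visibility(name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}

def managed_rule(name, group, priority, count_only=False):
    """Managed rule group entry. count_only=True sets OverrideAction Count so the
    group's matches are only logged and metered (the usual tuning step) instead of
    applying the group's own Block actions (OverrideAction None)."""
    return {"Name": name, "Priority": priority,
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
            "OverrideAction": {"Count": {}} if count_only else {"None": {}},
            "VisibilityConfig": _visibility(name)}

def rate_limit_rule(name, priority, limit):
    """Rate-based rule: Block a source IP exceeding `limit` requests per 5 minutes."""
    return {"Name": name, "Priority": priority,
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}},
            "Action": {"Block": {}}, "VisibilityConfig": _visibility(name)}

def build_rules(tuning=True):
    """Ordered rules array for `aws wafv2 create-web-acl --scope CLOUDFRONT --rules`.
    Rule names, limit and the second group are illustrative choices."""
    rules = [rate_limit_rule("RateLimitPerIP", 0, 2000),
             managed_rule("CoreRuleSet", "AWSManagedRulesCommonRuleSet", 1, tuning),
             managed_rule("KnownBadInputs", "AWSManagedRulesKnownBadInputsRuleSet", 2, tuning)]
    if len({r["Priority"] for r in rules}) != len(rules):
        raise ValueError("rule priorities must be unique within a web ACL")
    return sorted(rules, key=lambda r: r["Priority"])

def rules_json(tuning=True):
    return json.dumps(build_rules(tuning))

def evaluate(rules, matched, default_action="Allow"):
    """Model the Web ACL decision for a request matching the rules named in `matched`:
    walk rules by priority, record Count matches and keep going, stop at the first
    Allow/Block, otherwise apply the default action. Returns (action, counted_rules).
    Simplification: a managed group with OverrideAction None is treated as Block."""
    counted = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if rule["Name"] not in matched:
            continue
        action = rule.get("Action") or rule["OverrideAction"]
        if "Count" in action:
            counted.append(rule["Name"])
            continue
        if "None" in action:
            return "Block", counted
        return next(iter(action)), counted
    return default_action, counted
```

Pass the output of rules_json(tuning=False) to --rules once the Count-mode metrics show no false positives on legitimate traffic.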
