An AWS CloudFront distribution does not have a WAF (Web Application Firewall) in front

• GG_ID: GG_IAC_0025
• Severity: HIGH
• Complexity: HIGH
• Categories: NETWORK
• Providers: AWS
• Potential data exposure: True
• Visible in logs: False
• User interaction required: False
• Privileges required: False

Description

AWS WAF is a web application firewall that lets you monitor and block the HTTP(S) requests that are forwarded to an Amazon CloudFront distribution. It allows custom access control to a web application based on conditions such as IP addresses or specific traffic patterns.

Not having one eases attacks exploiting common web application vulnerabilities such as SQL injection or cross-site scripting like described in the OWASP Top Ten.

Impact

Common web application vulnerabilities could be exploited.

Remediation guidelines

Enable WAF for the CloudFront distribution.

External documentation

• Get started with AWS WAF
• AWS WAF Developer Guide
• How AWS WAF works with Amazon CloudFront features
• OWASP Top Ten Web Application Security Risks