
An AWS CloudFront distribution does not have a WAF (Web Application Firewall) in front

  • GG_ID: GG_IAC_0025
  • Severity: HIGH
  • Complexity: HIGH
  • Categories: NETWORK
  • Providers: AWS
  • Potential data exposure: True
  • Visible in logs: False
  • User interaction required: False
  • Privileges required: False

Description

AWS WAF is a web application firewall that lets you monitor and block the HTTP(S) requests that are forwarded to an Amazon CloudFront distribution. It allows custom access control to a web application based on conditions such as IP addresses or specific traffic patterns.

Without one, attacks that exploit common web application vulnerabilities such as SQL injection or cross-site scripting, as described in the OWASP Top Ten, reach the origin unfiltered.

Impact

Common web application vulnerabilities could be exploited.

Remediation guidelines

Enable WAF for the CloudFront distribution.
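The Terraform below is an added example, not code from GitGuardian or from this check's documentation. It shows a CloudFront distribution with a WAFv2 web ACL attached through `web_acl_id`; the same resource with that argument omitted is what this check reports. The resource names, the origin bucket domain and the metric names are placeholders.

```hcl
# Added example (not the page's own code): a CloudFront distribution protected by a WAFv2 web ACL.
# Removing `web_acl_id` from the distribution below is the misconfiguration GG_IAC_0025 flags.

# WAFv2 web ACLs used by CloudFront must live in us-east-1 with scope CLOUDFRONT.
provider "aws" {
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "cloudfront_acl" {
  name  = "cloudfront-web-acl" # placeholder name
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # AWS managed rule group covering common injection and XSS patterns.
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1

    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSet" # placeholder metric name
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cloudfront-web-acl" # placeholder metric name
    sampled_requests_enabled   = true
  }
}

resource "aws_cloudfront_distribution" "protected" {
  enabled = true

  # The remediation: associate the web ACL. For WAFv2 this is the ACL ARN;
  # only the legacy WAF Classic service takes the ACL ID here.
  web_acl_id = aws_wafv2_web_acl.cloudfront_acl.arn

  origin {
    domain_name = "example-bucket.s3.amazonaws.com" # placeholder origin
    origin_id   = "s3-origin"
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-origin"
    viewer_protocol_policy = "redirect-to-https"

    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}
```

If the rest of the stack is deployed in another region, declare a second `aws` provider with `alias` and `region = "us-east-1"` and point the `aws_wafv2_web_acl` resource at it, because CloudFront-scoped ACLs are rejected elsewhere. Reviewing the sampled requests and CloudWatch metrics that `visibility_config` enables is how a team confirms the rule set is actually seeing and blocking traffic once the distribution is live.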

External documentation