CloudFront WAF Disabled

This plugin verifies that WAF has been activated for CloudFront distributions.

Risk Level: Medium

Description: 

This plugin verifies that WAF has been activated for CloudFront distributions. Activating WAF permits management of Cloudfront distribution requests that accept or reject traffic based upon Web ACL rules.

PingSafe strongly recommends performing the following functions:

  1. Enter the WAF service. 
  2. Enter Web ACLs and filter by global. 
  3. If no Web ACL is found, Create a new global Web ACL and in Resource, type to associate with web ACL, select the Cloudfront Distribution. 

About the Service :

Amazon CloudFront is a web service that accelerates your online content delivery to your users, such as.html,.css,.js, or picture files. CloudFront provides your content over a global data center network known as edge locations. When a user requires the material you provide with CloudFront, the request is routed to the lowest delay location, which ensures the optimum performance for the content.

Impact : 

The disabled WAF will result in no control access to content. Furthermore, the other downside will be we won’t be able to block any malicious requests made to our Cloudfront Content Delivery Network based on the criteria defined in the WAF Web Access Control List (ACL) associated with the CDN distribution.

Steps to reproduce :

  1. Log In the AWS Console.
  2. Move to Cloudfront dashboard.
  3. Click on the Distributions panel on the left panel to access the distributions.
  4. Click on the Edit button in the General tab of Distribution Settings.
  5. Verify the AWS WAF Web ACL configuration status on the Distribution Settings page. If AWS WAF Web ACL is set to None, that means that the Cloudfront WAF is Disabled.

 

Steps for remediation :

  1. Log In the AWS Console.
  2. Move to Cloudfront dashboard.
  3. Click on the Distributions panel on the left panel to access the distributions.
  4. Click on the Edit button in the General tab of Distribution Settings.
  5. Verify the AWS WAF Web ACL configuration status on the Distribution Settings page. If AWS WAF Web ACL is set to None, that means that the Cloudfront WAF is Disabled.
  6. We need to establish the needed WAF Access Control List and link it to the proper web distribution for integrating CloudFront into AWS WAF.
  7. Navigate to the Web Application Firewall dashboard.
  8. Choose Web ACLs in the left navigation panel, under the AWS WAF section.
  9. Click on Create web ACL button from the WAF dashboard.
  10. Provide names for the new WAF web ACL and the required AWS CloudWatch metric on the Name web ACL page.
  11. Choose conditions on the Create Conditions page and then Create rule on the Create rules page.
  12. Select from the Resource dropdown list the Cloudfront web distribution on the Choose AWS resource page.
  13. Review the web ACL settings on Review and create page. Then click Confirm and create.

 

Optional Steps: To associate the ACL created at the previous step with other CloudFront web distributions 

  1. Log In the AWS Console.
  2. Move to Cloudfront dashboard.
  3. Click on the Distributions panel on the left panel to access the distributions.
  4. Click on the Edit button in the General tab of Distribution Settings.
  5. Select the newly created ACL from the AWS WAF Web ACL.
  6. The CDN distribution status will change from In Progress to Deployed after clicking Yes, Edit to apply the changes.

References: