AWS CloudFront
CloudFront Security
Web Application Firewall (WAF)
- a web application firewall that helps secure your web applications and APIs by blocking requests before they reach your servers
- keeps your application secure from the most common web threats and security vulnerabilities
CloudFront Geographic Restrictions
- also known as geo blocking, to prevent users in specific geographic locations from accessing content that you're distributing
- you can allow or block specific geographic locations, but you cannot route traffic based on the geographic location of the user; that can be achieved with a Route 53 geolocation routing policy
CloudFront Origin Shield
- an additional layer in the CloudFront caching infrastructure that helps to minimise your origin's load, improve its availability and reduce its operating costs
- better cache hit ratio
- reduced origin load
- better network performance
How to serve private content?
- Recommended: require your users to access your content only through CloudFront
- Specify the trusted key groups or trusted signers that you want to use to create signed URLs or signed cookies. Trusted key groups is recommended.
- create a public/private key pair and add the public key to a CloudFront key group
- add the signer (key group) to the distribution (Behaviours => Restrict Viewer Access)
- Choose Signed URLs if
- you need to restrict access to individual files
- the number of resources requiring access control is limited
- you prefer to control access via unique URLs, which can be easily distributed or embedded
- you want tighter control over each resource's access parameters
- Choose Signed Cookies if:
- you need to grant access to multiple restricted resources within a user session
- managing a large number of signed URLs would be impractical
- your application serves complex web pages with numerous assets that need protection
- you prefer leveraging browser-managed cookies for seamless access across multiple requests
- you don't want to change your current URLs
- Create an Origin Access Control (OAC) in CloudFront
- give the OAC permission to access the S3 bucket
- create an OAC
- update the Origin Access of the origin to use Origin access control settings (recommended)
OAC vs OAI:
- OAC: Origin Access Control, helps secure your origins, supports:
- all S3 buckets in all regions
- S3 SSE-KMS
- dynamic requests (PUT/DELETE) to S3
- OAI: Origin Access Identity, legacy, not recommended
Lambda@Edge
- Lambda@Edge is an extension of AWS Lambda, a compute service that lets you execute functions that customise the content that CloudFront delivers
- Processing requests at AWS locations closer to the viewer instead of on origin servers significantly reduces latency and improves the user experience
- CloudFront intercepts requests and responses at CloudFront edge locations; you can execute Lambda functions when the following CloudFront events occur:
- When CloudFront receives a request from a viewer (viewer request)
- Before CloudFront forwards a request to the origin (origin request)
- When CloudFront receives a response from the origin (origin response)
- Before CloudFront returns the response to the viewer (viewer response)
- Use cases
- inspect cookies and rewrite URLs so that users see different versions of a site for A/B testing
- inspect headers or authorization tokens, and insert a header to control access to your content before CloudFront forwards the request to your origin
- make network calls to external resources to confirm user credentials, or fetch additional content to customize a response.