CloudFront Should Be Integrated With AWS WAF
More Info:
All your AWS CloudFront web distributions should be integrated with the AWS Web Application Firewall (AWS WAF) service to protect against application-layer attacks.
Risk Level
Low
Address
Security
Compliance Standards
SOC2, GDPR, NISTCSF, PCIDSS
Triage and Remediation
Remediation
To remediate the misconfiguration for AWS, follow these steps:
- Log in to the AWS Management Console and navigate to the AWS WAF service.
- Create a new web ACL (Access Control List) by clicking on the “Create web ACL” button.
- Give your new web ACL a name and description.
- Under “Rules”, click on the “Add rule” button.
- Select “AWS Managed Rules” and choose the rule set that you want to use. For example, choose the “AWSManagedRulesCommonRuleSet” rule set.
- Under “Web ACL associations”, click on the “Add association” button.
- Select the CloudFront distribution that you want to associate with the web ACL.
- Click on the “Add association” button to complete the association.
- Wait for a few minutes for the changes to propagate.
- Test your CloudFront distribution to ensure that it is now integrated with AWS WAF.
By following these steps, you should be able to remediate the misconfiguration and integrate your CloudFront distribution with AWS WAF.
To remediate the misconfiguration of CloudFront not being integrated with AWS WAF using the AWS CLI, follow the steps below:
- Open the AWS CLI on your local machine.
- Run the following command to create a new Web ACL in AWS WAF. Web ACLs for CloudFront use the CLOUDFRONT scope and must be created in the us-east-1 region, and the `wafv2` API requires both `--default-action` and `--visibility-config`:
```bash
aws wafv2 create-web-acl --region us-east-1 --name <name-of-web-acl> --scope CLOUDFRONT --default-action Block={} --description "<description-of-web-acl>" --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=<metric-name>
```
Replace <name-of-web-acl>, <description-of-web-acl> and <metric-name> with the desired name, description and CloudWatch metric name for your Web ACL. A default action of `Block={}` denies every request that no rule explicitly allows, so add allow rules before associating this Web ACL with a production distribution, or use `Allow={}` as the default action and rely on rule groups to block matched requests.
- Run the following command to get the ARN of the newly created Web ACL:
```bash
aws wafv2 list-web-acls --region us-east-1 --scope CLOUDFRONT --query "WebACLs[?Name=='<name-of-web-acl>'].ARN" --output text
```
Replace <name-of-web-acl> with the name of the Web ACL you created in step 2.
- Update the CloudFront distribution to use the new Web ACL. `update-distribution` has no flag for the web ACL alone: download the current distribution configuration, set its WebACLId to the Web ACL ARN, and submit the whole configuration together with the ETag returned by the download (jq is used here to edit the JSON):
```bash
aws cloudfront get-distribution-config --id <distribution-id> > dist.json
jq --arg arn "<web-acl-arn>" '.DistributionConfig | .WebACLId = $arn' dist.json > config.json
aws cloudfront update-distribution --id <distribution-id> --distribution-config file://config.json --if-match "$(jq -r .ETag dist.json)"
```
Replace <distribution-id> with the ID of the CloudFront distribution you want to update, and <web-acl-arn> with the ARN of the Web ACL you retrieved in step 3.
- Wait for the CloudFront distribution to update and propagate the changes.
After completing these steps, your CloudFront distribution will be integrated with AWS WAF, and the new Web ACL will be applied to all incoming traffic.
To remediate the misconfiguration of CloudFront not being integrated with AWS WAF, you can follow these steps using Python (boto3):
- Import the necessary modules:
```python
import boto3
```
- Create a boto3 client for CloudFront. A separate AWS WAF client is not needed: the association is stored in the distribution configuration itself.
```python
cf_client = boto3.client('cloudfront')
```
- Set the distribution ID of the CloudFront distribution that needs to be integrated with AWS WAF:
```python
distribution_id = 'YOUR_DISTRIBUTION_ID'
```
- Get the current configuration of the CloudFront distribution. The response also carries the ETag that a later update must present:
```python
response = cf_client.get_distribution_config(Id=distribution_id)
```
- Check if the distribution already has an AWS WAF web ACL configured. `WebACLId` is an empty string when no web ACL is associated, so test the value rather than the presence of the key:
```python
if response['DistributionConfig'].get('WebACLId'):
    print('The CloudFront distribution is already integrated with AWS WAF.')
else:
    print('The CloudFront distribution is not integrated with AWS WAF.')
```
- If the distribution is not integrated with AWS WAF, set the web ACL that needs to be associated with the distribution (for AWS WAF this is the web ACL ARN; for AWS WAF Classic it is the web ACL ID):
```python
web_acl_id = 'YOUR_WEB_ACL_ID'
```
- Update the configuration of the CloudFront distribution to integrate it with AWS WAF, passing the ETag from the earlier read as `IfMatch`:
```python
response['DistributionConfig']['WebACLId'] = web_acl_id
cf_client.update_distribution(
    DistributionConfig=response['DistributionConfig'],
    Id=distribution_id,
    IfMatch=response['ETag'],
)
```
- Verify that the CloudFront distribution is now integrated with AWS WAF:
```python
response = cf_client.get_distribution_config(Id=distribution_id)
if response['DistributionConfig'].get('WebACLId') == web_acl_id:
    print('The CloudFront distribution is now integrated with AWS WAF.')
else:
    print('Failed to integrate CloudFront distribution with AWS WAF.')
```
You can save this code as a Python script and execute it using a Python interpreter to remediate the misconfiguration of CloudFront not being integrated with AWS WAF.
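The console, CLI and Python steps above remediate one distribution at a time; the following added example (not part of the original page) covers the detection side of this check by walking every distribution in an account through the paginated CloudFront `list_distributions` API and classifying each by its `WebACLId`, distinguishing an AWS WAF (wafv2) ARN from a WAF Classic ID. The client class `FakeCloudFront` and the `SAMPLE_PAGES` data are constructed so the script runs offline; against a real account, pass `boto3.client('cloudfront')` to `audit_distributions` instead.

```python
from typing import Any, Dict, Iterator, List

WAFV2_ARN_PREFIX = "arn:aws:wafv2:"


def iter_distributions(cf_client) -> Iterator[Dict[str, Any]]:
    """Yield every DistributionSummary, following Marker/NextMarker pagination."""
    kwargs: Dict[str, Any] = {}
    while True:
        page = cf_client.list_distributions(**kwargs)["DistributionList"]
        yield from page.get("Items", [])
        if not page.get("IsTruncated"):
            return
        kwargs["Marker"] = page["NextMarker"]


def classify_web_acl(web_acl_id: str) -> str:
    """'missing': no web ACL; 'wafv2': AWS WAF web ACL ARN; 'classic': WAF Classic ID."""
    if not web_acl_id:
        return "missing"
    return "wafv2" if web_acl_id.startswith(WAFV2_ARN_PREFIX) else "classic"


def audit_distributions(cf_client) -> List[Dict[str, str]]:
    """One finding per distribution; Status 'missing' is the misconfiguration."""
    return [{"Id": d["Id"], "DomainName": d["DomainName"],
             "Status": classify_web_acl(d.get("WebACLId", ""))}
            for d in iter_distributions(cf_client)]


class FakeCloudFront:
    """Constructed stand-in for boto3.client('cloudfront'); pages keyed by Marker."""
    def __init__(self, pages: Dict[Any, Dict[str, Any]]):
        self._pages = pages

    def list_distributions(self, **kwargs):
        return {"DistributionList": self._pages[kwargs.get("Marker")]}


# Constructed sample data (two pages), not output from a real account.
SAMPLE_PAGES = {
    None: {"IsTruncated": True, "NextMarker": "E2BBBBBBBBBBB2", "Items": [
        {"Id": "E1AAAAAAAAAAA1", "DomainName": "d111.cloudfront.net",
         "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/prod/1111-2222"},
        {"Id": "E2BBBBBBBBBBB2", "DomainName": "d222.cloudfront.net", "WebACLId": ""}]},
    "E2BBBBBBBBBBB2": {"IsTruncated": False, "Items": [
        {"Id": "E3CCCCCCCCCCC3", "DomainName": "d333.cloudfront.net",
         "WebACLId": "473e64fd-f30b-4765-81a0-62ad96dd167a"}]},
}

if __name__ == "__main__":  # swap in boto3.client("cloudfront") to audit a real account
    for finding in audit_distributions(FakeCloudFront(SAMPLE_PAGES)):
        print(finding)
```

Distributions reported as `classic` pass this check but are worth tracking separately, since the remediation steps above create a web ACL in the current AWS WAF (wafv2) API.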