
AWS CloudFront and WAF

Scope

AWS content delivery and edge security services. Covers CloudFront distribution configuration, cache behaviors, Origin Access Control, WAF managed and custom rules, Shield Advanced, and edge compute (CloudFront Functions, Lambda@Edge).

Checklist

  • [Critical] Is CloudFront configured as the entry point for all public-facing content, with the origin (ALB, S3, API Gateway) reachable only through the distribution (S3 bucket policy scoped to the distribution ARN via OAC; ALB security group limited to the CloudFront origin-facing managed prefix list plus a secret custom origin header the origin verifies, or a VPC origin)?
  • [Critical] Is Origin Access Control (OAC) used for S3 origins to replace legacy Origin Access Identity (OAI)?
  • [Recommended] Are cache behaviors configured per path pattern with appropriate TTLs, and are cache policies and origin request policies used instead of legacy forwarding settings?
  • [Recommended] Is a custom cache policy defined that only forwards the minimum necessary headers, cookies, and query strings to maximize cache hit ratio?
  • [Recommended] Is origin failover configured with an origin group so CloudFront retries a secondary origin when the primary returns a configured failover status code (5xx, or 403/404 where that makes sense) or the connection fails or times out? Failover applies only to GET, HEAD and OPTIONS requests, so write paths need their own resilience.
  • [Recommended] Are response headers policies configured to set security headers (HSTS, X-Content-Type-Options, X-Frame-Options, CSP)?
  • [Critical] Is an AWS WAF web ACL (CLOUDFRONT scope, which must be created in us-east-1) associated with the distribution, with at least the AWS Managed Rules core rule set (AWSManagedRulesCommonRuleSet), and were the rules run in Count mode first to surface false positives before switching them to Block?
  • [Recommended] Are WAF rate-based rules configured (keyed on source IP, or on a forwarded-IP header or custom key when the viewer is behind another proxy) to throttle application-layer floods, credential stuffing and brute-force attempts at the edge? They count over a fixed evaluation window and complement, rather than replace, Shield for volumetric DDoS.
  • [Optional] Is AWS Shield Advanced enabled for high-value applications needing DDoS cost protection and SRT support?
  • [Optional] Are geographic restrictions (geo-blocking) or geo-match conditions applied where required by licensing or regulation?
  • [Recommended] Are standard logs enabled (delivered to S3, and optionally CloudWatch Logs or Amazon Data Firehose) for retention and Athena queries, and real-time logs (delivered to Amazon Kinesis Data Streams) where incident investigation needs visibility within seconds rather than minutes?
  • [Recommended] Are CloudFront Functions or Lambda@Edge used for header manipulation, URL rewrites, A/B testing, or authentication at the edge?
  • [Critical] Is the viewer security policy TLSv1.2_2021 (or a newer TLS 1.2+ policy) with a custom ACM certificate (issued or imported in us-east-1) served via SNI, and is the origin protocol policy HTTPS-only with the origin SSL protocols restricted to TLS 1.2 or later? With the default *.cloudfront.net certificate the minimum protocol version is not configurable, so a custom certificate is required to enforce this.
  • [Optional] Is field-level encryption configured for sensitive form fields that must remain encrypted through to the application?
  • [Optional] Evaluate CloudFront KeyValueStore for low-latency key-value lookups at the edge within CloudFront Functions; stores up to 5 MB of data (keys up to 512 bytes, values up to 1 KB) with global eventual consistency; ideal for URL rewrites, A/B testing configuration, feature flags, and redirect maps without origin requests
  • [Optional] Evaluate CloudFront VPC origins for connecting CloudFront directly to origins in private VPC subnets (ALBs, NLBs, EC2 instances) without requiring public IP addresses or internet-facing load balancers; eliminates the need for custom origin headers or WAF rules to restrict direct origin access
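The Critical items above can be checked mechanically against a distribution's configuration. The following is an added example (not AWS tooling or code from this page): an offline audit over a dict in the shape boto3's `get_distribution_config()` returns under `DistributionConfig`. Both sample configurations are constructed here, with placeholder policy IDs, ARNs and domain names; in practice you would feed the function the live config and run it from CI or a scheduled job.

```python
"""Offline audit of a CloudFront DistributionConfig against the Critical items
in the checklist above. Added example, not AWS tooling: the dict shape mirrors
the DistributionConfig that boto3 get_distribution_config() returns, and both
sample configs below are constructed, with placeholder IDs and domain names."""
from typing import Any, Dict, List

TLS12_POLICIES = {"TLSv1.2_2018", "TLSv1.2_2019", "TLSv1.2_2021"}  # viewer-side policies
LEGACY_ORIGIN_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def audit_distribution(cfg: Dict[str, Any]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    findings: List[str] = []

    for origin in cfg.get("Origins", {}).get("Items", []):
        oid = origin["Id"]
        if "S3OriginConfig" in origin:
            # S3 must be locked to this distribution with OAC (bucket policy on
            # the distribution ARN), not the legacy OAI and not a public bucket.
            if not origin.get("OriginAccessControlId"):
                how = "legacy OAI" if origin["S3OriginConfig"].get("OriginAccessIdentity") else "no access control"
                findings.append(f"origin {oid}: S3 origin has {how}; switch to OAC")
        elif "CustomOriginConfig" in origin:  # VPC origins carry VpcOriginConfig and skip this branch
            coc = origin["CustomOriginConfig"]
            if coc.get("OriginProtocolPolicy") != "https-only":
                findings.append(f"origin {oid}: origin protocol policy is not https-only")
            weak = set(coc.get("OriginSslProtocols", {}).get("Items", [])) & LEGACY_ORIGIN_PROTOCOLS
            if weak:
                findings.append(f"origin {oid}: origin SSL protocols allow {sorted(weak)}")
            # A public custom origin needs a secret header it can check, so that
            # requests which bypass CloudFront (and the WAF) can be rejected.
            if not origin.get("CustomHeaders", {}).get("Items"):
                findings.append(f"origin {oid}: public custom origin without a custom origin header")

    behaviors = [cfg["DefaultCacheBehavior"]] + cfg.get("CacheBehaviors", {}).get("Items", [])
    for b in behaviors:
        name = b.get("PathPattern", "default")
        if b.get("ViewerProtocolPolicy") not in {"redirect-to-https", "https-only"}:
            findings.append(f"behavior {name}: viewer protocol policy permits plain HTTP")
        if "ForwardedValues" in b or not b.get("CachePolicyId"):
            # Legacy forwarding; "Forward all" cookies/headers also makes every request a miss.
            findings.append(f"behavior {name}: legacy ForwardedValues instead of a cache policy")
        if not b.get("ResponseHeadersPolicyId"):
            findings.append(f"behavior {name}: no response headers policy (no HSTS/CSP at the edge)")

    vc = cfg.get("ViewerCertificate", {})
    if vc.get("CloudFrontDefaultCertificate"):
        findings.append("viewer cert: default *.cloudfront.net certificate; MinimumProtocolVersion is ignored for it")
    elif vc.get("MinimumProtocolVersion") not in TLS12_POLICIES:
        findings.append(f"viewer cert: security policy {vc.get('MinimumProtocolVersion')!r} allows TLS < 1.2")

    if not cfg.get("WebACLId"):
        findings.append("no WAF web ACL associated with the distribution")
    if not cfg.get("Logging", {}).get("Enabled"):
        findings.append("standard logging disabled")
    return findings


# Constructed sample: a distribution left on old console defaults.
WEAK_CONFIG: Dict[str, Any] = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "assets", "DomainName": "assets-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAI"}},
        {"Id": "api", "DomainName": "api-alb.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
                                "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1", "TLSv1.2"]}},
         "CustomHeaders": {"Quantity": 0, "Items": []}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "assets", "ViewerProtocolPolicy": "allow-all",
                             "ForwardedValues": {"QueryString": True, "Cookies": {"Forward": "all"},
                                                 "Headers": {"Quantity": 1, "Items": ["*"]}}},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api", "ViewerProtocolPolicy": "redirect-to-https",
         "CachePolicyId": "cache-policy-disabled", "ResponseHeadersPolicyId": "rhp-security-headers"}]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
    "WebACLId": "",
    "Logging": {"Enabled": False},
}

# Constructed sample: the same distribution after applying the checklist.
HARDENED_CONFIG: Dict[str, Any] = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "assets", "DomainName": "assets-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}, "OriginAccessControlId": "EXAMPLEOAC"},
        {"Id": "api", "DomainName": "api-alb.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only",
                                "OriginSslProtocols": {"Quantity": 1, "Items": ["TLSv1.2"]}},
         "CustomHeaders": {"Quantity": 1, "Items": [{"HeaderName": "X-Origin-Verify", "HeaderValue": "<secret>"}]}}]},
    "DefaultCacheBehavior": {"TargetOriginId": "assets", "ViewerProtocolPolicy": "redirect-to-https",
                             "CachePolicyId": "cache-policy-optimized", "ResponseHeadersPolicyId": "rhp-security-headers"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*", "TargetOriginId": "api", "ViewerProtocolPolicy": "https-only",
         "CachePolicyId": "cache-policy-disabled", "OriginRequestPolicyId": "orp-all-viewer-except-host",
         "ResponseHeadersPolicyId": "rhp-security-headers"}]},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/example",
                          "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"},
    "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/0000",
    "Logging": {"Enabled": True, "Bucket": "cf-logs.s3.amazonaws.com", "Prefix": "edge/"},
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_distribution(cfg)
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print("  -", f)
```

The weak sample trips ten findings and the hardened one none. The checks are deliberately conservative: a behavior that still carries `ForwardedValues` is flagged even if it forwards little, because the cache policy model is what the checklist asks for, and a public custom origin without any custom header is flagged because the origin then has no way to tell CloudFront traffic from a direct hit.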

Why This Matters

CloudFront misconfiguration exposes origins directly to the internet, bypassing WAF and caching. Missing cache optimization increases origin load and latency. Without WAF, applications are vulnerable to OWASP Top 10 attacks, bots, and DDoS. Over-forwarding headers and cookies destroys cache hit ratios, effectively making CloudFront an expensive proxy.

Common Decisions (ADR Triggers)

  • CDN architecture -- CloudFront vs third-party CDN (Cloudflare, Akamai), multi-CDN strategy
  • WAF rule management -- AWS Managed Rules vs third-party managed rules (F5, Fortinet) vs custom rules
  • Edge compute -- CloudFront Functions (sub-millisecond JavaScript, viewer request/response events only, no network or filesystem access) vs Lambda@Edge (Node.js/Python, all four events including origin request/response, can call the origin and other AWS services)
  • Cache invalidation strategy -- path-based invalidation vs versioned URLs/filenames
  • Origin architecture -- ALB origin vs API Gateway origin vs S3 static origin, custom origin headers for validation
  • Shield Advanced -- cost ($3K/mo with a 1-year commitment) vs DDoS cost protection and Shield Response Team (SRT) access
  • Logging and observability -- real-time logs vs standard logs, log analysis with Athena vs third-party SIEM
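The "custom origin headers for validation" decision above only works if the origin actually checks the header, and the usual way it goes wrong is rotation: the value is changed in the distribution, the edges pick it up over several minutes, and the origin starts returning 403 to half of the traffic in between. The following is an added example (not AWS or project code) of the origin-side check as WSGI middleware, accepting the current and the previous secret during the propagation window. The header name `X-Origin-Verify`, the secret values and the tiny app are assumptions.

```python
"""Origin-side enforcement of the CloudFront custom origin header. Added example,
not AWS or project code: the header name X-Origin-Verify, the secret values and
the WSGI app are assumptions. The origin accepts the current and the previous
secret so rotating the header value in the distribution never causes a window
of 403s while the new configuration propagates to all edge locations."""
import hmac
from typing import Callable, Dict, List, Optional

HEADER_ENV = "HTTP_X_ORIGIN_VERIFY"  # how WSGI exposes the X-Origin-Verify request header


class OriginVerifier:
    def __init__(self, current: str, previous: Optional[str] = None) -> None:
        self._accepted: List[str] = [s for s in (current, previous) if s]

    def is_from_cloudfront(self, value: Optional[str]) -> bool:
        """Constant-time comparison against every currently accepted secret."""
        if not value:
            return False
        return any(hmac.compare_digest(value.encode(), s.encode()) for s in self._accepted)

    def rotate(self, new_secret: str) -> None:
        """Begin accepting new_secret while still honouring the most recent old one."""
        self._accepted = [new_secret, self._accepted[0]]

    def retire_previous(self) -> None:
        """Once every edge sends the new secret, stop accepting the old one."""
        self._accepted = self._accepted[:1]


def origin_guard(app: Callable, verifier: OriginVerifier) -> Callable:
    """WSGI middleware: 403 any request that did not arrive through CloudFront."""
    def wrapped(environ, start_response):
        if not verifier.is_from_cloudfront(environ.get(HEADER_ENV)):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"direct origin access is not permitted\n"]
        return app(environ, start_response)
    return wrapped


def _hello(environ, start_response):
    """Placeholder application behind the guard."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


def status_for(app: Callable, header_value: Optional[str]) -> str:
    """Drive a WSGI app with one constructed GET / and return the status line."""
    captured: Dict[str, str] = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/"}
    if header_value is not None:
        environ[HEADER_ENV] = header_value
    list(app(environ, start_response))
    return captured["status"]


def rotation_demo() -> List[str]:
    """Status lines seen at each step of rotating the origin header secret."""
    old, new = "old-secret-0123456789abcdef", "new-secret-fedcba9876543210"  # assumed values
    verifier = OriginVerifier(old)
    app = origin_guard(_hello, verifier)
    seen = [status_for(app, old)]          # steady state: 200
    verifier.rotate(new)                   # origin now accepts both
    seen.append(status_for(app, old))      # edge not yet updated: still 200
    seen.append(status_for(app, new))      # edge already updated: 200
    verifier.retire_previous()             # propagation complete
    seen.append(status_for(app, old))      # stale value now rejected: 403
    seen.append(status_for(app, None))     # direct hit without the header: 403
    return seen


if __name__ == "__main__":
    print(rotation_demo())
```

Order of operations matters: roll the origin to accept the new secret first, then update the distribution, then retire the old secret after the distribution reports Deployed. In production the secret comes from Secrets Manager rather than a literal, and the same check can be expressed as a WAF string-match rule on the ALB instead of application code. With VPC origins the load balancer is not internet-reachable and this header becomes defense in depth rather than the primary control.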

Reference Architectures


See Also

  • general/networking.md -- General networking concepts including CDN and edge security patterns
  • providers/aws/route53.md -- DNS routing policies used with CloudFront distributions
  • providers/aws/s3.md -- S3 as a CloudFront origin for static content hosting
  • providers/aws/lambda-serverless.md -- Lambda@Edge and CloudFront Functions for edge compute