Using Amazon WAF protections - Amazon CloudFront

Using Amazon WAF protections

You can use Amazon WAF to protect your CloudFront distributions and origin servers. Amazon WAF is a web application firewall that helps secure your web applications and APIs by blocking requests before they reach your servers. For more details, see Accelerate and protect your websites using CloudFront and Amazon WAF.

To enable Amazon WAF protections, you can:

  • Use one-click protection in the CloudFront console. One-click protection creates an Amazon WAF web access control list (web ACL), configures rules to protect your servers from common web threats, and attaches the web ACL to the CloudFront distribution for you. The topics in this section assume the use of one-click protections.

  • Use a preconfigured web ACL (access control list) that you create in the Amazon WAF console or by using the Amazon WAF APIs. For more information, see Web access control lists (ACLs) in the Amazon WAF Developer Guide and AssociateWebACL in the Amazon WAF API Reference.

You can enable Amazon WAF when you:

  • Create a distribution

  • Use the Security dashboard to edit the security settings of an existing distribution

When you use one-click protection, CloudFront applies an Amazon-recommended set of protections that:

  • Block IP addresses from potential threats based on Amazon internal threat intelligence.

  • Protect against the most common vulnerabilities found in web applications as described in the OWASP Top 10.

  • Defend against malicious actors discovering application vulnerabilities.

Important

You must enable Amazon WAF if you want to view security metrics in the CloudFront Security dashboard. Without Amazon WAF enabled, you can only use the Security dashboard to enable Amazon WAF or configure CloudFront geographic restrictions. For more information about the dashboard, see Using CloudFront security dashboards, later in this section.
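To confirm which distributions actually have a web ACL attached after you enable protections, you can audit the `WebACLId` field that the CloudFront `ListDistributions` API returns for each distribution. The following is an added example, not code from the Amazon documentation; it assumes the boto3 SDK for the live call, the helper names are hypothetical, and the sample responses are constructed.

```python
import re

# CloudFront stores a WAFv2 web ACL as an ARN and a WAF Classic web ACL as a bare ID.
WAFV2_ARN = re.compile(r"^arn:aws[a-z-]*:wafv2:[a-z0-9-]+:\d{12}:global/webacl/.+")

def acl_state(dist):
    """Classify one DistributionSummary dict as 'none', 'wafv2' or 'classic'."""
    acl = (dist.get("WebACLId") or "").strip()
    if not acl:
        return "none"
    return "wafv2" if WAFV2_ARN.match(acl) else "classic"

def audit(pages):
    """Flatten ListDistributions response pages into one row per distribution."""
    rows = []
    for page in pages:
        # "Items" is omitted when a page holds no distributions.
        for d in page.get("DistributionList", {}).get("Items") or []:
            rows.append({"id": d["Id"], "domain": d["DomainName"],
                         "enabled": d["Enabled"], "waf": acl_state(d)})
    return rows

def unprotected(rows):
    """IDs of enabled distributions that have no web ACL attached."""
    return [r["id"] for r in rows if r["enabled"] and r["waf"] == "none"]

def live_pages():
    """Real account data (assumption: boto3 installed, credentials configured)."""
    import boto3
    return boto3.client("cloudfront").get_paginator("list_distributions").paginate()

# Constructed sample responses, so the example runs offline.
ARN = ("arn:aws:wafv2:us-east-1:111122223333:global/webacl/"
       "ExampleACL/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111")
SAMPLE_PAGES = [
    {"DistributionList": {"Items": [
        {"Id": "E1EXAMPLE", "DomainName": "d111.example.net", "Enabled": True, "WebACLId": ARN},
        {"Id": "E2EXAMPLE", "DomainName": "d222.example.net", "Enabled": True, "WebACLId": ""},
    ]}},
    {"DistributionList": {"Items": [
        {"Id": "E3EXAMPLE", "DomainName": "d333.example.net", "Enabled": False, "WebACLId": ""},
        {"Id": "E4EXAMPLE", "DomainName": "d444.example.net", "Enabled": True,
         "WebACLId": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"},
    ]}},
    {"DistributionList": {}},  # empty final page
]

if __name__ == "__main__":
    rows = audit(SAMPLE_PAGES)  # swap in live_pages() to audit a real account
    for row in rows:
        print(row)
    print("enabled, no web ACL:", unprotected(rows))
```
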