amazon-web-servicesaws-cloudformationamazon-cloudfrontrate-limitingamazon-waf
How do I configure "Core protections" and "Rate limiting" in CloudFormation template for a CloudFront distribution
So I am trying to configure AWS::CloudFront::Distribution so that the basic security protections are enabled.
And I am trying to configure these options, but I can't find anything from the documentation that describes how to do it in CloudFormation template.
The following is my base configuration for the CloudFront distribution:
CloudFrontDistribution:
Type: AWS::CloudFront::Distribution
Properties:
DistributionConfig:
Origins:
- Id: S3Origin
DomainName:
Fn::Join:
- ''
- - !Ref FrontendS3Bucket
- '.s3-${env:REGION}.amazonaws.com'
S3OriginConfig:
OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${FrontendS3OAI}'
- Id: ApiGatewayOrigin
DomainName:
Fn::Join:
- ''
- - !Ref HttpApi
- '.execute-api.${env:REGION}.amazonaws.com'
CustomOriginConfig:
OriginProtocolPolicy: https-only
OriginSSLProtocols:
- TLSv1.2
DefaultRootObject: index.html
DefaultCacheBehavior:
TargetOriginId: S3Origin
CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # Managed-CachingOptimized
ViewerProtocolPolicy: https-only
CacheBehaviors:
- TargetOriginId: ApiGatewayOrigin
PathPattern: /api/*
ViewerProtocolPolicy: https-only
OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac # Managed-AllViewerExceptHostHeader
CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad # Managed-CachingDisabled
AllowedMethods:
- GET
- HEAD
- OPTIONS
- PUT
- PATCH
- POST
- DELETE
Enabled: true
Solution
Rate limit is part of Web Application Firewall, you can see in your screenshot also. This is way to configure this.
Step 1 Create a WAF using this. https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ratebasedstatement.html
Step 2
Integrate WAF with Cloudfront distribution
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html
- Changing the name of a Load Balancer on AWS Console
- Timeout when trying to retrieve EC2 instance-id metadata from within it
- Row was updated or deleted by another transaction (or unsaved-value mapping was incorrect)
- Downloading an entire S3 bucket?
- Unable to unzip .zip file on linux machine
- Missing Authentication Token while accessing API Gateway?
- AWS S3 Access Denied when open object URL in browser
- AWS Lambda NodeJs unable to return response
- How can I access my AWS MSK managed kafka queue from my local machine and EC2 instances in other regions
- How to recreate EC2 instances of an autoscaling group with terraform?
- AWS Cloudwatch Alarm Issue
- AWS EC2 | using Rusoto SDK: Couldn't find AWS credentials
- How to enable "Use for Hive table metadata" in "AWS Glue Data Catalog settings" using Terraform?
- Determine if instance is a part of some AutoScaling Group in AWS
- Difference bw "start_of_file" and "end_of_file" in AWS cloud agent configuration
- not authorized to perform: ec2:DescribeInstances because no identity-based policy allows the ec2:DescribeInstances action
- Environment specific ebextensions Beanstalk commands
- Deleting records from a DynamoDB table where the TTL value has been set incorrectly
- MySQL/Amazon RDS error: "you do not have SUPER privileges..."
- Is EC2 t3.micro created by ECS cluster eligible for free tier?
- Amazon Neptune OpenCypher - What is the cause for "Operation terminated (internal error)" when using SET after MERGE?
- AWS SAM CLI cannot access Dynamo DB when function is invoked locally
- EC2 instance connect : There was a problem setting up the instance connection
- Wildcard filter in aws-nuke
- Add advanced validation for AWS::Serverless::Api GET query params
- Organizing AWS IAM permissions: limit of 10 policies?
- AWS: S3 Bucket AWS You can't grant public access because Block public access settings are turned on for this account
- failed calling webhook "vingress.elbv2.k8s.aws"
- terraform tags for list variable not working
- Amazon SES successfully forwarded emails but respond with 451 4.3.0 This message could not be delivered