dev-resources.site
for different kinds of informations.
Configuring AWS WAF, CloudFront, and S3 Bucket for Secure Access
Published at
1/3/2025
Categories
aws
waf
cloudfront
s3
Author
randiakm
Author
8 person written this
randiakm
open
How to Set Up AWS WAF, CloudFront and an S3 Bucket to serve content securely and Restrict content Access to certain originating sources only. This guide looks at some issues, for instance, 403 Forbidden, in order to troubleshoot the problem.
1. Objective
The purpose of this assignment is to deploy AWS WAF, CloudFront and S3 bucket:
- Restrict Access to certain origins, for example, https://dev.test.com and https://int.test.com.
- When the CloudFront distribution is accessed, the index.html page should be served by default.
- To prevent unauthorized access and to correct common errors.
2. You will require.
And AWS S3 bucket called, sample-bucket, where the files for the static website are stored.
An AWS CloudFront distribution created with OAC linked to the S3 bucket.
3. Configuration Steps
Step 1: Make Sure S3 Bucket Policy has below
- Open the S3 Console.
- Select your bucket (e.g., sample-bucket).
- Check the following bucket policy to allow access from CloudFront:
{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
{
"Sid": "AllowCloudFrontServicePrincipal",
"Effect": "Allow",
"Principal": {
"Service": "cloudfront.amazonaws.com"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::sample-bucket/*",
"Condition": {
"StringEquals": {
"AWS:SourceArn": "arn:aws:cloudfront::AWS_ACC_ID:distribution/CLOUDFRONT_ID"
}
}
}
]
}
Step 2: Configure CORS for the S3 Bucket
- In the S3 Console, go to the Permissions tab.
- Edit the CORS configuration and set the following:
[
{
"AllowedHeaders": ["*"],
"AllowedMethods": ["GET", "HEAD", "PUT", "POST", "DELETE"],
"AllowedOrigins": [
"https://dev.test.com",
"https://int.test.com"
]
}
]
- Replace AllowedOrigins with your allowed domains.
- Restrict AllowedHeaders to necessary headers for production.
Step 3: Configure AWS WAF
Create WAF Rules:
- Open the AWS WAF Console and select your Web ACL.
- Add the following rules:
Rule 1: Allow-Traffic
- Description: Allows requests from specific origins.
- Rule Definition:
{
"Name": "Allow-Traffic",
"Priority": 1,
"Statement": {
"OrStatement": {
"Statements": [
{
"ByteMatchStatement": {
"SearchString": "https://dev.test.com",
"FieldToMatch": {
"SingleHeader": {
"Name": "origin"
}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "EXACTLY"
}
},
{
"ByteMatchStatement": {
"SearchString": "https://int.test.com",
"FieldToMatch": {
"SingleHeader": {
"Name": "origin"
}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "EXACTLY"
}
}
]
}
},
"Action": {
"Allow": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "Allow-Traffic"
}
}
Rule 2: Block-All-Other-Traffic
- Description: Blocks all requests that donโt match the allowed origins.
- Rule Definition:
{
"Name": "Block-All-Other-Traffic",
"Priority": 2,
"Statement": {
"NotStatement": {
"Statement": {
"OrStatement": {
"Statements": [
{
"ByteMatchStatement": {
"SearchString": "https://dev.test.com",
"FieldToMatch": {
"SingleHeader": {
"Name": "origin"
}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "EXACTLY"
}
},
{
"ByteMatchStatement": {
"SearchString": "https://int.test.com",
"FieldToMatch": {
"SingleHeader": {
"Name": "origin"
}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
],
"PositionalConstraint": "EXACTLY"
}
}
]
}
}
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "Block-All-Other-Traffic"
}
}
4. Testing and Verification
Test Allowed Origins
Run the following command:
curl -X GET https://cloudfront_domain_name \
-H "Origin: https://dev.test.com" \
-v
Expected Result: HTTP 200 OK.
Test Disallowed Origins
Run the following command:
curl -X GET https://cloudfront_domain_name \
-H "Origin: https://unauthorized.com" \
-v
Expected Result: HTTP 403 Forbidden.
Check WAF Logs
- Enable logging for the Web ACL in the AWS WAF Console.
- Monitor logs in CloudWatch to verify rule matches.
cloudfront Article's
30 articles in total
Lee esto antes de implementar S3 y CloudFront usando Terraform.
read article
Lee esto antes de implementar S3 y CloudFront usando Terraform.
read article
Building an S3 Static Website with CloudFront Using Terraform
read article
AWS CloudFront: A Comprehensive Guide
read article
Configuring AWS WAF, CloudFront, and S3 Bucket for Secure Access
currently reading
Setting Up Custom Domain for API Gateway & CloudFront
read article
Apply SSL Certificate on AWS ACM (also Cloudflare)
read article
How to Fix Next.js CloudFront Permission Denied: Complete Guide to Static Export URL Issues
read article
Building Testable CloudFront Functions with TypeScript
read article
CloudFront and S3: SignatureDoesNotMatch , the request signature we calculated does not match the signature you provided
read article
Mastering Custom Responses in Amazon CloudFront to Block Behavior โ Default(*)
read article
Unlock CloudFront's New Logging Potential with Athena Partition Projection
read article
Discovering the Latest Features of AWS CloudFront: Enhancing Performance andย Security
read article
Create an Asset Store with a Custom Domain using AWS CDK, Route53, S3 and CloudFront
read article
New Feature: Amazon CloudFront no longer charges (No Billing) for requests blocked by AWS WAF
read article
Reduce the amount of code in AWS CDK: Apply OAC in Amazon CloudFront L2 constructs
read article
Amazon Web Services (AWS) has announced today a new edge location in #Qatar
read article
Hosting a Static Website On S3 bucket With CloudFront.
read article
Setting up AWS S3 and CloudFront with Signed URLs using CDK
read article
Leveraging Lambda@Edge to seamlessly manage frontend maintenance window like a pro
read article
How to Resolve 403 Access Issues When Deploying a SPA on AWS with S3 and CloudFront
read article
Cloud Resume Challenge: Hosting a React CV using S3, CloudFront, Route 53, Lambda, DynamoDB and GitHub actions for CI/CD
read article
Deploying Static Website to AWS: A Step-by-Step Guide with S3, Route 53, and CloudFront
read article
Resolve Lambda URL Error - signature not match when using POST/PUT
read article
Setting Up and Securing CloudFront for S3 Static Sites with Custom Subdomains Using AWS Cloud Development Kit(CDK)
read article
How to Host a Static Website on AWS Using S3, Route 53, CloudFront, and Certificate Manager
read article
RTT Reduction Strategies for Enhanced Network Performance
read article
Dynamically Choosing Origin Based on Host Header and Path with AWS CloudFront and Lambda@Edge
read article
Understanding Speed: A Beginner's Guide to AWS CloudFront
read article
Deploy a Static React Site Using AWS S3 and CloudFront
read article
Featured ones: