
Lab: Securing the Network Edge with AWS WAF and CloudFront

Design, implement, and troubleshoot security controls for network edge services


This lab guides you through designing and implementing security controls at the network edge. You will deploy an Amazon CloudFront distribution for a static website hosted on S3 and protect it using AWS WAF (Web Application Firewall) to mitigate common OWASP Top 10 threats and implement geographic access controls.

Prerequisites

  • An AWS Account with Administrator access.
  • AWS CLI installed and configured with credentials.
  • Basic knowledge of CIDR blocks and HTTP status codes.
  • A unique identifier (e.g., your initials and a random number) to use for resource naming (referred to as <LAB_ID>).

Learning Objectives

  • Deploy an Amazon CloudFront distribution with Origin Access Control (OAC).
  • Implement AWS WAF Web ACLs with Managed Rule Groups (SQLi, XSS).
  • Configure advanced edge controls including Geoblocking and Rate Limiting.
  • Troubleshoot edge security issues using WAF logs and CloudFront error responses.

Architecture Overview

Architecture diagram (not rendered in this copy): client → Amazon CloudFront distribution with an AWS WAF Web ACL attached → private S3 origin bucket reached only through Origin Access Control (OAC).

Step-by-Step Instructions

Step 1: Create the Origin S3 Bucket

First, create a bucket to hold our web content. We will keep this bucket private and only allow CloudFront to access it.

```bash
# Replace <LAB_ID> with your identifier
aws s3 mb s3://brainybee-lab-origin-<LAB_ID>
echo "<h1>Hello from the Secure Edge!</h1>" > index.html
aws s3 cp index.html s3://brainybee-lab-origin-<LAB_ID>/index.html
```
Console Alternative
  1. Navigate to S3 > Create bucket.
  2. Name: brainybee-lab-origin-<LAB_ID>.
  3. Keep Block all public access checked.
  4. Click Create bucket and upload index.html.

Step 2: Create a CloudFront Distribution with OAC

We will create a distribution to serve the content globally and restrict S3 access to CloudFront only.

```bash
# This command creates an Origin Access Control (OAC) resource
aws cloudfront create-origin-access-control \
  --origin-access-control-config '{"Name": "OAC-<LAB_ID>", "OriginAccessControlOriginType": "s3", "SigningBehavior": "always", "SigningProtocol": "sigv4"}'
```

[!NOTE] Note the Id from the output above. You will use it to create the distribution. For the purpose of this lab, it is recommended to use the Console for the full distribution setup as the CLI JSON input for CloudFront is highly complex.

Console Alternative
  1. Navigate to CloudFront > Create distribution.
  2. Origin domain: select your S3 bucket.
  3. Origin access: select "Origin access control settings".
  4. OAC: click "Create control setting" and accept the defaults.
  5. Web Application Firewall (WAF): for now, select "Do not enable security protections" (we will add this manually later).
  6. Click Create distribution.
  7. IMPORTANT: copy the S3 bucket policy suggested by the CloudFront banner and apply it to your S3 bucket permissions.

Step 3: Create AWS WAF Web ACL

Now we create the "Virtual Wall" using AWS WAF.

```bash
# Note: WAF for CloudFront must be created in the us-east-1 region
aws wafv2 create-web-acl \
  --name "Edge-Protection-ACL" \
  --scope CLOUDFRONT \
  --default-action Allow={} \
  --rules '[{"Name":"AWS-AWSManagedRulesCommonRuleSet","Priority":0,"Statement":{"ManagedRuleGroupStatement":{"VendorName":"AWS","Name":"AWSManagedRulesCommonRuleSet"}},"OverrideAction":{"None":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"CommonRules"}}]' \
  --visibility-config '{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"GlobalACL"}' \
  --region us-east-1
```

Step 4: Implement Geoblocking and Rate Limiting

To mitigate DDoS-style request floods and block access from unauthorized regions, we add two specialized rules: a rate-based rule and a geo-match rule.

```bash
# Example: Adding a Rate Limit rule (limit to 100 requests per 5 minutes)
# This is typically added via the 'update-web-acl' command.
```
Console Alternative
  1. Navigate to WAF & Shield > Web ACLs (ensure the region is Global/CloudFront).
  2. Select your ACL > Rules > Add rules > Add my own rules and rule groups.
  3. Rule type: Rate-based rule. Rate limit: 100. Action: Block.
  4. Click Add rule.
  5. Repeat for Geoblocking: create a rule with Statement "Originates from a country in" and select the countries to block.
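The CLI path the comment above alludes to has one trap: update-web-acl replaces the whole rule list, so the input must carry the CommonRuleSet rule from Step 3 as well as the two new rules. The script below is an added example, not part of the lab, that builds that input from a constructed stand-in for get-web-acl output; the rule names RateLimit-100 and GeoBlock, the country codes, and the <ACL_ID>/<TOKEN> placeholders are assumptions.

```python
import json, sys

# Constructed stand-in for the output of `aws wafv2 get-web-acl --name Edge-Protection-ACL
# --scope CLOUDFRONT --id <ACL_ID> --region us-east-1`, trimmed to the fields used here.
SAMPLE_GET_WEB_ACL = {
    "WebACL": {
        "Name": "Edge-Protection-ACL", "Id": "<ACL_ID>", "DefaultAction": {"Allow": {}},
        "Rules": [{"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 0, "OverrideAction": {"None": {}},
                   "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
                   "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "CommonRules"}}],
    },
    "LockToken": "<TOKEN>",
}

def _visibility(metric):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric}

def rate_limit_rule(name, limit, priority, window_sec=300):
    """Block a source IP that exceeds `limit` requests per evaluation window (300 s is the 5-minute default)."""
    if limit < 100:
        raise ValueError("AWS WAF rejects rate-based limits below 100")
    return {"Name": name, "Priority": priority, "Action": {"Block": {}}, "VisibilityConfig": _visibility(name),
            "Statement": {"RateBasedStatement": {"Limit": limit, "EvaluationWindowSec": window_sec,
                                                 "AggregateKeyType": "IP"}}}

def geo_block_rule(name, countries, priority):
    """Block requests whose origin country (as determined at the edge) is listed; ISO 3166-1 alpha-2 codes."""
    codes = [c.upper() for c in countries]
    if any(len(c) != 2 or not c.isalpha() for c in codes):
        raise ValueError(f"expected two-letter country codes, got {codes}")
    return {"Name": name, "Priority": priority, "Action": {"Block": {}}, "VisibilityConfig": _visibility(name),
            "Statement": {"GeoMatchStatement": {"CountryCodes": codes}}}

def merged_rules(acl_output, rate_limit, blocked_countries):
    """update-web-acl replaces the entire Rules list: keep what get-web-acl returned (otherwise the
    CommonRuleSet rule from Step 3 silently disappears) and append at priorities that do not collide."""
    existing = acl_output["WebACL"]["Rules"]
    nxt = max((r["Priority"] for r in existing), default=-1) + 1
    rules = existing + [rate_limit_rule(f"RateLimit-{rate_limit}", rate_limit, nxt),
                        geo_block_rule("GeoBlock", blocked_countries, nxt + 1)]
    if len({r["Name"] for r in rules}) != len(rules):
        raise ValueError("rule names within a Web ACL must be unique")
    return rules

if __name__ == "__main__":
    # Countries are a constructed example; for Checkpoint 3 use your own country code instead.
    json.dump(merged_rules(SAMPLE_GET_WEB_ACL, 100, ["de", "fr"]), sys.stdout, indent=2)  # redirect to rules.json
```

Save the output as rules.json and apply it with `aws wafv2 update-web-acl --name Edge-Protection-ACL --scope CLOUDFRONT --id <ACL_ID> --lock-token <TOKEN> --default-action Allow={} --visibility-config '{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"GlobalACL"}' --rules file://rules.json --region us-east-1`, taking Id and LockToken from the real get-web-acl output.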

Checkpoints

  1. CloudFront Access: Visit your CloudFront URL (dxxxx.cloudfront.net). You should see "Hello from the Secure Edge!".
  2. S3 Security: Try to access the S3 Object URL directly. You should receive 403 Forbidden.
  3. WAF Blocking: If you configured Geoblocking for your own country (for testing), you should see a 403 Forbidden from CloudFront when visiting the URL.

Troubleshooting

| Issue | Possible Cause | Fix |
|---|---|---|
| 403 Forbidden (always) | S3 bucket policy | Ensure the OAC service principal cloudfront.amazonaws.com is granted s3:GetObject in the S3 bucket policy. |
| WAF not blocking | Scope issue | Ensure the Web ACL is created in the us-east-1 region (required for CloudFront). |
| 403 from WAF | Rule match | Check WAF "Sampled Requests" to see which rule (e.g., CommonRuleSet) is blocking your traffic. |
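Sampled Requests only keeps a sample; with WAF logging enabled for the Web ACL (put-logging-configuration, which the lab does not set up) every decision is recorded as one JSON line. The script below is an added example, not part of the lab, that runs over constructed log records and names the rule that produced each 403, including the specific sub-rule inside the managed CommonRuleSet; the rule names RateLimit-100 and GeoBlock and all IPs and countries in the sample are assumptions.

```python
import json
from collections import Counter

# Constructed sample of AWS WAF log records (newline-delimited JSON, as delivered to S3 or
# CloudWatch Logs), trimmed to the fields read below; real records carry many more.
SAMPLE_WAF_LOG = r'''
{"timestamp":1700000000000,"terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"NoUserAgent_HEADER","action":"BLOCK"}}],"rateBasedRuleList":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/index.html","httpMethod":"GET"}}
{"timestamp":1700000001000,"terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","ruleGroupList":[],"rateBasedRuleList":[],"httpRequest":{"clientIp":"198.51.100.7","country":"GB","uri":"/index.html","httpMethod":"GET"}}
{"timestamp":1700000002000,"terminatingRuleId":"RateLimit-100","terminatingRuleType":"RATE_BASED","action":"BLOCK","ruleGroupList":[],"rateBasedRuleList":[{"rateBasedRuleId":"RateLimit-100","limitKey":"IP","maxRateAllowed":100}],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/index.html","httpMethod":"GET"}}
{"timestamp":1700000003000,"terminatingRuleId":"GeoBlock","terminatingRuleType":"REGULAR","action":"BLOCK","ruleGroupList":[],"rateBasedRuleList":[],"httpRequest":{"clientIp":"192.0.2.44","country":"DE","uri":"/index.html","httpMethod":"GET"}}
{"timestamp":1700000004000,"terminatingRuleId":"AWS-AWSManagedRulesCommonRuleSet","terminatingRuleType":"MANAGED_RULE_GROUP","action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet","terminatingRule":{"ruleId":"NoUserAgent_HEADER","action":"BLOCK"}}],"rateBasedRuleList":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/index.html","httpMethod":"GET"}}
'''

def blocking_rule(rec):
    """Name the rule that terminated a request, down to the sub-rule inside a managed group."""
    rule_id = rec["terminatingRuleId"]
    if rec["terminatingRuleType"] == "MANAGED_RULE_GROUP":
        # The ACL-level name only says "CommonRuleSet"; the specific match (e.g. NoUserAgent_HEADER)
        # is reported in ruleGroupList[].terminatingRule.ruleId.
        for group in rec.get("ruleGroupList", []):
            sub = group.get("terminatingRule")
            if sub and sub.get("action") == "BLOCK":
                return f"{rule_id}/{sub['ruleId']}"
    return rule_id

def summarize_blocks(log_text):
    """Count BLOCK decisions per rule and collect the client IPs and countries behind them."""
    counts, ips, countries = Counter(), {}, {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec["action"] != "BLOCK":
            continue
        rule = blocking_rule(rec)
        counts[rule] += 1
        ips.setdefault(rule, set()).add(rec["httpRequest"]["clientIp"])
        countries.setdefault(rule, set()).add(rec["httpRequest"]["country"])
    return {rule: {"blocked": n, "client_ips": sorted(ips[rule]), "countries": sorted(countries[rule])}
            for rule, n in counts.most_common()}

if __name__ == "__main__":
    for rule, info in summarize_blocks(SAMPLE_WAF_LOG).items():
        print(f"{info['blocked']:>4}  {rule:<55} ips={info['client_ips']} countries={info['countries']}")
```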

Clean-Up / Teardown

[!WARNING] To avoid ongoing charges, you must delete the CloudFront distribution. Note that distributions take ~15 minutes to disable before they can be deleted.

  1. Disable CloudFront: Go to the CloudFront Console, select your distribution, and click Disable.
  2. Delete CloudFront: Once the status is "Disabled", click Delete.
  3. Delete WAF:
```bash
# <ACL_ID> and <TOKEN> come from: aws wafv2 list-web-acls --scope CLOUDFRONT --region us-east-1
aws wafv2 delete-web-acl --name Edge-Protection-ACL --scope CLOUDFRONT --id <ACL_ID> --lock-token <TOKEN> --region us-east-1
```
  4. Empty and Delete S3 Bucket:
```bash
# --force empties the bucket before removing it
aws s3 rb s3://brainybee-lab-origin-<LAB_ID> --force
```

Cost Estimate

  • S3: Negligible for lab-sized data.
  • CloudFront: First 1TB/month is free (Free Tier).
  • AWS WAF: $5.00 per Web ACL per month (prorated) + $1.00 per rule per month (prorated).
  • Total Lab Cost: < $0.50 if deleted within 2 hours.
