CloudFront & WAF
🔥 Vibe Prompt
"Set up CloudFront with S3 origin, WAF rate limiting, geo-blocking, and custom domain with SSL."
CloudFront Distribution
resource "aws_cloudfront_distribution" "cdn" {
  enabled     = true
  price_class = "PriceClass_100" # North America and Europe only

  origin {
    # Use the bucket's REST endpoint, not the S3 website endpoint: website
    # endpoints speak plain HTTP only, so "https-only" against one fails with
    # 502s, and they require a public bucket. With an origin access control
    # (OAC) the bucket stays private and only this distribution can read it.
    domain_name              = aws_s3_bucket.assets.bucket_regional_domain_name
    origin_id                = "S3Assets"
    origin_access_control_id = aws_cloudfront_origin_access_control.assets.id
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"]
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "S3Assets"
    viewer_protocol_policy = "redirect-to-https"
    cache_policy_id        = "658327ea-f89d-4fab-a63d-7e88639e58f6" # AWS managed CachingOptimized
    compress               = true
  }

  restrictions {
    geo_restriction {
      # GeoIP-based: every country not listed gets a 403. Treat this as a
      # policy control, not a security boundary (VPNs trivially bypass it).
      restriction_type = "whitelist"
      locations        = ["TW", "US", "JP"]
    }
  }

  viewer_certificate {
    # The ACM certificate must be issued in us-east-1 for CloudFront.
    acm_certificate_arn      = aws_acm_certificate.main.arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021" # provider default is TLSv1
  }

  # WAFv2 web ACL with scope CLOUDFRONT; it must also be created in us-east-1.
  web_acl_id = aws_wafv2_web_acl.main.arn
}
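Pointing a distribution at the S3 website endpoint only works with a public bucket, and the website endpoint speaks HTTP only. The private-bucket pattern is an origin access control (OAC) plus a bucket policy that admits exactly one distribution. The following is an added example, not code from the original page; it assumes a bucket resource named `aws_s3_bucket.assets` and the distribution `aws_cloudfront_distribution.cdn`, with the distribution's origin using `origin_access_control_id` that points at this OAC.

```hcl
# Origin access control: CloudFront signs every origin request with SigV4,
# and the bucket policy below trusts only requests made on behalf of the
# named distribution.
resource "aws_cloudfront_origin_access_control" "assets" {
  name                              = "assets-oac" # assumed name
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

# Block every form of public access. CloudFront reaches the bucket through
# the service-principal policy statement, not through public ACLs or a
# public bucket policy, so this does not interfere with it.
resource "aws_s3_bucket_public_access_block" "assets" {
  bucket                  = aws_s3_bucket.assets.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "assets_oac" {
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.assets.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    # Without this condition any CloudFront distribution in any AWS account
    # could read the bucket through its own OAC.
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.cdn.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "assets" {
  bucket = aws_s3_bucket.assets.id
  policy = data.aws_iam_policy_document.assets_oac.json
}
```

In the distribution, the matching `origin` block uses `aws_s3_bucket.assets.bucket_regional_domain_name` as `domain_name` and `origin_access_control_id = aws_cloudfront_origin_access_control.assets.id` in place of `custom_origin_config`. Verify after apply: a direct `curl https://<bucket>.s3.<region>.amazonaws.com/index.html` must return 403, while the same object served through the distribution returns 200.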
WAF Rules
resource "aws_wafv2_web_acl" "main" {
  name  = "app-waf"
  scope = "CLOUDFRONT" # CLOUDFRONT-scoped ACLs must be created in us-east-1
  default_action { allow {} }
  rule {
    name     = "RateLimit"
    priority = 1
    action { block {} }
    statement {
      rate_based_statement {
        # Blocks a source IP that exceeds 2000 requests within the
        # evaluation window (5 minutes by default), roughly 6-7 req/s.
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
    # visibility_config is required on every rule and on the ACL itself.
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimit"
      sampled_requests_enabled   = true
    }
  }
  rule {
    name     = "AWSManagedRules"
    priority = 2
    # none {} keeps the rule group's own block actions; start with count {}
    # to observe what it would block before enforcing.
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-waf"
    sampled_requests_enabled   = true
  }
}
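A web ACL without logging tells you nothing about what it blocked or, more importantly, what it would block once a managed rule group is switched from count to enforce. The following logging configuration is an added example, not part of the original page; it assumes the web ACL `aws_wafv2_web_acl.main` from above and a CloudWatch log group name of my choosing (the `aws-waf-logs-` prefix itself is mandatory for WAF log destinations).

```hcl
# Log group name must start with "aws-waf-logs-"; for a CLOUDFRONT-scoped ACL
# it has to live in us-east-1 like the ACL itself. Retention is an assumption.
resource "aws_cloudwatch_log_group" "waf" {
  name              = "aws-waf-logs-app-waf"
  retention_in_days = 90
}

resource "aws_wafv2_web_acl_logging_configuration" "main" {
  resource_arn            = aws_wafv2_web_acl.main.arn
  log_destination_configs = [aws_cloudwatch_log_group.waf.arn]

  # Credentials must never land in the logs: redact the bearer token and
  # session cookie headers before they are written.
  redacted_fields {
    single_header { name = "authorization" }
  }
  redacted_fields {
    single_header { name = "cookie" }
  }

  # Keep only requests a rule acted on. Logging every ALLOW from the default
  # action is noise at CDN request volumes and drives the log bill.
  logging_filter {
    default_behavior = "DROP"
    filter {
      behavior    = "KEEP"
      requirement = "MEETS_ANY"
      condition {
        action_condition { action = "BLOCK" }
      }
      condition {
        action_condition { action = "COUNT" }
      }
    }
  }
}
```

Roll out the managed rule group with `override_action { count {} }` first, query these logs for `COUNT` entries grouped by `terminatingRuleId`, and only switch to `none {}` once the counted matches are genuinely hostile. AWSManagedRulesCommonRuleSet includes a body-size rule (SizeRestrictions_BODY, 8 KB), so an application that accepts uploads or large JSON bodies needs a `rule_action_override` for it or a scope-down statement excluding those paths.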
CloudFront WAF Security
User → CloudFront (WAF) → Origin Shield → S3/ALB
├── Rate limiting (2000 requests per source IP per 5-minute window, by default)
├── AWS Managed Rules (SQLi, XSS)
├── Geo-blocking (whitelist)
└── HTTPS forced
Best Practices
| Practice | Reason |
|----------|--------|
| Use Origin Shield | Reduces load on origin server |
| Enable compression | gzip/brotli reduces transfer size |
| Set cache policies | Longer TTL = fewer origin requests |
| Use AWS Managed WAF rules | Pre-built protection for common threats |
| PriceClass_100 | Lower cost, focuses on North America/Europe |
| Enable HTTP/2 | Faster page loads with multiplexing |
| Use Lambda@Edge sparingly | Edge functions increase cost and complexity |
| Monitor with CloudWatch | Track cache hit ratio, error rates, bandwidth |
Summary
CloudFront accelerates content delivery with a global edge network. WAF protects against web exploits. Together they provide fast, secure content delivery.
Key takeaways:
- CloudFront: 600+ edge locations, low latency content delivery
- Lambda@Edge: customize content at edge locations
- WAF: protect against SQL injection, XSS, and excessive request rates
- AWS Shield Standard: network-layer DDoS protection included at no cost
- Free public SSL/TLS certificates via ACM
- Origin Shield reduces origin server load
- PriceClass options control cost vs. coverage
What's Next: IAM & Full Infrastructure
The next chapter covers IAM (users, groups, roles, policies) and building full infrastructure with Terraform.
CloudFront Origins
| Origin Type | Use Case |
|-------------|----------|
| S3 bucket | Static files, images, downloads |
| ALB/EC2 | Dynamic content, APIs |
| Custom origin | Any HTTP server |
| MediaPackage | Video streaming |
Cache Behavior Settings
| Setting | Effect |
|---------|--------|
| Path pattern | /images/* → different TTL than /api/* |
| TTL | Min/Default/Max cache duration in seconds |
| Cache policy | Predefined or custom cache key settings |
| Origin request policy | Headers/query strings forwarded to origin |
| Response headers policy | CORS, security headers added at edge |
| Smooth streaming | Enable for media files |
| Field-level encryption | Encrypt sensitive data at edge |
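The response headers policy row above is where browser-side hardening lives: the edge adds security headers to every response regardless of what the origin (an S3 bucket cannot set them at all) returns. The following policy is an added example, not code from the original page; the header values are my assumptions and the CSP in particular assumes a site that loads no third-party scripts or frames.

```hcl
resource "aws_cloudfront_response_headers_policy" "security" {
  name = "security-headers" # assumed name

  security_headers_config {
    # HSTS for two years incl. subdomains; "preload" is a long-term
    # commitment, only set it when every subdomain serves HTTPS.
    strict_transport_security {
      access_control_max_age_sec = 63072000
      include_subdomains         = true
      preload                    = true
      override                   = true
    }
    # X-Content-Type-Options: nosniff
    content_type_options {
      override = true
    }
    # X-Frame-Options: DENY (clickjacking)
    frame_options {
      frame_option = "DENY"
      override     = true
    }
    referrer_policy {
      referrer_policy = "strict-origin-when-cross-origin"
      override        = true
    }
    # Assumed policy for a self-hosted static site: no inline/remote script
    # sources, no plugins, and the page may not be framed anywhere.
    content_security_policy {
      content_security_policy = "default-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'"
      override                = true
    }
  }

  # Drop headers that reveal the origin stack.
  remove_headers_config {
    items { header = "X-Powered-By" }
  }
}
```

Attach it with `response_headers_policy_id = aws_cloudfront_response_headers_policy.security.id` inside `default_cache_behavior` (and any path-specific `ordered_cache_behavior`). `override = true` means the edge replaces a header the origin already sent; leave it false where the origin is expected to set a stricter value. Check the result with `curl -sI https://<domain>/` and confirm the headers appear on a cache hit (`x-cache: Hit from cloudfront`) as well as a miss.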
WAF Rate Limiting
The same rule expressed as WAFv2 API JSON. The limit is counted per source IP over the evaluation window, 5 minutes unless EvaluationWindowSec is set, and the API requires a VisibilityConfig on every rule:
{
  "Name": "rate-limit",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "rate-limit"
  }
}
Summary
CloudFront and WAF provide fast, secure content delivery. CloudFront caches content at 600+ edge locations. WAF protects against web exploits and rate limits traffic.
Key takeaways:
- CloudFront: CDN with 600+ edge locations
- Origins: S3, ALB, custom HTTP, MediaPackage
- Cache behaviors: path-based TTL and policy settings
- WAF: SQL injection, XSS, rate limiting protection
- Rate limiting: block excessive requests per IP
- Geo-restriction: control access by country
- SSL: free certificates via ACM
- Lambda@Edge: customize content at edge
What's Next: IAM & Full Infrastructure
The next chapter covers IAM and building full infrastructure with AWS CDK.
AWS Shield
| Shield Tier | Protection | Cost |
|-------------|------------|------|
| Shield Standard | Network layer DDoS protection | Free (included) |
| Shield Advanced | Application layer protection, DDoS cost protection | $3000/month |
Price Classes
| Class | Edge Locations Included | Cost |
|-------|----------------------|------|
| PriceClass_100 | North America, Europe | Lowest |
| PriceClass_200 | NA, Europe, Asia | Medium |
| PriceClass_All | All edge locations | Highest |
Choose PriceClass_100 if most of your users are in North America or Europe.
Summary
CloudFront accelerates content delivery, WAF protects against web exploits, and Shield provides DDoS protection.
Key takeaways:
- 600+ edge locations for low-latency delivery
- WAF blocks SQL injection, XSS, and bots
- Shield Standard is free, Advanced is $3000/mo
- PriceClass options control cost vs. coverage
What's Next: IAM & Full Infrastructure
The next chapter covers IAM and building full infrastructure with CDK.