CloudFront & WAF

🔥 Vibe Prompt

"Set up CloudFront with S3 origin, WAF rate limiting, geo-blocking, and custom domain with SSL."

CloudFront Distribution

resource "aws_cloudfront_distribution" "cdn" {
  enabled     = true
  price_class = "PriceClass_100"  # North America and Europe only
  aliases     = ["cdn.example.com"]  # assumption: the custom domain; must be covered by the ACM certificate below

  origin {
    domain_name = aws_s3_bucket_website_configuration.assets.website_endpoint
    origin_id   = "S3Assets"
    custom_origin_config {
      http_port  = 80
      https_port = 443
      # S3 website endpoints only speak HTTP, so "https-only" here would make every
      # origin fetch fail. Viewers are still forced to HTTPS by viewer_protocol_policy.
      origin_protocol_policy = "http-only"
      origin_ssl_protocols   = ["TLSv1.2"]  # required by the provider even for HTTP-only origins
    }
  }

  default_cache_behavior {
    allowed_methods  = ["GET", "HEAD"]
    cached_methods   = ["GET", "HEAD"]
    target_origin_id = "S3Assets"

    viewer_protocol_policy = "redirect-to-https"
    cache_policy_id        = "658327ea-f89d-4fab-a63d-7e88639e58f6"  # AWS managed policy: CachingOptimized

    compress = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "whitelist"
      locations        = ["TW", "US", "JP"]
    }
  }

  viewer_certificate {
    acm_certificate_arn      = aws_acm_certificate.main.arn  # CloudFront only accepts ACM certificates issued in us-east-1
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }

  web_acl_id = aws_wafv2_web_acl.main.arn
}
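To verify that a deployed distribution actually carries the settings above (WAF attached, HTTPS forced, custom certificate with a modern TLS floor, geo whitelist, no cleartext origin except the S3 website endpoint), here is an added Python example that is not part of the chapter. It audits the `DistributionConfig` shape returned by `aws cloudfront get-distribution-config`; the two sample configs, their account IDs and ARNs are constructed placeholders.

```python
# Audit a CloudFront DistributionConfig against this chapter's hardening baseline.
# Constructed sample configs below; a real run would pass the API response instead.
WEAK_TLS = {"SSLv3", "TLSv1", "TLSv1_2016", "TLSv1.1_2016"}


def audit_distribution(cfg):
    """Return a list of findings; an empty list means the distribution matches the baseline."""
    findings = []
    if not cfg.get("WebACLId"):
        findings.append("no WAF web ACL attached")
    if cfg["DefaultCacheBehavior"].get("ViewerProtocolPolicy") not in ("redirect-to-https", "https-only"):
        findings.append("viewers may use plain HTTP")
    cert = cfg.get("ViewerCertificate", {})
    if cert.get("CloudFrontDefaultCertificate"):
        findings.append("default *.cloudfront.net certificate, no custom domain/ACM certificate")
    elif cert.get("MinimumProtocolVersion") in WEAK_TLS:
        findings.append(f"weak minimum TLS version {cert['MinimumProtocolVersion']}")
    geo = cfg.get("Restrictions", {}).get("GeoRestriction", {})
    if geo.get("RestrictionType", "none") == "none":
        findings.append("no geo restriction")
    for origin in cfg["Origins"]["Items"]:
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        # S3 website endpoints only speak HTTP; any other HTTP-only origin sends traffic in the clear
        if policy == "http-only" and ".s3-website" not in origin["DomainName"]:
            findings.append(f"origin {origin['Id']} fetched over plain HTTP")
    return findings


# Constructed sample: the chapter's hardened distribution (placeholder account ID and ARNs) ...
HARDENED = {
    "WebACLId": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/app-waf/EXAMPLE",
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "ViewerCertificate": {"ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
                          "SSLSupportMethod": "sni-only", "MinimumProtocolVersion": "TLSv1.2_2021"},
    "Restrictions": {"GeoRestriction": {"RestrictionType": "whitelist", "Items": ["TW", "US", "JP"]}},
    "Origins": {"Items": [{"Id": "S3Assets",
                           "DomainName": "assets.s3-website-us-east-1.amazonaws.com",
                           "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
}
# ... and a distribution left on default settings in front of an ALB
WEAK = {
    "WebACLId": "",
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True, "MinimumProtocolVersion": "TLSv1"},
    "Restrictions": {"GeoRestriction": {"RestrictionType": "none"}},
    "Origins": {"Items": [{"Id": "ALB", "DomainName": "app-alb.us-east-1.elb.amazonaws.com",
                           "CustomOriginConfig": {"OriginProtocolPolicy": "http-only"}}]},
}
```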

WAF Rules

resource "aws_wafv2_web_acl" "main" {
  name  = "app-waf"
  scope = "CLOUDFRONT"  # CLOUDFRONT-scoped web ACLs must be created in us-east-1

  default_action { allow {} }

  rule {
    name     = "RateLimit"
    priority = 1
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 2000  # counted by WAF per source IP over a trailing 5-minute window
        aggregate_key_type = "IP"
      }
    }
    # visibility_config is mandatory on every rule; without it terraform apply fails
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimit"
      sampled_requests_enabled   = true
    }
  }

  rule {
    name     = "AWSManagedRules"
    priority = 2
    override_action { none {} }  # keep the managed group's own block/count actions
    statement {
      managed_rule_group_statement {
        vendor_name = "AWS"
        name        = "AWSManagedRulesCommonRuleSet"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "AWSManagedRulesCommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  # the web ACL itself also needs a visibility_config
  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "app-waf"
    sampled_requests_enabled   = true
  }
}

CloudFront WAF Security

User → CloudFront (WAF) → Origin Shield → S3/ALB
         ├── Rate limiting (2000 req/min per IP)
         ├── AWS Managed Rules (SQLi, XSS)
         ├── Geo-blocking (whitelist)
         └── HTTPS forced

Best Practices

| Practice | Reason |
|----------|--------|
| Use Origin Shield | Reduces load on origin server |
| Enable compression | gzip/brotli reduces transfer size |
| Set cache policies | Longer TTL = fewer origin requests |
| Use AWS Managed WAF rules | Pre-built protection for common threats |
| PriceClass_100 | Lower cost, focuses on North America/Europe |
| Enable HTTP/2 | Faster page loads with multiplexing |
| Use Lambda@Edge sparingly | Edge functions increase cost and complexity |
| Monitor with CloudWatch | Track cache hit ratio, error rates, bandwidth |

Summary

CloudFront accelerates content delivery with a global edge network. WAF protects against web exploits. Together they provide fast, secure content delivery.

Key takeaways:

  • CloudFront: 600+ edge locations, low latency content delivery
  • Lambda@Edge: customize content at edge locations
  • WAF: protect against SQL injection, XSS, rate limiting
  • AWS Shield: DDoS protection included
  • Free SSL certificates via ACM
  • Origin Shield reduces origin server load
  • PriceClass options control cost vs. coverage

What's Next: IAM & Full Infrastructure

The next chapter covers IAM: users, groups, roles, policies, and building full infrastructure with Terraform.

CloudFront Origins

| Origin Type | Use Case |
|-------------|----------|
| S3 bucket | Static files, images, downloads |
| ALB/EC2 | Dynamic content, APIs |
| Custom origin | Any HTTP server |
| MediaPackage | Video streaming |

Cache Behavior Settings

| Setting | Effect |
|---------|--------|
| Path pattern | /images/* → different TTL than /api/* |
| TTL | Min/Default/Max cache duration in seconds |
| Cache policy | Predefined or custom cache key settings |
| Origin request policy | Headers/query strings forwarded to origin |
| Response headers policy | CORS, security headers added at edge |
| Smooth streaming | Enable for media files |
| Field-level encryption | Encrypt sensitive data at edge |

WAF Rate Limiting

{
  "Name": "rate-limit",
  "Priority": 0,
  "Statement": {
    "RateBasedStatement": {
      "Limit": 2000,
      "AggregateKeyType": "IP"
    }
  },
  "Action": {
    "Block": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "rate-limit"
  }
}
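The RateLimit rule in the Terraform web ACL above and this JSON rule express the same policy: a source IP is blocked once it exceeds 2000 requests in WAF's trailing 5-minute window, and unblocked when its count drops back under the limit. The following added Python example (not part of the chapter) models that window over CloudFront standard access logs so you can see which clients would be affected before enabling the rule; the log lines, IPs and edge-location code are constructed, and the model is an approximation since WAF re-evaluates counts roughly every 30 seconds rather than per request.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)  # WAF rate-based rules count over a trailing 5-minute window
LIMIT = 2000                   # the Limit used in this chapter's rule


def parse_cloudfront_log(lines):
    """Yield (timestamp, client_ip) from CloudFront standard log lines.
    Fields are tab-separated: date, time, x-edge-location, sc-bytes, c-ip, ..."""
    for line in lines:
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        yield datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"), f[4]


def rate_limit_verdicts(events, limit=LIMIT, window=WINDOW):
    """Return {ip: number of requests that would be blocked} for (ts, ip) events.
    A request is blocked when its IP has more than `limit` requests inside the
    trailing window; requests older than the window are forgotten, so an IP that
    pauses long enough is unblocked again (approximation of WAF's behaviour)."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    blocked = defaultdict(int)
    for ts, ip in sorted(events):
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop requests that aged out of the window
            q.popleft()
        if len(q) > limit:
            blocked[ip] += 1
    return dict(blocked)


def build_sample_log():
    """Constructed log: 2500 hits from one IP within 4 min (limited), 50 from a
    second IP, and two bursts of 1500 from a third, 8 min apart (never limited)."""
    base = datetime(2024, 1, 1, 12, 0, 0)

    def row(ts, ip):
        return "\t".join([ts.strftime("%Y-%m-%d"), ts.strftime("%H:%M:%S"),
                          "IAD89-C1", "512", ip, "200"])

    lines = ["#Version: 1.0", "#Fields: date time x-edge-location sc-bytes c-ip sc-status"]
    lines += [row(base + timedelta(milliseconds=96 * i), "203.0.113.7") for i in range(2500)]
    lines += [row(base + timedelta(seconds=5 * i), "198.51.100.9") for i in range(50)]
    for start in (base, base + timedelta(minutes=8)):
        lines += [row(start + timedelta(milliseconds=100 * i), "192.0.2.5") for i in range(1500)]
    return lines
```

Running `rate_limit_verdicts(parse_cloudfront_log(build_sample_log()))` reports only the 500 excess requests from 203.0.113.7; the two 1500-request bursts stay under the limit because the first burst has aged out of the window by the time the second arrives.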

Summary

CloudFront and WAF provide fast, secure content delivery. CloudFront caches content at 600+ edge locations. WAF protects against web exploits and rate limits traffic.

Key takeaways:

  • CloudFront: CDN with 600+ edge locations
  • Origins: S3, ALB, custom HTTP, MediaPackage
  • Cache behaviors: path-based TTL and policy settings
  • WAF: SQL injection, XSS, rate limiting protection
  • Rate limiting: block excessive requests per IP
  • Geo-restriction: control access by country
  • SSL: free certificates via ACM
  • Lambda@Edge: customize content at edge

What's Next: IAM & Full Infrastructure

The next chapter covers IAM and building full infrastructure with AWS CDK.

AWS Shield

| Shield Tier | Protection | Cost |
|-------------|------------|------|
| Shield Standard | Network layer DDoS protection | Free (included) |
| Shield Advanced | Application layer protection, DDoS cost protection | $3000/month |

Price Classes

| Class | Edge Locations Included | Cost |
|-------|-------------------------|------|
| PriceClass_100 | North America, Europe | Lowest |
| PriceClass_200 | NA, Europe, Asia | Medium |
| PriceClass_All | All edge locations | Highest |

Choose PriceClass_100 if most of your users are in North America or Europe.

Summary

CloudFront accelerates content delivery, WAF protects against web exploits, and Shield provides DDoS protection.

Key takeaways:

  • 600+ edge locations for low-latency delivery
  • WAF blocks SQL injection, XSS, and bots
  • Shield Standard is free, Advanced is $3000/mo
  • PriceClass options control cost vs. coverage

What's Next: IAM & Full Infrastructure

The next chapter covers IAM and building full infrastructure with CDK.
