RandomUser

Reputation: 4220

AWS CloudFront with custom HTTPS origin, only allow origin requests from CF?

When using CloudFront with a custom HTTPS origin, I have my DNS set up like this:

domain.com -> A (Alias) -> CloudFront Distribution Alias
origin.domain.com -> IPaddress of HTTPS server

I realize that the origin server needs to be reachable from any of the edge locations; however, it would be great if I could somehow configure my HTTPS origin server to only accept incoming connections from the CloudFront edges, eliminating any possibility of it being accessed directly by a user/bot. Is this possible?

Upvotes: 1

Views: 1264

Answers (1)

Kannaiyan

Reputation: 13025

You can restrict with CloudFront IP addresses.

CloudFront IP Address List:

https://ip-ranges.amazonaws.com/ip-ranges.json

    {
      "ip_prefix": "13.32.0.0/15",
      "region": "GLOBAL",
      "service": "CLOUDFRONT"
    }

Search for CLOUDFRONT as the service in the file and place IP restrictions on your endpoints or in your security group. That will protect against anyone other than CloudFront accessing them.

Example of the implementation:

https://aws.amazon.com/blogs/security/how-to-automatically-update-your-security-groups-for-amazon-cloudfront-and-aws-waf-by-using-aws-lambda/

IP Address Range Change Event:

What happens if the IP address list gets changed?

You can subscribe to Lambda and update your list automatically via Lambda.

https://aws.amazon.com/blogs/aws/subscribe-to-aws-public-ip-address-changes-via-amazon-sns/

Additional Security:

Enable a secret header from your CloudFront distribution and make sure you are receiving requests only through your distribution and not through others. This comes with the additional maintenance of keeping the header in rotation.

Hope it helps.

Upvotes: 2
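As an added example that is not part of the answer above or of the linked AWS blog post, the following Python sketch does both checks the answer describes: it filters `ip-ranges.json` for `"service": "CLOUDFRONT"` (IPv4 and IPv6 prefixes), turns the result into nginx `allow`/`deny` rules, and then requires a secret origin header on top of the IP match. The JSON is a small constructed sample with the same shape as the real file, and the header name `X-Origin-Verify` is an assumption.

```python
import hmac
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (only a handful of prefixes; the real file has hundreds).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "S3"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:9000::/28", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})

SECRET_HEADER = "X-Origin-Verify"  # assumed name; set it as a custom origin header in CloudFront


def cloudfront_networks(ip_ranges_json):
    """Return the CLOUDFRONT prefixes (v4 and v6) from an ip-ranges.json document."""
    data = json.loads(ip_ranges_json)
    nets = [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT"]
    nets += [ipaddress.ip_network(p["ipv6_prefix"])
             for p in data.get("ipv6_prefixes", []) if p["service"] == "CLOUDFRONT"]
    return nets


def is_cloudfront_client(ip, networks):
    """True if the connecting address falls inside any published CloudFront range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def nginx_allow_rules(networks):
    """Render the ranges as an nginx allow-list; everything else is denied."""
    return "\n".join([f"allow {net};" for net in networks] + ["deny all;"])


def origin_request_allowed(client_ip, headers, networks, expected_secret):
    """Accept only when the source IP is a CloudFront edge AND the secret header matches."""
    if not is_cloudfront_client(client_ip, networks):
        return False
    supplied = headers.get(SECRET_HEADER, "")
    return hmac.compare_digest(supplied, expected_secret)  # constant-time comparison
```

Re-run `cloudfront_networks` against a freshly downloaded file (or from the SNS-triggered Lambda the answer links) whenever the range list changes, and rotate the header value on a schedule.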
