Reputation: 309
We have an infrastructure in Amazon AWS with two components. One API with a Load Balancer in front and a Webpage with a CloudFront in front. We are looking for options to start to address security issues, like blocking malicious IPs. We have seen that Amazon AWS WAF could be an interesting option but I have some questions:
Thanks for your replies.
Upvotes: 0
Views: 328
Reputation: 179024
Can we create one ACL with one rule and bind it to one condition including several IPs that we want to block?
Yes, an IP Match Condition can match up to 10,000 IP addresses or CIDR ranges.
An IP match condition lists up to 10,000 IP addresses or IP address ranges that your requests originate from. Later in the process, when you create a web ACL, you specify whether to allow or block requests from those IP addresses.
https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-ip-conditions.html
Can we assign the same ACL to both ELB and CloudFront, or do we need to create independent ACLs and/or rules?
That depends -- sort of -- on whether you use AWS Firewall Manager. If you do, then you can manage them in one place.
Otherwise, you'll have to do this separately, because WAF for CloudFront and WAF for ALB are actually multiple independent services -- there's one "global region" service for CloudFront, and one service for each EC2 region. When you build conditions and ACLs, you define them in the specific service where you want to use them (or Firewall Manager deploys them where you configure).
Either way, WAF will charge you for each region where rules and ACLs are deployed, but you can reuse them across multiple resources within a region without further additional charges.
Upvotes: 1
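A worked example of the two points made in this answer (the 10,000-entry IP match condition, and the fact that CloudFront WAF and each regional WAF are separate services that each need their own condition, rule and web ACL). This is example code added to the answer, not the asker's or AWS's code: it validates a blocklist offline and emits a reviewable deployment plan per WAF service rather than calling AWS. The operation names follow the `aws waf` / `aws waf-regional` CLI (WAF Classic) as the answer describes it; the parameter dicts are simplified, and the distribution id, ALB ARN and sample IPs are constructed placeholders.

```python
"""Plan a WAF Classic IP blocklist for a CloudFront distribution and a regional ALB.

Added example, not code from the answer or from AWS. Builds the call sequence
offline so it can be reviewed; nothing here talks to AWS. The same sequence is
emitted once per target because, as the answer says, the CloudFront (global)
WAF and each regional WAF are independent services.
"""
import ipaddress

MAX_IPSET_ENTRIES = 10_000             # limit quoted from the AWS docs in the answer
ALLOWED_V4_PREFIXES = {8, 16, 24, 32}   # WAF Classic accepts only these IPv4 lengths
ALLOWED_V6_PREFIXES = {24, 32, 48, 56, 64, 128}


def normalise_blocklist(lines):
    """Turn blocklist lines into IPSetDescriptor dicts.

    Returns (descriptors, rejected). Malformed entries and prefix lengths that
    WAF Classic does not accept are reported instead of silently dropped, and
    duplicates are collapsed so they do not eat into the 10,000-entry budget.
    """
    descriptors, rejected, seen = [], [], set()
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()    # allow '# comment' suffixes
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry)   # strict: host bits set -> ValueError
        except ValueError as exc:
            rejected.append((raw.strip(), str(exc)))
            continue
        allowed = ALLOWED_V4_PREFIXES if net.version == 4 else ALLOWED_V6_PREFIXES
        if net.prefixlen not in allowed:
            rejected.append((raw.strip(), f"/{net.prefixlen} not accepted for IPv{net.version}"))
            continue
        if net in seen:
            continue
        seen.add(net)
        descriptors.append({"Type": f"IPV{net.version}", "Value": str(net)})
    if len(descriptors) > MAX_IPSET_ENTRIES:
        raise ValueError(f"{len(descriptors)} entries exceed the per-condition limit of {MAX_IPSET_ENTRIES}")
    return descriptors, rejected


def plan_deployment(descriptors, targets, name="blockedIps"):
    """One independent create/update sequence per target WAF service.

    targets: [{"scope": "cloudfront", "distribution_id": "..."},
              {"scope": "regional", "region": "eu-west-1", "resource_arn": "..."}]
    Returns {label: [(cli_service, region, operation, params), ...]}.
    Every mutating WAF Classic call also needs a fresh ChangeToken from
    get-change-token; it appears as a placeholder here.
    """
    plans = {}
    for target in targets:
        if target["scope"] == "cloudfront":
            service, region, label = "waf", "us-east-1", "cloudfront-global"
        elif target["scope"] == "regional":
            service, region, label = "waf-regional", target["region"], f"regional-{target['region']}"
        else:
            raise ValueError(f"unknown scope {target['scope']!r}")
        token = "<ChangeToken from get-change-token>"
        calls = [
            (service, region, "create-ip-set", {"Name": name, "ChangeToken": token}),
            (service, region, "update-ip-set",
             {"IPSetId": "<IPSetId from create-ip-set>", "ChangeToken": token,
              "Updates": [{"Action": "INSERT", "IPSetDescriptor": d} for d in descriptors]}),
            (service, region, "create-rule",
             {"Name": f"{name}Rule", "MetricName": f"{name}Rule", "ChangeToken": token}),
            (service, region, "update-rule",
             {"RuleId": "<RuleId from create-rule>", "ChangeToken": token,
              "Updates": [{"Action": "INSERT", "Predicate": {
                  "Negated": False, "Type": "IPMatch", "DataId": "<IPSetId>"}}]}),
            (service, region, "create-web-acl",
             {"Name": f"{name}Acl", "MetricName": f"{name}Acl",
              "DefaultAction": {"Type": "ALLOW"}, "ChangeToken": token}),
            (service, region, "update-web-acl",
             {"WebACLId": "<WebACLId from create-web-acl>", "ChangeToken": token,
              "Updates": [{"Action": "INSERT", "ActivatedRule": {
                  "Priority": 1, "RuleId": "<RuleId>", "Action": {"Type": "BLOCK"}}}]}),
        ]
        if target["scope"] == "cloudfront":
            # A global web ACL is attached through the distribution's WebACLId field
            calls.append(("cloudfront", "us-east-1", "update-distribution",
                          {"Id": target["distribution_id"], "WebACLId": "<WebACLId>"}))
        else:
            calls.append((service, region, "associate-web-acl",
                          {"WebACLId": "<WebACLId>", "ResourceArn": target["resource_arn"]}))
        plans[label] = calls
    return plans


if __name__ == "__main__":
    # Constructed sample blocklist using documentation ranges, not real sources
    sample = ["192.0.2.44", "198.51.100.0/24", "192.0.2.44  # duplicate",
              "203.0.113.0/25", "2001:db8::/32", "not-an-ip"]
    descs, bad = normalise_blocklist(sample)
    plans = plan_deployment(descs, [
        {"scope": "cloudfront", "distribution_id": "EXAMPLEDISTID"},
        {"scope": "regional", "region": "eu-west-1",
         "resource_arn": "arn:aws:elasticloadbalancing:eu-west-1:123456789012:loadbalancer/app/example/abc"},
    ])
    for label, calls in plans.items():
        print(f"== {label}: {len(calls)} calls")
        for service, region, op, _ in calls:
            print(f"   aws {service} {op} --region {region}")
    print("rejected:", bad)
```

Running it prints one call sequence for the global CloudFront WAF and a second, separate one for the ALB's region, which is the duplication Firewall Manager would otherwise handle for you. Entries with prefix lengths WAF Classic does not accept (for example `/25`) are reported rather than silently lost, so a blocklist review can see exactly what will and will not be enforced.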