Skip to main content

CloudFront distributions should have WAF enabled

Severity: Medium

Resource Types: AWS::CloudFront::Distribution

Description

This control checks whether CloudFront distributions are associated with either AWS WAF or AWS WAFv2 web ACLs. The control fails if the distribution is not associated with a web ACL.

AWS WAF is a web application firewall that helps protect web applications and APIs from attacks. It allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or count web requests based on customizable web security rules and conditions that you define. Ensure your CloudFront distribution is associated with an AWS WAF web ACL to help protect it from malicious attacks.

Remediation

For information on how to associate a web ACL with a CloudFront distribution, see Using AWS WAF to control access to your content.