AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-05-01 · Documentation low

File: waf/latest/developerguide/cloudfront-features.md

Summary

Rewrote documentation to explain AWS WAF integration with CloudFront standard vs multi-tenant distributions, added implementation patterns, and removed sections about custom error pages/HTTP methods

Security assessment

The changes focus on explaining security configuration patterns (web ACL management for different distribution types) rather than addressing a specific vulnerability. While they document security features like multi-tenant protections and rule inheritance, there's no evidence of patching a security flaw.

Diff

diff --git a/waf/latest/developerguide/cloudfront-features.md b/waf/latest/developerguide/cloudfront-features.md
index 40c8796c2..67d6ae9bf 100644
--- a//waf/latest/developerguide/cloudfront-features.md
+++ b//waf/latest/developerguide/cloudfront-features.md
@@ -5 +5 @@
-Using AWS WAF with CloudFront custom error pagesUsing AWS WAF with CloudFront for applications running on your own HTTP serverChoosing the HTTP methods that CloudFront responds to
+How AWS WAF works with different distribution types
@@ -9 +9 @@ Using AWS WAF with CloudFront custom error pagesUsing AWS WAF with CloudFront fo
-This section explains how to use AWS WAF with Amazon CloudFront features.
+Learn how to use AWS WAF with Amazon CloudFront features.
@@ -11 +11 @@ This section explains how to use AWS WAF with Amazon CloudFront features.
-When you create a web ACL, you can specify one or more CloudFront distributions that you want AWS WAF to inspect. AWS WAF starts to inspect and manage web requests for those distributions based on the criteria that you identify in the web ACL. CloudFront provides some features that enhance the AWS WAF functionality. This chapter describes a few ways that you can configure CloudFront to make CloudFront and AWS WAF work better together.
+When you create a web ACL, you can specify one or more CloudFront distributions that you want AWS WAF to inspect. CloudFront supports two types of distributions: standard distributions that protect individual tenants, and multi-tenant distributions that protect multiple tenants through a single, shared configuration template. AWS WAF inspects web requests for both distribution types based on the rules you define in your web ACLs, with different implementation patterns for each type.
@@ -15 +15 @@ When you create a web ACL, you can specify one or more CloudFront distributions
-  * Using AWS WAF with CloudFront custom error pages
+  * How AWS WAF works with different distribution types
@@ -17 +17 @@ When you create a web ACL, you can specify one or more CloudFront distributions
-  * Using AWS WAF with CloudFront for applications running on your own HTTP server
+  * [Common use cases for protecting CloudFront distributions with AWS WAF](./cloudfront-waf-use-cases.html)
@@ -19 +18,0 @@ When you create a web ACL, you can specify one or more CloudFront distributions
-  * Choosing the HTTP methods that CloudFront responds to
@@ -22,0 +22 @@ When you create a web ACL, you can specify one or more CloudFront distributions
+## How AWS WAF works with different distribution types
@@ -24 +24 @@ When you create a web ACL, you can specify one or more CloudFront distributions
-## Using AWS WAF with CloudFront custom error pages
+### Distribution types
@@ -26 +26 @@ When you create a web ACL, you can specify one or more CloudFront distributions
-By default, when AWS WAF blocks a web request based on the criteria that you specify, it returns HTTP status code `403 (Forbidden)` to CloudFront, and CloudFront returns that status code to the viewer. The viewer then displays a brief and sparsely formatted default message similar to the following:
+AWS WAF provides web application firewall capabilities for both standard and multi-tenant distribution CloudFront distributions.
@@ -27,0 +28 @@ By default, when AWS WAF blocks a web request based on the criteria that you spe
+#### Standard distributions
@@ -29 +30 @@ By default, when AWS WAF blocks a web request based on the criteria that you spe
-    Forbidden: You don't have permission to access /myfilename.html on this server.
+For standard distributions, AWS WAF adds protection using a single web ACL for each distribution. You can enable this protection by associating an existing web ACL with a CloudFront distribution or by using one-click protection in the CloudFront console. This lets you manage the security controls for each of your distributions independently, since any changes to a web ACL will only affect the distribution associated with it.
@@ -31 +32 @@ By default, when AWS WAF blocks a web request based on the criteria that you spe
-You can override this behavior in your AWS WAF web ACL rules by defining custom responses. For more information about customizing response behavior using AWS WAF rules, see [Sending custom responses for Block actions](./customizing-the-response-for-blocked-requests.html).
+This straightforward method of protecting CloudFront distributions is optimal for providing individual domains with specific protections from a single web ACL.
@@ -33 +34 @@ You can override this behavior in your AWS WAF web ACL rules by defining custom
-###### Note
+##### Standard distribution considerations
@@ -35 +36 @@ You can override this behavior in your AWS WAF web ACL rules by defining custom
-Responses that you customize using AWS WAF rules take precedence over any response specifications that you define in CloudFront custom error pages. 
+  * Web ACL changes affect only the associated distribution
@@ -37 +38 @@ Responses that you customize using AWS WAF rules take precedence over any respon
-If you'd rather display a custom error message through CloudFront, possibly using the same formatting as the rest of your website, you can configure CloudFront to return to the viewer an object (for example, an HTML file) that contains your custom error message. 
+  * Each distribution requires independent web ACL configuration
@@ -39 +40 @@ If you'd rather display a custom error message through CloudFront, possibly usin
-###### Note
+  * Rules and rule groups are managed separately for each distribution
@@ -41 +41,0 @@ If you'd rather display a custom error message through CloudFront, possibly usin
-CloudFront can't distinguish between an HTTP status code 403 that is returned by your origin and one that is returned by AWS WAF when a request is blocked. This means that you can't return different custom error pages based on the different causes of an HTTP status code 403. 
@@ -43 +42,0 @@ CloudFront can't distinguish between an HTTP status code 403 that is returned by
-For more information about CloudFront custom error pages, see [Generating custom error responses](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/GeneratingCustomErrorResponses.html) in the _Amazon CloudFront Developer Guide_.
@@ -45 +43,0 @@ For more information about CloudFront custom error pages, see [Generating custom
-## Using AWS WAF with CloudFront for applications running on your own HTTP server
@@ -47 +45 @@ For more information about CloudFront custom error pages, see [Generating custom
-When you use AWS WAF with CloudFront, you can protect your applications running on any HTTP webserver, whether it's a webserver that's running in Amazon Elastic Compute Cloud (Amazon EC2) or a webserver that you manage privately. You can also configure CloudFront to require HTTPS between CloudFront and your own webserver, as well as between viewers and CloudFront.
+#### Multi-tenant distributions
@@ -49 +47 @@ When you use AWS WAF with CloudFront, you can protect your applications running
-###### Requiring HTTPS between CloudFront and your own webserver
+For multi-tenant distributions, AWS WAF adds protection across multiple domains using a single web ACL. Domains that are managed by multi-tenant distributions are known as distribution tenants. You can only enable AWS WAF protection for multi-tenant distributions in the CloudFront console, either during or after the multi-tenant distribution creation process. However, changes to a web ACL are still managed through the AWS WAF console or API. 
@@ -51 +49 @@ When you use AWS WAF with CloudFront, you can protect your applications running
-To require HTTPS between CloudFront and your own webserver, you can use the CloudFront custom origin feature and configure the **Origin Protocol Policy** and the **Origin Domain Name** settings for specific origins. In your CloudFront configuration, you can specify the DNS name of the server along with the port and the protocol that you want CloudFront to use when fetching objects from your origin. You should also ensure that the SSL/TLS certificate on your custom origin server matches the origin domain name you’ve configured. When you use your own HTTP webserver outside of AWS, you must use a certificate that is signed by a trusted third-party certificate authority (CA), for example, Comodo, DigiCert, or Symantec. For more information about requiring HTTPS for communication between CloudFront and your own webserver, see the topic [Requiring HTTPS for Communication Between CloudFront and Your Custom Origin](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-cloudfront-to-custom-origin.html) in the _Amazon CloudFront Developer Guide_.
+Multi-tenant distributions offer the flexibility to enable AWS WAF protections at two levels:
@@ -53 +51 @@ To require HTTPS between CloudFront and your own webserver, you can use the Clou
-###### Requiring HTTPS between a viewer and CloudFront
+  * **Multi-tenant distribution level** – Web ACLs associated with multi-tenant distributions provide baseline security controls that apply to all applications sharing that distribution
@@ -55 +53 @@ To require HTTPS between CloudFront and your own webserver, you can use the Clou
-To require HTTPS between viewers and CloudFront, you can change the **Viewer Protocol Policy** for one or more cache behaviors in your CloudFront distribution. For more information about using HTTPS between viewers and CloudFront, see the topic [Requiring HTTPS for Communication Between Viewers and CloudFront](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/using-https-viewers-to-cloudfront.html) in the _Amazon CloudFront Developer Guide_. You can also bring your own SSL certificate so viewers can connect to your CloudFront distribution over HTTPS using your own domain name, for example _https://www.mysite.com_. For more information, see the topic [Configuring Alternate Domain Names and HTTPS](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/cnames-and-https-procedures.html) in the _Amazon CloudFront Developer Guide_.
+  * **Distribution tenant level** – Individual tenants within a multi-tenant distribution can have their own web ACLs to implement additional security controls or override multi-tenant distribution settings
@@ -57 +54,0 @@ To require HTTPS between viewers and CloudFront, you can change the **Viewer Pro
-## Choosing the HTTP methods that CloudFront responds to
@@ -59 +55,0 @@ To require HTTPS between viewers and CloudFront, you can change the **Viewer Pro
-When you create an Amazon CloudFront web distribution, you choose the HTTP methods that you want CloudFront to process and forward to your origin. You can choose from the following options:
@@ -61 +56,0 @@ When you create an Amazon CloudFront web distribution, you choose the HTTP metho
-  * **`GET`, `HEAD`** – You can use CloudFront only to get objects from your origin or to get object headers.
@@ -63 +58 @@ When you create an Amazon CloudFront web distribution, you choose the HTTP metho
-  * **`GET`, `HEAD`, `OPTIONS`** – You can use CloudFront only to get objects from your origin, get object headers, or retrieve a list of the options that your origin server supports.
+These two tiers make multi-tenant distributions optimal for sharing AWS WAF protections across multiple domains without losing the ability to customize security for an individual distribution. 
@@ -65 +60 @@ When you create an Amazon CloudFront web distribution, you choose the HTTP metho
-  * **`GET`, `HEAD`, `OPTIONS`, `PUT`, `POST`, `PATCH`, `DELETE`** – You can use CloudFront to get, add, update, and delete objects, and to get object headers. In addition, you can perform other `POST` operations such as submitting data from a web form. 
+#### Multi-tenant distribution considerations
@@ -66,0 +62 @@ When you create an Amazon CloudFront web distribution, you choose the HTTP metho
+  * Individual distribution tenants inherit changes made to web ACLs that are associated with related multi-tenant distributions
@@ -67,0 +64 @@ When you create an Amazon CloudFront web distribution, you choose the HTTP metho
+  * Web ACLs associated with specific distribution tenants can override settings configured at the multi-tenant web ACL level
@@ -68,0 +66 @@ When you create an Amazon CloudFront web distribution, you choose the HTTP metho
+  * Managed rule groups can be implemented at both distribution and distribution tenant levels
@@ -70 +68 @@ When you create an Amazon CloudFront web distribution, you choose the HTTP metho
-You also can use AWS WAF byte match rule statements to allow or block requests based on the HTTP method, as described in [String match rule statement](./waf-rule-statement-type-string-match.html). If you want to use a combination of methods that CloudFront supports, such as `GET` and `HEAD`, then you don't need to configure AWS WAF to block requests that use the other methods. If you want to allow a combination of methods that CloudFront doesn't support, such as `GET`, `HEAD`, and `POST`, you can configure CloudFront to respond to all methods, and then use AWS WAF to block requests that use other methods.
+  * Application identifiers can be located in logs to track security events by distribution
@@ -72 +70,11 @@ You also can use AWS WAF byte match rule statements to allow or block requests b
-For more information about choosing the methods that CloudFront responds to, see [Allowed HTTP Methods](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html#DownloadDistValuesAllowedHTTPMethods) in the topic [Values that You Specify When You Create or Update a Web Distribution](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-values-specify.html) in the _Amazon CloudFront Developer Guide_.
+
+
+
+### AWS WAF features by distribution type
+
+Web ACL implementation comparison AWS WAF Feature | Standard distributions | Multi-tenant distributions  
+---|---|---  
+Web ACL association | One web ACL per distribution | Web ACL shared across tenants, with optional tenant-specific web ACLs  
+Rule management | Rules affect a single distribution | Multi-tenant distribution rules affect all associated tenants; distribution tenant-specific rules affect only that tenant  
+Managed rule groups | Applied to individual distributions | Can be applied at multi-tenant distribution level for all tenants or at tenant level for specific applications  
+Logging | Standard AWS WAF logs | Logs include tenant identifiers for security event attribution  
@@ -82 +90 @@ Enabling your protections in production
-Security in your use of the AWS WAF service
+Use cases