AWS Security ChangesHomeSearch

AWS AmazonCloudFront high security documentation change

Service: AmazonCloudFront · 2025-05-31 · Security-related high

File: AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.md

Summary

Expanded guidance on using Application Load Balancers with CloudFront, added explicit security mitigation steps (custom headers, HTTPS enforcement), and dual access strategies

Security assessment

The changes explicitly add security controls to prevent direct access to Application Load Balancers (requiring custom headers and HTTPS), which directly addresses potential security risks of unauthorized access. Mentions DDoS protection benefits and provides concrete security configuration steps.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.md b/AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.md
index 83e14746c..4800644a4 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/restrict-access-to-load-balancer.md
@@ -9 +9 @@ Configure CloudFront to add a custom HTTP header to requestsConfigure an Applica
-To prevent your application from being accessible on the public internet, you can use your Application Load Balancer with a VPC origin. For more information, see [Restrict access with VPC origins](./private-content-vpc-origins.html).
+You can use both internal and internet-facing Application Load Balancers with Amazon CloudFront. You can use internal Application Load Balancers inside private subnets with CloudFront by using VPC origins. CloudFront VPC origins allow you to serve content from applications hosted in private VPC subnets without exposing them to the public internet. For more information, see [Restrict access with VPC origins](./private-content-vpc-origins.html).
@@ -11 +11 @@ To prevent your application from being accessible on the public internet, you ca
-Alternatively, for a web application or other content that’s served by an internet-facing Application Load Balancer in Elastic Load Balancing, CloudFront can cache objects and serve them directly to users (viewers), reducing the load on your Application Load Balancer. An internet-facing load balancer has a publicly resolvable DNS name and routes requests from clients to targets over the internet.
+If you are using an internet-facing Application Load Balancer with CloudFront, you can use the following security mitigations to prevent users from directly accessing an Application Load Balancer, and allow access only through CloudFront.
@@ -13 +13 @@ Alternatively, for a web application or other content that’s served by an inte
-CloudFront can also help to reduce latency and even absorb some distributed denial of service (DDoS) attacks.
+  1. Configure CloudFront to add a custom HTTP header to requests that it sends to the Application Load Balancer.
@@ -15 +15 @@ CloudFront can also help to reduce latency and even absorb some distributed deni
-However, if users can bypass CloudFront and access your Application Load Balancer directly, you don’t get these benefits. But you can configure Amazon CloudFront and your Application Load Balancer to prevent users from directly accessing the Application Load Balancer. This allows users to access the Application Load Balancer only through CloudFront, ensuring that you get the benefits of using CloudFront.
+  2. Configure the Application Load Balancer to only forward requests that contain the custom HTTP header.
@@ -17 +17 @@ However, if users can bypass CloudFront and access your Application Load Balance
-To prevent users from directly accessing an Application Load Balancer and allow access only through CloudFront, complete these high-level steps:
+  3. Require HTTPS to improve the security of this solution.
@@ -19 +18,0 @@ To prevent users from directly accessing an Application Load Balancer and allow
-  1. Configure CloudFront to add a custom HTTP header to requests that it sends to the Application Load Balancer.
@@ -21 +19,0 @@ To prevent users from directly accessing an Application Load Balancer and allow
-  2. Configure the Application Load Balancer to only forward requests that contain the custom HTTP header.
@@ -23 +20,0 @@ To prevent users from directly accessing an Application Load Balancer and allow
-  3. (Optional) Require HTTPS to improve the security of this solution.
@@ -24,0 +22 @@ To prevent users from directly accessing an Application Load Balancer and allow
+CloudFront can also help to reduce latency and even absorb some distributed denial of service (DDoS) attacks.
@@ -25,0 +24 @@ To prevent users from directly accessing an Application Load Balancer and allow
+If your use case requires dual access to web applications from both CloudFront and Application Load Balancer directly over the internet, consider splitting your web application APIs as follows:
@@ -26,0 +26,8 @@ To prevent users from directly accessing an Application Load Balancer and allow
+  * APIs that must go through CloudFront. In this case, consider using a separate private Application Load Balancer as an origin.
+
+  * APIs that require access through Application Load Balancer. In this case, you bypass CloudFront.
+
+
+
+
+Alternatively, for a web application or other content that’s served by an internet-facing Application Load Balancer in Elastic Load Balancing, CloudFront can cache objects and serve them directly to users (viewers), reducing the load on your Application Load Balancer. An internet-facing load balancer has a publicly resolvable DNS name and routes requests from clients to targets over the internet.