I think the problem (though it may have changed recently) with Security Groups is that it couldn't handle all the CloudFront IP addresses. Therefore, using WAF was the preferred solution.
Whichever you use to limit access based on IP addresses, the IP addresses are used by all CloudFront distributions, so this protection on its own is not enough - I could create my own distribution and point it to your ALB. Therefore you do need to use a shared secret in a custom header to origin. As WAF supports the ability to protect based on the contents of a header, you might as well use it to restrict access by IP addresses as well. If you're using a custom header, do you need IP protection? Perhaps not, but it's best to have defence in depth. I wrote a blog post a while back that, while it relates to using MediaStore as the origin, describes using a shared secret to restrict access to a CloudFront distribution.
It would also be good practice to rotate the shared secret in the custom header, though I don't know of a specific blog post or documentation to do that. This could be achieved by using a Lambda function running on a schedule to update the CloudFront configuration and WAF (making sure that you have a suitable window where both the old and new secrets are accepted).
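An added example (not from the answer above or from AWS documentation) of the WAF side of that rotation window: a Python function that builds a WAFv2 rule blocking any request whose custom origin header matches neither the old nor the new secret, plus a small local evaluator so the rule's logic can be checked offline. The header name and rule name are assumptions; the dict is shaped for boto3's wafv2 `update_web_acl`, which the scheduled Lambda would call alongside the CloudFront origin-header update.

```python
import secrets

HEADER_NAME = "x-origin-secret"   # assumed name of the custom origin header

def new_secret(nbytes: int = 32) -> str:
    """Generate a fresh shared secret for the CloudFront custom origin header."""
    return secrets.token_urlsafe(nbytes)

def header_match(secret: str) -> dict:
    """WAFv2 ByteMatchStatement: the header value must equal the secret exactly."""
    return {"ByteMatchStatement": {
        "SearchString": secret.encode(),          # boto3 expects bytes here
        "FieldToMatch": {"SingleHeader": {"Name": HEADER_NAME}},
        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
        "PositionalConstraint": "EXACTLY"}}

def origin_secret_rule(accepted: list, priority: int = 0) -> dict:
    """Rule for the ALB web ACL: BLOCK any request whose header matches none of
    the accepted secrets. Pass [old, new] during the rotation window, [new] after."""
    matches = [header_match(s) for s in accepted]
    ok = matches[0] if len(matches) == 1 else {"OrStatement": {"Statements": matches}}
    return {"Name": "RequireCloudFrontOriginSecret", "Priority": priority,
            "Statement": {"NotStatement": {"Statement": ok}},
            "Action": {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": "RequireCloudFrontOriginSecret"}}

def _matches(stmt: dict, headers: dict) -> bool:
    """Local evaluator for the statement subset used above (not the real WAF engine)."""
    if "ByteMatchStatement" in stmt:
        m = stmt["ByteMatchStatement"]
        name = m["FieldToMatch"]["SingleHeader"]["Name"].lower()
        value = {k.lower(): v for k, v in headers.items()}.get(name)  # header names are case-insensitive
        return value is not None and value.encode() == m["SearchString"]
    if "OrStatement" in stmt:
        return any(_matches(s, headers) for s in stmt["OrStatement"]["Statements"])
    if "NotStatement" in stmt:
        return not _matches(stmt["NotStatement"]["Statement"], headers)
    raise ValueError("unsupported statement")

def request_blocked(rule: dict, headers: dict) -> bool:
    """True if the rule's BLOCK action would fire for a request carrying these headers."""
    return _matches(rule["Statement"], headers)
```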