Secure Static Website From Public Exposure

Question

A static website hosted in S3, served via CloudFront. Now, the website URL of dev environment is accessible over the internet by anyone, which seem to be a security risk. For that, am planning to enable Users authentication with Okta/ Cognito in the next phase.

In the meantime, have tried some workarounds like (1) restricting the application access with IP address/range, which is impossible because our users are accessing from AWS Workspace (dynamic IP range), (2) restricting with IAM user/role, which is also impossible because we do not have privileges to manage the IAM.

Apart from above, what are the possible alternatives to protect the application from anonymous access?

Also, I am not sure whether it is a severe application security issue. By any chance, leaving the website open to public access prone to Cross-Site Scripting (XSS) attacks or any other security threats?

Answer

Hi cloudarch,

You could look for these options:
* Enable WAF on CloudFront. At least it will prevent certain malicious XSS script attack. You can leverage default manage rules, block countries and more: https://www.wellarchitectedlabs.com/security/200_labs/200_cloudfront_with_waf_protection/
* A quick temporary win can be to leverage CloudFront functions and or Lambda@Edge to perform some lightweight authentication such as Basic Auth, where you share “beta” credentials to your users and check those. This is an example: https://gist.github.com/lmakarov/e5984ec16a76548ff2b278c06027f1a4.
* 
hope above helps you

Answer

If you had to restrict based on IP address (not something I'd normally recommend; but in this case it's probably suitable):

Normally Workspaces instance access the internet via a NAT Gateway in the VPC that the instances are running. That NAT Gateway has a static IP address so it would be reasonably easy to work with that.

Secure Static Website From Public Exposure

Relevant content