AWS WAF to restrict file download

To configure AWS WAF to restrict file download, you can follow these steps:

1. Go to the AWS WAF console.
2. In the navigation pane, choose Web ACLs.
3. Choose the web ACL that you want to configure.
4. In the Rules tab, choose Add Rules.
5. In the Rule type dropdown list, choose Rule Builder.
6. In the Name field, enter a name for the rule.
7. In the Type field, choose Regular rule.
8. In the If a request section, choose Matches the statement.
9. In the Statement section, configure the following fields:
10. Inspect: Choose Single header.
11. Header name: Choose the header that contains the file name.
12. Regular expression: Enter a regular expression that matches the file names that you want to restrict.
13. In the Action section, choose Block.
14. Click Create.

The rule will now be created and applied to the web ACL. Any requests that contain a file name that matches the regular expression will be blocked.

**If the answer is helpful, please click "Accept Answer" and upvote it. **

Hi Ritika,

I understand you are you trying to see if there is a custom ACL which can be used to restrict download of file from the webpage. So the client can only view the list but cannot download it.

My response will be in two parts:

(a) Client can only view the list? This is more of applying least-privilege permissions. Apply this identiy-based policy to grants users read-only access to AWS WAF resources, to Amazon CloudFront web distributions:

{ "Version":"2012-10-17", "Statement": [ { "Action": [ "wafv2:Get*", "wafv2:List*", "cloudfront:GetDistribution", "cloudfront:GetDistributionConfig", "cloudfront:ListDistributions", "cloudfront:ListDistributionsByWebACLId", "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "ec2:DescribeRegions" ], "Effect": "Allow", "Resource": "*" } ] }

(b) Client can only view the list but cannot download it? To restrict download, you can configure CloudFront to require that users access your files using either signed URLs or signed cookies. Require that your users access your content by using CloudFront URLs, not URLs that access content directly on the origin server.

Reference: https://docs.aws.amazon.com/waf/latest/developerguide/security_iam_id-based-policy-examples.html https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

**If the answer is helpful, please click "Accept Answer" and upvote it. **

Kind regards, Ahmed

Hi Ritika,

In addition to what Dave mentioned, you can also configure a URI path match rule, with the extensions you would like to block. You can specify the file extensions that you would like to block using a regex. Just to get you started with (on best effort basis), I can share a regex which you can use to block .csv and .pdf file downloads. You can add more extensions to this regex as needed.

.+.(csv|pdf)

If you create a "URI path" match rule with the above regex, all the requests for the .csv/.pdf files will be blocked. Below [1] is the document which can help you create a regex, and help you use it in the "URI path" match rule. I hope it helps.

[1] https://docs.aws.amazon.com/waf/latest/developerguide/waf-regex-pattern-set-managing.html

**If the answer is helpful, please click "Accept Answer" and upvote it. **