SHART.CLOUD | DESKTOP | LABROULETTE | AWS-WAF-CLOUDFRONT-LOGS.YAML
01 - Labroulette - Put a WAF in Front of CloudFront and Keep the Receipts
| shart.cloud / labroulette / aws-waf-cloudfront-logs |
AWS **O ~85 min $2-8 reviewed 6/30/2026

Put a WAF in Front of CloudFront and Keep the Receipts

Add AWS WAF protections to a CloudFront distribution, log every decision, and prove common junk traffic gets blocked without turning the site into a false-positive bonfire.

#security#networking#observability
Lab FormBurp, a signup-form startup whose marketing site gets scraped, sprayed, and lovingly probed by every bargain-bin scanner with a user agent and a dream. all labs
02 - Actions
score -- - -- votes
-- completed
State loading
03 - Scenario

FormBurp, a signup-form startup whose marketing site gets scraped, sprayed, and lovingly probed by every bargain-bin scanner with a user agent and a dream.

Add AWS WAF protections to a CloudFront distribution, log every decision, and prove common junk traffic gets blocked without turning the site into a false-positive bonfire.

Constraints

  • CloudFront must have a regional scope-correct WAF web ACL attached
  • Managed rule groups are enabled before custom rules get cute
  • WAF logs must land in a queryable destination
  • At least one custom rate-based rule limits noisy clients
Scenario AWS - intermediate
05 - Steps
  1. STEP_01

    Build the web ACL in the right scope

    Create a WAFv2 web ACL for CloudFront scope and add AWS managed rule groups for common application junk. Keep the default action explicit so reviewers can tell whether unknown traffic is allowed or blocked.

    Terraform docs

  2. STEP_02

    Add a rate-based rule

    Add a custom rate-based rule that blocks a single IP after a low lab-safe request threshold. This gives you a deterministic control to test without trying to summon the entire internet.

    Hint: Use a deliberately low threshold only for the lab. Production thresholds need real traffic baselines, not vibes in a trench coat.

    Terraform docs

  3. STEP_03

    Attach the ACL to CloudFront

    Update the CloudFront distribution so the web_acl_id points at the ACL. Wait for deployment, then confirm normal requests still load the site.

    Terraform docs

  4. STEP_05

    Exercise allow and block paths

    Make normal requests, then generate enough repeated requests to trigger the rate rule. Capture the HTTP response change and the matching WAF log entry that explains why it happened.

    Terraform docs

Steps 5 tasks
06 - Deliverables
  • Terraform defining the WAF ACL, managed rules, rate rule, logging, and CloudFront attachment
  • Evidence that normal requests still pass through the distribution
  • A blocked request plus its matching WAF log entry
Deliverables 3 required
07 - Rubric
WAF ACL is attached to CloudFront with the correct scope 25%
Managed rule groups and a custom rate-based rule are configured 30%
WAF logs are enabled and queryable 25%
Allow and block paths are both demonstrated 20%
Rubric self-assessed