Put a WAF in Front of CloudFront and Keep the Receipts
Add AWS WAF protections to a CloudFront distribution, log every decision, and prove common junk traffic gets blocked without turning the site into a false-positive bonfire.
#security#networking#observability
LabFormBurp, a signup-form startup whose marketing site gets scraped, sprayed, and lovingly probed by every bargain-bin scanner with a user agent and a dream.all labs
02 - Actions
score -- - -- votes
-- completed
Sign in with a real account to save ratings, completions, and share snapshots.
Stateloading
03 - Scenario
FormBurp, a signup-form startup whose marketing site gets scraped, sprayed, and lovingly probed by every bargain-bin scanner with a user agent and a dream.
Add AWS WAF protections to a CloudFront distribution, log every decision, and prove common junk traffic gets blocked without turning the site into a false-positive bonfire.
Constraints
CloudFront must have a regional scope-correct WAF web ACL attached
Managed rule groups are enabled before custom rules get cute
WAF logs must land in a queryable destination
At least one custom rate-based rule limits noisy clients
ScenarioAWS - intermediate
05 - Steps
STEP_01
Build the web ACL in the right scope
Create a WAFv2 web ACL for CloudFront scope and add AWS managed rule groups for common application junk. Keep the default action explicit so reviewers can tell whether unknown traffic is allowed or blocked.
Add a custom rate-based rule that blocks a single IP after a low lab-safe request threshold. This gives you a deterministic control to test without trying to summon the entire internet.
Hint: Use a deliberately low threshold only for the lab. Production thresholds need real traffic baselines, not vibes in a trench coat.
Configure WAF logging to a destination you can inspect, then filter the log output for terminatingRuleId and action. A blocked request without a log is just a shrug with billing.
Make normal requests, then generate enough repeated requests to trigger the rate rule. Capture the HTTP response change and the matching WAF log entry that explains why it happened.