4.1.2. Network Edge Protection (CloudFront, WAF, Shield)
First Principle: CloudFront, AWS WAF, and Shield form a layered edge defense. CloudFront terminates TLS and serves cached content from edge locations, so much of the traffic never reaches the origin; AWS WAF inspects each HTTP/HTTPS request (layer 7) against rules attached to the distribution; Shield Standard absorbs network- and transport-layer (layers 3 and 4) floods automatically at no extra charge, and Shield Advanced adds application-layer DDoS detection and mitigation, access to the Shield Response Team, and cost protection. Each operates at a different layer, and they work together.
AWS WAF inspects HTTP/HTTPS requests arriving at an associated resource and evaluates rules in priority order; each rule's action is allow, block, count, CAPTCHA, or challenge:
- Managed Rules: Pre-built rule groups maintained by AWS or Marketplace sellers, for example:
  - Core Rule Set (CRS): general protections against OWASP-style web risks such as cross-site scripting, local file inclusion, and malformed or oversize requests
  - SQL Injection (the SQL database rule group): detects common SQLi patterns in the query string, body, cookies, and headers
  - Known Bad Inputs: blocks request patterns known to be invalid or tied to vulnerability exploitation (the Log4JRCE rule lives in this group)
  - Bot Control: identifies self-identifying and evasive bots and lets you allow, block, or challenge them by category
- Custom Rules: Match on IP sets, geographic origin, headers, cookies, URI path, query string, body, size constraints, regex pattern sets, or labels set by earlier rules. Body inspection is capped (8 KB by default for regional resources, 16 KB for CloudFront), so choose an oversize-handling behavior for requests that exceed the cap
- Rate-Based Rules: Count requests per aggregation key (source IP, the forwarded IP taken from X-Forwarded-For, or custom keys) over a trailing window and apply the rule action to keys that exceed the limit. The original minimum was 100 requests per 5-minute window; AWS has since lowered the minimum to 10 requests and made the evaluation window configurable (1, 2, 5, or 10 minutes), so check the current quota rather than memorizing 100
- Web ACLs: Container for rules and rule groups, associated with CloudFront distributions, ALBs, API Gateway REST APIs, AppSync APIs, Cognito user pools, App Runner services, or Verified Access instances. A web ACL for CloudFront must be created in us-east-1 with scope CLOUDFRONT; all others are REGIONAL and live in the resource's Region
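The aggregation key of a rate-based rule decides who actually gets rate-limited. The example below is added here and is not AWS code: it emulates the rule's counting over constructed request records as seen by an ALB that sits behind CloudFront, where every TCP connection arrives from a CloudFront edge address and the viewer's address is only in X-Forwarded-For. The edge and viewer IP addresses, the timestamps, and the thresholds are all constructed; the window and key-type names mirror the WAF API (EvaluationWindowSec, AggregateKeyType IP / FORWARDED_IP, FallbackBehavior).

```python
"""Emulate an AWS WAF rate-based rule over constructed request records.

Added example, not AWS code. It shows why the aggregation key matters when the
web ACL is attached to an ALB that sits behind CloudFront: by connection source
IP every request appears to come from a few CloudFront edge addresses.
"""
from collections import defaultdict
from typing import Iterable, Optional, Set

# Constructed addresses (documentation ranges), not real CloudFront edges.
EDGE_IPS = ("198.51.100.10", "198.51.100.11")
T0 = 1_700_000_000  # arbitrary epoch start for the sample


def build_sample() -> list:
    """Constructed traffic: three ordinary viewers and one abusive viewer, all
    arriving at the ALB through two CloudFront edge addresses. CloudFront puts
    the viewer address into X-Forwarded-For."""
    reqs = []
    for i, viewer in enumerate(("203.0.113.5", "203.0.113.6", "203.0.113.7")):
        for n in range(20):                      # 20 requests over ~10 minutes
            reqs.append({"ts": T0 + 30 * n + i, "src_ip": EDGE_IPS[n % 2],
                         "xff": viewer})
    for n in range(300):                         # 300 requests inside 2 minutes
        reqs.append({"ts": T0 + 60 + 0.4 * n, "src_ip": EDGE_IPS[n % 2],
                     "xff": "192.0.2.99"})
    return reqs


def aggregate_key(req: dict, key_type: str, fallback: str = "NO_MATCH") -> Optional[str]:
    """Value the rule counts under.

    IP           -> connection source address (on an ALB behind CloudFront,
                    that is the edge, not the viewer)
    FORWARDED_IP -> first address in X-Forwarded-For, as ForwardedIPConfig does
    `fallback` mirrors FallbackBehavior when the header is missing: MATCH puts
    the request in one shared bucket, NO_MATCH leaves it uncounted.
    """
    if key_type == "IP":
        return req["src_ip"]
    if key_type == "FORWARDED_IP":
        first = req.get("xff", "").split(",")[0].strip()
        if first:
            return first
        return "<no-forwarded-ip>" if fallback == "MATCH" else None
    raise ValueError(f"unsupported AggregateKeyType {key_type!r}")


def keys_over_limit(reqs: Iterable[dict], limit: int, key_type: str,
                    window_sec: int = 300) -> Set[str]:
    """Keys whose request count in some trailing window exceeds `limit`.

    AWS WAF evaluates its window approximately; this is an exact sliding
    window over sorted timestamps, which is enough to show the decision.
    """
    by_key = defaultdict(list)
    for r in reqs:
        k = aggregate_key(r, key_type)
        if k is not None:
            by_key[k].append(r["ts"])
    flagged = set()
    for k, times in by_key.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] >= window_sec:   # drop timestamps that aged out
                start += 1
            if end - start + 1 > limit:
                flagged.add(k)
                break
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    print("by IP:          ", keys_over_limit(sample, 100, "IP"))
    print("by FORWARDED_IP:", keys_over_limit(sample, 100, "FORWARDED_IP"))
```

With a limit of 100, keying on IP flags both edge addresses and would block every viewer behind them, while keying on FORWARDED_IP flags only the abusive viewer. Two caveats follow from this: the first X-Forwarded-For value is whatever the client sent, so a rule that trusts it can be evaded by spoofing the header unless CloudFront is the only path to the ALB (see the origin custom header below), and attaching the web ACL to the CloudFront distribution instead avoids the problem entirely because there the IP key is the viewer's own connection address.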
CloudFront Security Features:
- Viewer Protocol Policy: Redirect HTTP to HTTPS or allow HTTPS only between viewers and CloudFront, with a TLS security policy that sets the minimum protocol version
- Origin Protocol Policy: Force HTTPS between CloudFront and your origin (S3 REST endpoints support HTTPS; S3 static website endpoints are HTTP only)
- Origin Access Control (OAC): Restrict an S3 origin so it accepts requests only from CloudFront; the bucket policy grants the cloudfront.amazonaws.com service principal access conditioned on the distribution's ARN. OAC replaces OAI and also covers Lambda function URL and Elemental media origins
- Field-Level Encryption: Encrypt specific POST form fields at the edge with a public key you upload; only the application component holding the private key can decrypt them, so the values stay encrypted through caches, logs, and intermediate tiers
- Origin Custom Headers: CloudFront adds a header with a secret value to every origin request; the origin (application code or an ALB listener rule) rejects requests without it, so an attacker who discovers the origin's hostname still cannot bypass CloudFront and WAF. Rotate the value periodically and accept the previous value during rollover
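Both the OAC and the custom-header items above come down to one check at the origin: is this request really coming through my distribution? The example below is added here and is not AWS code. For an S3 origin it builds the OAC bucket policy and lints a policy for the two common ways it ends up open (a wildcard principal, or the CloudFront service principal granted without an aws:SourceArn condition, which lets any OAC-enabled distribution in any account read the bucket). For a custom origin it validates the shared-secret header the way application code should. The bucket name, account ID, distribution ID, header name, and secret values are constructed placeholders.

```python
"""Two ways to make an origin accept traffic only from CloudFront.

Added example, not AWS code. Bucket, account and distribution identifiers are
constructed; the header name and secrets are placeholders.
"""
import hmac
import json
from typing import List, Mapping, Sequence

BUCKET = "example-static-site"
DISTRIBUTION_ARN = "arn:aws:cloudfront::111122223333:distribution/EDFDVBD6EXAMPLE"


def oac_bucket_policy(bucket: str, distribution_arn: str) -> dict:
    """S3 bucket policy for an OAC origin: the CloudFront service principal may
    read objects, but only when acting for this one distribution. Drop the
    aws:SourceArn condition and any distribution with OAC, in any account,
    could front the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontServicePrincipalReadOnly",
            "Effect": "Allow",
            "Principal": {"Service": "cloudfront.amazonaws.com"},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
            "Condition": {"StringEquals": {"AWS:SourceArn": distribution_arn}},
        }],
    }


def oac_policy_findings(policy: dict) -> List[str]:
    """Lint for the two ways an 'OAC' bucket policy ends up open: a wildcard
    principal, or the CloudFront service principal granted with no
    aws:SourceArn condition (StringEquals, ArnEquals or ArnLike all count)."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", "<no Sid>")
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"{sid}: wildcard principal, objects are public")
            continue
        services = principal.get("Service", []) if isinstance(principal, dict) else []
        if isinstance(services, str):
            services = [services]
        if "cloudfront.amazonaws.com" in services:
            cond_keys = {k.lower() for op in st.get("Condition", {}).values() for k in op}
            if "aws:sourcearn" not in cond_keys:
                findings.append(f"{sid}: CloudFront principal without aws:SourceArn, "
                                "any OAC-enabled distribution can read")
    return findings


# Custom (non-S3) origins: CloudFront adds this header to every origin request.
HEADER_NAME = "x-origin-verify"
ACCEPTED_SECRETS = (  # placeholders: current value, then the previous one during rotation
    "c6f1e0a3b5d2478f9e1b2c3d4e5f6a7b",
    "0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d",
)


def request_came_via_cloudfront(headers: Mapping[str, str],
                                secrets: Sequence[str] = ACCEPTED_SECRETS) -> bool:
    """True only when the request carries an accepted shared secret.

    Header names are matched case-insensitively, the comparison is
    constant-time, and every accepted secret is checked so rotating the value
    on the distribution does not cause a window of 403s."""
    presented = next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)
    if presented is None:
        return False
    matched = False
    for secret in secrets:
        matched |= hmac.compare_digest(presented.encode(), secret.encode())
    return matched


if __name__ == "__main__":
    print(json.dumps(oac_bucket_policy(BUCKET, DISTRIBUTION_ARN), indent=2))
```

The header check belongs in front of every route (a middleware or an ALB listener rule with an http-header condition that forwards matches and returns 403 otherwise); it does not replace the application's own authentication, it only guarantees that WAF saw the request first. Store the secret outside the code and set it on the distribution as an origin custom header.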
AWS IoT Core policies govern what an authenticated device may do with the message broker:
- X.509 certificate-based (mutual TLS) authentication for device identity; each device gets its own certificate rather than a shared one
- Fine-grained policies controlling which client ID a device may connect as and which topics it may publish, subscribe to, and receive on, typically scoped with policy variables such as ${iot:Connection.Thing.ThingName} so a device can only use its own topics
- Integration with AWS IoT Device Defender, which audits account and device configuration and detects anomalous device behavior
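The difference between a policy that merely authenticates devices and one that confines each device to its own topics is easiest to see by evaluating both against the same requests. The example below is added here and is not AWS code or the service's evaluator: it places a weak policy beside a scoped one and runs a small local model of IoT policy evaluation (variable substitution, wildcard matching, explicit deny wins) over constructed thing names. The Region, account ID, topic layout, and thing names are constructed; the policy variable ${iot:Connection.Thing.ThingName} is the real one, and in the service it resolves only when the connecting certificate is attached to a thing whose name equals the MQTT client ID.

```python
"""Scope an AWS IoT Core policy to the connecting device.

Added example, not AWS code. The region, account and thing names are
constructed, and iot_allows() is a small local model of the service's policy
evaluation, written so the effect of the policy variable can be checked.
"""
import fnmatch
from typing import List, Union

REGION, ACCOUNT = "us-east-1", "111122223333"
THING_VAR = "${iot:Connection.Thing.ThingName}"

# Weak policy: any authenticated device may do anything on any topic.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iot:*", "Resource": "*"}],
}

# Scoped policy: the variable resolves to the thing whose name equals the MQTT
# client ID and to which the certificate is attached, so each device can only
# connect as itself and use its own telemetry and command topics.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect",
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{THING_VAR}"},
        {"Effect": "Allow", "Action": "iot:Publish",
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/devices/{THING_VAR}/telemetry"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:topicfilter/devices/{THING_VAR}/commands"},
        {"Effect": "Allow", "Action": "iot:Receive",
         "Resource": f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/devices/{THING_VAR}/commands"},
    ],
}


def _as_list(v: Union[str, List[str]]) -> List[str]:
    return [v] if isinstance(v, str) else list(v)


def _wild(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: * any run of characters, ? a single one.
    Brackets are escaped so fnmatch does not treat them as character classes."""
    return fnmatch.fnmatchcase(value, pattern.replace("[", "[[]"))


def topic_arn(topic: str) -> str:
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:topic/{topic}"


def client_arn(client_id: str) -> str:
    return f"arn:aws:iot:{REGION}:{ACCOUNT}:client/{client_id}"


def iot_allows(policy: dict, action: str, resource_arn: str, thing_name: str) -> bool:
    """Local model: substitute the thing-name variable, match action and
    resource with wildcards; an explicit Deny wins, otherwise default deny."""
    allowed = False
    for st in policy["Statement"]:
        if not any(_wild(a, action) for a in _as_list(st["Action"])):
            continue
        resources = [r.replace(THING_VAR, thing_name) for r in _as_list(st["Resource"])]
        if not any(_wild(r, resource_arn) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    other = topic_arn("devices/sensor-002/telemetry")
    print("weak   lets sensor-001 publish as sensor-002:", iot_allows(WEAK_POLICY, "iot:Publish", other, "sensor-001"))
    print("scoped lets sensor-001 publish as sensor-002:", iot_allows(SCOPED_POLICY, "iot:Publish", other, "sensor-001"))
```

Under the weak policy one compromised certificate can impersonate every device in the fleet by publishing to their topics; under the scoped policy the same certificate is confined to its own device's topics, and Device Defender's audit check for overly permissive policies would flag the weak one.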
S3 CORS Configuration controls whether a web page served from another origin may read S3 responses through browser scripts. It is a browser-enforced convenience, not an access control: S3 still serves the object to any caller the bucket policy and IAM allow, including non-browser clients that send no Origin header at all. Keep AllowedOrigins as narrow as possible, but rely on bucket policies, IAM, and OAC to decide who may read the data.
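The point that CORS decorates responses rather than authorizing them is easy to state and easy to misremember, so the example below models it. It is added here and is not AWS code: a constructed CORS rule set in the shape of the PutBucketCors rules, a simplified model of how S3 picks a matching rule and sets the CORS response headers, and the browser-side check that actually withholds the body from a non-allowed page. The rule set, origins, and header names are constructed; the model echoes the matched Origin rather than reproducing every detail of S3's wildcard handling.

```python
"""Model what an S3 CORS configuration does and does not decide.

Added example, not AWS code. The rule set and requests are constructed, and
the functions are a simplified model of S3 and browser behaviour, enough to
show that CORS only governs what a cross-origin page may read.
"""
import fnmatch
from typing import Dict, Iterable, List

# Constructed CORS configuration, same shape as the PutBucketCors rules.
CORS_RULES = [{
    "AllowedOrigins": ["https://app.example.com", "https://*.partner.example"],
    "AllowedMethods": ["GET", "HEAD"],
    "AllowedHeaders": ["Authorization", "x-amz-*"],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3000,
}]


def _match(pattern: str, value: str) -> bool:
    """S3 allows a single * in AllowedOrigins/AllowedHeaders; fnmatchcase covers that."""
    return fnmatch.fnmatchcase(value, pattern)


def cors_headers(rules: List[dict], origin: str, method: str,
                 request_headers: Iterable[str] = ()) -> Dict[str, str]:
    """CORS response headers S3 adds when a rule matches the request's Origin,
    method and requested headers; {} when none does (S3 then sends no CORS
    headers at all, and the browser withholds the body from the page)."""
    request_headers = list(request_headers)
    for rule in rules:
        if not any(_match(o, origin) for o in rule["AllowedOrigins"]):
            continue
        if method not in rule["AllowedMethods"]:
            continue
        allowed = [h.lower() for h in rule.get("AllowedHeaders", [])]
        if not all(any(_match(a, h.lower()) for a in allowed) for h in request_headers):
            continue
        headers = {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(rule["AllowedMethods"]),
        }
        if rule.get("ExposeHeaders"):
            headers["Access-Control-Expose-Headers"] = ", ".join(rule["ExposeHeaders"])
        if "MaxAgeSeconds" in rule:
            headers["Access-Control-Max-Age"] = str(rule["MaxAgeSeconds"])
        return headers
    return {}


def s3_response(rules: List[dict], req_headers: Dict[str, str], method: str = "GET",
                object_readable: bool = True) -> dict:
    """Simplified S3 decision. Whether the caller may read the object comes from
    the bucket policy / IAM (modelled by `object_readable`); CORS rules never
    change that, they only decorate the response for browsers that sent Origin."""
    if not object_readable:
        return {"status": 403, "headers": {}}
    origin = req_headers.get("Origin")
    if origin is None:                      # curl, scripts, server-side code
        return {"status": 200, "headers": {}}
    wanted = [h.strip() for h in req_headers.get("Access-Control-Request-Headers", "").split(",")
              if h.strip()]
    return {"status": 200, "headers": cors_headers(rules, origin, method, wanted)}


def browser_can_read(response: dict, page_origin: str) -> bool:
    """The browser's check: a cross-origin page reads the body only if the
    response names its origin (or *) in Access-Control-Allow-Origin."""
    acao = response["headers"].get("Access-Control-Allow-Origin")
    return response["status"] == 200 and acao in (page_origin, "*")
```

Run through the model, a page on https://evil.example.net still gets a 200 from the bucket; only the browser refuses to hand the body to its script, and a curl request with no Origin header gets the object with no CORS headers involved. The 403 comes from the bucket policy, which is why tightening AllowedOrigins never substitutes for blocking public access and fronting the bucket with OAC.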
⚠️ Exam Trap: Origin Access Control (OAC) is the current recommended mechanism for restricting S3 origin access through CloudFront. Origin Access Identity (OAI) is the legacy method: it cannot read objects encrypted with SSE-KMS and does not support the newer opt-in Regions, whereas OAC supports SSE-KMS, all Regions, and dynamic PUT and DELETE requests. Exam questions may test whether you know OAC is preferred for new implementations.
Scenario: A company needs to protect its web application against OWASP Top 10 threats while also preventing direct access to its S3 origin. They create a CLOUDFRONT-scope web ACL in us-east-1 with the Core Rule Set and SQL injection managed rule groups, associate it with the CloudFront distribution, and enable OAC on the S3 origin with a bucket policy that allows only the cloudfront.amazonaws.com service principal acting for that distribution's ARN.
Reflection Question: Why does combining CloudFront, WAF, and OAC provide stronger security than relying on any one of them alone? Consider what an attacker gains by discovering the origin's hostname when OAC is missing, and what WAF can inspect if traffic never passes through CloudFront.