
Wallarm Connector for Amazon CloudFront

CloudFront is a content delivery network operated by Amazon Web Services. Wallarm can act as a connector to secure and monitor traffic delivered through CloudFront.

To use Wallarm as a connector for CloudFront, you need to deploy the Wallarm node externally and run Wallarm-provided Lambda@Edge functions to route traffic to the Wallarm node for analysis.

The CloudFront connector supports both in-line and out-of-band traffic analysis. If Wallarm is configured to block malicious activity, the in-line scheme applies:

CloudFront with Wallarm - in-line scheme

CloudFront with Wallarm - out-of-band scheme

Use cases

Among all supported Wallarm deployment options, this solution is recommended when you deliver traffic through Amazon CloudFront.

Limitations

  • The following restrictions apply to Lambda@Edge functions:

    • The body size is limited to 40 KB for viewer requests and 1 MB for origin requests.
    • The maximum response time from the Wallarm node is 5 seconds for viewer requests and 30 seconds for origin requests.
    • Lambda@Edge does not support private networks (VPC).
    • The default limit for concurrent requests is 1,000 per region, but it can be increased up to tens of thousands.
  • Passive vulnerability detection and the API response structure in API Discovery are unavailable because of Lambda@Edge response trigger restrictions: the Wallarm functions cannot receive response bodies, and both features rely on them.

  • Rate limiting by the Wallarm rule is not supported.

  • Multitenancy is not supported yet.

Requirements

To proceed with the deployment, ensure that you meet the following requirements:

  • Understanding of AWS CloudFront and Lambda technologies.

  • APIs or traffic running on AWS.

Deployment

1. Deploy a Wallarm node

The Wallarm node is a core component of the Wallarm platform that you need to deploy. It inspects incoming traffic, detects malicious activities, and can be configured to mitigate threats.

You can deploy it either hosted by Wallarm or in your own infrastructure, depending on the level of control you require.

To deploy a Wallarm-hosted node for the connector, follow the instructions.

The current self-hosted node deployment has limitations. Full response analysis is not yet supported, which is why:

  • Vulnerability discovery using the passive detection method does not work properly: the solution determines whether an API is vulnerable based on server responses to malicious requests typical of the vulnerabilities it tests.
  • Wallarm API Discovery cannot build the API inventory from your traffic, as the solution relies on response analysis.
  • Protection against forced browsing is not available, since it requires response code analysis.

To deploy a self-hosted node for the connector:

  1. Allocate an instance for deploying the node.
  2. Choose one of the supported Wallarm node deployment solutions or artifacts for the in-line or out-of-band deployment and follow the provided deployment instructions.
  3. Configure the deployed node using the following template:

    # Plain HTTP front: accepts traffic from the Lambda@Edge function and hands it
    # to the internal analysis server over a Unix socket
    server {
        listen 80;

        server_name _;

        access_log off;
        wallarm_mode off;

        location / {
            # the original Host is carried in X-Forwarded-Host
            proxy_set_header Host $http_x_forwarded_host;
            proxy_pass http://unix:/tmp/wallarm-nginx.sock;
        }
    }

    # HTTPS front: same as above, terminating TLS for the function's requests
    server {
        listen 443 ssl;

        server_name yourdomain-for-wallarm-node.tld;

        ### SSL configuration here

        access_log off;
        wallarm_mode off;

        location / {
            proxy_set_header Host $http_x_forwarded_host;
            proxy_pass http://unix:/tmp/wallarm-nginx.sock;
        }
    }

    # Analysis server: the Wallarm module inspects each request here
    server {
        listen unix:/tmp/wallarm-nginx.sock;

        server_name _;

        wallarm_mode monitoring;
        #wallarm_mode block;

        # restore the real client address from the header set by the function
        real_ip_header X-REAL-IP;
        set_real_ip_from unix:;

        location / {
            # read the full request body so the module can analyze it
            echo_read_request_body;
        }
    }

    Pay particular attention to the following settings:

    • TLS/SSL certificates for HTTPS traffic: to enable the Wallarm node to handle HTTPS traffic, configure the TLS/SSL certificates accordingly. The specific configuration depends on the chosen deployment method; for example, if you are using NGINX, refer to the NGINX documentation for guidance.
    • Wallarm operation mode configuration.
  4. Once the deployment is complete, make a note of the node instance IP, as you will need it later to set the address for incoming request forwarding.

2. Obtain and deploy the Wallarm Lambda@Edge functions

To connect your CloudFront CDN with the Wallarm node, you need to deploy the Wallarm Lambda@Edge functions on AWS.

There are two Python-based functions: one for request forwarding and analysis, and another for response forwarding and analysis.

  1. Proceed to Wallarm Console → Security Edge → Connectors → Download code bundle and download a code bundle for your platform.

  2. Proceed to your AWS Console → Services → Lambda → Functions.

  3. Select the us-east-1 (N. Virginia) region, which is required for Lambda@Edge functions.

  4. Create a function with the following settings:

    • Runtime: Python 3.x.
    • Execution role: Create a new role from AWS policy templates → Basic Lambda@Edge permissions (for CloudFront trigger).
    • Other settings can remain as default.
  5. Once the function is created, on the Code tab, paste the Wallarm request processing code.

  6. Update the following parameters in the code:

  7. Proceed to Actions → Deploy to Lambda@Edge and specify the following settings:

    • Configure new CloudFront trigger.
    • Distribution: your CDN that routes traffic to the origin you want to protect.
    • Cache behavior: the cache behavior for the Lambda function, typically *.
    • CloudFront event:
      • Origin request: executes the function only when the CloudFront CDN requests data from the backend. If the CDN returns a cached response, the function is not executed.
      • Viewer request: executes the function for every request to the CloudFront CDN.
    • Check Include body.
    • Check Confirm deploy to Lambda@Edge.

    Cloudfront function deployment

  8. Repeat the procedure for the Wallarm-provided response function, selecting a response event as the trigger.

    Ensure the response trigger matches the request trigger (origin response for origin request, viewer response for viewer request).
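To make the connector's moving parts concrete, the sketch below is an added example, not code from Wallarm's bundle. It shows the shape of a Lambda@Edge request trigger that forwards a CloudFront request to an external analysis node under the constraints listed under Limitations: it decodes the base64 body CloudFront delivers when Include body is checked, treats CloudFront's inputTruncated flag as a sign that the 40 KB viewer-request cap was hit, keeps the node call under the 5-second viewer-request budget, and sets the X-Forwarded-Host and X-REAL-IP headers that the NGINX template above reads. The node URL, the convention that the node answers 403 to signal a block, the fail-open behaviour when the node is unreachable, and the sample event are all assumptions constructed for the example.

```python
"""Sketch of a Lambda@Edge request trigger forwarding to an analysis node.

Added example; not Wallarm's code. Node address, the "403 means block"
convention and fail-open on errors are assumptions made for illustration.
"""
import base64
import urllib.error
import urllib.request

NODE_URL = "https://wallarm-node.example.invalid"  # assumption: your node's address
NODE_TIMEOUT_SECONDS = 4        # stays under the 5 s viewer-request budget
MAX_BODY_BYTES = 40 * 1024      # viewer-request body cap from the Limitations section


def extract_request(event):
    """Flatten the CloudFront request record into plain Python values."""
    request = event["Records"][0]["cf"]["request"]
    headers = [(h["key"], h["value"])
               for entries in request["headers"].values() for h in entries]
    host = next((v for k, v in headers if k.lower() == "host"), "")
    body = request.get("body") or {}
    data = body.get("data", "")
    raw = base64.b64decode(data) if body.get("encoding") == "base64" else data.encode()
    return {
        "method": request["method"],
        "uri": request["uri"],
        "querystring": request.get("querystring", ""),
        "headers": headers,
        "host": host,
        "client_ip": request["clientIp"],
        "body": raw,
        # CloudFront sets this flag when the body exceeded the trigger's size cap
        "truncated": bool(body.get("inputTruncated", False)),
    }


def build_forward(parsed, node_url=NODE_URL):
    """Return (url, headers, body) for the copy of the request sent to the node."""
    path = parsed["uri"] + ("?" + parsed["querystring"] if parsed["querystring"] else "")
    headers = {}
    for key, value in parsed["headers"]:
        if key.lower() in ("host", "content-length"):
            continue  # Host must be the node's own; urllib recomputes Content-Length
        headers[key] = value  # repeated header names collapse to the last value
    # Mirror the NGINX template: the node restores the original Host from
    # X-Forwarded-Host and the client address from X-REAL-IP.
    headers["X-Forwarded-Host"] = parsed["host"]
    headers["X-REAL-IP"] = parsed["client_ip"]
    return node_url + path, headers, parsed["body"]


def send_to_node(method, url, headers, body, timeout=NODE_TIMEOUT_SECONDS):
    """Replay the request at the node and return its HTTP status code."""
    req = urllib.request.Request(url, data=body or None, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # a 403 from the node is a verdict, not a transport failure


def blocked_response():
    """Response CloudFront returns to the client instead of reaching the origin."""
    return {
        "status": "403",
        "statusDescription": "Forbidden",
        "headers": {"content-type": [{"key": "Content-Type", "value": "text/plain"}]},
        "body": "Request blocked",
    }


def handler(event, context=None, send=send_to_node):
    """Lambda@Edge request entry point; `send` is injectable for offline tests."""
    request = event["Records"][0]["cf"]["request"]
    parsed = extract_request(event)
    if parsed["truncated"] or len(parsed["body"]) > MAX_BODY_BYTES:
        # The node would only see part of the body; this sketch passes such
        # requests through unanalysed rather than blocking on partial data.
        return request
    url, headers, body = build_forward(parsed)
    try:
        status = send(parsed["method"], url, headers, body)
    except OSError:  # URLError and socket timeouts are OSError subclasses
        return request  # fail open: node unreachable inside the time budget
    return blocked_response() if status == 403 else request


# Constructed sample event (not captured from a real distribution)
SAMPLE_EVENT = {
    "Records": [{"cf": {"request": {
        "clientIp": "203.0.113.10",
        "method": "POST",
        "uri": "/api/login",
        "querystring": "lang=en",
        "headers": {
            "host": [{"key": "Host", "value": "cdn.example.invalid"}],
            "content-type": [{"key": "Content-Type", "value": "application/json"}],
        },
        "body": {"inputTruncated": False, "action": "read-only",
                 "encoding": "base64",
                 "data": base64.b64encode(b'{"user":"alice"}').decode()},
    }}}]
}

if __name__ == "__main__":
    # simulate a node that flags the request; prints 403
    print(handler(SAMPLE_EVENT, send=lambda *args: 403)["status"])
```

The fail-open choice keeps the CDN serving when the node cannot answer inside the Lambda@Edge budget; a deployment that prefers fail-closed would return `blocked_response()` in the `except` branch instead, at the cost of turning node outages into client-visible errors.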

Testing

To test the functionality of the deployed functions, follow these steps:

  1. Send a request with a test Path Traversal attack to your CloudFront CDN:

    curl http://<CLOUDFRONT_CDN>/etc/passwd
    
  2. Open Wallarm Console → Attacks section in the US Cloud or EU Cloud and make sure the attack is displayed in the list.

    Attacks in the interface

    If the Wallarm node mode is set to blocking, the request will also be blocked.