Securing CloudFront with WAF and OAC
CloudFront is often the first thing users hit when accessing your application. Getting security right at this layer is critical. Let's walk through the key controls.
Origin Access Control (OAC)
OAC replaces the legacy Origin Access Identity (OAI) and is the recommended way to restrict S3 access to your distribution. It signs origin requests with SigV4, works with SSE-KMS-encrypted objects, and is enforced through IAM (the bucket policy) rather than a CloudFront-owned identity:
resource "aws_cloudfront_origin_access_control" "main" {
  name                              = "my-oac"
  origin_access_control_origin_type = "s3"     # this OAC fronts an S3 origin
  signing_behavior                  = "always" # sign every origin request, even if the viewer request was already signed
  signing_protocol                  = "sigv4"  # the only protocol OAC supports today
}
The S3 bucket policy then grants read access only to requests signed on behalf of your specific CloudFront distribution, using a condition on AWS:SourceArn that matches the distribution's ARN.
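The bucket side of that arrangement, as an added example that is not from the original post. It assumes the origin bucket is named by the placeholder "example-site-origin" and that var.distribution_arn carries the ARN of the distribution using the OAC above (in a single configuration you would reference aws_cloudfront_distribution.main.arn directly):

```hcl
# Added example: S3 origin bucket that only the named CloudFront distribution
# can read. var.distribution_arn and the bucket name are assumptions.
variable "distribution_arn" {
  description = "ARN of the CloudFront distribution allowed to read this bucket"
  type        = string
}

resource "aws_s3_bucket" "site" {
  bucket = "example-site-origin" # placeholder name
}

# Block every form of public access; CloudFront is the only intended reader.
resource "aws_s3_bucket_public_access_block" "site" {
  bucket                  = aws_s3_bucket.site.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

data "aws_iam_policy_document" "site" {
  # Allow the CloudFront service principal, but only when the request was
  # signed on behalf of our distribution. Without the AWS:SourceArn condition
  # any distribution in any account could be pointed at this bucket.
  statement {
    sid       = "AllowCloudFrontServicePrincipalReadOnly"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.site.arn}/*"]

    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [var.distribution_arn]
    }
  }

  # Defense in depth: refuse any access that does not arrive over TLS.
  statement {
    sid       = "DenyInsecureTransport"
    effect    = "Deny"
    actions   = ["s3:*"]
    resources = [aws_s3_bucket.site.arn, "${aws_s3_bucket.site.arn}/*"]

    principals {
      type        = "*"
      identifiers = ["*"]
    }

    condition {
      test     = "Bool"
      variable = "aws:SecureTransport"
      values   = ["false"]
    }
  }
}

resource "aws_s3_bucket_policy" "site" {
  bucket = aws_s3_bucket.site.id
  policy = data.aws_iam_policy_document.site.json
}
```

If the objects are encrypted with SSE-KMS, the key policy also has to grant kms:Decrypt to cloudfront.amazonaws.com under the same AWS:SourceArn condition; the bucket policy alone is not enough for OAC to read those objects.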
AWS WAF Managed Rules
AWS WAF provides managed rule groups that protect against common threats without writing custom rules. The AWSManagedRulesCommonRuleSet covers:
- Cross-site scripting (XSS) patterns
- SQL injection attempts
- Known bad inputs and request patterns
- Size constraint violations
Attach the Web ACL to your CloudFront distribution and let the managed rules handle the heavy lifting.
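A Web ACL carrying that managed rule group, as an added example that is not part of the original post. It assumes a provider alias aws.us_east_1, because CLOUDFRONT-scoped WAF resources must live in us-east-1 regardless of where the rest of the stack is deployed:

```hcl
# Added example: CloudFront-scoped Web ACL with AWSManagedRulesCommonRuleSet.
# The provider alias is an assumption; the rule group name and vendor are AWS's.
provider "aws" {
  alias  = "us_east_1"
  region = "us-east-1"
}

resource "aws_wafv2_web_acl" "cf" {
  provider    = aws.us_east_1
  name        = "cf-web-acl"
  description = "Managed protections in front of CloudFront"
  scope       = "CLOUDFRONT"

  # Allow by default; the managed rules block what they match.
  default_action {
    allow {}
  }

  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 10

    # none {} keeps the rule group's own BLOCK actions. For a first rollout
    # use count {} instead: matches are recorded under the metric but not
    # blocked, which surfaces false positives before they cause outages.
    override_action {
      none {}
    }

    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }

    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "CommonRuleSet"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "cf-web-acl"
    sampled_requests_enabled   = true
  }
}
```

The distribution references this ACL through its web_acl_id argument, which for WAFv2 takes the ACL's ARN (aws_wafv2_web_acl.cf.arn), not its id. Keep sampled_requests_enabled on: the sampled requests are the quickest way to see which rule in the group blocked a legitimate client when you tune.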
TLS Best Practices
Always enforce HTTPS by setting viewer_protocol_policy to redirect-to-https. Use TLSv1.2_2021 as the minimum protocol version — it drops support for older, vulnerable cipher suites while maintaining broad client compatibility.
Access Logging
Enable CloudFront access logs to a dedicated S3 bucket. These logs capture every request hitting your distribution — invaluable for security investigations, traffic analysis, and compliance audits. Set a lifecycle policy to expire logs after 90 days to control storage costs.
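The distribution wiring that enforces HTTPS and TLSv1.2_2021 and ships access logs to a log bucket with a 90-day expiry, as an added example that is not part of the original post. It assumes var.domain_name and var.acm_certificate_arn (a certificate in us-east-1 covering that name), var.web_acl_arn, var.origin_bucket_domain_name and var.oac_id, plus the placeholder log bucket name "example-cloudfront-logs":

```hcl
# Added example: distribution with HTTPS redirect, TLSv1.2_2021 and standard
# logging to a dedicated bucket. All variables and bucket names are assumptions.
variable "domain_name"               { type = string }
variable "acm_certificate_arn"       { type = string }
variable "web_acl_arn"               { type = string }
variable "origin_bucket_domain_name" { type = string } # bucket_regional_domain_name of the origin
variable "oac_id"                    { type = string }

# CloudFront standard logging writes through a bucket ACL, so the log bucket
# must not use the BucketOwnerEnforced ownership setting.
resource "aws_s3_bucket" "logs" {
  bucket = "example-cloudfront-logs" # placeholder name
}

resource "aws_s3_bucket_ownership_controls" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    object_ownership = "BucketOwnerPreferred"
  }
}

resource "aws_s3_bucket_public_access_block" "logs" {
  bucket                  = aws_s3_bucket.logs.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Retain 90 days of logs, then expire them to bound storage cost.
resource "aws_s3_bucket_lifecycle_configuration" "logs" {
  bucket = aws_s3_bucket.logs.id
  rule {
    id     = "expire-after-90-days"
    status = "Enabled"
    filter {}
    expiration {
      days = 90
    }
  }
}

data "aws_cloudfront_cache_policy" "optimized" {
  name = "Managed-CachingOptimized"
}

resource "aws_cloudfront_distribution" "main" {
  enabled             = true
  is_ipv6_enabled     = true
  default_root_object = "index.html"
  aliases             = [var.domain_name]
  web_acl_id          = var.web_acl_arn

  logging_config {
    bucket          = aws_s3_bucket.logs.bucket_domain_name
    include_cookies = false # cookies in logs are a data-exposure risk; leave off unless needed
    prefix          = "cloudfront/"
  }

  origin {
    origin_id                = "s3-site"
    domain_name              = var.origin_bucket_domain_name
    origin_access_control_id = var.oac_id
  }

  default_cache_behavior {
    target_origin_id       = "s3-site"
    viewer_protocol_policy = "redirect-to-https" # plain-HTTP viewers get a 301 to HTTPS
    allowed_methods        = ["GET", "HEAD", "OPTIONS"]
    cached_methods         = ["GET", "HEAD"]
    cache_policy_id        = data.aws_cloudfront_cache_policy.optimized.id
    compress               = true
  }

  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  # TLSv1.2_2021 is only selectable with a custom (ACM) certificate and SNI.
  # The default *.cloudfront.net certificate pins the legacy TLSv1 policy.
  viewer_certificate {
    acm_certificate_arn      = var.acm_certificate_arn
    ssl_support_method       = "sni-only"
    minimum_protocol_version = "TLSv1.2_2021"
  }
}
```

Two things to check after apply: that plain-HTTP requests to the alias return a 301 to the HTTPS URL rather than content, and that log objects start appearing under the cloudfront/ prefix within an hour. A distribution whose log bucket has the wrong ownership setting fails silently at delivery time, so the second check is the one that catches misconfiguration.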