aws-amplify / amplify-hosting

AWS Amplify Hosting provides a Git-based workflow for deploying and hosting fullstack serverless web applications.
https://aws.amazon.com/amplify/hosting/
Apache License 2.0

Web Application Firewall Integration #36

Open blazinaj opened 4 years ago

blazinaj commented 4 years ago

Is your feature request related to a problem? Please describe.

We are trying to use an Amplify-CLI / Amplify-Console powered app in Production. A business (security) requirement is that we use a Web Application Firewall. Currently there is no way to implement that with the Amplify Console, so we will have to host our production app using a different service.

See: #8

We are a little sad about this, as the Amplify Console has 90% of the functionality needed for hosting a production level app, but "Only Basic Auth security" is a major deal breaker for us.

Describe the solution you'd like

Allow us to create our own CloudFront distribution, with an associated WAF, and direct the Amplify Console Hosting through that domain, instead of the automatically generated "always public" domain (e.g. production.abcxyz.amplifyapp.com)

garyleefight commented 4 years ago

We have cut a feature request in our backlog. Thanks for your feedback

swaminator commented 4 years ago

@blazinaj: what if we were to implement an IP whitelisting feature? Would that be sufficient vs WAF support?

blazinaj commented 4 years ago

@blazinaj: what if we were to implement an IP whitelisting feature? Would that be sufficient vs WAF support?

Not quite sufficient for our use. We won't be able to fully restrict access based on IP address, but we would like to incorporate WAF rules like restricting access to only the United States.

Other WAF features like pattern matching and logging are also important to us.

Following your workaround and creating a custom CloudFront distribution (with WAF), and using the amplifyapp url as the Origin seems like a legitimate (and fairly simple to set up) way to incorporate a firewall, but we would need to be able to configure the original domain.

I may be wrong, but I believe that having a firewall in place is a Must for many applications, even if the URL needs to be publicly accessible.

danieladams456 commented 4 years ago

We would like to use AWS Amplify to host apps for our internal users. For that use case, IP whitelist would be sufficient.

connor-rw commented 4 years ago

Just wanted to add that using a WAF is a requirement for my team as well, so this would be a huge feature / value-add for us.

Thanks for all of your great work!

neilbts commented 4 years ago

WAF would be fantastic but IP whitelisting would be sufficient. Thanks!

rkaplan commented 4 years ago

+1 for IP whitelisting, this would be extremely helpful

swaminator commented 4 years ago

@rkaplan @neilbts @connor-rw @danieladams456 @blazinaj thanks for all the feedback. So far we've received requirements along a spectrum:

  1. IP Whitelisting: Ability to restrict access based on IP addresses.
  2. WAF: Ability to setup a firewall to use features such as geographic restriction, pattern matching.
  3. VPC: While we haven't heard it here, we've had customers ask us to offer a managed hosting in their internal VPC.

We will update you when we make progress on these!

danieladams456 commented 4 years ago

@swaminator VPC would be awesome as we could then easily put it behind ALB OIDC auth. That would simplify things over having static on Amplify, which then has to trap denies/login redirects on ajax calls and do the appropriate action to kick off the login flow.

It also would mostly do away with the need for #184

LechuckThePirate commented 4 years ago

Yes ... in my company we definitely need VPC integration, since our web portal is not accessible from the Internet, but from a VPN connection from clients

abhishekdixit1508 commented 4 years ago

@swaminator Thanks for taking this up to the next level. Just checking if you have any updates on the implementation? Regards Abhi

teemuniiranen commented 4 years ago

I thought that this could be done by just specifying WebACLId to the generated CloudFormation template under CloudFront distribution but seems like it is not used when requested through amplifyapp.com URLs (although it was created correctly).

IsaacTrevino commented 4 years ago

+1 This feature would definitely help our company's web app, allowing certain networks to gain access (like the covid-19 work from home situation), and an automated WAF since I am quite new to firewalls.

toritroniks commented 4 years ago

+1 I also would love to have ip whitelisting.

rrsai commented 3 years ago

Just to add to the use case here:

Whenever I develop an app, I initially don't want to fully expose it to the world, but I do want to share it directly with stakeholders so that they can see the work and progress. So I need a WAF from day 1 (or, suboptimally, ip whitelisting).

Cloudfront sites currently allow for using WAF (even if I had to manually incorporate it), but amplify hosting does not appear to.

jabrennem commented 3 years ago

I also have a similar situation where I could heavily use Amplify for many projects at work for quick deployments, but unfortunately cannot use it because they are for an internal facing audience as well. Is there any progress on this feature?

tchalvak commented 3 years ago

One approach I found to get a waf in play is to set up hosting with the cloudfront & s3 option and then attach a waf to that cloudfront.

denonade commented 3 years ago

One approach I found to get a waf in play is to set up hosting with the cloudfront & s3 option and then attach a waf to that cloudfront.

@tchalvak, is it feasible to point CloudFront at the public domain name of the Amplify app as origin? If so, does the traffic pass through the internet back and forth to Amplify?

tchalvak commented 3 years ago

As long as you pick the non-amplify, cloudfront hosting, you can attach a waf to that cloudfront. If you use the amplify as an origin for a cloudfront, I haven’t tried that, and would expect it to get very annoying because I expect amplify hosting is an invisible cloudfront of theirs. With amplify hosting you do not have a bucket under your control.

So then you would be pointing a cloudfront origin at cloudfront edges, I imagine the caching would get very hard to manage. But easy to try it, I suppose.

blazinaj commented 3 years ago

As long as you pick the non-amplify, cloudfront hosting, you can attach a waf to that cloudfront.

Yeah, we currently are hosting using the Amplify CLI Hosting Category with Cloudfront and attached our WAF and it works fine. We then just manually cloned the Amplify Console CI functionality using AWS Code Pipeline and stopped using Amplify Console.

If you use the amplify as an origin for a cloudfront

You can use the Amplify Console CF as your own Cloudfront Origin, but since you can't configure the Amplify Console managed Cloudfront distribution, there is no way to disable it. Traffic can potentially bypass your Cloudfront+WAF and go through the other one if they can find the domain

bitemarcz commented 3 years ago

Sounds like there are some workarounds that have been attempted using Cloudfront... We are needing to figure out a way to allow a source IP Address to our front-end and validate it's the whitelisted IP Address; if not, return to the previous service. Sounds like there isn't a direct way to do this. I'm thinking at this point to have that functionality I'd probably have to migrate away from Amplify and host the front-end on either a container or ec2 instance? Correct me if I'm wrong here.

denlcy commented 3 years ago

Almost half a year gone, I want to check whether the existing Amplify is still missing the WAF, IP whitelisting and VPC private endpoint integration?

ckho-wkcda commented 3 years ago

Is it still on roadmap?

swaminator commented 3 years ago

@blazinaj would you be willing to chat with us on requirements? We are (finally) picking this up. Specifically around pattern matching. What are some rules you currently have in place?

swaminator commented 3 years ago

@ckho-wkcda same. Would you be willing to talk to us about the feature?

denonade commented 3 years ago

@swaminator , below are two high level requirements, please check, thanks a lot.

  1. For the CloudFront embedded in Amplify implicitly, does it support WAF, IP whitelisting and those ingress control features?
  2. If the use case is not public-facing, can Amplify integrate with a VPN endpoint or private link of API Gateway such that Amplify can be a sub-system of the central system hosted in the VPC landscape?

swaminator commented 3 years ago

@denonade can you elaborate on your 2nd usecase?

denonade commented 3 years ago

[architecture diagram images not reproduced]

Nano URL service

  1. End user logs in and registers a long url from the web app developed and hosted by Amplify
  2. End user gets the nano url from the web app, and shares it on the SNS. Other end users browse the tiny url

From the architecture diagram above, you can see that

  1. In order to have ingress control, an additional CloudFront with WAF needs to be placed in front of Amplify
  2. As the VPC and private domain name are not supported by AWS Amplify at this moment, private API is not applicable to the REST API calls (POST /stage/resPool) from Amplify to API Gateway. That means the REST API calls have to pass through the public internet to the API Gateway, which may induce some security compliance issue.

Hope the Amplify can enhance to support VPC integration, private domain name as well as WAF and ingress control. Thank you.

slikk66 commented 3 years ago

Also found this looking for a way to add WafV2 WebACL against the cloudfront in use by Amplify. I suppose we'll have to generate our own ACM, Cloudfront distro and point to the amplify domain as origin, which decreases the helpfulness of Amplify considerably. Would love to see it added.

vishwas-mr commented 3 years ago

@swaminator, any ETA as to when this feature would be available to users (specifically in ap-south-1)?

yhminbv commented 3 years ago

I need this feature!!!!!!

apatel-rms commented 2 years ago

IP Whitelisting or WAF would be very useful for me right now.

BitShepherd commented 2 years ago

We would also be interested in adding WAF to an Amplify App at my company.

jfreeley-ninthwave commented 2 years ago

+1 here too .. either Whitelisting or full feature waf ..

ilawson-canojatech commented 2 years ago

Is there any update to this feature request for any of the scenarios described above? We make heavy use of Amplify and are considering alternatives due to lack of security options on ingress traffic.

grayaii commented 2 years ago

We just got bit by this too. We had an Amplify project that had custom domains. We manually created a Cloudfront resource protected by WAF and manually tweaked Route53 to change the A Record from Amplify's internal Cloudfront distro to ours, and it didn't work.

It turns out you get really weird behavior if you do this. For instance, 50% of the time your domain goes to your CDN, the other times it goes to Amplify's endpoint. DNS is not happy at all.

You MUST remove the management of the domain from your Amplify project. BUT, like someone pointed out, the Amplify endpoint is public and if people know about it, they can circumvent your CDN all together. But it's better than nothing!
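The workaround the thread converges on (own CloudFront distribution with a WAFv2 web ACL, amplifyapp.com domain as origin, DNS moved out of Amplify's management), written out as a CloudFormation template. This is an added example, not code from the issue or the Amplify project; the origin domain and the office CIDR are placeholders, and the allow rules encode the two requests raised above (office IP range OR US-only geo match), with everything else blocked.

```yaml
# Added example, not from this issue or the Amplify project. Placeholders:
# AmplifyOriginDomain (the auto-generated amplifyapp.com host) and OfficeCidr.
# Caveat from the thread: the amplifyapp.com origin itself stays publicly
# reachable, so this filters the custom domain only, not direct hits on it.
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  AmplifyOriginDomain:
    Type: String
    Default: production.EXAMPLE.amplifyapp.com   # placeholder
  OfficeCidr:
    Type: String
    Default: 203.0.113.0/24                       # placeholder (RFC 5737 range)
Resources:
  OfficeIpSet:
    Type: AWS::WAFv2::IPSet
    Properties:
      Scope: CLOUDFRONT              # CLOUDFRONT-scoped WAFv2 resources live in us-east-1
      IPAddressVersion: IPV4
      Addresses: [!Ref OfficeCidr]
  WebAcl:
    Type: AWS::WAFv2::WebACL
    Properties:
      Scope: CLOUDFRONT
      DefaultAction: { Block: {} }   # deny unless an allow rule below matches
      VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: amplify-waf }
      Rules:
        - Name: allow-office-ips     # IP whitelisting request
          Priority: 0
          Action: { Allow: {} }
          Statement: { IPSetReferenceStatement: { Arn: !GetAtt OfficeIpSet.Arn } }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: allow-office-ips }
        - Name: allow-us-only        # geographic restriction request
          Priority: 1
          Action: { Allow: {} }
          Statement: { GeoMatchStatement: { CountryCodes: [US] } }
          VisibilityConfig: { SampledRequestsEnabled: true, CloudWatchMetricsEnabled: true, MetricName: allow-us-only }
  Cdn:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        WebACLId: !GetAtt WebAcl.Arn           # WAFv2 ACLs attach to CloudFront by ARN
        Origins:
          - Id: amplify
            DomainName: !Ref AmplifyOriginDomain
            CustomOriginConfig: { OriginProtocolPolicy: https-only }
        DefaultCacheBehavior:
          TargetOriginId: amplify
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues: { QueryString: true, Cookies: { Forward: none } }
```

Point the custom domain's Route53 record at the `Cdn` distribution only after removing that domain from the Amplify app, which is the DNS flapping grayaii describes.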

ghost commented 2 years ago

Any update on this one?

VasanthV03 commented 2 years ago

Amplify would be just incomplete without WAF support

abhijeet-toptal commented 2 years ago

Any updates or ETA?

rosmu commented 1 year ago

This FR is pending for about 3 years now. We have put people on the moon with much less time than this. We expect to have this feature released before our next re:Invent

emrul commented 1 year ago

This FR is pending for about 3 years now. We have put people on the moon with much less time than this. We expect to have this feature released before our next re:Invent

Not being funny, but when in history have people been put on the moon in less than 3 years?

continueai-idan commented 1 year ago

Will this ever happen? Using amplify without the ability to restrict access by source ip / deploying it internally is not so good for internal apps.

brian-snyder commented 1 year ago

WAF with Amplify apps is highly desired/required feature for me as well. Not just IP whitelisting but full feature set.

royax88 commented 1 year ago

Any Updates?

MaxHXie commented 1 year ago

Chipping in on this also

dgokcin commented 1 year ago

any updates?

justinwiley commented 1 year ago

@garyleefight or maybe @swaminator any updates / can you comment on the priority of this feature in the roadmap?

danfreid commented 1 year ago

+1

rodrigomotta1 commented 1 year ago

Does anyone know any possible workaround for this integration between Amplify Hosting and WAF?

omarcardona16 commented 1 year ago

Any Updates?