Many AWS Amplify web applications have no web application firewall in front of them at all, simply because Amplify Hosting has no native integration with AWS WAF. This template is therefore a quick and effective way to improve the security of such an application.
Following the steps in this pattern creates an Amazon CloudFront distribution associated with an AWS WAFv2 web ACL configured with basic AWS Managed Rule groups. It also shows how an extra layer of protection is applied to the Amplify application itself so that users cannot circumvent the WAFv2 configuration by calling the Amplify endpoint directly: all traffic into the application must now go through the new CloudFront distribution.
The pattern is supplied with a self-contained sample CDK construct which can be used as-is or modified to enable WAF integration on an existing Amplify web application. The code also enables automated cache invalidation of the newly created CloudFront distribution every time new code is deployed for the Amplify-hosted web app.
Deploying the supplied CDK code deploys the architecture shown below into the target AWS account. The Amplify application is not created by the CDK code and is expected to already exist in the target AWS account.
Deploying an AWS WAF web ACL with the supplied CDK code is optional; you can integrate an existing web ACL as long as it can be attached to a CloudFront distribution, which means it must have CLOUDFRONT scope and therefore be created in the us-east-1 region.
This pattern provides deployment through AWS CDK, which can easily be automated in CI/CD pipelines.
Note: deploying this CDK code adds configuration to the existing Amplify app (the basic-authentication protection of the branch described below). This should not create issues for IaC operations performed on the Amplify resource outside this stack.
Follow the steps below to enable WAF on an existing Amplify application using AWS CDK constructs.
Download the source code from GitHub and set up a virtual environment
We recommend using AWS Cloud9 as the IDE for this pattern, but you can also use another IDE (for example, Visual Studio Code or IntelliJ IDEA).
git clone https://github.com/aws-samples/aws-cdk-amplify-with-waf.git
To create the virtualenv for the CDK application, a python3 (or python on Windows) executable with access to the venv package must be available in your path.
On macOS / Linux:
python3 -m venv .venv
source .venv/bin/activate
On Windows:
python -m venv .venv
.venv\Scripts\activate.bat
Additionally, on Windows change python3 to python in the entry point (the app key) in cdk.json.
Once the virtualenv is activated, install the required dependencies:
pip install -r requirements.txt
Bootstrap the CDK app
Use --profile PROFILE_NAME in all cdk commands to select the AWS CLI profile for the target account.
cdk bootstrap aws://ACCOUNT-NUMBER/REGION-1 aws://ACCOUNT-NUMBER/REGION-2
REGION-1 must be us-east-1, because a web ACL that is attached to CloudFront has to be created there. REGION-2 is the region in which the Amplify app exists.
Update the following parameters in the cdk.json file.
app_id : Amplify app ID of the existing Amplify app to which you want to associate the WAF. This is the last part of the Amplify app ARN, which has the format arn:PARTITION:amplify:REGION:ACCOUNT_ID:apps/APP_ID. The Amplify app ARN can be found in the AWS Console.
branch_name : Branch corresponding to the deployment which needs to be protected using WAF.
web_acl_arn : ARN of an existing web ACL if you want that web ACL associated with the Amplify app; it must be a CLOUDFRONT-scoped web ACL in us-east-1. If you do not have an existing web ACL to attach, leave this empty and deploy the CustomWebAcl stack from this CDK app to create a web ACL with a pre-defined set of AWS Managed rules.
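A pre-flight check for the cdk.json context, as an added example (not code from the repository): it extracts the app ID from an Amplify app ARN in the format given above and rejects a web_acl_arn that CloudFront cannot use, which is any WAFv2 web ACL whose ARN is not global-scoped in us-east-1. The sample cdk.json, the account number and the IDs in it are constructed placeholders.

```python
"""Pre-flight check for the cdk.json context consumed by this pattern.
Added example, not code from the repository: the ARN formats are the
documented AWS formats, the sample cdk.json below is constructed."""
import json
import re
from typing import List

# Constructed cdk.json content; the IDs and account number are placeholders.
SAMPLE_CDK_JSON = """{
  "app": "python3 app.py",
  "context": {
    "app_id": "arn:aws:amplify:eu-west-1:123456789012:apps/d1abc2def3ghij",
    "branch_name": "main",
    "web_acl_arn": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/CustomWebAcl/473e64fd-f30b-4765-81a0-62ad96dd167a"
  }
}"""

AMPLIFY_APP_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):amplify:(?P<region>[^:]+):(?P<account>\d{12}):apps/(?P<app_id>[A-Za-z0-9]+)$"
)
WAFV2_WEBACL_ARN = re.compile(
    r"^arn:(?P<partition>[^:]+):wafv2:(?P<region>[^:]+):(?P<account>\d{12}):"
    r"(?P<scope>global|regional)/webacl/(?P<name>[^/]+)/(?P<id>[0-9a-f-]+)$"
)


def normalize_app_id(value: str) -> str:
    """Accept either a bare Amplify app ID or the full app ARN and return the ID
    (the last path segment of arn:PARTITION:amplify:REGION:ACCOUNT_ID:apps/APP_ID)."""
    if value.startswith("arn:"):
        m = AMPLIFY_APP_ARN.match(value)
        if not m:
            raise ValueError(f"not an Amplify app ARN: {value}")
        return m.group("app_id")
    if not re.fullmatch(r"[A-Za-z0-9]+", value):
        raise ValueError(f"not an Amplify app ID: {value!r}")
    return value


def check_web_acl_arn(arn: str) -> List[str]:
    """A web ACL can only be attached to CloudFront if it has CLOUDFRONT scope,
    which WAFv2 represents as a 'global' ARN created in us-east-1."""
    m = WAFV2_WEBACL_ARN.match(arn)
    if not m:
        return [f"web_acl_arn is not a WAFv2 web ACL ARN: {arn}"]
    problems = []
    if m.group("scope") != "global":
        problems.append("web_acl_arn has REGIONAL scope; CloudFront needs a CLOUDFRONT-scoped (global) web ACL")
    if m.group("region") != "us-east-1":
        problems.append(f"web_acl_arn is in {m.group('region')}; CloudFront web ACLs live in us-east-1")
    return problems


def check_cdk_json(text: str, windows: bool = False) -> List[str]:
    """Return a list of problems; an empty list means the context is usable."""
    doc = json.loads(text)
    ctx = doc.get("context", {})
    problems: List[str] = []
    if windows and doc.get("app", "").startswith("python3"):
        problems.append("on Windows the 'app' entry point must call python, not python3")
    try:
        normalize_app_id(ctx.get("app_id", ""))
    except ValueError as err:
        problems.append(str(err))
    if not ctx.get("branch_name"):
        problems.append("branch_name is missing; the protection is applied per branch")
    web_acl_arn = ctx.get("web_acl_arn", "")
    if web_acl_arn:  # empty means: deploy CustomWebAclStack to create one
        problems.extend(check_web_acl_arn(web_acl_arn))
    return problems


if __name__ == "__main__":
    for line in check_cdk_json(SAMPLE_CDK_JSON) or ["cdk.json context looks usable"]:
        print(line)
```

Run it against your real cdk.json (read the file instead of SAMPLE_CDK_JSON) before cdk deploy; a regional web ACL or one created outside us-east-1 will fail the deployment much later, when the distribution is created.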
(Optional) Deploy the web ACL stack
cdk deploy CustomWebAclStack
Deploy the custom Amplify distribution stack
cdk deploy CustomAmplifyDistributionStack
Verify the deployment
Use the output of the CustomAmplifyDistributionStack to test the web application. The web application should now be accessible using the CloudFront URL.
Try accessing the direct Amplify endpoint of the web app; it should now prompt for basic authentication, so a client that bypasses CloudFront (and therefore the WAF) gets nothing without the credential.
Update the web application and commit the changes to verify that Amplify deploys the app successfully and that the cache of the custom CloudFront distribution is invalidated automatically.
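The two checks above, as an added example script (not part of the repository): the CloudFront URL must answer 200 and the response must carry the Via header CloudFront adds, while the direct Amplify endpoint must refuse anonymous requests with a 401 and an HTTP Basic challenge. The URLs and the canned responses below are constructed placeholders so the script runs offline; pass the default fetch function instead of fake_fetch to check a real deployment.

```python
"""Post-deployment check for the two entry points created by this pattern.
Added example, not code from the repository. The URLs (the CloudFront
domain from the stack output and the default BRANCH.APP_ID.amplifyapp.com
domain) and the offline responses are constructed placeholders."""
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str]]  # (HTTP status, header names lower-cased)


def fetch(url: str, timeout: float = 10.0) -> Response:
    """GET the URL; 4xx/5xx answers are returned as data rather than raised,
    because a 401 from the direct endpoint is exactly the result we want."""
    req = urllib.request.Request(url, headers={"User-Agent": "amplify-waf-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def check_cloudfront(url: str, fetcher: Callable[[str], Response] = fetch) -> List[str]:
    """The app must be reachable through the distribution, and the answer must
    actually have come via CloudFront (it adds a 'Via: ... (CloudFront)' header)."""
    status, headers = fetcher(url)
    problems = []
    if status != 200:
        problems.append(f"{url}: expected 200 through CloudFront, got {status}")
    if "cloudfront" not in headers.get("via", "").lower():
        problems.append(f"{url}: response carries no CloudFront Via header")
    return problems


def check_direct_amplify(url: str, fetcher: Callable[[str], Response] = fetch) -> List[str]:
    """The direct Amplify endpoint must refuse anonymous requests with HTTP
    Basic authentication; anything else means the WAF can be bypassed."""
    status, headers = fetcher(url)
    problems = []
    if status != 401:
        problems.append(f"{url}: expected 401 from the direct endpoint, got {status}; the WAF can be bypassed")
    if not headers.get("www-authenticate", "").lower().startswith("basic"):
        problems.append(f"{url}: no 'WWW-Authenticate: Basic' challenge on the direct endpoint")
    return problems


def verify(cloudfront_url: str, amplify_url: str,
           fetcher: Callable[[str], Response] = fetch) -> List[str]:
    """Run both checks and return every problem found (empty list = all good)."""
    return check_cloudfront(cloudfront_url, fetcher) + check_direct_amplify(amplify_url, fetcher)


# Constructed placeholder URLs and responses so the script runs offline.
CLOUDFRONT_URL = "https://d111111abcdef8.cloudfront.net/"
AMPLIFY_URL = "https://main.d1abc2def3ghij.amplifyapp.com/"
FAKE_RESPONSES: Dict[str, Response] = {
    CLOUDFRONT_URL: (200, {"via": "1.1 abcdef.cloudfront.net (CloudFront)", "x-cache": "Miss from cloudfront"}),
    AMPLIFY_URL: (401, {"www-authenticate": 'Basic realm="amplify"'}),
}


def fake_fetch(url: str) -> Response:
    """Stand-in for fetch() that serves the constructed responses above."""
    return FAKE_RESPONSES[url]


if __name__ == "__main__":
    # Replace fake_fetch with fetch (the default) to test the real deployment.
    problems = verify(CLOUDFRONT_URL, AMPLIFY_URL, fetcher=fake_fetch)
    print("deployment looks correct" if not problems else "\n".join(problems))
```

A 403 through CloudFront while the direct endpoint still answers 401 usually means the web ACL blocked the test request rather than that the deployment is broken; look at the sampled requests of the web ACL before changing anything.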
Read our contributing guide to learn about our development process, how to propose bugfixes and improvements, and how to integrate your changes into this repository.
This library is licensed under the MIT-0 License. See the LICENSE file.