Metadata

Id: 22c80725-e390-4055-8d14-a872230f6607

Cloud Provider: AWS

Platform: Ansible

Severity: Medium

Category: Networking and Firewall

Description

CloudFront distributions must be associated with an AWS WAF Web ACL to filter malicious HTTP traffic and reduce the risk of application-layer attacks such as SQL injection, cross-site scripting, and automated bot abuse.

For Ansible tasks using the community.aws.cloudfront_distribution or cloudfront_distribution module, the web_acl_id property must be defined and set to the ARN of a WAFv2 Web ACL (global scope). This rule flags distributions where web_acl_id is missing or undefined. Ensure the attached WAFv2 Web ACL ARN is compatible with CloudFront.

Secure example (Ansible):

- name: create cloudfront distribution with WAF
  community.aws.cloudfront_distribution:
    state: present
    alias:
      - example.com
    # Global-scope (CloudFront) WAFv2 Web ACLs are created in us-east-1 and use the global/webacl path
    web_acl_id: arn:aws:wafv2:us-east-1:123456789012:global/webacl/example-web-acl/abcd1234-ef56-7890-gh12-ijklmnopqrst
    # other required distribution properties...
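The check this rule performs, as an added example that is not part of the Datadog rule or the community.aws collection: it walks a list of Ansible task dicts (the structure yaml.safe_load produces for a tasks file, embedded here as constructed samples) and flags cloudfront_distribution tasks whose web_acl_id is missing or undefined. It goes one step beyond the rule by also rejecting values that are not global-scope WAFv2 Web ACL ARNs, while passing Jinja-templated values that can only be resolved at run time.

```python
import re

# Module names the rule applies to (both the FQCN and the short name).
CLOUDFRONT_MODULES = {"community.aws.cloudfront_distribution", "cloudfront_distribution"}

# WAFv2 Web ACLs usable by CloudFront are global-scope and live in us-east-1:
#   arn:aws:wafv2:us-east-1:<account>:global/webacl/<name>/<id>
GLOBAL_WAFV2_ACL_ARN = re.compile(
    r"^arn:aws(?:-[a-z]+)?:wafv2:us-east-1:\d{12}:global/webacl/[^/]+/[^/]+$"
)


def check_task(task):
    """Return a list of findings for one Ansible task dict (empty if compliant)."""
    module = next((k for k in task if k in CLOUDFRONT_MODULES), None)
    if module is None:
        return []  # not a CloudFront distribution task
    args = task[module] or {}
    name = task.get("name", "<unnamed>")
    # Free-form "key=value" args or a missing/empty key both mean no Web ACL.
    if isinstance(args, str) or args.get("web_acl_id") in (None, ""):
        return [f"{name}: web_acl_id is missing or undefined"]
    acl = args["web_acl_id"]
    if isinstance(acl, str) and "{{" in acl:
        return []  # templated at runtime; presence satisfies the rule
    if not isinstance(acl, str) or not GLOBAL_WAFV2_ACL_ARN.match(acl):
        return [f"{name}: web_acl_id {acl!r} is not a global-scope WAFv2 Web ACL ARN"]
    return []


def check_tasks(tasks):
    """Run check_task over every task and collect the findings."""
    findings = []
    for task in tasks:
        findings.extend(check_task(task))
    return findings


# Constructed sample tasks (hypothetical names and ARNs, not from any real playbook).
SAMPLE_TASKS = [
    {"name": "compliant", "community.aws.cloudfront_distribution": {
        "state": "present", "default_origin_domain_name": "www.example.com",
        "web_acl_id": "arn:aws:wafv2:us-east-1:123456789012:global/webacl/example/abcd1234"}},
    {"name": "templated", "cloudfront_distribution": {"web_acl_id": "{{ waf_acl_arn }}"}},
    {"name": "missing", "cloudfront_distribution": {"state": "present"}},
    {"name": "regional", "community.aws.cloudfront_distribution": {
        "web_acl_id": "arn:aws:wafv2:eu-west-1:123456789012:regional/webacl/example/abcd1234"}},
    {"name": "unrelated", "amazon.aws.s3_bucket": {"name": "logs"}},
]

if __name__ == "__main__":
    for finding in check_tasks(SAMPLE_TASKS):
        print(finding)
```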

Compliant Code Examples

- name: create a basic distribution with defaults and tags
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'
    web_acl_id: my-web-acl-id

Non-Compliant Code Examples

- name: create a basic distribution with defaults and tags
  community.aws.cloudfront_distribution:
    state: present
    default_origin_domain_name: www.my-cloudfront-origin.com
    tags:
      Name: example distribution
      Project: example project
      Priority: '1'