--- title: CloudFront without WAF description: Datadog, the leading service for cloud-scale monitoring. breadcrumbs: >- Docs > Datadog Security > Code Security > Infrastructure as Code (IaC) Security > IaC Security Rules > CloudFront without WAF --- # CloudFront without WAF {% callout %} # Important note for users on the following Datadog sites: app.ddog-gov.com, us2.ddog-gov.com {% alert level="danger" %} This product is not supported for your selected [Datadog site](https://docs.datadoghq.com/getting_started/site.md). ({% placeholder "user-datadog-site-name" /%}). {% /alert %} {% /callout %} ## Metadata{% #metadata %} **Id:** `cloudformation-aws-cloudfront-without-waf` **Provider:** AWS **Platform:** CloudFormation **Severity:** Medium **Category:** Networking and Firewall #### Learn More{% #learn-more %} - [Provider Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-cloudfront-distribution-distributionconfig.html#cfn-cloudfront-distribution-distributionconfig-webaclid) ### Description{% #description %} CloudFront distributions should be associated with an AWS WAF web ACL to block common web exploits and reduce exposure to application-layer attacks such as SQL injection, cross-site scripting, and automated bot abuse. For enabled distributions (resources of type `AWS::CloudFront::Distribution` where `DistributionConfig.Enabled` is not explicitly `false`), the `DistributionConfig.WebACLId` property must be defined and set to a non-empty value. Resources missing `WebACLId` or with `WebACLId` set to an empty string will be flagged. `WebACLId` should contain the ARN of an AWS WAF or AWS WAFv2 web ACL (for CloudFront, use the global AWS WAFv2 ARN) or a CloudFormation reference to an existing web ACL. Secure configuration example: ```yaml MyDistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Enabled: true WebACLId: arn:aws:wafv2:us-east-1:123456789012:global/webacl/my-webacl/11111111-1111-1111-1111-111111111111 ``` ## Compliant Code Examples{% #compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Resources: cloudfrontdistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Enabled: true CacheBehaviors: - LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value DefaultCacheBehavior: LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value IPV6Enabled: boolean-value Origins: - CustomOriginConfig: OriginKeepaliveTimeout: integer-value OriginReadTimeout: integer-value WebACLId: string-value Tags: - Key: string-value Value: string-value ``` ## Non-Compliant Code Examples{% #non-compliant-code-examples %} ```yaml AWSTemplateFormatVersion: 2010-09-09 Resources: cloudfrontdistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Enabled: true CacheBehaviors: - LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value DefaultCacheBehavior: LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value IPV6Enabled: boolean-value Origins: - CustomOriginConfig: OriginKeepaliveTimeout: integer-value OriginReadTimeout: integer-value Tags: - Key: string-value Value: string-value ``` ```yaml AWSTemplateFormatVersion: 2010-09-09 Resources: cloudfrontdistribution: Type: AWS::CloudFront::Distribution Properties: DistributionConfig: Enabled: true CacheBehaviors: - LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value DefaultCacheBehavior: LambdaFunctionAssociations: - EventType: string-value LambdaFunctionARN: string-value IPV6Enabled: boolean-value Origins: - CustomOriginConfig: OriginKeepaliveTimeout: integer-value OriginReadTimeout: integer-value WebACLId: "" Tags: - Key: string-value Value: string-value ```