12

does anyone know how to add your cloudfront distro into the security group inbound rules for an ELB?

We have a CloudFront distro set up for a new site which has a whitelisted set of security group rules for its origin. I can't see how to configure the security group to allow requests from the CloudFront distro...

any ideas?

rabs

5 Answers

6

If you follow the link provided by Amir Mehler in the comments above, the author of the blog points to an official AWS Lambda function on Github that will update a security group with the CloudFront IPs. I used this, and it works great.

If you don't like Lambda, you could do it manually.

Note: When trying to use the sample test config for the first time, update the MD5 to match the hash of the current ip-ranges.json file, or it will error.

Matt Beckman
  • There is also a step-by-step HOWTO: https://blogs.aws.amazon.com/security/post/Tx1LPI2H6Q6S5KC/How-to-Automatically-Update-Your-Security-Groups-for-Amazon-CloudFront-and-AWS-W – galaxy Jun 01 '16 at 13:50
  • This no longer seems to work, as the number of CloudFront IP addresses required exceeds the max number of rules a Security Group will allow. Ergo, the Lambda will not run. Try: https://aws.amazon.com/blogs/security/automatically-update-security-groups-for-amazon-cloudfront-ip-ranges-using-aws-lambda/ – Leon Mar 02 '21 at 14:13
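The core of what the linked Lambda does, as an added example that is not code from this thread or from AWS's sample: it checks the hash of an ip-ranges.json document (the MD5 the note above refers to), pulls out the CLOUDFRONT prefixes, and shows how many security groups the rule quota forces once every prefix needs one rule per listener port, which is why the single-group approach stopped working. The input is a constructed sample in the shape of the real file, so it runs offline; the boto3 IpPermissions structure is built but not sent to AWS.

```python
"""Added example: verify, extract and chunk CloudFront ranges from ip-ranges.json."""
import hashlib
import ipaddress
import json

# Constructed sample in the shape of https://ip-ranges.amazonaws.com/ip-ranges.json
# (the real file has thousands of entries, many listed under several services).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0000000000",
    "createDate": "2000-01-01-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/25", "region": "GLOBAL", "service": "AMAZON"},
    ],
})


def document_md5(body: str) -> str:
    """Hex MD5 of the document, the value the sample Lambda's test config carries."""
    return hashlib.md5(body.encode()).hexdigest()


def verify_md5(body: str, expected_md5: str) -> bool:
    """Refuse to act on a document whose hash does not match the expected one;
    a stale hash is exactly the error the note above describes."""
    return document_md5(body) == expected_md5.lower()


def cloudfront_prefixes(body: str) -> list[str]:
    """Return the CLOUDFRONT prefixes, deduplicated and sorted as networks."""
    data = json.loads(body)
    nets = {ipaddress.ip_network(p["ip_prefix"]) for p in data["prefixes"]
            if p["service"] == "CLOUDFRONT"}
    return [str(n) for n in sorted(nets)]


def plan_security_groups(prefixes, ports=(80, 443), rules_per_group=60):
    """One rule per prefix per port must fit the group's quota (60 by default,
    adjustable per account), so split the prefixes into per-group chunks."""
    per_group = max(1, rules_per_group // len(ports))
    return [prefixes[i:i + per_group] for i in range(0, len(prefixes), per_group)]


def ingress_permissions(prefixes, ports=(80, 443)) -> list[dict]:
    """IpPermissions for one chunk, in the shape boto3's
    authorize_security_group_ingress expects (constructed, not sent)."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": p, "Description": "CloudFront"} for p in prefixes]}
            for port in ports]
```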
4

Beginning February 2022, you should use AWS Managed Prefix Lists. They are lists of IPs managed by AWS, and kept up to date by them, that you can use in your route tables and security groups.

Be advised, the Amazon CloudFront managed prefix list counts as 55 rules in a security group. The default quota is 60 rules, leaving room for only 5 additional rules in a security group. You should request a quota increase for this quota. It counts as 55 routes in a route table. The default quota is 50 routes, so you must request a quota increase before you can add the prefix list to a route table.

rpadovani
  • Also keep in mind that someone else could create a CloudFront distribution that points to *your* EC2/ELB. Additional measures are recommended if you require stricter access control. – iBug Aug 09 '22 at 13:17
2

When you say "add origin" in a CloudFront distribution and click the "Origin Domain Name" box, it lists all your AWS resources from this account (including ELB). You can just choose it.

However, the security group associated with your ELB should allow public access (HTTP/HTTPS, 0.0.0.0/0). This is not any less safe, since anyway you want the public to access the ELB via CloudFront. The moment you make things available via a CDN, it is for public access. I have been configuring the ELB security groups this way. Open to other suggestions!

Now for the security group of the EC2s behind the ELB: here you should not allow public access. Instead allow only access from the ELB's security group (you can achieve this by selecting the ELB security group from the list, instead of keying in an inbound IP address).

Now, this can be configured a little differently if the origin is S3. Here you need not make the bucket public. Instead restrict access to the bucket using a bucket policy (no security groups here) allowing only the IAM origin access identity. More info here: Serving Private Content through CloudFront - Amazon CloudFront

Sony Kadavan
  • Yeah, I can select it OK as an origin; CloudFront however hangs when connecting back to the origin (it's being blocked by the security group rules). I still can't find a way to do this :( – rabs Mar 06 '14 at 04:17
  • @rabs - I did some more checks on my setup and have enhanced the answer above. Have a look. Ultimately your exact requirement of "keeping ELB private and cloudfront private" - I don't know a good way to achieve this. – Sony Kadavan Mar 06 '14 at 16:31
  • I like the idea that only CloudFront can access the ELB. For example, someone makes a DDoS on the ELB. The ELB starts instances until it reaches the limit and your application isn't working anymore. But if someone makes a DDoS on the CloudFront URL, Amazon protects your ELB and saves you from high costs. So, how to do that? – user1791139 Apr 23 '15 at 11:05
  • There's no straightforward way currently (at least I didn't find it) but this guy wrote a script that updates a dedicated security group with ALL of CloudFront's IPs. So you can allow only this SG. http://www.24hoursmedia.com/2015/10/08/aws-cloudfront-elb-securitygroup/ – Amir Mehler Jan 17 '16 at 15:34
  • Since AWS WAF has come out, it's now a bad idea to open your ELB to the world if you are using AWS WAF via CloudFront. Otherwise, people could bypass your WAF settings. We use Terraform to keep our SGs up to date. One thing to note is that you can only have 50 rules per SG, so you may need multiple SGs if you support HTTP and HTTPS at the ELB. – ZiggyTheHamster Aug 26 '16 at 21:42
  • @SonyKadavan how does CloudFront communicate with the ELB? Is that AWS internal, or does the communication happen unencrypted (if set to HTTP) and is it vulnerable to man-in-the-middle attacks? – kev Oct 26 '17 at 06:12
1

I have solved it with the help of this post: Automatically update security groups for Amazon CloudFront IP ranges using AWS Lambda

It is a step-by-step tutorial, very detailed, a bit outdated already but you won't get lost.

The only drawback is that each time the Lambda function creates a new security group you will have to attach it to your EC2 instance or ELB manually. Maybe this can also be solved in an efficient way automatically, but the blog post doesn't mention it.

Balazs Szanto
0

This is more of a question than an answer, but embedded in it is how I would do it:

Step 1: Get data from here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html -> http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips

Step 2: Create Security group with data...

Question part: Why the hell does the AWS API have a limit on the number of rules that is LESS than the number of endpoints of its services...

This is what happens when you call the API (which is how I ended up here): HTTP 400

eco
  • Here's your reference GitHub bug: https://github.com/aws-samples/aws-cloudfront-samples/issues/8#issuecomment-495434745 -> it is from 2017 and they still haven't fixed it. – eco May 24 '19 at 00:58