2

I have CloudFront serving only images - stored in S3 but served through CloudFront. The Web application is hosted separately.

Do I need AWS WAF? Or what does WAF add when only images are served?

neuro
  • 14,948
  • 3
  • 36
  • 59
Sun
  • 2,110
  • 2
  • 21
  • 28

1 Answer

1

There are a few things WAF adds, depending on your requirements:

  1. It can help keep bots or other automated clients away from your images.
  2. Any GET request to S3 (even a 404) will incur a fee. So WAF can step in and help prevent these excessive charges caused by bots scanning for vulnerabilities or any sort of attack that involves excessive requests. CloudFront may buffer you to an extent, but I think WAF would do a better job of blocking things.

So I think having an ACL that includes (at least) rate limiting, and maybe the baseline rule groups, would be good. You could throw in geo-blocking as well, but CF has that separately.

It is also worth mentioning that it is important to take advantage of origin access control (OAC) which is a newer (as of August 2022) way to keep your bucket private and prevent direct requests to S3.

Jason Capriotti
  • 1,836
  • 2
  • 17
  • 33
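The pieces the answer recommends (a CloudFront-scoped web ACL with a rate-based rule and a baseline managed rule group, geo restriction handled on the distribution, and OAC so the bucket only answers to CloudFront) fit into one Terraform configuration. This is an added example, not code from the question or the answer. It assumes an existing `aws_s3_bucket.images` resource, that the `aws_wafv2_web_acl` is created by a provider configured for us-east-1 (CloudFront-scoped web ACLs must be created there), and that the 2,000-requests-per-5-minutes limit, rule names and metric names are illustrative choices to adjust for your own traffic.

```hcl
# Web ACL for the image distribution. scope = "CLOUDFRONT" requires the
# us-east-1 region for the provider that creates this resource (assumption:
# the default provider here points at us-east-1).
resource "aws_wafv2_web_acl" "images" {
  name  = "images-cdn-acl"
  scope = "CLOUDFRONT"

  default_action {
    allow {}
  }

  # Rate limiting: block any single client IP that exceeds 2,000 requests
  # in a 5-minute window. This is the cheap guard against scanners and
  # scrapers that would otherwise generate billable S3 GETs (even 404s).
  rule {
    name     = "rate-limit-per-ip"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        limit              = 2000 # illustrative threshold
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "rate-limit-per-ip"
      sampled_requests_enabled   = true
    }
  }

  # Baseline managed rule group from AWS (the "Core rule set").
  # override_action none means the group's own block/count actions apply.
  rule {
    name     = "aws-common-rule-set"
    priority = 2
    override_action {
      none {}
    }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
    visibility_config {
      cloudwatch_metrics_enabled = true
      metric_name                = "aws-common-rule-set"
      sampled_requests_enabled   = true
    }
  }

  visibility_config {
    cloudwatch_metrics_enabled = true
    metric_name                = "images-cdn-acl"
    sampled_requests_enabled   = true
  }
}

# Origin access control: CloudFront signs its requests to S3 with SigV4,
# and the bucket policy below only trusts requests carrying that signature
# from this specific distribution.
resource "aws_cloudfront_origin_access_control" "images" {
  name                              = "images-oac"
  origin_access_control_origin_type = "s3"
  signing_behavior                  = "always"
  signing_protocol                  = "sigv4"
}

resource "aws_cloudfront_distribution" "images" {
  enabled    = true
  web_acl_id = aws_wafv2_web_acl.images.arn # attach the WAF ACL

  origin {
    domain_name              = aws_s3_bucket.images.bucket_regional_domain_name
    origin_id                = "s3-images"
    origin_access_control_id = aws_cloudfront_origin_access_control.images.id
  }

  default_cache_behavior {
    allowed_methods        = ["GET", "HEAD"] # images only: no write methods
    cached_methods         = ["GET", "HEAD"]
    target_origin_id       = "s3-images"
    viewer_protocol_policy = "redirect-to-https"
    forwarded_values {
      query_string = false
      cookies {
        forward = "none"
      }
    }
  }

  # Geo-blocking lives on the distribution rather than in WAF. "none" here;
  # switch to "blacklist"/"whitelist" with a locations list if needed.
  restrictions {
    geo_restriction {
      restriction_type = "none"
    }
  }

  viewer_certificate {
    cloudfront_default_certificate = true
  }
}

# Bucket policy: the only principal allowed to read objects is the CloudFront
# service, and only on behalf of this distribution (AWS:SourceArn). Direct
# requests to the S3 endpoint are denied by the absence of any other grant.
data "aws_iam_policy_document" "images_oac" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.images.arn}/*"]
    principals {
      type        = "Service"
      identifiers = ["cloudfront.amazonaws.com"]
    }
    condition {
      test     = "StringEquals"
      variable = "AWS:SourceArn"
      values   = [aws_cloudfront_distribution.images.arn]
    }
  }
}

resource "aws_s3_bucket_policy" "images" {
  bucket = aws_s3_bucket.images.id
  policy = data.aws_iam_policy_document.images_oac.json
}
```

Keep S3 Block Public Access enabled on the bucket as well, so that a later edit to the policy cannot accidentally re-open direct access; with OAC in place, every object fetch must arrive via the distribution, which is also where the WAF rate limit and managed rules are evaluated.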