* Which Category is your question related to? *
Amplify Console Hosting
If I'm using the Amplify Console to host a Static Website, where is it stored? It doesn't look like there is an S3 bucket being used by the Amplify Console to host the website?
If we use the Amplify CLI add hosting, it will use an S3 bucket, does the Amplify Console do something similar, but we just can't access it?
The Amplify Console provides fully managed hosting so you get features such as instant cache invalidation, atomic deploys, branch-based deployments, easy custom domain setup and more.
There isn't any S3 bucket in your account which you can manage. See: https://aws.amazon.com/amplify/console/pricing/
Do we have any control over the CloudFront distribution? Am I able to utilize AWS Web Application Firewall rules or anything like that?
I am just curious about the security details of the "Managed Hosting".
@blazinaj Hi, we have a workaround to enable WAF: Add a new CloudFront distribution from the AWS console and use your amplifyapp.com branch as the origin. Now go to App settings > Environment variables and add a system variable for _DISABLE_L2_CACHE: true. This will allow you to enable features such as WAF for your domain.
Thank you very much. That is what I needed. What does the _DISABLE_l2_CACHE: true do exactly?
When I'm creating a CloudFront distribution, do I put the full amplify url as the Origin Domain Name?

Thank you very much. That is what I needed. What does the _DISABLE_l2_CACHE: true do exactly?
Disabling the L2 cache will disable one layer of CloudFront that AWS Amplify Console uses for instant deployment. As CloudFront allows a maximum of 2 CloudFront distributions chained together, you have to disable it and add your customized distribution.
For the second question, your settings look good to me.
Thank you!
I got it hooked up through my custom CloudFront distribution. How do I make it so that the production.abcxyz.amplifyapp.com URL doesn't just bypass my custom CloudFront/WAF?
@blazinaj Hi, for the WAF feature the original URL is still public. The workaround can't disable the original domain. Right now, you can only use basic auth to ensure its security.
Ah, thank you very much. That's what I needed to know. I'll submit a feature request for that.
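A read-only check of the workaround discussed above, as an added example that is not part of the thread or of any AWS tooling: it inspects JSON shaped like the output of `aws amplify get-app` and `aws cloudfront get-distribution-config` and reports the gaps the thread names, including the still-public amplifyapp.com URL. The sample documents and the function name `audit_workaround` are constructed for illustration, and only app-level basic auth is examined (per-branch settings are not).

```python
import json

# Constructed sample data, shaped like the output of
# `aws amplify get-app` and `aws cloudfront get-distribution-config`.
AMPLIFY_APP = json.loads("""{"app": {
  "defaultDomain": "abcxyz.amplifyapp.com",
  "environmentVariables": {"_DISABLE_L2_CACHE": "true"},
  "enableBasicAuth": false}}""")
DISTRIBUTION = json.loads("""{"DistributionConfig": {
  "Origins": {"Quantity": 1, "Items": [
    {"Id": "amplify", "DomainName": "production.abcxyz.amplifyapp.com"}]},
  "WebACLId": ""}}""")


def audit_workaround(app_doc, dist_doc):
    """Return a list of findings; an empty list means every check passed."""
    app = app_doc["app"]
    cfg = dist_doc["DistributionConfig"]
    findings = []

    # 1. The thread's system variable must be set on the Amplify app.
    env = app.get("environmentVariables", {})
    if str(env.get("_DISABLE_L2_CACHE", "")).lower() != "true":
        findings.append("_DISABLE_L2_CACHE is not set to true")

    # 2. The custom distribution must use the amplifyapp.com branch as origin.
    default = app["defaultDomain"].lower()
    origins = [o["DomainName"].lower() for o in cfg["Origins"].get("Items", [])]
    if not any(o == default or o.endswith("." + default) for o in origins):
        findings.append("no origin points at a branch of " + default)

    # 3. A web ACL must be attached, or the distribution filters nothing.
    if not cfg.get("WebACLId"):
        findings.append("no WAF web ACL attached to the distribution")

    # 4. The amplifyapp.com URL stays public; basic auth is the only guard.
    if not app.get("enableBasicAuth", False):
        findings.append("basic auth is off: the amplifyapp.com URL bypasses the WAF")

    return findings


if __name__ == "__main__":
    for finding in audit_workaround(AMPLIFY_APP, DISTRIBUTION):
        print("FINDING:", finding)
```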
If we are also using a custom domain with our Console app, should this CloudFront/WAF workaround work? If so, what would I use for the Origin in the CloudFront Distribution - our custom domain name or the Console generated domain? I tried our custom domain and traffic did not seem to get routed properly through CloudFront to get to the Console app. It seems to just go straight to the Console app.
Hi,
I have the same situation as the previous message (@dave-moser): a custom domain, and I want to protect it with WAF and IP filtering with an IPSet. Could somebody answer whether the @garyleefight workaround and the configuration indicated by @blazinaj should work with custom domains added in the Amplify Console?
Thank you