By default, CloudFront distribution URLs (e.g. https://d2kl2vxl3xne45.cloudfront.net) are publicly accessible. So if you are using CloudFront to serve a static website out of S3, for example, your site will be reachable via the CloudFront URL as well as via any custom domain you have configured. If you are using Signed URLs or Signed Cookies to restrict access to your content then this is not an issue, but if you are serving your content publicly it may bother you: the default hostname is a second entry point to the same content, outside whatever you control through your own DNS.
CloudFront URLs are not hard to discover either: if your custom domain is a plain CNAME to the distribution, a DNS lookup for it returns the cloudfront.net hostname (a Route 53 alias record hides it, since it answers with IP addresses instead). So if we want to ensure that our web application cannot be accessed via the CF URL, we need to block access to it explicitly. Note that this only closes the CloudFront hostname; if the S3 bucket itself is public, or exposed as a website endpoint, the content stays reachable there unless you restrict the bucket to CloudFront with origin access control.
AWS Docs Tutorial: Create a simple function with CloudFront Functions
WAF - an alternative is an AWS WAF custom rule (assuming you already use WAF): a rule that blocks requests whose Host header ends with .cloudfront.net has the same effect. This only works with a CloudFront-scoped web ACL associated with the distribution itself. A regional web ACL on your load balancers sits behind CloudFront, is not in the path at all for an S3 origin, and by default does not even see the viewer's original Host header, since CloudFront rewrites it to the origin domain name unless you forward it.
- Go to CloudFront in the console and choose Functions > Create function. A function exists outside the scope of any distribution, so you do not create it under a specific distribution; this lets a generic function be associated with several distributions.
- Enter the following function:

```javascript
function handler(event) {
    var request = event.request;
    var host = request.headers.host.value;
    // Requests that arrived via the default *.cloudfront.net hostname get a 403
    // styled like the native S3/CloudFront AccessDenied error.
    if (host.includes('cloudfront.net')) {
        return {
            statusCode: 403,
            statusDescription: 'Forbidden',
            headers: { 'content-type': { value: 'application/xml' } },
            body: {
                encoding: 'text',
                data: '<?xml version="1.0" encoding="UTF-8"?><Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>'
            }
        };
    }
    // Any other hostname (your custom domain) passes through to the origin unchanged.
    return request;
}
```

  Note that the body contains XML, but we could equally have set the content-type to text/html and returned an HTML body. The XML body above mimics the AccessDenied error that S3 and CloudFront natively return for a forbidden resource, so the response looks native. Note also that host.includes('cloudfront.net') is a substring test: it blocks the default distribution domain, but would also block a custom domain that happens to contain that string, so check your alternate domain names before publishing.
- Save changes.
- Now Publish > Publish function.
- Now Associated distributions > Add association.
- Choose the distribution, Event type: Viewer request, Cache behaviour: Default. Associations are made per cache behaviour, so if the distribution has additional behaviours (for example a separate path pattern for /api/*), add the function to each of them as well; otherwise requests matching those paths are still served via the CloudFront URL.
- Add association.
- The associated distribution will automatically redeploy. Wait a few minutes for the deployment to complete before testing.
- Now request the CF distribution directly, e.g. https://d2kl2vxl3xne45.cloudfront.net/, and you should see the 403 response sent by the function, while the same path on your custom domain still serves normally.
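A stricter variant of the function, added here as an example and not code from the original post: instead of a substring test on cloudfront.net it allowlists the exact hostnames the distribution is meant to serve, so the default domain, a missing Host header and any unexpected hostname are all rejected with the same XML 403. The hostnames in ALLOWED_HOSTS, the sample viewer IP and the local harness (makeEvent, simulate) are assumptions for illustration; the handler uses var and plain function declarations so that it runs on the cloudfront-js-1.0 runtime as well as under Node for local checks.

```javascript
// Added example (not from the original post): allowlist-based viewer-request
// function for CloudFront. Only handler() and the helpers above the harness
// marker belong in the deployed function.

var ALLOWED_HOSTS = ['www.example.com', 'example.com']; // hypothetical custom domains

var ACCESS_DENIED_XML =
    '<?xml version="1.0" encoding="UTF-8"?>' +
    '<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>';

// The same native-looking 403 the original function returns.
function forbidden() {
    return {
        statusCode: 403,
        statusDescription: 'Forbidden',
        headers: { 'content-type': { value: 'application/xml' } },
        body: { encoding: 'text', data: ACCESS_DENIED_XML }
    };
}

// Normalise the Host value before comparing: hostnames are case-insensitive,
// and a client may append an explicit ":443"/":80" port suffix.
function normalizeHost(raw) {
    var host = String(raw || '').toLowerCase();
    var colon = host.lastIndexOf(':');
    if (colon > -1 && /^\d+$/.test(host.slice(colon + 1))) {
        host = host.slice(0, colon);
    }
    return host;
}

// Exact match against the allowlist; no substring or suffix matching, so
// "www.example.com.evil.test" is rejected as well as "*.cloudfront.net".
function hostAllowed(host) {
    return ALLOWED_HOSTS.indexOf(host) !== -1;
}

function handler(event) {
    var request = event.request;
    var hostHeader = request.headers.host;
    // A request without a Host header should never reach the function, but fail closed.
    if (!hostHeader || !hostAllowed(normalizeHost(hostHeader.value))) {
        return forbidden();
    }
    return request;
}

// ---- Local harness (Node only, not deployed) ------------------------------
// Builds a minimal viewer-request event in the shape CloudFront passes to the
// function. Pass host === undefined to simulate a request with no Host header.
function makeEvent(host, uri) {
    return {
        version: '1.0',
        context: { eventType: 'viewer-request' },
        viewer: { ip: '192.0.2.10' }, // constructed sample viewer address
        request: {
            method: 'GET',
            uri: uri || '/index.html',
            querystring: {},
            headers: host === undefined ? {} : { host: { value: host } },
            cookies: {}
        }
    };
}

// Returns the HTTP status the function produces; 200 means the request was
// passed through (the function returned the request object, not a response).
function simulate(host) {
    var result = handler(makeEvent(host));
    return result.statusCode ? result.statusCode : 200;
}

['www.example.com', 'WWW.EXAMPLE.COM:443', 'd2kl2vxl3xne45.cloudfront.net',
 'www.example.com.evil.test', undefined].forEach(function (h) {
    console.log(String(h) + ' -> ' + simulate(h));
});
```

Only the handler and its helpers go into the CloudFront function; the harness lets you exercise the decision logic with node before publishing, and the console's Test tab can run the same sample event against the DEVELOPMENT version. After the distribution has deployed, confirm the behaviour end to end with one request to the CloudFront hostname (expect the 403 with the XML body) and one to the custom domain (expect your content).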
A note on function updates
If you update a function you only have to republish it to make the changes live; you do not need to redeploy any associated distributions. Publishing replaces the LIVE version immediately for every distribution the function is associated with, so test the DEVELOPMENT version first (the console's Test tab runs it against a sample viewer-request event) before you publish.