Install the CloudFront Agent

To increase the security of your CloudFront Origin server, you can use tCell's agent via Lambda@Edge. This provides tCell support for any web application or static content fronted by AWS CloudFront. When you deploy the agent as a CloudFormation stack into your own AWS account, requests to your CloudFront distributions trigger the tCell agent Lambda function on Origin Requests and Origin Responses.

Use Cases

Static sites and content stored in S3 buckets are often delivered by CloudFront, since it is an easy way to get a simple HTML-based website up and running. With tCell's CloudFront agent you can add and enforce Content Security Policy (CSP) headers on these sites to protect against cross-site scripting (XSS) and other content-injection attacks.

Using CloudFront as a reverse proxy reduces the load on Origin servers and serves content to users around the world as quickly as possible. Adding tCell's CloudFront agent to the CloudFormation stack provides the additional benefit of WAF functionality on Origin Requests and Responses with minimal added latency.

Supported Features

  • App Firewall Monitoring and Blocking (note: error code and response size detections are not supported)
  • Prevention of Unvalidated HTTP Redirects
  • Content Security Policy (CSP) Enforcement
  • Suspicious Actors Detection & Protection

Prerequisites

Installation

Download the agent

  1. In the top navigation bar, click tCell Admin.
  2. Click Download Agent.
  3. Select the CloudFront agent.
  4. Download the .zip or the tar.gz file.

Install the agent

All AWS resources must be created in the same account and in the us-east-1 region.

  1. Deploy the tCell Lambda@Edge CloudFormation stack.
     1. In the extracted agent archive directory, run: sam deploy --guided
     2. Follow the prompts and complete the fields as necessary. Two deployment requirements apply:
        • Region: Lambda@Edge functions must be deployed in us-east-1.
        • Allow SAM CLI IAM role creation: keep the default option Yes. The agent's CloudFormation stack needs to create an IAM role that lets its Lambda function read the tCell credentials from AWS Secrets Manager and that allows deployment to Lambda@Edge.
  2. Create a tCell application and a Server Agent API Key for each CloudFront Origin you want to secure.
  3. Create a secret in AWS Secrets Manager for each application's ID and key. If your CloudFront distribution is managed by CloudFormation, the secret can be created by the same CloudFormation stack. The secret name must have the format cloudfrontagent-tcell/<tcell_app_id> and the secret value must be the Server Agent API Key.
  4. Update every CloudFront Cache Behavior you want protected with triggers for the tCell Lambda function, and add the tCell App ID as an Origin Custom Header on each Origin so the agent reports to the correct application. To support all features, the tCell agent function must be associated with both the origin-request and origin-response event types, and the origin-request trigger must be configured to include the request body in the event.

Examples

Creating a secret in AWS Secrets Manager using the AWS CLI (the region must be us-east-1 so the Lambda@Edge function can read it):

  aws secretsmanager create-secret --region us-east-1 --name cloudfrontagent-tcell/<tcell_app_id> --secret-string <tcell_api_key>

Passing the key as a literal argument leaves it in your shell history and in process listings; to avoid that, put the key in a file and pass --secret-string file://<path> instead.

Adding Lambda@Edge triggers and Origin Custom Headers to a CloudFront distribution, using a CloudFormation template. Origins and DefaultCacheBehavior sit under the resource's DistributionConfig property; any additional CacheBehaviors entries need the same two associations. IncludeBody is only valid on request events, and the imported value must resolve to a published version ARN, since Lambda@Edge does not accept $LATEST:

  ...
  Type: "AWS::CloudFront::Distribution"
  Properties:
    DistributionConfig:
      Origins:
        - ...
          OriginCustomHeaders:
            - HeaderName: 'X-TCELL-APP-ID'
              HeaderValue: '<tcell_app_id>'
      DefaultCacheBehavior:
        ...
        LambdaFunctionAssociations:
          - EventType: origin-request
            IncludeBody: true   # required so the agent can inspect request bodies
            LambdaFunctionARN: !ImportValue 'cloudfrontagent-tcell:tcellAgentFunction'
          - EventType: origin-response   # no IncludeBody here: not valid on response events
            LambdaFunctionARN: !ImportValue 'cloudfrontagent-tcell:tcellAgentFunction'

Additional Configuration Using Origin Custom Headers

In addition to the App ID, several Server Agent Options can be configured using Origin Custom Headers.

  Server Agent Option                Header Name
  App ID                             X-TCELL-APP-ID
  Allow Payloads                     X-TCELL-ALLOW-PAYLOADS
  Logging Level                      X-TCELL-LOG-LEVEL
  Reverse Proxy IP Address Header    X-TCELL-REVERSE-PROXY-IP-ADDRESS-HEADER

Managed-AllViewer Origin Request Policy

To maximize the tCell agent's capabilities, we recommend using the Managed-AllViewer Origin Request Policy, which forwards all viewer request attributes (headers, cookies and query strings) to the Origin whenever a request reaches it on a CloudFront cache miss. This helps ensure that the CloudFront agent has all the information it needs to correctly apply your tCell configuration policy. Note that an Origin Request Policy only controls what is forwarded; which attributes form the cache key is set by the Cache Policy.
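The following Python script is an added example, not code from the tCell agent or from this page. It audits a distribution's configuration for the wiring described under Install the agent (App ID custom header on every Origin, a matching cloudfrontagent-tcell/<tcell_app_id> secret, origin-request with IncludeBody plus origin-response triggers on every Cache Behavior) and for the Managed-AllViewer recommendation above. It expects the DistributionConfig object returned by `aws cloudfront get-distribution-config` and the set of secret names from `aws secretsmanager list-secrets`; the sample input, account number, function ARN and application IDs are constructed, and the Managed-AllViewer policy ID is the one published in the CloudFront managed-policy documentation, which you should confirm in your own console.

```python
"""Audit a CloudFront DistributionConfig for the tCell Lambda@Edge wiring.

Added example; not part of tCell. Input shapes follow the CloudFront API
(`Origins.Items[].CustomHeaders.Items[]`, `*.LambdaFunctionAssociations.Items[]`).
"""
import re

# Managed-AllViewer policy ID from the CloudFront managed-policy docs
# (assumption for this example: confirm it in your console).
MANAGED_ALL_VIEWER_ID = "216adef6-5c7f-47e4-b989-5492eafa07d3"

# Lambda@Edge only accepts a fully qualified ARN ending in a numeric version.
VERSIONED_ARN = re.compile(
    r"^arn:aws:lambda:us-east-1:\d{12}:function:[A-Za-z0-9_-]+:\d+$")

# Constructed (hypothetical account number and function name).
TCELL_FN = ("arn:aws:lambda:us-east-1:123456789012:function:"
            "cloudfrontagent-tcell-tcellAgentFunction")


def audit_behavior(name, behavior, function_prefix):
    """Findings for one cache behavior; an empty list means it is wired correctly."""
    findings = []
    items = behavior.get("LambdaFunctionAssociations", {}).get("Items", [])
    # Only associations that point at the tCell function are of interest.
    by_event = {a["EventType"]: a for a in items
                if a["LambdaFunctionARN"].startswith(function_prefix)}
    req = by_event.get("origin-request")
    if req is None:
        findings.append(f"{name}: no origin-request trigger for the tCell function")
    else:
        if not req.get("IncludeBody", False):
            findings.append(f"{name}: origin-request trigger must set IncludeBody=true")
        if not VERSIONED_ARN.match(req["LambdaFunctionARN"]):
            findings.append(f"{name}: origin-request ARN is not a numbered version in us-east-1")
    if "origin-response" not in by_event:
        findings.append(f"{name}: no origin-response trigger for the tCell function")
    if behavior.get("OriginRequestPolicyId") != MANAGED_ALL_VIEWER_ID:
        findings.append(f"{name}: origin request policy is not Managed-AllViewer")
    return findings


def audit_distribution(config, function_prefix, secret_names):
    """Findings for the whole distribution: origins first, then each cache behavior."""
    findings = []
    for origin in config["Origins"]["Items"]:
        headers = origin.get("CustomHeaders", {}).get("Items", [])
        app_ids = [h["HeaderValue"] for h in headers
                   if h["HeaderName"].upper() == "X-TCELL-APP-ID"]
        if not app_ids:
            findings.append(f"origin {origin['Id']}: no X-TCELL-APP-ID custom header")
        elif f"cloudfrontagent-tcell/{app_ids[0]}" not in secret_names:
            findings.append(f"origin {origin['Id']}: no secret named "
                            f"cloudfrontagent-tcell/{app_ids[0]} in Secrets Manager")
    findings += audit_behavior("DefaultCacheBehavior",
                               config["DefaultCacheBehavior"], function_prefix)
    for cb in config.get("CacheBehaviors", {}).get("Items", []):
        findings += audit_behavior(f"CacheBehavior {cb['PathPattern']}", cb, function_prefix)
    return findings


# Constructed sample: one fully wired origin/behavior and several mistakes.
SAMPLE_SECRETS = {"cloudfrontagent-tcell/app-static"}
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 3, "Items": [
        {"Id": "s3-static", "CustomHeaders": {"Quantity": 1, "Items": [
            {"HeaderName": "X-TCELL-APP-ID", "HeaderValue": "app-static"}]}},
        {"Id": "api-origin", "CustomHeaders": {"Quantity": 1, "Items": [
            {"HeaderName": "X-TCELL-APP-ID", "HeaderValue": "app-api"}]}},
        {"Id": "legacy", "CustomHeaders": {"Quantity": 0, "Items": []}},
    ]},
    "DefaultCacheBehavior": {
        "OriginRequestPolicyId": MANAGED_ALL_VIEWER_ID,
        "LambdaFunctionAssociations": {"Quantity": 2, "Items": [
            {"EventType": "origin-request", "IncludeBody": True,
             "LambdaFunctionARN": TCELL_FN + ":3"},
            {"EventType": "origin-response", "IncludeBody": False,
             "LambdaFunctionARN": TCELL_FN + ":3"},
        ]},
    },
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/api/*",
         "LambdaFunctionAssociations": {"Quantity": 1, "Items": [
             {"EventType": "origin-request", "IncludeBody": False,
              "LambdaFunctionARN": TCELL_FN + ":$LATEST"}]}},
    ]},
}


def audit_sample():
    return audit_distribution(SAMPLE_CONFIG, TCELL_FN, SAMPLE_SECRETS)


if __name__ == "__main__":
    for finding in audit_sample() or ["no findings: distribution is fully wired"]:
        print(finding)
```

Against real data, load the JSON from `aws cloudfront get-distribution-config --id <id>` (use the "DistributionConfig" key) and the names from `aws secretsmanager list-secrets --region us-east-1`, and pass the ARN prefix of the function the agent stack exported. The sample run reports the api-origin secret gap, the legacy origin without an App ID, and four problems on the /api/* behavior, while the default behavior passes.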

CloudFront Cache Policy

We recommend using a CloudFront Cache Policy that includes as many request attributes as possible in the cache key to increase the usefulness of data reported by the Agent. For example, if an attacker is requesting the same URL with many different attributes, but those attributes are not included in your Cache Policy, CloudFront will return cached content and not trigger the tCell agent function, reducing your visibility into attempted attacks on the origin server.

Limitations

The more request attributes you add to the cache key, the more cache misses you get, and every miss is a request forwarded to your origin server, which increases page load times. If site performance is too slow with a large cache key, remove attributes from the key until performance is acceptable, keeping in mind that each attribute removed is one the agent will no longer see on cached responses.