Install the CloudFront Agent
To increase the security of your CloudFront Origin server, you can use tCell's agent via Lambda@Edge. This provides tCell support for any web application or static content fronted by AWS CloudFront. When you deploy the agent as a CloudFormation stack into your own AWS account, requests to your CloudFront distributions trigger the tCell agent Lambda function on Origin Requests and Origin Responses.
Static sites and content stored in S3 buckets are often delivered by CloudFront since it is an easy way to get a simple HTML-based website up and running. By leveraging tCell's CloudFront agent, you can add and enforce Content Security Policy (CSP) headers on these sites to protect against cross-site scripting (XSS) and other content-injection attacks.
Using CloudFront as a reverse proxy reduces the load on Origin servers and serves content to users around the world as quickly as possible. Adding tCell's CloudFront agent to the CloudFormation stack provides the additional benefit of WAF functionality on Origin Requests and Responses with minimal added latency. The CloudFront agent supports the following features:
- App Firewall Monitoring and Blocking (Note: error code and response size detections are not supported.)
- Prevention of Unvalidated HTTP Redirects
- Content Security Policy (CSP) Enforcement
- Suspicious Actors Detection & Protection
Before installing, you need:
- A tCell account set up with an application ID and agent key
- The AWS CLI on a system with AWS credentials configured
- The AWS SAM CLI
Download the agent
- In the top navigation bar, click tCell Admin.
- Click Download Agent.
- Select the CloudFront agent.
- Download the
Install the agent
All AWS resources must be created in the same account and in the us-east-1 region.
- Deploy the tCell Lambda@Edge CloudFormation stack.
- In the extracted agent archive directory, run the following command:
sam deploy --guided
- Follow the prompts and complete the fields as necessary. When asked for the AWS Region, use us-east-1; Lambda@Edge functions must be deployed in us-east-1.
Allow SAM CLI IAM role creation
Use the default option Yes for "Allow SAM CLI IAM role creation". The agent's CloudFormation stack needs to create a role for its Lambda function to read the tCell credentials from AWS Secrets Manager, as well as to allow deployment to Lambda@Edge.
- Create a tCell application and Server Agent API Key for each CloudFront Origin you want to secure.
- Create a secret in AWS Secrets Manager for each application's ID and key. If your CloudFront distribution is managed by CloudFormation, this secret can be created by the same CloudFormation stack. The secret name must be of the format cloudfrontagent-tcell/<tcell_app_id> and the value must be the Server Agent API Key value.
- Update all desired CloudFront Cache Behaviors with triggers for the tCell Lambda function and add the tCell App ID as an Origin Custom Header for each Origin so the agent reports to the correct app. To support all features, the tCell Agent function must be configured to receive both origin-request and origin-response event types, and the origin-request trigger must be configured to include the request body in the event (otherwise the agent cannot inspect request bodies).
Creating a secret in AWS Secrets Manager using the AWS CLI:
aws secretsmanager create-secret --region us-east-1 --name cloudfrontagent-tcell/<tcell_app_id> --secret-string <tcell_api_key>
Adding Lambda@Edge triggers and Origin Custom Headers to a CloudFront distribution, using a CloudFormation template:
```yaml
...
Type: "AWS::CloudFront::Distribution"
Properties:
  Origins:
    - ...
      OriginCustomHeaders:
        - HeaderName: 'X-TCELL-APP-ID'
          HeaderValue: '<tcell_app_id>'
  DefaultCacheBehavior:
    ...
    LambdaFunctionAssociations:
      - EventType: origin-request
        IncludeBody: true
        LambdaFunctionARN: !ImportValue 'cloudfrontagent-tcell:tcellAgentFunction'
      - EventType: origin-response
        LambdaFunctionARN: !ImportValue 'cloudfrontagent-tcell:tcellAgentFunction'
```
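A mistake in the wiring above fails quietly: a behavior without an origin-response trigger still serves traffic, just without CSP enforcement, and an origin-request trigger without IncludeBody leaves request bodies uninspected. The following preflight check is an added example, not part of the tCell agent or its documentation. It audits a DistributionConfig document in the shape returned by `aws cloudfront get-distribution-config` against the requirements stated in the steps above (App ID custom header on every origin, both event types bound to the agent function, IncludeBody on origin-request, a numbered function version in us-east-1 as Lambda@Edge requires) and lists the Secrets Manager secret names the agent will look up. The function ARN, origin names and the sample configuration are constructed for the example.

```python
"""Preflight audit of a CloudFront DistributionConfig for the tCell agent wiring.

Added example; not tCell's code. Feed it the "DistributionConfig" object from
`aws cloudfront get-distribution-config --id <dist-id>` (a constructed sample is
embedded below so the script runs offline).
"""
import re

SECRET_PREFIX = "cloudfrontagent-tcell/"          # documented secret-name prefix
APP_ID_HEADER = "X-TCELL-APP-ID"                   # documented origin custom header
REQUIRED_EVENTS = {"origin-request", "origin-response"}
# Lambda@Edge only accepts a numbered version of a us-east-1 function (no $LATEST, no alias).
EDGE_ARN = re.compile(r"^arn:aws:lambda:us-east-1:\d{12}:function:[A-Za-z0-9_-]+:\d+$")


def secret_name(app_id: str) -> str:
    """Secret name the agent reads for a tCell app ID: cloudfrontagent-tcell/<app_id>."""
    if not app_id or "/" in app_id:
        raise ValueError("tCell app id must be non-empty and must not contain '/'")
    return SECRET_PREFIX + app_id


def check_function_arn(arn: str) -> list:
    if EDGE_ARN.match(arn):
        return []
    return [f"function ARN {arn!r} is not a numbered version of a us-east-1 function"]


def check_origin(origin: dict) -> list:
    """Every origin needs the App ID header, or the agent cannot map requests to an app."""
    oid = origin.get("Id", "?")
    headers = origin.get("CustomHeaders", {}).get("Items", [])
    if any(h["HeaderName"].upper() == APP_ID_HEADER for h in headers):
        return []
    return [f"origin {oid}: no {APP_ID_HEADER} custom header"]


def check_behavior(behavior: dict, function_arn: str, label: str) -> list:
    """Both event types must point at the agent; origin-request must carry the body."""
    problems = []
    items = behavior.get("LambdaFunctionAssociations", {}).get("Items", [])
    by_event = {a["EventType"]: a for a in items if a.get("LambdaFunctionARN") == function_arn}
    for event in sorted(REQUIRED_EVENTS - set(by_event)):
        problems.append(f"{label}: no {event} trigger for the tCell function")
    req = by_event.get("origin-request")
    if req is not None and not req.get("IncludeBody", False):
        problems.append(f"{label}: origin-request trigger has IncludeBody false")
    return problems


def audit(config: dict, function_arn: str) -> list:
    problems = check_function_arn(function_arn)
    for origin in config.get("Origins", {}).get("Items", []):
        problems += check_origin(origin)
    problems += check_behavior(config["DefaultCacheBehavior"], function_arn, "DefaultCacheBehavior")
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        problems += check_behavior(b, function_arn, f"CacheBehavior {b.get('PathPattern', '?')}")
    return problems


def expected_secrets(config: dict) -> list:
    """Secrets Manager names that must exist in us-east-1 for the configured origins."""
    names = set()
    for origin in config.get("Origins", {}).get("Items", []):
        for h in origin.get("CustomHeaders", {}).get("Items", []):
            if h["HeaderName"].upper() == APP_ID_HEADER:
                names.add(secret_name(h["HeaderValue"]))
    return sorted(names)


# Constructed sample: one correctly wired origin/behavior and one with three mistakes.
FUNCTION_ARN = "arn:aws:lambda:us-east-1:123456789012:function:tcellAgentFunction:3"
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "app-origin", "DomainName": "app.example.com",
         "CustomHeaders": {"Quantity": 1, "Items": [
             {"HeaderName": "X-TCELL-APP-ID", "HeaderValue": "myapp-abc123"}]}},
        {"Id": "assets-s3", "DomainName": "assets.s3.amazonaws.com",
         "CustomHeaders": {"Quantity": 0, "Items": []}},          # App ID header forgotten
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "app-origin",
        "LambdaFunctionAssociations": {"Quantity": 2, "Items": [
            {"LambdaFunctionARN": FUNCTION_ARN, "EventType": "origin-request", "IncludeBody": True},
            {"LambdaFunctionARN": FUNCTION_ARN, "EventType": "origin-response", "IncludeBody": False}]}},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/static/*", "TargetOriginId": "assets-s3",
         "LambdaFunctionAssociations": {"Quantity": 1, "Items": [   # no origin-response, no body
             {"LambdaFunctionARN": FUNCTION_ARN, "EventType": "origin-request", "IncludeBody": False}]}}]},
}

if __name__ == "__main__":
    for p in audit(SAMPLE_CONFIG, FUNCTION_ARN):
        print("PROBLEM:", p)
    print("secrets required in us-east-1:", expected_secrets(SAMPLE_CONFIG))
```

Run it against the real output of `get-distribution-config` (the `DistributionConfig` member) after every distribution change; an empty problem list plus the listed secrets existing in us-east-1 is the condition under which every uncached request and response actually reaches the agent.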
Additional Configuration Using Origin Custom Headers
In addition to the App ID, several Server Agent Options can be configured using Origin Custom Headers.
| Server Agent Option | Header Name |
| --- | --- |
| Reverse Proxy IP Address Header | X-TCELL-REVERSE-PROXY-IP-ADDRESS-HEADER |
Recommended CloudFront Configuration
Managed-AllViewer Origin Request Policy
To maximize the tCell agent's capabilities, we recommend using the Managed-AllViewer Origin Request Policy which will forward all request attributes to the Origin when a CloudFront cache miss occurs. This helps ensure that the CloudFront agent has all the information it needs to correctly apply your tCell configuration policy.
CloudFront Cache Policy
We recommend using a CloudFront Cache Policy that includes as many request attributes as possible in the cache key to increase the usefulness of data reported by the Agent. For example, if an attacker is requesting the same URL with many different attributes, but those attributes are not included in your Cache Policy, CloudFront will return cached content and not trigger the tCell agent function, reducing your visibility into attempted attacks on the origin server.
The trade-off is that a larger cache key means more cache misses, so more requests are forwarded to your origin server and page load times increase. If site performance is too slow with a large cache key, remove attributes from the key until performance is acceptable, keeping in mind that every request served from cache is one the agent never sees.