This tweet highlights a common security misconfiguration when using AWS CloudFront with AWS WAF. Many users attach AWS WAF to a CloudFront distribution so that malicious requests are filtered at the edge. However, if the origin server behind CloudFront is still reachable from the internet, an attacker who learns the origin's hostname or IP address can send requests straight to it, skipping the distribution and every rule the WAF enforces. The WAF still protects the CloudFront path, but the attacker simply does not use that path, so the edge protection provides no real security benefit.

Key Points:
– AWS WAF is a web application firewall that filters malicious traffic; when associated with a CloudFront distribution it inspects requests at the CloudFront edge before they are forwarded to the origin.
– CloudFront is a content delivery network (CDN) that sits in front of an origin (an S3 bucket, an Application Load Balancer, an EC2 instance or any HTTP server) and can be combined with AWS WAF.
– If the origin is publicly reachable outside of CloudFront (for example via its IP address, its ALB DNS name or an S3 website endpoint), requests sent directly to it are never seen by the WAF.

Effective Security Practice:
– Restrict direct access to the origin server so that only CloudFront can reach it.
– For S3 origins, use Origin Access Control (OAC) (or the older Origin Access Identity, OAI) and a bucket policy that grants access only to the distribution, with public access blocked. For custom origins (ALB, EC2, on-premises), limit inbound traffic to CloudFront's origin-facing IP ranges, for example with a security group rule that references the AWS-managed prefix list com.amazonaws.global.cloudfront.origin-facing, and additionally configure CloudFront to add a secret custom origin header that the origin validates on every request. Source IP filtering alone is not sufficient, because any CloudFront distribution, including one an attacker creates, sends traffic from the same ranges; the secret header ties requests to your distribution specifically.
– A quick check: send a request directly to the origin's IP or hostname with the Host header set to your site's domain. If the origin answers with your content, the bypass exists.
– With direct access blocked, all traffic reaching the origin has passed through AWS WAF at the CloudFront edge, providing protection against common web attacks like SQL injection, cross-site scripting (XSS), and others.
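The following is an added example, not code from the tweet or from AWS, of the origin-side check described above. It assumes a custom origin header named X-Origin-Verify configured on the CloudFront distribution, a shared secret value, and a constructed sample of the ip-ranges.json document (the prefixes are illustrative only; production code must load the live file or rely on the managed prefix list in a security group). It also shows the naive check that only inspects the Via header, which an attacker connecting directly to the origin can forge.

```python
"""Origin-side guard that refuses requests not relayed by CloudFront.

Two independent checks (both assumed configuration, not from the original post):
  1. The TCP peer address must fall inside CloudFront's origin-facing ranges.
  2. The request must carry the secret custom origin header that the
     CloudFront distribution is configured to add (assumed name X-Origin-Verify).
Note: the check uses the TCP peer address, never X-Forwarded-For or Via,
because those headers are attacker-controlled on a direct connection.
"""
import hmac
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed sample shaped like https://ip-ranges.amazonaws.com/ip-ranges.json.
# The prefixes are illustrative; load the live file (filter on the
# CLOUDFRONT_ORIGIN_FACING service) or use the managed prefix list
# com.amazonaws.global.cloudfront.origin-facing in a security group.
SAMPLE_IP_RANGES_JSON = json.dumps({
    "prefixes": [
        {"ip_prefix": "130.176.0.0/16", "service": "CLOUDFRONT_ORIGIN_FACING"},
        {"ip_prefix": "15.158.0.0/16", "service": "CLOUDFRONT_ORIGIN_FACING"},
        {"ip_prefix": "3.5.140.0/22", "service": "S3"},  # not CloudFront, must be filtered out
    ]
})

ORIGIN_SECRET = "constructed-secret-rotate-me"  # assumed value; keep it in a secrets store in practice
ORIGIN_HEADER = "x-origin-verify"                # assumed header name set on the CloudFront origin


@dataclass
class Request:
    peer_ip: str                       # TCP source address as seen by the origin
    headers: dict = field(default_factory=dict)


def load_cloudfront_networks(ip_ranges_json: str) -> list:
    """Return only the origin-facing CloudFront prefixes from an ip-ranges.json body."""
    data = json.loads(ip_ranges_json)
    return [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["service"] == "CLOUDFRONT_ORIGIN_FACING"
    ]


def is_cloudfront_peer(peer_ip: str, networks: list) -> bool:
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in networks)


def has_valid_origin_secret(headers: dict, secret: str) -> bool:
    """Constant-time comparison of the presented header against the shared secret."""
    presented = {k.lower(): v for k, v in headers.items()}.get(ORIGIN_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def naive_origin_allows(req: Request) -> bool:
    """The mistake: trusting a header that CloudFront sets but anyone can forge."""
    via = {k.lower(): v for k, v in req.headers.items()}.get("via", "")
    return "cloudfront.net" in via


def origin_allows(req: Request, networks: list, secret: str = ORIGIN_SECRET) -> tuple:
    """Hardened decision: both the network check and the secret header must pass."""
    if not is_cloudfront_peer(req.peer_ip, networks):
        return False, "peer not in CloudFront origin-facing ranges"
    if not has_valid_origin_secret(req.headers, secret):
        return False, "missing or wrong origin secret header"
    return True, "relayed by CloudFront"


if __name__ == "__main__":
    nets = load_cloudfront_networks(SAMPLE_IP_RANGES_JSON)
    # Constructed requests: one relayed by CloudFront, one sent straight to the origin
    # by an attacker who copied the Via header and guessed the secret.
    relayed = Request("130.176.10.20", {"Via": "1.1 abc.cloudfront.net (CloudFront)",
                                        "X-Origin-Verify": ORIGIN_SECRET})
    direct = Request("198.51.100.7", {"Via": "1.1 abc.cloudfront.net (CloudFront)",
                                      "X-Origin-Verify": "guess"})
    for name, req in (("relayed", relayed), ("direct", direct)):
        print(name, "naive:", naive_origin_allows(req), "hardened:", origin_allows(req, nets))
```

The naive check admits the direct request because the attacker supplied a CloudFront-looking Via header; the hardened check rejects it on the peer address, and would still reject a request from a CloudFront range that lacks the secret header (for example, traffic from a distribution the attacker created and pointed at your origin).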

In summary, the architecture of the deployment matters more than just enabling AWS WAF. Proper configuration to limit origin access is critical to prevent attackers from bypassing the edge security controls.