CDN or WAF deployed with DDoS protection, geo-blocking, rate limiting, and bot detection
Why it matters
An application served without a CDN or WAF absorbs every request directly at the origin: a volumetric DDoS that exceeds origin capacity takes the service down entirely, and malicious bots, scrapers, and credential stuffers operate with no filtering layer in front of the application. NIST SP 800-53 SC-5 requires denial-of-service protection, and SI-3 requires malicious code protection at system entry and exit points. The cited CIS AWS Foundations Benchmark control 2.5 (enable AWS Config) does not mandate a WAF by itself, but Config is what lets you record distribution configuration and continuously flag CloudFront distributions with no web ACL attached (the managed rule cloudfront-associated-with-waf does exactly this). Geo-blocking and bot detection matter particularly for AI-built projects, whose hostnames are often discovered within hours of deployment via passive DNS enumeration and then probed automatically.
Severity rationale
Rated info: a missing CDN/WAF widens exposure to volumetric attacks and automated abuse, but it is not an exploitable flaw on its own. An attacker still has to find a weakness in the application and reach the origin endpoints; the absent layer only removes the interception a WAF would otherwise provide.
Remediation
Deploy a CDN with WAF in front of your origin. For AWS, attach WAF to CloudFront in your IaC (terraform/cloudfront.tf). The rate-limit rule below covers only one of the four features; add a geo_match_statement rule and the AWSManagedRulesBotControlRuleSet managed rule group to reach the 3-of-4 threshold (Shield Standard, which every CloudFront distribution includes, covers DDoS mitigation):
# terraform/cloudfront.tf
# CLOUDFRONT-scoped web ACLs live in us-east-1 whatever region the rest of
# the stack uses; give this resource a provider aliased to that region.
resource "aws_wafv2_web_acl" "main" {
  name  = "app-waf"
  scope = "CLOUDFRONT"
  default_action {
    allow {}
  }
  rule {
    name     = "RateLimitRule"
    priority = 1
    action {
      block {}
    }
    statement {
      rate_based_statement {
        # 1000 requests per source IP per evaluation window (5 minutes by
        # default); size this to the application's legitimate peak.
        limit              = 1000
        aggregate_key_type = "IP"
      }
    }
    visibility_config {
      sampled_requests_enabled   = true
      cloudwatch_metrics_enabled = true
      metric_name                = "RateLimitRule"
    }
  }
  # Required at the web ACL level as well as per rule; the provider
  # rejects an ACL without it.
  visibility_config {
    sampled_requests_enabled   = true
    cloudwatch_metrics_enabled = true
    metric_name                = "app-waf"
  }
}
# The ACL protects nothing until it is attached: on the
# aws_cloudfront_distribution resource set
# web_acl_id = aws_wafv2_web_acl.main.arn (the ARN, not the ID, for WAFv2).
For Cloudflare users, DDoS protection is on by default; add rate limiting rules, enable Bot Fight Mode (Super Bot Fight Mode on paid plans), and optionally add geo-blocking via WAF custom rules (formerly Firewall Rules). All of this is configured in the dashboard or API without changes to the origin infrastructure, but it only helps if the origin refuses traffic that bypasses Cloudflare, so restrict the origin to Cloudflare's published IP ranges as well.
Detection
- ID: cdn-waf-protection
- Severity: info
- What to look for: Check for CDN and WAF configuration files and cloud provider settings (AWS CloudFront + WAF, Azure CDN + DDoS Protection, GCP Cloud CDN + Cloud Armor, Cloudflare). Count the protection features configured: DDoS mitigation, rate limiting rules, geo-blocking rules, and bot detection. At least 3 of these 4 features should be enabled. A rule that exists only in count or log mode is not configured for this purpose; it observes but does not protect.
- Pass criteria: A CDN or WAF is deployed in front of the application, and at least 3 of the 4 protection features (DDoS mitigation, rate limiting, geo-blocking, bot detection) are configured. Report even on pass: "CDN/WAF deployed with X of 4 protection features enabled."
- Fail criteria: No CDN or WAF deployed, or a CDN/WAF is deployed but fewer than 3 of the 4 protection features (DDoS, rate limiting, geo-blocking, bot detection) are configured.
- Skip (N/A) when: The application is internal-only, or DDoS/WAF protection is managed by upstream infrastructure (for example a platform or network team's shared edge).
- Cross-reference: The tls-enforced check verifies TLS at the ingress, which the CDN/WAF typically terminates.
- Detail on fail: Quote the CDN config. Example: "Application is served directly without CDN or WAF. No DDoS protection or rate limiting configured." or "CloudFront deployed but AWS WAF is not attached — 1 of 4 features"
- Remediation: Deploy a CDN with WAF. Example with AWS (a CLOUDFRONT-scoped web ACL must be created in us-east-1, and --default-action is required):
  aws cloudfront create-distribution \
    --origin-domain-name myapp.example.com \
    --default-root-object index.html
  aws wafv2 create-web-acl \
    --region us-east-1 \
    --name MyACL \
    --scope CLOUDFRONT \
    --default-action Allow={} \
    --rules file://rules.json \
    --visibility-config file://visibility.json
  Then set the distribution's WebACLId to the ARN returned by create-web-acl (aws cloudfront update-distribution); creating the ACL alone does not protect the distribution.
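As an added example (not part of this rule page or any scanner's own code), the scoring the "What to look for" and pass/fail criteria describe, run over constructed CloudFront and WAFv2 data shaped like the output of aws cloudfront get-distribution and aws wafv2 get-web-acl. It assumes that on AWS the DDoS-mitigation feature is satisfied by Shield Standard, which every CloudFront distribution gets, and that a rule left in Count mode does not count as configured. The Bot Control rule-group name is AWS's real one; the ARN, distribution ID and country list are made up.

```python
"""Score a CloudFront distribution plus its WAFv2 web ACL against the
cdn-waf-protection check (pass = at least 3 of 4 features enforced).
Input shape follows `aws cloudfront get-distribution` (DistributionConfig)
and `aws wafv2 get-web-acl` (WebACL). All sample data below is constructed."""
from __future__ import annotations

import copy
from typing import Any, Iterator

FEATURES = ("ddos", "rate_limit", "geo_block", "bot_detection")
REQUIRED = 3
# AWS's managed bot-detection rule group; extend for third-party vendors.
BOT_RULE_GROUPS = {"AWSManagedRulesBotControlRuleSet"}


def walk_statements(statement: dict[str, Any]) -> Iterator[dict[str, Any]]:
    """Yield a statement and every statement nested under And/Or/Not."""
    yield statement
    for key in ("AndStatement", "OrStatement"):
        for child in statement.get(key, {}).get("Statements", []):
            yield from walk_statements(child)
    if "NotStatement" in statement:
        yield from walk_statements(statement["NotStatement"]["Statement"])


def is_enforcing(rule: dict[str, Any]) -> bool:
    """A rule protects only if it acts: Block/Captcha/Challenge for plain
    rules, OverrideAction None for managed groups (Count only logs)."""
    action = rule.get("Action", {})
    if any(k in action for k in ("Block", "Captcha", "Challenge")):
        return True
    return "None" in rule.get("OverrideAction", {})


def classify_rule(rule: dict[str, Any]) -> set[str]:
    """Map one enforcing WAFv2 rule to the check's feature names."""
    found: set[str] = set()
    if not is_enforcing(rule):
        return found
    for stmt in walk_statements(rule.get("Statement", {})):
        if "RateBasedStatement" in stmt:
            found.add("rate_limit")
        if "GeoMatchStatement" in stmt:
            found.add("geo_block")
        if stmt.get("ManagedRuleGroupStatement", {}).get("Name") in BOT_RULE_GROUPS:
            found.add("bot_detection")
    return found


def evaluate(distribution: dict[str, Any] | None,
             web_acl: dict[str, Any] | None) -> dict[str, Any]:
    """Return status, enforced features and the report line for one origin."""
    if distribution is None:
        return {"status": "fail", "features": [],
                "detail": "Application is served directly without CDN or WAF. "
                          "No DDoS protection or rate limiting configured."}
    # Assumption: CloudFront's built-in Shield Standard satisfies "DDoS mitigation".
    features: set[str] = {"ddos"}
    attached = web_acl is not None and distribution.get("WebACLId") == web_acl.get("ARN")
    if attached:
        for rule in web_acl.get("Rules", []):
            features |= classify_rule(rule)
    count = len(features)
    if count >= REQUIRED:
        status, detail = "pass", f"CDN/WAF deployed with {count} of 4 protection features enabled."
    elif not attached:
        status, detail = "fail", f"CloudFront deployed but AWS WAF is not attached: {count} of 4 features"
    else:
        missing = ", ".join(f for f in FEATURES if f not in features)
        status, detail = "fail", f"WAF attached but only {count} of 4 features enforced; missing: {missing}"
    return {"status": status, "features": sorted(features), "detail": detail}


# Constructed sample data: a distribution with the web ACL attached and three rules.
WEB_ACL_ARN = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/app-waf/0f0f0f0f-example"
SAMPLE_DISTRIBUTION = {"Id": "EDFDVBD6EXAMPLE", "WebACLId": WEB_ACL_ARN}
SAMPLE_WEB_ACL = {
    "Name": "app-waf", "ARN": WEB_ACL_ARN,
    "Rules": [
        {"Name": "RateLimitRule", "Priority": 1, "Action": {"Block": {}},
         "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}}},
        {"Name": "GeoBlock", "Priority": 2, "Action": {"Block": {}},
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["XX"]}}},  # placeholder code
        {"Name": "BotControl", "Priority": 3, "OverrideAction": {"None": {}},
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesBotControlRuleSet"}}},
    ],
}


def with_bot_control_in_count_mode(web_acl: dict[str, Any]) -> dict[str, Any]:
    """Common misconfiguration: the bot rule group left in Count after a trial."""
    acl = copy.deepcopy(web_acl)
    for rule in acl["Rules"]:
        if "ManagedRuleGroupStatement" in rule["Statement"]:
            rule["OverrideAction"] = {"Count": {}}
    return acl


if __name__ == "__main__":
    for label, dist, acl in (("full", SAMPLE_DISTRIBUTION, SAMPLE_WEB_ACL),
                             ("bot control in count", SAMPLE_DISTRIBUTION,
                              with_bot_control_in_count_mode(SAMPLE_WEB_ACL)),
                             ("web ACL not attached", {"Id": "EDFDVBD6EXAMPLE"}, SAMPLE_WEB_ACL),
                             ("no CDN", None, None)):
        print(f"{label}: {evaluate(dist, acl)}")
```

The attachment test compares the distribution's WebACLId with the ACL's ARN because that is the field CloudFront stores for a WAFv2 ACL; an ACL that exists but is not referenced there scores as "not attached", which is the second failure message the rule text gives.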
External references
- nist:rev5 · SC-5 — Denial of Service Protection
- nist:rev5 · SI-3 — Malicious Code Protection
- external · CIS-AWS-2.5 — CIS AWS Foundations Benchmark — Enable AWS Config
Taxons
History
- 2026-04-18·v1.0.0·Initial import from infrastructure-hardening·automated