Firewall support for hosted sites - AWS Amplify Hosting

Firewall support for hosted sites

Note

Firewall support for hosted applications is a preview release and is subject to change. For more information, see Firewall preview limitations.

Firewall support is available today, in preview, in all AWS Regions in which Amplify Hosting operates, except for the opt-in regions. This integration falls under an AWS WAF global resource, similar to CloudFront. Web ACLs can be attached to multiple Amplify Hosting apps, but they must reside in the same region.

Firewall support for hosted sites enables you to protect your web applications with a direct integration with AWS WAF. AWS WAF allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or monitor (count) web requests based on customizable web security rules and conditions that you define. When you integrate your Amplify app with AWS WAF, you gain more control and visibility into the HTTP traffic accepted by your app. To learn more about AWS WAF, see How AWS WAF Works in the AWS WAF Developer Guide.

You can use AWS WAF to protect your Amplify app from common web exploits, such as SQL injection and cross-site scripting. These could affect your app's availability and performance, compromise security, or consume excessive resources. For example, you can create rules to allow or block requests from specified IP address ranges, requests from CIDR blocks, requests that originate from a specific country or region, or requests that contain unexpected SQL code or scripting.

You can also create rules that match a specified string or a regular expression pattern in HTTP headers, method, query string, URI, and the request body (limited to the first 8 KB). Additionally, you can create rules to block events from specific user agents, bots, and content scrapers. For example, you can use rate-based rules to specify the number of web requests that are allowed by each client IP in a trailing, continuously updated, 5-minute period.

To learn more about the types of rules that are supported and additional AWS WAF features, see the AWS WAF Developer Guide and the AWS WAF API Reference.

Important

Security is a shared responsibility between AWS and you. AWS WAF isn't the solution to all internet security issues and you must configure it to meet your security and compliance objectives. To help you understand how to apply the shared responsibility model when using AWS WAF, see Security in your use of the AWS WAF service.

Enabling AWS WAF for an Amplify app

You can enable the Firewall capabilities either when you create a new app or by editing the settings for an existing Amplify app. In both workflows, you will associate an AWS WAF web ACL to your Amplify Hosting app.

Use the following procedure to enable AWS WAF for an existing app in the Amplify console.

Enable AWS WAF for an existing Amplify app
  1. Sign in to the AWS Management Console and open the Amplify console at https://console.aws.amazon.com/amplify/.

  2. On the All apps page, choose the name of the deployed app to enable the Firewall feature on.

  3. In the navigation pane, choose Hosting, and then choose Firewall.

    The following screenshot shows how to navigate to the Add firewall page in the Amplify console.

    The Amplify console Add firewall page.
  4. On the Add firewall page, your actions will depend on whether you want to create a new AWS WAF configuration or use an existing one.

    • Create a new AWS WAF configuration.

      1. Choose Create new.

      2. Optionally, enable any of the following configurations:

        1. Turn on Enable Amplify-recommended Firewall protection.

        2. Turn on Restrict access to amplifyapp.com to prevent access to your app on the default Amplify domain.

        3. For IP addresses, turn on Enable IP address protections.

          1. For Action, choose Allow if you want to specify the IP addresses that will have access and all others will be blocked. Choose Block if you want to specify the IP addresses that will be blocked and all others will have access.

          2. For IP version, select either IPV4 or IPV6.

          3. In the IP addresses text box, enter either your allowed or blocked IP addresses, one per line, in CIDR format.

        4. For Countries, turn on Enable country protection.

          1. For Action, choose Allow if you want to specify the countries that will have access and all others will be blocked. Choose Block if you want to specify the countries that will be blocked and all others will have access.

          2. For Countries, select either your allowed or blocked countries from the list.

      The following screenshot demonstrates how to enable a new AWS WAF configuration for an app.

      The Amplify console Add firewall page with all of the firewall settings enabled.

    • Use an existing AWS WAF configuration.

      1. Choose Use existing AWS WAF configuration.

      2. Select a saved configuration from the list of web ACLs in AWS WAF in your AWS account.

  5. Choose Add firewall.

  6. On the Firewall page, the Associating status is displayed to indicate that the AWS WAF settings are being propagated. When the process is complete, the status changes to Enabled.

    The following screenshots show the firewall progress status in the Amplify console, indicating when the AWS WAF configuration is Associating and Enabled.

    The Amplify console Firewall status progress in the Associating state.
    The Amplify console Firewall status progress in the Enabled state.
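The IP address and country steps above express two allow/block decisions in console terms. The following Python is an added example, not Amplify's or AWS WAF's own code, that validates the one-per-line CIDR list against the selected IP version and translates the form choices into the IP set and web ACL rules in WAFv2 API shape (`IPSetReferenceStatement`, `GeoMatchStatement`, `NotStatement`, `CLOUDFRONT` scope). The form key names, the sample values and the IP set ARN are constructed for the example; rejecting a `/0` entry is the example's own safety check, and how the console itself encodes Allow versus Block is not assumed, only the semantics the procedure states.

```python
import ipaddress

# Constructed sample of what an operator might enter on the Add firewall page;
# the key names are this example's own, not the console's.
SAMPLE_FORM = {
    "ip_action": "Block",       # console "Action" under IP addresses
    "ip_version": "IPV4",       # console "IP version"
    "ip_addresses": "203.0.113.0/24\n198.51.100.7/32\n",  # one CIDR per line
    "country_action": "Allow",  # console "Action" under Countries
    "countries": ["US", "CA"],  # ISO 3166-1 alpha-2 codes, as the WAF API expects
}


def parse_cidr_list(text, ip_version):
    """Validate the one-per-line CIDR list against the selected IP version.

    Returns (networks, errors). Accepted entries are normalized to their
    network address (10.0.0.1/24 becomes 10.0.0.0/24) so stray host bits do
    not end up in the IP set. Rejecting /0 is this example's own check: a
    /0 entry would match every client.
    """
    want = 4 if ip_version == "IPV4" else 6
    networks, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if "/" not in line:
            errors.append(f"line {lineno}: {line!r} is not in CIDR format")
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            errors.append(f"line {lineno}: {line!r} is not a valid CIDR block")
            continue
        if net.version != want:
            errors.append(f"line {lineno}: {line!r} is IPv{net.version}, but {ip_version} was selected")
            continue
        if net.prefixlen == 0:
            errors.append(f"line {lineno}: {line!r} would match every address")
            continue
        networks.append(str(net))
    return networks, errors


def _rule(name, priority, statement):
    # Every WAFv2 rule needs a VisibilityConfig. Block is the only action used
    # here because allow-lists are expressed by negating the match (see below).
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def build_firewall_config(form, ip_set_arn):
    """Turn the form into an IP set plus web ACL rules in WAFv2 API shape.

    Console semantics from the procedure: Allow = only the listed sources get
    in and everything else is blocked; Block = the listed sources are blocked
    and everything else gets in. An allow-list becomes "block anything that
    is NOT in the list", which keeps a single Allow default action for the
    web ACL even when the IP rule and the country rule use different actions.
    """
    networks, errors = parse_cidr_list(form["ip_addresses"], form["ip_version"])
    if errors:
        raise ValueError("; ".join(errors))

    ip_match = {"IPSetReferenceStatement": {"ARN": ip_set_arn}}
    if form["ip_action"] == "Allow":
        ip_match = {"NotStatement": {"Statement": ip_match}}

    geo_match = {"GeoMatchStatement": {"CountryCodes": list(form["countries"])}}
    if form["country_action"] == "Allow":
        geo_match = {"NotStatement": {"Statement": geo_match}}

    return {
        "IpSet": {
            "Scope": "CLOUDFRONT",                   # Amplify accepts only global (CloudFront) scope
            "IPAddressVersion": form["ip_version"],  # the console's IPV4/IPV6 values match the API's
            "Addresses": networks,
        },
        "WebAcl": {
            "Scope": "CLOUDFRONT",
            "DefaultAction": {"Allow": {}},
            "Rules": [
                _rule("ip-protection", 0, ip_match),
                _rule("country-protection", 1, geo_match),
            ],
        },
    }


if __name__ == "__main__":
    import json
    arn = "arn:aws:wafv2:us-east-1:123456789012:global/ipset/example/EXAMPLE-ID"  # constructed
    print(json.dumps(build_firewall_config(SAMPLE_FORM, arn), indent=2))
```

Running the validator before touching the API catches the mistakes that otherwise surface only as a rejected request: an IPv6 block pasted under an IPV4 selection, a bare address without a prefix length, or an over-broad range.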

Disassociate a web ACL from an Amplify app

You can't delete a web ACL that is associated with an Amplify app. You must first disassociate the web ACL from the app in the Amplify console. Then you can delete it in the AWS WAF console.

To disassociate a web ACL from an Amplify app
  1. Sign in to the AWS Management Console and open the Amplify console at https://console.aws.amazon.com/amplify/.

  2. On the All apps page, choose the name of the app to disassociate a web ACL from.

  3. In the navigation pane, choose Hosting, and then choose Firewall.

  4. On the Firewall page, choose Actions, then choose Disassociate firewall.

  5. In the confirmation modal, enter disassociate, then choose Disassociate firewall.

  6. On the Firewall page, the Disassociating status is displayed to indicate that the AWS WAF settings are being propagated.

    When the process is complete, you can delete the web ACL in the AWS WAF console.

How Amplify integrates with AWS WAF

The following list provides specific details about how Firewall support is integrated with AWS WAF and the constraints to consider when creating web ACLs and associating them with Amplify apps.

  • You can enable AWS WAF for any type of Amplify app. This includes any supported framework, server-side rendered (SSR) apps, and fully static sites. AWS WAF is supported for Amplify Gen 1 and Gen 2 apps.

  • You must create web ACLs that you want to associate with an Amplify app in the Global (CloudFront) Region. Regional web ACLs might already exist in your AWS account, but they are not compatible with Amplify.

  • The web ACL and the Amplify app must be created in the same AWS account. You can use AWS Firewall Manager to replicate AWS WAF rules across AWS accounts, to simplify keeping organization rules centralized and distributed across multiple AWS accounts. For more information, see AWS Firewall Manager in the AWS WAF Developer Guide.

  • You can share the same web ACL across multiple Amplify apps in the same AWS account. All of the apps must be in the same Region.

  • When you associate a web ACL with an Amplify app, the web ACL attaches to every branch in the app by default. New branches that you create will also have the web ACL.

  • When you associate a web ACL with an Amplify app, it is automatically associated with all of the app's domains. However, you can configure rules that apply to a single domain name by using Host-header matching rules.

  • You can't delete a web ACL that is associated with an Amplify app. Before you delete a web ACL in the AWS WAF console, you need to disassociate it from the app.
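Two of the points above are about the Host header: the "Restrict access to amplifyapp.com" option blocks the default Amplify domain, and a rule can be limited to one custom domain by matching the Host header. The following Python is an added example, not AWS's code, that builds both rules in WAFv2 API shape (`ByteMatchStatement` on `SingleHeader` `host`, combined with `AndStatement`) and runs them through a small local evaluator over constructed requests so the match semantics can be checked before the rules are deployed. The evaluator covers only the statement types used here and is not AWS WAF's engine; the hostnames, country codes and request samples are constructed.

```python
# Constructed requests: header names lowercased, plus the origin country that
# WAF's geo matching would attach to the request.
SAMPLE_REQUESTS = [
    {"headers": {"host": "main.d1example.amplifyapp.com"}, "country": "US"},
    {"headers": {"host": "www.example.com"}, "country": "FR"},
    {"headers": {"host": "admin.example.com"}, "country": "FR"},
    {"headers": {"host": "admin.example.com"}, "country": "US"},
]


def host_header_match(value, constraint="ENDS_WITH"):
    """ByteMatchStatement on the Host header.

    The LOWERCASE transformation is applied to the request value before
    comparison, so the search string is stored lowercase; boto3 expects
    SearchString as bytes.
    """
    return {
        "ByteMatchStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": "host"}},
            "PositionalConstraint": constraint,
            "SearchString": value.lower().encode(),
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        }
    }


def scoped_to_host(hostname, statement):
    """Restrict any statement to exactly one domain by AND-ing it with a Host match."""
    return {"AndStatement": {"Statements": [host_header_match(hostname, "EXACTLY"), statement]}}


def block_rule(name, priority, statement):
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


RULES = [
    # "Restrict access to amplifyapp.com": block the default Amplify domain so
    # only the custom domains serve traffic. The leading dot avoids matching a
    # lookalike such as notamplifyapp.com.
    block_rule("block-default-domain", 0, host_header_match(".amplifyapp.com")),
    # A country restriction that applies to admin.example.com only: block
    # requests that do NOT originate from the listed countries, on that host alone.
    block_rule("admin-country-allowlist", 1, scoped_to_host(
        "admin.example.com",
        {"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": ["US"]}}}},
    )),
]


def _matches(statement, req):
    """Evaluate the subset of WAFv2 statements used above (toy evaluator, not WAF)."""
    if "ByteMatchStatement" in statement:
        bm = statement["ByteMatchStatement"]
        header = bm["FieldToMatch"]["SingleHeader"]["Name"].lower()
        value = req["headers"].get(header, "")
        if any(t["Type"] == "LOWERCASE" for t in bm["TextTransformations"]):
            value = value.lower()
        needle = bm["SearchString"].decode()
        if bm["PositionalConstraint"] == "ENDS_WITH":
            return value.endswith(needle)
        if bm["PositionalConstraint"] == "EXACTLY":
            return value == needle
        raise ValueError("positional constraint not supported by this toy evaluator")
    if "GeoMatchStatement" in statement:
        return req["country"] in statement["GeoMatchStatement"]["CountryCodes"]
    if "NotStatement" in statement:
        return not _matches(statement["NotStatement"]["Statement"], req)
    if "AndStatement" in statement:
        return all(_matches(s, req) for s in statement["AndStatement"]["Statements"])
    raise ValueError("statement type not supported by this toy evaluator")


def evaluate(rules, req, default_action="Allow"):
    """First matching rule in priority order decides; otherwise the default action."""
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if _matches(rule["Statement"], req):
            return next(iter(rule["Action"]))
    return default_action


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["headers"]["host"], req["country"], "->", evaluate(RULES, req))
```

Because the web ACL is attached to all of the app's domains at once, a rule that should only protect one of them must carry its own Host condition; the AND wrapper above is the general pattern for that, and the same wrapper works around any other statement, not just the geo match shown.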

Amplify web ACL resource policy

To allow Amplify to access your web ACL, a resource policy is attached to the web ACL during association. Amplify constructs this resource policy automatically, but you can view it using the AWS WAFV2 GetPermissionPolicy API. The following IAM permissions are required for associating a web ACL with an Amplify app.

  • amplify:AssociateWebACL

  • wafv2:AssociateWebACL

  • wafv2:PutPermissionPolicy

  • wafv2:GetPermissionPolicy
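The constraints on this page (global scope, same account) and the four permissions above can be checked and expressed before any API call is made. The following Python is an added example, not AWS's code: a preflight that parses the web ACL ARN and app ARN to catch a regional web ACL or a cross-account pairing, and a function that emits an IAM policy carrying exactly the four listed actions. The sample ARNs are constructed, and scoping each statement to the app and web ACL ARNs is this example's least-privilege assumption; the page itself names only the actions.

```python
import json
import re

# WAFv2 web ACL ARN layout: arn:aws:wafv2:<region>:<account>:<scope>/webacl/<name>/<id>
# where <scope> is "global" (CloudFront scope, homed in us-east-1) or "regional".
_WEB_ACL_ARN = re.compile(
    r"^arn:aws:wafv2:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):"
    r"(?P<scope>global|regional)/webacl/(?P<name>[^/]+)/(?P<id>[^/]+)$"
)
# Amplify app ARN layout: arn:aws:amplify:<region>:<account>:apps/<appId>
_APP_ARN = re.compile(
    r"^arn:aws:amplify:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):apps/(?P<app_id>[^/]+)$"
)


def preflight(app_arn, web_acl_arn):
    """Return the reasons an association would be rejected, or [] if none are found."""
    app = _APP_ARN.match(app_arn)
    if not app:
        return [f"not an Amplify app ARN: {app_arn}"]
    acl = _WEB_ACL_ARN.match(web_acl_arn)
    if not acl:
        return [f"not a WAFv2 web ACL ARN: {web_acl_arn}"]
    problems = []
    if acl["scope"] != "global":
        problems.append("web ACL is regional; Amplify accepts only Global (CloudFront) web ACLs")
    if acl["account"] != app["account"]:
        problems.append("web ACL and app must be created in the same AWS account")
    return problems


def association_policy(app_arn, web_acl_arn):
    """IAM policy with the four actions this page lists, scoped to the two resources.

    Resource-level scoping is this example's assumption; the page names only
    the actions, so widen the Resource fields if association is denied.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AssociateOnApp",
                "Effect": "Allow",
                "Action": "amplify:AssociateWebACL",
                "Resource": app_arn,
            },
            {
                "Sid": "AssociateOnWebAcl",
                "Effect": "Allow",
                "Action": [
                    "wafv2:AssociateWebACL",
                    "wafv2:PutPermissionPolicy",
                    "wafv2:GetPermissionPolicy",
                ],
                "Resource": web_acl_arn,
            },
        ],
    }


if __name__ == "__main__":
    # Constructed ARNs for a demo run.
    app = "arn:aws:amplify:us-west-2:123456789012:apps/d1example"
    acl = "arn:aws:wafv2:us-east-1:123456789012:global/webacl/amplify-acl/EXAMPLE-ID"
    print("problems:", preflight(app, acl))
    print(json.dumps(association_policy(app, acl), indent=2))
```

The preflight mirrors the two list items that most often trip up a first association: a web ACL created in a regional scope, which the console offers by default, and a web ACL that lives in a different account than the app.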

Firewall preview limitations

The preview Firewall release has the following limitations.

  1. During the preview period, Amplify supports partial integration with CloudTrail. Some management events during web ACL association will not appear in the CloudTrail logs.

  2. During preview, when your web ACL is associated with an Amplify resource, this new Amplify resource will not display in the Associated AWS resources in the AWS WAF console. You can use the Amplify GetApp API to display the web ACL associated with an app. You can associate and disassociate the Amplify resource from the Firewall by navigating to the Firewall page for an app in the Amplify Hosting console.

  3. During preview, AWS Config integration will not be available.

  4. The Firewall feature is not available in the opt-in regions where Amplify exists today: Asia Pacific (Hong Kong) (ap-east-1), Europe (Milan) (eu-south-1), and Middle East (Bahrain) (me-south-1).

Firewall pricing

During the preview, you will only incur utilization-based charges from the AWS WAF service. AWS WAF charges $5/month per web ACL and $1 per rule, among other charges. At a minimum, you will pay $7 for this integration, assuming you have one web ACL with two rules. For pricing details, see AWS WAF Pricing.

The Firewall capabilities will require subscribing to a new Amplify Hosting advanced tier at GA and it will include additional features at launch. During the preview, enabling the Firewall will auto-subscribe you to this advanced tier, but there will be no additional charge until the Firewall feature becomes generally available. At any time, you can remove the Firewall and you will not be charged post GA. The pricing details for this tier will be communicated at GA. There are no commitments or upfront investments.