CLOUD SECURITY · AWS · DEFENSE IN DEPTH

Securing a Public Website in AWS Using a Layered Defense Model

2026-02-28 · 8 min read · Tags: CloudFront, AWS WAF, CloudWatch, SNS

When deploying a public website in AWS, the real work begins after the infrastructure is live. Hosting is simple. Securing it properly requires intention, architecture, and continuous visibility.

Recently, a layered security model was implemented for a website hosted in AWS. The objective was not just to enable AWS WAF, but to design prevention, monitoring, and alerting directly into the environment. This article walks through the approach and explains the purpose behind each control.

Step 1: Placing the Website Behind CloudFront

The website is delivered through Amazon CloudFront rather than directly exposing the S3 origin. This provides several immediate benefits:

  • TLS termination at the edge
  • Global content delivery
  • Built-in DDoS protection via AWS Shield Standard
  • Reduced origin exposure

By routing all traffic through CloudFront, the origin bucket is no longer directly reachable from the public internet. This significantly reduces attack surface and enforces centralized traffic inspection.

CloudFront becomes the controlled gateway.
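An added example (not code from the article) of the origin lock-down that makes the bucket unreachable except through the distribution: an S3 bucket policy that grants object reads only to the CloudFront service principal and pins the grant to one distribution, plus a check that flags a bucket policy still granting anonymous reads. It assumes the distribution reads the bucket through Origin Access Control (the article does not say how the origin was restricted), and the bucket name, account id and distribution id are placeholders.

```python
"""Added example (not from the article): an S3 origin bucket policy that only
lets one CloudFront distribution read objects, plus a check for policies that
still allow anonymous public reads. Identifiers below are placeholders."""
import json

# Placeholder identifiers (constructed; substitute your own values).
BUCKET_NAME = "example-site-origin-bucket"
ACCOUNT_ID = "123456789012"
DISTRIBUTION_ID = "EXAMPLEDISTID"


def cloudfront_only_bucket_policy(bucket: str, account_id: str, distribution_id: str) -> dict:
    """Bucket policy for an S3 origin fronted by CloudFront with Origin Access Control.

    The only principal allowed to read objects is the CloudFront service, and the
    AWS:SourceArn condition restricts that grant to one specific distribution, so
    neither the public internet nor another account's distribution can read the
    bucket directly.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowCloudFrontServicePrincipalReadOnly",
                "Effect": "Allow",
                "Principal": {"Service": "cloudfront.amazonaws.com"},
                "Action": "s3:GetObject",
                "Resource": f"arn:aws:s3:::{bucket}/*",
                "Condition": {
                    "StringEquals": {
                        "AWS:SourceArn": f"arn:aws:cloudfront::{account_id}:distribution/{distribution_id}"
                    }
                },
            }
        ],
    }


def find_public_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that grant object reads to everyone.

    A statement counts as public when its principal is the wildcard, it grants a
    read action, and it carries no Condition narrowing who may use it.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*"
        )
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        grants_read = any(a in ("s3:GetObject", "s3:*", "*") for a in actions)
        if is_wildcard and grants_read and not stmt.get("Condition"):
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    policy = cloudfront_only_bucket_policy(BUCKET_NAME, ACCOUNT_ID, DISTRIBUTION_ID)
    print(json.dumps(policy, indent=2))
    print("public read statements:", find_public_read_statements(policy))
```

Together with "Block Public Access" left enabled on the bucket, this is what turns "behind CloudFront" from a routing choice into an enforced one: a request that skips the distribution has no principal the policy will accept.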

Step 2: Enforcing Inspection with AWS WAF

The next layer involved attaching an AWS WAF Web ACL directly to the CloudFront distribution. This ensures that every incoming request is evaluated before reaching the application.

The Web ACL was configured using AWS Managed Rule Groups, including:

  • Amazon IP reputation list
  • Known bad inputs rule set
  • Common exploit pattern detection

These managed rule groups automatically block common threats such as SQL injection attempts, malicious payload injections, exploit signatures, and traffic from known malicious IP addresses.

The purpose of using managed rules is to benefit from continuously updated threat intelligence without manually maintaining detection patterns. Rules were configured to block malicious requests rather than only count them. This shifts protection from passive monitoring to active prevention.

Step 3: Enabling Advanced Distribution Protections

Enhanced distribution-level protections were enabled to ensure the CloudFront distribution enforces attached security policies. This configuration ensures that a Web ACL must be attached, traffic cannot bypass inspection, and enforcement stays centralized at the edge.

This guarantees that security rules are not optional or accidentally detached.
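An added example, not the article's own configuration, showing what the Web ACL of Steps 2 and 3 looks like as a create-web-acl request body for the three managed rule groups named above, together with a validator that flags the misconfigurations the text warns against: a managed group overridden to Count (monitoring only), an ACL not scoped to CloudFront, and rules with metrics switched off. The ACL name is a placeholder; the first two group identifiers follow directly from the names in the article, and the third ("common exploit pattern detection") is assumed to be the Core rule set, AWSManagedRulesCommonRuleSet.

```python
"""Added example (not the article's own configuration): a WAFv2 Web ACL
definition for a CloudFront distribution using the three AWS managed rule
groups the article lists, plus a validator for common misconfigurations.
Names are placeholders. Save build_web_acl()'s output and pass it with
`aws wafv2 create-web-acl --cli-input-json file://acl.json --region us-east-1`;
the CLOUDFRONT scope is always managed in us-east-1."""
import json

# Vendor identifiers of the managed rule groups named in the article.
MANAGED_RULE_GROUPS = [
    "AWSManagedRulesAmazonIpReputationList",  # Amazon IP reputation list
    "AWSManagedRulesKnownBadInputsRuleSet",   # Known bad inputs
    "AWSManagedRulesCommonRuleSet",           # Common exploit patterns (assumed: Core rule set)
]


def managed_rule(group: str, priority: int, count_only: bool = False) -> dict:
    """One Web ACL rule that references an AWS managed rule group.

    OverrideAction None keeps the group's own Block actions. Count demotes the
    whole group to monitoring, which is exactly what the article avoids.
    """
    return {
        "Name": f"AWS-{group}",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,  # per-rule BlockedRequests metrics
            "MetricName": group,
        },
    }


def build_web_acl(acl_name: str, count_only_groups: tuple = ()) -> dict:
    """Request body for create-web-acl: default action allows, managed groups block."""
    return {
        "Name": acl_name,
        "Scope": "CLOUDFRONT",
        "DefaultAction": {"Allow": {}},
        "Rules": [
            managed_rule(group, priority, count_only=group in count_only_groups)
            for priority, group in enumerate(MANAGED_RULE_GROUPS)
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,  # ACL-level metric the alarm in Step 5 watches
            "MetricName": acl_name,
        },
    }


def validate_web_acl(web_acl: dict) -> list:
    """Return human-readable findings; an empty list means the ACL matches the intent above."""
    findings = []
    if web_acl.get("Scope") != "CLOUDFRONT":
        findings.append("scope is not CLOUDFRONT; the ACL cannot be attached to a distribution")
    rules = web_acl.get("Rules", [])
    if not rules:
        findings.append("no rules: the ACL allows everything")
    priorities = [r["Priority"] for r in rules]
    if len(priorities) != len(set(priorities)):
        findings.append("duplicate rule priorities")
    for rule in rules:
        if "Count" in rule.get("OverrideAction", {}):
            findings.append(f"{rule['Name']} is in Count mode and will never block")
        if not rule.get("VisibilityConfig", {}).get("CloudWatchMetricsEnabled"):
            findings.append(f"{rule['Name']} has metrics disabled; its blocks will not be reported")
    return findings


if __name__ == "__main__":
    acl = build_web_acl("public-site-web-acl")
    print(json.dumps(acl, indent=2))
    print("findings:", validate_web_acl(acl))
```

The validator is the useful half: run it against the output of `aws wafv2 get-web-acl` periodically, and a rule group that someone quietly switched to Count during troubleshooting shows up as a finding instead of as a silent gap in protection.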

Step 4: Logging for Visibility

Blocking traffic without visibility creates blind spots. To address this, WAF logging was enabled and directed to CloudWatch Logs. This allows review of blocked and allowed requests, pattern identification, auditability, and threat analysis.

Visibility is a core component of modern cloud security. Prevention alone is not enough without insight into what is being blocked.

Step 5: Monitoring with CloudWatch Metrics

Monitoring was configured using the WAFv2 metric BlockedRequests. A CloudWatch alarm was created to trigger when blocked requests exceed a defined threshold within a five-minute evaluation period.

The purpose of this threshold-based monitoring is to detect abnormal spikes in malicious activity, avoid alert fatigue, and identify coordinated attack attempts. Monitoring transforms static protection into a dynamic detection system.

Step 6: Automated Alerts with SNS

An Amazon SNS topic was integrated with the CloudWatch alarm to send real-time email notifications when the alarm enters the ALARM state. This completes the detection and response loop. The environment now:

  • Blocks malicious traffic
  • Logs activity
  • Monitors attack trends
  • Notifies immediately when abnormal behavior occurs

Prevention and awareness work together.
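An added example, not code from the article, that ties Steps 4, 5 and 6 together on constructed data: it parses WAF log records of the shape that lands in CloudWatch Logs (the destination log group's name must begin with aws-waf-logs-), summarizes what was blocked and by which rule, rolls the blocks into the five-minute Sum that the AWS/WAFV2 BlockedRequests metric reports, evaluates a threshold alarm using simplified CloudWatch semantics, and renders the kind of plain-text message SNS emails on a state change. The log lines are constructed and trimmed to the fields used; the Web ACL name is a placeholder.

```python
"""Added example (not from the article): parse WAF log records as delivered to
CloudWatch Logs, summarize blocked traffic, roll blocks up into the 5-minute
Sum that the AWS/WAFV2 BlockedRequests metric reports, evaluate a threshold
alarm the way CloudWatch does, and render the message SNS would email.
All log lines are constructed; field names follow the WAF log format."""
import json
from collections import Counter, defaultdict

PERIOD_SECONDS = 300  # the article's five-minute evaluation period
BASE = 1699999800     # constructed epoch-seconds start of a period (a multiple of 300)


def constructed_log_line(ts: int, action: str, rule: str, ip: str, uri: str) -> str:
    """Emit one constructed WAF log record; real records carry many more fields."""
    return json.dumps({
        "timestamp": ts * 1000,        # WAF logs use epoch milliseconds
        "action": action,              # ALLOW, BLOCK, COUNT, ...
        "terminatingRuleId": rule,     # the Web ACL rule that decided the request
        "httpRequest": {"clientIp": ip, "uri": uri, "country": "US"},
    })


# Constructed traffic: one block in the first period, a burst from one address in the second.
SAMPLE_WAF_LOG = [
    constructed_log_line(BASE + 5,   "ALLOW", "Default_Action", "203.0.113.10", "/index.html"),
    constructed_log_line(BASE + 40,  "BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "198.51.100.7", "/search"),
    constructed_log_line(BASE + 310, "BLOCK", "AWS-AWSManagedRulesKnownBadInputsRuleSet", "198.51.100.7", "/login"),
    constructed_log_line(BASE + 320, "BLOCK", "AWS-AWSManagedRulesKnownBadInputsRuleSet", "198.51.100.7", "/admin"),
    constructed_log_line(BASE + 330, "BLOCK", "AWS-AWSManagedRulesAmazonIpReputationList", "198.51.100.7", "/"),
    constructed_log_line(BASE + 340, "BLOCK", "AWS-AWSManagedRulesCommonRuleSet", "198.51.100.7", "/api/items"),
    constructed_log_line(BASE + 350, "ALLOW", "Default_Action", "203.0.113.11", "/about.html"),
]


def parse_waf_log(lines):
    """Keep only the fields needed for review: time, decision, rule, source, path."""
    records = []
    for line in lines:
        rec = json.loads(line)
        records.append({
            "ts": rec["timestamp"] // 1000,
            "action": rec["action"],
            "rule": rec.get("terminatingRuleId", "Default_Action"),
            "client_ip": rec["httpRequest"]["clientIp"],
            "uri": rec["httpRequest"]["uri"],
        })
    return records


def blocked_summary(records):
    """What was blocked, by which rule and from where: the review Step 4 makes possible."""
    blocked = [r for r in records if r["action"] == "BLOCK"]
    return {
        "total_blocked": len(blocked),
        "by_rule": Counter(r["rule"] for r in blocked),
        "by_ip": Counter(r["client_ip"] for r in blocked),
    }


def blocked_per_period(records, period=PERIOD_SECONDS):
    """Sum of BLOCK decisions per period keyed by period start: the BlockedRequests Sum datapoints."""
    buckets = defaultdict(int)
    for r in records:
        if r["action"] == "BLOCK":
            buckets[r["ts"] - r["ts"] % period] += 1
    return dict(sorted(buckets.items()))


def evaluate_alarm(datapoints, threshold, evaluation_periods=1, datapoints_to_alarm=None):
    """Simplified CloudWatch semantics: ALARM when at least datapoints_to_alarm of the
    last evaluation_periods datapoints are greater than the threshold."""
    if datapoints_to_alarm is None:
        datapoints_to_alarm = evaluation_periods
    window = datapoints[-evaluation_periods:]
    breaches = sum(1 for v in window if v > threshold)
    return "ALARM" if breaches >= datapoints_to_alarm else "OK"


def alarm_message(acl_name, state, latest, threshold):
    """Plain-text body of the kind SNS delivers to email subscribers on a state change."""
    return (f"{state}: WAF BlockedRequests alarm for Web ACL {acl_name}\n"
            f"Sum over the last {PERIOD_SECONDS // 60} minutes: {latest} (threshold > {threshold}).")


if __name__ == "__main__":
    records = parse_waf_log(SAMPLE_WAF_LOG)
    print(blocked_summary(records))
    series = list(blocked_per_period(records).values())
    state = evaluate_alarm(series, threshold=3)
    print(alarm_message("public-site-web-acl", state, series[-1], 3))
```

The evaluation_periods and datapoints_to_alarm knobs are where alert fatigue is tuned: with a threshold of 3 the constructed burst fires on a single period, but requiring two breaching periods out of two keeps the same burst in OK, trading a few minutes of latency for fewer notifications on one-off scanner noise.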

Defense in Depth in Practice

This layered approach includes edge protection through CloudFront, threat filtering through AWS WAF, managed rule intelligence, centralized logging, metric-based monitoring, and automated alerting.

Each layer serves a specific purpose. Together, they create resilience. Cloud security is not about adding a single service. It is about designing systems where controls reinforce one another.

Why This Matters

Public-facing applications are continuously scanned and probed. Even small personal or portfolio websites are not invisible to automated reconnaissance. Building layered protection from the beginning establishes reduced attack surface, continuous visibility, measurable detection capability, and automated response triggers.

Security should not be an afterthought. It should be part of the architecture.

Final Thoughts

Deploying a website in AWS is straightforward. Designing a secure, monitored, and enforceable architecture requires deeper thinking. By combining CloudFront, AWS WAF, managed rule policies, logging, monitoring, and alerting, it is possible to build a strong and scalable baseline for web application protection.

Security is not a feature you enable. It is a posture you design.

Resources and Documentation