Ensure Geo-Restriction is enabled within CloudFront distribution

Security & Compliance

To safeguard your web application content, enable AWS CloudFront geo restriction for your Amazon CloudFront CDN distribution. With this feature, you can block or allow users in specific locations from accessing your content by blocking IP addresses based on Geo IP. This can help in preventing Distributed Denial of Service (DDoS) attacks and also provides the ability to limit access to your content in specific geographical regions.


To ensure that your Amazon CloudFront CDN distribution is protected against unauthorized access, follow these steps to enable geo-restriction:

  1. Open the Amazon CloudFront console.
  2. Select the distribution for which you want to enable geo-restriction.
  3. Choose the "Behaviors" tab and click "Create Behavior" or select an existing behavior and click "Edit".
  4. Under "Restrict Viewer Access (Use Signed URLs or Signed Cookies)", choose "Yes".
  5. Select "Geo-Restriction" and choose "Yes, Whitelist or blacklist countries".
  6. Choose the option that suits your requirements, either "Whitelist" to allow access to specific countries, or "Blacklist" to block access from specific countries.
  7. Enter the country codes for the countries you want to allow or block.
  8. Click "Create" or "Save Changes" to save your changes.

Once geo-restriction is enabled, CloudFront will block or allow traffic based on the country of origin of the request. This helps to protect your content from unauthorized access and can also assist in mitigating DDoS attacks.

Enforced Resources
Note: Remediation steps provided by Lightlytics are meant to be suggestions and guidelines only. It is crucial to thoroughly verify and test any remediation steps before applying them to production environments. Each organization's infrastructure and security needs may differ, and blindly applying suggested remediation steps without proper testing could potentially cause unforeseen issues or vulnerabilities. Therefore, it is strongly recommended that you validate and customize any remediation steps to meet your organization's specific requirements and ensure that they align with your security policies and best practices.