• Use CloudFront geo restriction to allow traffic only from the countries where you do business and block requests from all other countries. Geo restriction is decided from the viewer's IP address, so it is a coarse filter that cuts down attack surface, not an authentication control.
  • Attach an AWS WAF web ACL to the CloudFront distribution that blocks the most common classes of attack (the AWS managed rule groups for the core rule set, known bad inputs and IP reputation lists are the usual starting point).
  • Use field-level encryption as an additional layer of protection for sensitive data such as PII or payment card numbers: CloudFront encrypts the selected POST fields at the edge with a public key you upload, so they stay encrypted through the origin until the component that holds the private key decrypts them.
  • If an ELB or EC2 instance is the origin, allow access to it from CloudFront only. Nobody should be able to connect to the ELB or EC2 instance directly, because that bypasses the WAF, geo restriction and signed URL checks above. Enforce that with both of the following, because neither one is sufficient alone:
    • Reference the AWS managed prefix list "com.amazonaws.global.cloudfront.origin-facing" in the origin's security group so that only CloudFront's origin-facing IP ranges can reach it. This list covers every CloudFront distribution, not just yours, so on its own it only proves that a request came through CloudFront.
    • Configure CloudFront to add a secret custom header to every origin request (an origin custom header) and check for it in the Application Load Balancer listener rules: forward the request to the target group only when the header is present with the expected value, and return a fixed 403 response otherwise. Treat the header value as a secret and rotate it. Classic Load Balancers and NLBs cannot inspect headers, so with those the check has to live in the application.
  • Always use HTTPS: set the viewer protocol policy to redirect-to-https (or https-only) and the origin protocol policy to https-only, so the connection is encrypted both from viewer to edge and from edge to origin.
  • Restrict access to private CloudFront content with signed URLs or signed cookies (trusted key groups), so that only a client holding a valid, unexpired signature can fetch it. Signed URLs suit individual files; signed cookies suit many files that share one access decision.
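The origin-locking steps above (managed prefix list plus a secret origin header) together with the HTTPS-only protocol policies, as an added Terraform example that is not part of the original page. The VPC ID, the ACM certificate, the existing load balancer and target group (aws_lb.app, aws_lb_target_group.app) and the header name X-Origin-Verify are assumptions; the prefix list name and the Managed-* policy names are AWS's own.

```hcl
# Added example, not from the original page. Assumed to exist elsewhere in the
# configuration: var.vpc_id, var.alb_cert_arn, aws_lb.app, aws_lb_target_group.app.
variable "origin_secret" {
  description = "Random secret CloudFront sends in X-Origin-Verify; keep out of source control and rotate"
  type        = string
  sensitive   = true
}

# Layer 1: only CloudFront's origin-facing IP ranges may reach the ALB.
data "aws_ec2_managed_prefix_list" "cloudfront" {
  name = "com.amazonaws.global.cloudfront.origin-facing"
}

resource "aws_security_group" "alb" {
  name        = "alb-cloudfront-only"
  description = "Inbound HTTPS from CloudFront origin-facing ranges only"
  vpc_id      = var.vpc_id
  ingress {
    from_port       = 443
    to_port         = 443
    protocol        = "tcp"
    prefix_list_ids = [data.aws_ec2_managed_prefix_list.cloudfront.id]
  }
  egress { # ALB still needs to reach its targets
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Layer 2, CloudFront side: add the secret header, speak HTTPS only to the origin.
data "aws_cloudfront_cache_policy" "no_cache" {
  name = "Managed-CachingDisabled"
}
data "aws_cloudfront_origin_request_policy" "viewer" {
  name = "Managed-AllViewerExceptHostHeader"
}

resource "aws_cloudfront_distribution" "site" {
  enabled = true
  origin {
    domain_name = aws_lb.app.dns_name
    origin_id   = "alb"
    custom_origin_config {
      http_port              = 80
      https_port             = 443
      origin_protocol_policy = "https-only"   # edge-to-origin is always TLS
      origin_ssl_protocols   = ["TLSv1.2"]
    }
    custom_header {                           # proves this distribution sent the request
      name  = "X-Origin-Verify"
      value = var.origin_secret
    }
  }
  default_cache_behavior {
    target_origin_id         = "alb"
    viewer_protocol_policy   = "redirect-to-https"   # viewer-to-edge is always TLS
    allowed_methods          = ["GET", "HEAD", "OPTIONS"]
    cached_methods           = ["GET", "HEAD"]
    cache_policy_id          = data.aws_cloudfront_cache_policy.no_cache.id
    origin_request_policy_id = data.aws_cloudfront_origin_request_policy.viewer.id
  }
  restrictions {
    geo_restriction { restriction_type = "none" }
  }
  viewer_certificate { cloudfront_default_certificate = true }
}

# Layer 2, origin side: default action is 403; only requests carrying the
# correct header value are forwarded to the target group.
resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.app.arn
  port              = 443
  protocol          = "HTTPS"
  certificate_arn   = var.alb_cert_arn
  default_action {
    type = "fixed-response"
    fixed_response {
      content_type = "text/plain"
      status_code  = "403"
      message_body = "Forbidden"
    }
  }
}

resource "aws_lb_listener_rule" "from_cloudfront" {
  listener_arn = aws_lb_listener.https.arn
  priority     = 10
  condition {
    http_header {
      http_header_name = "X-Origin-Verify"
      values           = [var.origin_secret]
    }
  }
  action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.app.arn
  }
}
```

Two points to keep in mind when applying this. The prefix list admits traffic from any CloudFront distribution, including other customers' ones, which is exactly why the header rule is the part that ties the origin to your distribution; conversely the header alone is weak once its value leaks, so rotate it (a Secrets Manager secret with a rotation Lambda that updates both the distribution and the listener rule is the usual pattern). The CloudFront prefix list is large and consumes a correspondingly large share of the security group rule quota, so check the quota in the target account before relying on it.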