Why You Should be Excited about the Managed Prefix List for CloudFront from AWS


Early this year, AWS announced that a managed prefix list can now be used with Amazon CloudFront to limit inbound HTTP/HTTPS traffic to your origins to only the IP addresses that belong to CloudFront’s origin-facing servers. This comes at no additional fee. Let’s understand why this is important to you.

A prefix list is a collection of CIDR blocks that makes it easier to configure and maintain security groups and route tables.

Prefix lists are used to permit configured prefixes based on matching conditions. Each entry in a prefix list consists of an IP address (which can be a subnet or a single host route) and a bitmask. Any traffic that does not match a prefix-list entry is automatically denied, which allows you to limit access to your origins using the Prefix List. Infrastructure architects are calling this “a long-awaited feature” as it simplifies app protection.

This feature means an enterprise no longer has to maintain a prefix list itself, as CloudFront keeps the managed prefix list up to date. It also means the managed prefix list can be referenced in Amazon Virtual Private Cloud (VPC) security group rules, subnet route tables, common security group rules, or any other AWS resource that uses a managed prefix list.

So, what are the benefits of a prefix list?

It simplifies security administration

This feature makes it easier to maintain the security status of your networks, information, systems, and routing behaviors. For example, enterprises can create a prefix list from the IP addresses that are frequently used, and reference them as a set in security group rules rather than do so individually.

It makes audits easier

Because you are consolidating multiple security group rules into a single rule by using a Prefix List, you will be auditing a single item. It’s essentially having to deal with fewer moving parts. You can centrally configure managed Prefix Lists across all AWS accounts.

It offers homogeneity

Incorporating Prefix Lists into your network security policy means you don’t have to update multiple rules in multiple security groups. You just update the Prefix List, and the changes will be applied to all security groups.

It helps with troubleshooting

If a non-existent Prefix List ID is accidentally entered into a security group rule, for example, an error will be triggered, preventing further configuration. This can help prevent hours of troubleshooting. So, though the CIDR block still has to be entered correctly in the Prefix List, you only have to do it once, and if there is an error, it can be corrected immediately.

It allows for network scaling and hybrid networking

You can also share your Prefix Lists with external principals such as AWS accounts, AWS Organizations, and so on. Also, while you may start with an isolated AWS environment you may find later that you need to integrate with on-premises or non-AWS environments. Prefix Lists help you do that efficiently.

Prefix Lists also allow for easy referencing of external networks, such as the corporate office, branch offices, and data centers.

How can it be used in security groups?

Enterprises can use the managed prefix list as part of inbound rules in security groups that attach to origin resources. This makes it easier and faster to configure and maintain security groups and route tables. You can, for example, create a prefix list from frequently used IP addresses and reference them as a set in security group rules and routes instead of doing so individually.
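The audit below is an added example, not code from AWS or from the original article. It checks that an origin's inbound HTTP/HTTPS rules reference only the CloudFront managed prefix list. It assumes input in the shape of the EC2 DescribeSecurityGroups response; the function names, the group IDs and the pl-EXAMPLE prefix list ID are hypothetical placeholders.

```python
# Added example: audit origin security groups for web ports reachable
# from sources other than the CloudFront managed prefix list.
WEB_PORTS = {80, 443}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}
# Placeholder ID (assumption). Look up the real ID of the prefix list named
# com.amazonaws.global.cloudfront.origin-facing in your Region.
CLOUDFRONT_PL = "pl-EXAMPLE"

def covers_web_port(perm):
    """True if the rule's protocol and port range include 80 or 443."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # all protocols, all ports
        return True
    if proto != "tcp":
        return False
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return any(lo <= port <= hi for port in WEB_PORTS)

def audit_origin_groups(groups, cloudfront_pl_id=CLOUDFRONT_PL):
    """Return (group_id, finding, source) per web-port source that is not the CloudFront list."""
    findings = []
    for sg in groups:
        for perm in sg.get("IpPermissions", []):
            if not covers_web_port(perm):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:  # any CIDR source lets traffic bypass CloudFront
                kind = "open-to-world" if cidr in ANY_SOURCE else "extra-cidr"
                findings.append((sg["GroupId"], kind, cidr))
            for pl in perm.get("PrefixListIds", []):
                if pl["PrefixListId"] != cloudfront_pl_id:
                    findings.append((sg["GroupId"], "other-prefix-list", pl["PrefixListId"]))
    return findings

def web_rule(lo, hi, cidrs=(), prefix_lists=()):
    """Build one constructed tcp rule in DescribeSecurityGroups shape."""
    return {"IpProtocol": "tcp", "FromPort": lo, "ToPort": hi,
            "IpRanges": [{"CidrIp": c} for c in cidrs],
            "PrefixListIds": [{"PrefixListId": p} for p in prefix_lists]}

# Constructed sample data (not real groups).
SAMPLE_GROUPS = [
    {"GroupId": "sg-good", "IpPermissions": [web_rule(443, 443, prefix_lists=[CLOUDFRONT_PL])]},
    {"GroupId": "sg-bypass", "IpPermissions": [
        web_rule(443, 443, cidrs=["0.0.0.0/0"], prefix_lists=[CLOUDFRONT_PL]),
        web_rule(22, 22, cidrs=["203.0.113.0/24"])]},
    {"GroupId": "sg-range", "IpPermissions": [web_rule(0, 1024, cidrs=["198.51.100.7/32"])]},
]
```

Calling audit_origin_groups(SAMPLE_GROUPS) flags sg-bypass, where a 0.0.0.0/0 rule sits beside the prefix list and cancels its effect, and sg-range, whose wide port range covers 80 and 443 from a plain CIDR.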

What about Lambda@Edge customization?

Lambda@Edge is an extension of AWS Lambda that lets you customize the content CloudFront delivers.

There are primarily three benefits:

  • It is possible to automatically scale and run code in several AWS locations without managing multiple origin servers
  • High performance and low latency are guaranteed
  • Content and execution time are customized based on application performance needs