Geo restricting with AWS Amplify and AWS CloudFront
**Please describe which feature you have a question about?** Since AWS Amplify already uses CloudFront, why isn't there an option to restrict web apps under the Amplify console?
**Provide additional details** Is it even possible? If yes, how do I achieve this? I have an application on AWS Amplify and it's working perfectly. However, I need to geo restrict access to the application!
@arximughal have you tried this: https://docs.aws.amazon.com/amplify/latest/userguide/redirects.html#region-based-redirects
Understanding the requirements better: The ask is to provide a way to restrict access to a certain geography.
Yeah. The problem I was facing was that I wanted to geo-restrict the access to the application deployed via Amplify. I still can't find an option inside AWS Amplify console where I can do just that!
I'm facing this problem too, I need to restrict access for users from some countries
I have this in my Rewrites and redirects rules:
```json
[
  {
    "source": "<*>",
    "target": "/access_denied.html",
    "status": "200",
    "condition": "<MA>"
  },
  {
    "source": "<*>",
    "target": "/access_denied.html",
    "status": "200",
    "condition": "<KE>"
  },
  {
    "source": "<*>",
    "target": "/access_denied.html",
    "status": "200",
    "condition": "<TN>"
  },
  {
    "source": "<*>",
    "target": "/access_denied.html",
    "status": "200",
    "condition": "<NG>"
  },
  {
    "source": "</^[^.]+$|\\.(?!(css|gif|ico|jpg|js|png|txt|svg|woff|ttf|map|json)$)([^.]+$)/>",
    "target": "/index.html",
    "status": "200",
    "condition": null
  },
  {
    "source": "/<*>",
    "target": "/index.html",
    "status": "404",
    "condition": null
  }
]
```
But it doesn't seem to be working. It works for some countries, for example, if I put US or RU it works, but not for Morocco, for example.
Any update on this? We're facing the same issue, we need to restrict certain countries from using the app.
This is a much needed feature - if Amplify allowed exposing most of the configs for the underlying CloudFront distro that would be perfect for a lot of these issues
Hello there! I need to georestrict my Amplify deployment to US only. I'm considering creating a new CloudFront distribution with my custom domain so I can set up the georestriction. I'd need to associate the new CloudFront distribution with the AWS Amplify app somehow... I imagine there's a way to do so using "Origins" tab in the CloudFront distro. Can someone sanity check this approach? Thank you!
@vighnesh1987 this might help: https://docs.aws.amazon.com/amplify/latest/userguide/redirects.html#region-based-redirects
I have yet to discover any other concurrent way to achieve this within the Amplify console.
I figured out how to do this properly. When I deployed my app via Amplify, a CloudFront distribution was automatically created. I confirmed that my app was loading on the URL of that CloudFront distribution. I believe that this is the underlying CloudFront distro that Amplify is using. This was something I was able to verify when I saw the CloudFront distro URL inside my "Rewrites and Redirects" settings tab in Amplify.
Then I removed my custom domain from the Amplify domain management settings screen. And ported over the custom domain to Route53 and pointed it to the CloudFront distro. Then I set georestrictions inside the CloudFront distro settings to achieve the georestrictions I wanted. I was able to verify those georestrictions on my custom domain.
tldr; Amplify does expose all of the underlying CloudFront settings however it doesn't clearly link back to the CloudFront distro it's using under the hood (but hints at it inside the Rewrites and Redirects panel)
Major unknown here is whether Amplify guarantees that the CloudFront distro will remain the same across deploys – I hope so!
With the new OFAC law put forth in June this year, and going into effect September 12th, Amplify really does need a way to allow us to block countries (in this case, Russia). Businesses on AWS will be on the hook for providing cloud services to Russia.
@mauerbac Is this something you can fast-track to the Amplify team? It's critical from a legal standpoint.
Just spoke with the team. As mentioned in other GitHub issues, we are working on a proper AWS WAF integration but we don't have an exact timeline for this. I'm hoping by end of year. With WAF you can set up geo restrictions.
In the meantime, you could create a Redirect Rule using Country Codes. This is already supported today. For example, you can create the following rule to redirect users coming from Russia to a blocked.html page.
```json
{
  "source": "/<*>",
  "status": "302",
  "target": "/blocked.html",
  "condition": "<RU>"
}
```
This site should block you from the USA: https://cmh.fdingler.com/.
I will call out that anything regarding rules and regulations is up to your organization to make that call if it covers that restriction properly. So I'm not 100% sure if this will meet your needs. I think our WAF integration is the easiest solution here, but I know it's not available yet.
@mauerbac Thanks, Matt! I'll give the above redirect rule a try and test it out. As long as we have some mechanism to block, that'll be perfect.
Unfortunately, the solution you gave results in an infinite redirect loop, but maybe it has to do with us having multiple redirect rules (we need this other one since our app is an SPA):
```json
[
  {
    "condition": "<RU>",
    "source": "/<*>",
    "status": "302",
    "target": "/blocked.html"
  },
  {
    "source": "</^[^.]+$|\\.(?!(css|gif|ico|jpg|js|png|txt|svg|woff|woff2|ttf|map|json|xml|webmanifest)$)([^.]+$)/>",
    "status": "200",
    "target": "/index.html"
  }
]
```
Any guidance would be appreciated!
Could you try this?
```json
[
  {
    "source": "/blocked.html",
    "status": "200",
    "target": "/blocked.html"
  },
  {
    "condition": "<RU>",
    "source": "/<*>",
    "status": "302",
    "target": "/blocked.html"
  },
  {
    "source": "</^[^.]+$|\\.(?!(css|gif|ico|jpg|js|png|txt|svg|woff|woff2|ttf|map|json|xml|webmanifest)$)([^.]+$)/>",
    "status": "200",
    "target": "/index.html"
  }
]
```
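To make the redirect loop in the two rule sets above concrete, here is an added simulation (not Amplify's code, and not from anyone in this thread) of top-to-bottom, first-match rule evaluation; the evaluation order and the way `/<*>`, exact and `</regex/>` sources are matched are my assumptions read off the rule syntax shown, so confirm against a real deployment.

```python
import re

# Assumed model of Amplify "Rewrites and redirects": rules are checked top to
# bottom, first match wins; a 200 rule serves its target, a 301/302 rule sends
# the browser to its target, which is then evaluated again as a fresh request.

# Rule bodies copied from the thread (regex unescaped from its JSON form).
SPA_REGEX = r"</^[^.]+$|\.(?!(css|gif|ico|jpg|js|png|txt|svg|woff|woff2|ttf|map|json|xml|webmanifest)$)([^.]+$)/>"
RU_REDIRECT = {"condition": "<RU>", "source": "/<*>", "status": "302", "target": "/blocked.html"}
SPA_REWRITE = {"source": SPA_REGEX, "status": "200", "target": "/index.html"}
SERVE_BLOCKED = {"source": "/blocked.html", "status": "200", "target": "/blocked.html"}

LOOPING_RULES = [RU_REDIRECT, SPA_REWRITE]               # order that loops
FIXED_RULES = [SERVE_BLOCKED, RU_REDIRECT, SPA_REWRITE]  # exact match placed first


def source_matches(source: str, path: str) -> bool:
    """Assumed matching: </regex/>, a <*> wildcard suffix, or an exact path."""
    if source.startswith("</") and source.endswith("/>"):
        return re.search(source[2:-2], path) is not None
    if source.endswith("<*>"):
        return path.startswith(source[:-3])
    return source == path


def condition_matches(condition, country: str) -> bool:
    """A '<RU>'-style condition matches that country; no condition matches all."""
    return condition is None or condition.strip("<>") == country


def first_match(rules, path: str, country: str):
    for rule in rules:
        if source_matches(rule["source"], path) and condition_matches(rule.get("condition"), country):
            return rule
    return None


def resolve(rules, path: str, country: str, max_hops: int = 5):
    """Follow one request through the rules. Returns (served_path, status) or ('LOOP', 302)."""
    for _ in range(max_hops):
        rule = first_match(rules, path, country)
        if rule is None:
            return path, 200                  # nothing matched: serve the file as requested
        if rule["status"] == "200":
            return rule["target"], 200        # rewrite: served under the original URL
        if rule["status"] in ("301", "302"):
            path = rule["target"]             # redirect: browser asks again for the target
            continue
        return rule["target"], int(rule["status"])
    return "LOOP", 302                        # the redirect chain never terminates
```

Under these assumptions a RU visitor's request for `/blocked.html` is itself caught by the `/<*>` rule in the first set, which is the loop; the reordered set serves it directly, though the thread reports that it still failed in practice, so treat this as an explanation of the loop rather than proof of the fix.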
@mauerbac Unfortunately that didn't work either.
Geo restricting using redirects stopped working very recently. It has worked successfully for years. This week I've had 10 hits to my site from the only country code I have configured to be redirected:
Can you comment on why it stopped working and what will be done to resolve this? (Preferably first class support for Cloudflare WAF rules?)
We have about two weeks until the new US OFAC rules go into effect, and companies can be held liable. I'm glad that one of our apps served up via CloudFront + Lambda can take advantage of CloudFlare's geo blocking, but our Amplify app cannot.
It's not a huge deal, as we can manually code this block into our application. But our tiny dev team is kinda tied up at the moment and it'll be challenging to make it happen.
I'm going to open an AWS support ticket, and I'll report back if I arrive at a solution.
@ffxsam I was able to set up the rules as recommended by @mauerbac and successfully redirect the traffic from the US to blocked.html.
You can try it by accessing this app from the US: https://mainline.dvmbd00x72868.amplifyapp.com
I wonder what could be going on with your app. Is it possible that you have local routing on the web browser (e.g. react router) that is messing up the redirects?
@mbacchi it shouldn't have stopped working. Are you saying that you had a rule that redirected traffic away from your site, but now it doesn't?
@ferdingler So I would have a hard time saying it "stopped working" because I don't know how many requests are actually being made from RU to my site. But it certainly has allowed some requests to get through when that didn't happen in the past. As shown in my 2nd screenshot above the redirect rule exists (sending it to an external site,) and I haven't changed the rule since I created it at some point in the last few years. But I noticed these 10 requests that were from the RU even with this rule in place. It hasn't increased from 10 requests, but something happened where these requests were not in fact redirected.
> @ffxsam I was able to set up the rules as recommended by @mauerbac and successfully redirect the traffic from the US to blocked.html.
I'll give it another go! I went to your URL and saw a beer. Was that your block page? I would figure beer would be a positive thing. 😆
Got it! Thanks for your help, everyone!
@ferdingler Actually it appears to be that the rule is no longer working. Another 6 requests from RU in the last 2 days. Should I open a separate issue?