CloudFront & WAF Security Dashboard
This use case deploys a complete observability pipeline for an AWS CloudFront distribution protected by WAF. Two Terraform resources — rawtree_waf_ingestion and rawtree_cloudfront_ingestion — provision all the required AWS infrastructure (Firehose, Kinesis, IAM roles, S3 backup buckets) and wire logs into separate RawTree tables. The dashboard combines both data sources: WAF logs provide security visibility (blocked IPs, terminating rules, attack categories, geo-distribution of threats), while CloudFront real-time logs show traffic health (cache hit ratio, latency percentiles, status codes, bandwidth, edge locations). Together they give security and platform teams a single pane of glass for real-time traffic monitoring and attack detection.
Architecture
Setup Guide
1. Prerequisites
You need an existing CloudFront distribution with a WAFv2 Web ACL attached. The Terraform provider will create all the ingestion infrastructure (Firehose, Kinesis, IAM roles, S3 backup buckets).
Requires Terraform 1.0+, AWS credentials with admin-level access, and a RawTree account.
Terraform provider documentation →

2. Configure Providers
Set your RawTree credentials as environment variables. The AWS provider uses your default credentials or AWS_PROFILE.
$ export RAWTREE_API_KEY="rw_..."
$ export RAWTREE_ORG="your-org"
$ export RAWTREE_PROJECT="your-project"

3. Write Terraform Configuration
Create a main.tf with both ingestion resources. Each resource provisions its own Firehose delivery stream, IAM roles, and S3 backup bucket. WAF logs go to waf_logs, CloudFront real-time logs go to cloudfront_logs.
terraform {
  required_providers {
    aws     = { source = "hashicorp/aws", version = "~> 5.0" }
    rawtree = { source = "rawtreedb/rawtree" }
  }
}

provider "aws" { region = "us-east-1" }
provider "rawtree" {}

variable "web_acl_arn"     { type = string }
variable "distribution_id" { type = string }

resource "rawtree_waf_ingestion" "waf" {
  table       = "waf_logs"
  web_acl_arn = var.web_acl_arn
  region      = "us-east-1"
}

resource "rawtree_cloudfront_ingestion" "cf" {
  table           = "cloudfront_logs"
  distribution_id = var.distribution_id
  region          = "us-east-1"
}

4. Apply
Initialize and apply. Terraform will create ~10 AWS resources per ingestion pipeline (IAM roles, policies, Firehose streams, Kinesis stream, S3 buckets, CloudWatch log groups, WAF logging config, and CloudFront real-time log config).
$ terraform init
$ terraform apply \
    -var web_acl_arn="arn:aws:wafv2:us-east-1:123456789:global/webacl/my-acl/..." \
    -var distribution_id="E1ABCDEF123456"

5. Generate Traffic
Send mixed legitimate and attack traffic to your CloudFront distribution. The generate-traffic.sh script is included in the terraform-provider-rawtree repository under test/lab/.
# Mixed traffic (legit + attacks)
$ ./generate-traffic.sh your-distribution.cloudfront.net 20
# Legitimate only
$ ./generate-traffic.sh your-distribution.cloudfront.net 100 --legit
# Heavy attack traffic
$ docker run --rm wallarm/gotestwaf \
    --url https://your-distribution.cloudfront.net \
    --skipWAFBlockCheck

6. Open the Dashboard
Wait 1-2 minutes for Firehose to deliver the first batch of logs, then connect the dashboard to your RawTree API endpoint with a read-only key. You should see WAF decisions, status codes, cache performance, and attack patterns populate in real time.
# Create a read-only API key for the dashboard
$ curl -sSf https://rawtree.com | sh
$ rtree login
$ rtree key create --name waf-dashboard --permission read
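The metrics the dashboard panels show (blocked IPs, terminating rules, geo-distribution of blocks on the WAF side; cache hit ratio, latency percentiles, status codes, bandwidth and edge locations on the CloudFront side) can be derived directly from the two log streams the pipelines deliver. The script below is an added example written for this page, not code from RawTree or the terraform-provider-rawtree repository: it parses a constructed batch of AWS WAF log records (JSON, one object per line) and a constructed batch of CloudFront real-time log records (tab-separated, in the field order the real-time log config selects; the order in CF_FIELDS is this example's assumption), computes the panel values, and cross-checks the two sources by counting CloudFront 403 responses whose client IP the WAF blocked. All sample values are made up.

```python
"""Added example (not RawTree project code): derive the dashboard's WAF and
CloudFront metrics from sample log records of the shapes the two pipelines deliver."""
import json
import math
from collections import Counter

# Constructed WAF log records; only the fields the metrics read are populated.
WAF_LOG_LINES = [
    '{"timestamp":1700000000123,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet",'
    '"terminatingRuleType":"MANAGED_RULE_GROUP","httpRequest":{"clientIp":"198.51.100.7","country":"RU","uri":"/login"}}',
    '{"timestamp":1700000000456,"action":"ALLOW","terminatingRuleId":"Default_Action",'
    '"terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"203.0.113.10","country":"US","uri":"/index.html"}}',
    '{"timestamp":1700000001001,"action":"BLOCK","terminatingRuleId":"rate-limit-per-ip",'
    '"terminatingRuleType":"RATE_BASED","httpRequest":{"clientIp":"198.51.100.7","country":"RU","uri":"/login"}}',
    '{"timestamp":1700000001500,"action":"ALLOW","terminatingRuleId":"Default_Action",'
    '"terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"203.0.113.11","country":"DE","uri":"/api/items"}}',
    "",  # blank line: the parser skips it rather than failing the batch
    '{"timestamp":1700000002000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet",'
    '"terminatingRuleType":"MANAGED_RULE_GROUP","httpRequest":{"clientIp":"192.0.2.44","country":"CN","uri":"/admin"}}',
]

# Assumed field order of the CloudFront real-time log config (this example's choice).
CF_FIELDS = ["timestamp", "c-ip", "sc-status", "sc-bytes", "time-taken",
             "x-edge-location", "x-edge-result-type", "cs-uri-stem"]

# Constructed CloudFront real-time log records, tab-separated in CF_FIELDS order.
CF_LOG_LINES = [
    "1700000000.123\t203.0.113.10\t200\t5120\t0.012\tIAD89-C1\tHit\t/index.html",
    "1700000000.456\t203.0.113.11\t200\t20480\t0.250\tFRA56-C2\tMiss\t/api/items",
    "1700000001.001\t198.51.100.7\t403\t512\t0.003\tIAD89-C1\tError\t/login",
    "1700000001.200\t203.0.113.10\t200\t5120\t0.015\tIAD89-C1\tRefreshHit\t/index.html",
    "1700000002.000\t192.0.2.44\t403\t512\t0.004\tHKG62-C1\tError\t/admin",
    "1700000002.500\t203.0.113.12\t304\t0\t0.008\tFRA56-C2\tHit\t/logo.png",
]


def parse_waf(lines):
    """Parse WAF JSON lines; blank or malformed lines are skipped, not fatal."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def waf_metrics(records):
    """Security panel: block rate, top blocked IPs, terminating rules, countries."""
    blocked = [r for r in records if r.get("action") == "BLOCK"]
    return {
        "total": len(records),
        "blocked": len(blocked),
        "block_ratio": round(len(blocked) / len(records), 3) if records else 0.0,
        "top_blocked_ips": Counter(r["httpRequest"]["clientIp"] for r in blocked).most_common(5),
        "blocked_by_rule": Counter(r["terminatingRuleId"] for r in blocked),
        "blocked_by_country": Counter(r["httpRequest"]["country"] for r in blocked),
    }


def parse_cloudfront(lines, fields=CF_FIELDS):
    """Parse tab-separated real-time log rows; rows with the wrong field count are skipped."""
    records = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        rec["sc-status"] = int(rec["sc-status"])
        rec["sc-bytes"] = int(rec["sc-bytes"])
        rec["time-taken"] = float(rec["time-taken"])  # seconds
        records.append(rec)
    return records


def percentile(values, p):
    """Nearest-rank percentile; returns None for an empty sample."""
    if not values:
        return None
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def cloudfront_metrics(records):
    """Traffic-health panel: cache hit ratio, latency percentiles, status codes, bytes, edges."""
    results = Counter(r["x-edge-result-type"] for r in records)
    hits = results["Hit"] + results["RefreshHit"]
    cacheable = hits + results["Miss"]  # hit ratio ignores Error/Redirect/etc. results
    latencies_ms = [r["time-taken"] * 1000 for r in records]
    p50, p95 = percentile(latencies_ms, 50), percentile(latencies_ms, 95)
    return {
        "requests": len(records),
        "cache_hit_ratio": round(hits / cacheable, 3) if cacheable else None,
        "latency_p50_ms": None if p50 is None else round(p50, 3),
        "latency_p95_ms": None if p95 is None else round(p95, 3),
        "status_codes": Counter(r["sc-status"] for r in records),
        "bytes_out": sum(r["sc-bytes"] for r in records),
        "edge_locations": Counter(r["x-edge-location"] for r in records),
    }


def correlate(waf_records, cf_records):
    """Cross-source check: CloudFront 403 responses whose client IP the WAF blocked."""
    blocked_ips = {r["httpRequest"]["clientIp"] for r in waf_records if r.get("action") == "BLOCK"}
    matched = sum(1 for r in cf_records if r["sc-status"] == 403 and r["c-ip"] in blocked_ips)
    return {"waf_blocked_ips": sorted(blocked_ips), "cloudfront_403_from_waf_blocked_ips": matched}


def dashboard(waf_lines=WAF_LOG_LINES, cf_lines=CF_LOG_LINES):
    """Combine both sources into the single view the dashboard presents."""
    waf, cf = parse_waf(waf_lines), parse_cloudfront(cf_lines)
    return {"waf": waf_metrics(waf), "cloudfront": cloudfront_metrics(cf), "correlation": correlate(waf, cf)}


if __name__ == "__main__":
    print(json.dumps(dashboard(), indent=2))
```

The cache hit ratio here counts Hit and RefreshHit results against Hit, RefreshHit and Miss only, so WAF-blocked requests (which surface in CloudFront as Error results with a 403) do not drag the ratio down; the correlation figure is the useful signal for those. Latency uses a nearest-rank percentile so the reported p95 is always a value that actually occurred in the window.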