AWS Public APIs Archives - AWS Security Architect
https://awssecurityarchitect.com/category/aws-public-apis/
Experienced AWS, GCP and Azure Security Architect

How to Ensure All Client Browsers Go Through Cloudflare to Access JavaScript
https://awssecurityarchitect.com/aws-public-apis/how-to-ensure-all-client-browsers-go-through-cloudflare-to-access-javascript/
Thu, 26 Jun 2025 21:43:44 +0000

1. Serve JavaScript from a Cloudflare-Proxied Domain

Start by hosting your JavaScript file behind a custom domain, such as static.yourdomain.com, and point this domain to your EC2 server, S3 bucket, or API Gateway endpoint.

Then, onboard this domain into Cloudflare and enable proxying (the orange cloud icon in the DNS settings). With proxying on, every request that resolves the domain goes through Cloudflare’s edge network; the steps below make sure the origin cannot be reached any other way.

2. Block Direct Access to the Origin

To prevent clients from bypassing Cloudflare and hitting your origin directly (e.g., the EC2 public IP or the API Gateway URL), restrict the origin so that it accepts traffic only from Cloudflare.

a. On EC2 (Web Server IP Filtering)

Use Cloudflare’s published IP ranges to configure your server or firewall: allow traffic from those ranges and deny everything else.

# Cloudflare IPv4 ranges (example subset; the complete, current IPv4 and IPv6
# lists are published at https://www.cloudflare.com/ips/ and change over time,
# so regenerate this block when they do)
allow 173.245.48.0/20;
allow 103.21.244.0/22;
# anything that matched no allow rule above is rejected with 403
deny all;

You can apply these rules in your web server configuration (e.g., inside an Nginx server or location block) or in your AWS EC2 security group inbound rules; a security group needs only the allow entries, because anything not listed is already dropped. Note that if Nginx also restores the visitor address from CF-Connecting-IP with the realip module, allow/deny will then evaluate the restored visitor IP instead of Cloudflare’s, so do this filtering before the address is rewritten or at the security-group level.

b. On API Gateway

Set up a CloudFront distribution in front of your API Gateway, and configure it so that only Cloudflare can reach CloudFront. You can enforce this with AWS WAF or a Lambda@Edge function that checks for Cloudflare-specific headers (such as cf-connecting-ip) together with the connecting IP address, since a header name on its own can be added by any client.

3. Use a Firewall or AWS WAF to Enforce Cloudflare Traffic Only

Implement additional protections by verifying that incoming requests come from Cloudflare’s IP ranges or include a custom header that Cloudflare adds before forwarding (like X-From-Cloudflare: yes). Treat the header value as a shared secret known only to Cloudflare and your origin rather than a fixed public string, because any client can send a header named X-From-Cloudflare.

Using AWS WAF, you can block any request that doesn’t match these criteria.

4. Add Token or Cookie Validation for Extra Security

You can make the JavaScript file accessible only when a valid token or Cloudflare-managed cookie is present. This is useful if you want to require a challenge like CAPTCHA before download.

Use Cloudflare tools such as:

  • Cloudflare Bot Management
  • Firewall Rules with Cookie or Header matching
  • Page Rules for rate limiting or access control

Summary

Step  Action
1     Host JavaScript behind a domain proxied by Cloudflare
2     Block all direct access to origin (EC2, S3, or API Gateway)
3     Allow only Cloudflare IPs via web server or security group
4     Optionally require custom headers, WAF rules, or tokens
5     Use Cloudflare features like CAPTCHA or rate limiting


Controlling Access to Amazon Connect Chat Public API
https://awssecurityarchitect.com/aws-public-apis/controlling-access-to-amazon-connect-chat-public-api/
Thu, 26 Jun 2025 19:59:33 +0000

1. Use AWS IAM Policies (Identity and Access Management)

Amazon Connect Chat APIs are often called from client applications using AWS credentials (temporary or otherwise). IAM policies allow you to control who can access which API operations.

Control who can call the API:

  • Create IAM roles or use Cognito Identity Pools
  • Restrict permissions by API actions (e.g., StartChatContact, SendMessage)
  • Limit access to specific Connect instances
  • Restrict by source IP using conditions

Example condition to limit access by IP address:

{
  "Condition": {
    "IpAddress": {
      "aws:SourceIp": "203.0.113.0/24"
    }
  }
}

2. Use Amazon Cognito for Authenticated Chat Clients

When embedding chat into web or mobile apps, Amazon Connect often uses Amazon Cognito to manage access. Cognito can be configured to:

  • Authenticate and authorize users or guests
  • Restrict sign-ups or logins to specific domains or email patterns
  • Apply custom validation logic such as geofencing or CAPTCHAs

3. Restrict API Calls by Region and Origin

a. Geo-blocking using AWS WAF

If you’re exposing the API via API Gateway or CloudFront, add WAF rules to:

  • Block or allow specific countries or IP ranges
  • Protect from bots and known malicious actors

b. CORS Policies

For browser-based clients, configure CORS (Cross-Origin Resource Sharing) headers to limit which web origins can make requests to the API. CORS is enforced by the browser, so it stops other websites’ scripts from reading your API’s responses, but it is not an access control against non-browser clients, which simply ignore it; it complements the IAM and WAF layers rather than replacing them.

4. Use VPC Endpoints (If Using Private Integrations)

If integrating Amazon Connect with other AWS services inside a VPC (e.g., Lambda), restrict access through:

  • VPC endpoints
  • Security groups and routing tables
  • Resource-based policies that allow traffic only from specific VPCs or subnets

5. Rate Limiting and API Throttling

Amazon Connect has built-in throttling, but you can also enforce limits via API Gateway:

  • Define custom rate limits per user, IP, or application
  • Monitor usage via Amazon CloudWatch or AWS X-Ray

6. Use Signed API Requests

All Amazon Connect API calls must be signed using AWS Signature Version 4. This ensures:

  • Only clients with valid AWS credentials can call the API
  • Requests are authenticated and integrity-protected (the signature covers the headers and body) and travel over the encrypted TLS connection
  • You can rotate or revoke credentials at any time

Summary

Security Layer          What It Controls
IAM Policies            Who can call which APIs from which IPs
Cognito                 End-user access via web or mobile apps
WAF                     Blocks traffic from certain regions or IPs
CORS                    Restricts web browser origins
API Gateway Throttling  Rate limits and abuse protection
AWS SigV4               Cryptographically signed API requests
