
Avoid CPDoS in CloudFront

Bogdan Katishev
VRT Digital Products
2 min read · Mar 20, 2024


CPDoS, or Cache-Poisoned Denial-of-Service, is an attack in which a crafted request (for example one carrying an oversized or malformed header) makes the origin server return a “bad” response such as an error page. Because the caching layer keys on the URL and not on the header that triggered the error, it stores that response and serves it to every subsequent normal client request for the same URL.

The result is that the application or website becomes unreachable for other end users for as long as the poisoned entry lives in the cache (the cache TTL).

[Figure: CPDoS illustrated]
[Figure: CPDoS in real life on stubru.be]

Recommended solutions

Using the AWS (managed) cache/origin policies for CloudFront

Cache policies for CloudFront work differently from the legacy cache settings. With the legacy settings, request headers you have not whitelisted are still forwarded to your origin; the whitelist only controls which headers become part of the cache key. That is exactly the combination a CPDoS attack needs: the malicious header reaches the origin and triggers the error, but is not part of the key under which the error is cached.

With a cache policy (and an optional origin request policy) this is no longer the case. You have to explicitly list which headers are forwarded to the origin; every other request header is dropped at the CloudFront edge and never reaches the underlying origin, so an attacker-controlled header that is not on the list cannot trigger the error in the first place.

Previously, most of the forwarded data automatically became part of the cache key. Now you can forward most request elements without affecting the cache key (unless you specifically want them to). You can configure any combination of headers, cookies, and query string parameters to be included in or excluded from the cache key, or forwarded to the origin as needed.

As described in the AWS announcement: Amazon CloudFront Announces Cache and Origin Request Policies

Do not cache error response codes

Caching error responses makes a distribution prone to CPDoS: one poisoned error entry is served to everyone until it expires. Google's Apigee anti-pattern guidance likewise advises against caching errors unless there is a specific reason to: https://cloud.google.com/apigee/docs/api-platform/antipatterns/caching-error

CloudFront caches the 4xx and 5xx responses it receives from the origin for 10 seconds by default. You can disable this on your distribution by navigating to the “Error pages” tab and setting the “Error caching minimum TTL” to 0 for every HTTP error code listed there. Also check that your origin's own error responses do not carry Cache-Control headers that ask for them to be cached, since the TTL setting does not make the origin's error responses cache-friendly on their own.

[Figure: Disabling HTTP error caching in CloudFront]
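To make the attack and both mitigations concrete, here is an added example, not from the original post and not CloudFront's own code: a small Python model of an edge cache in front of an origin. The origin, its 8 KiB header-size limit, the header name X-Oversized-Header and the TTL values are constructed assumptions. The three `EdgeCache` configurations mirror the three situations discussed above: legacy forwarding with the default 10-second error caching (poisoned), a cache/origin request policy that drops unlisted headers before they reach the origin, and an error caching minimum TTL of 0.

```python
from dataclasses import dataclass, field

# Assumed origin limit on a single header value (CPDoS "header oversize" style trigger).
MAX_HEADER_BYTES = 8192


@dataclass
class Response:
    status: int
    body: str


def origin(path, headers):
    """Constructed origin: answers 400 when any header value is too large."""
    for name, value in headers.items():
        if len(value) > MAX_HEADER_BYTES:
            return Response(400, f"Bad Request: header {name} too large")
    return Response(200, f"content of {path}")


@dataclass
class EdgeCache:
    """Toy edge cache keyed on the URL path only (headers are not part of the key)."""
    forward_all_headers: bool    # legacy cache settings: unlisted headers still reach the origin
    allowed_headers: frozenset   # headers a cache/origin request policy lets through (lowercase)
    error_min_ttl: int           # CloudFront "Error caching minimum TTL", in seconds
    content_ttl: int = 3600      # TTL for successful responses
    clock: int = 0               # simulated time in seconds
    store: dict = field(default_factory=dict)  # path -> (Response, expires_at)

    def advance(self, seconds):
        self.clock += seconds

    def fetch(self, path, headers=None):
        """Serve one client request. Returns (response, served_from_cache)."""
        headers = headers or {}
        hit = self.store.get(path)
        if hit is not None and hit[1] > self.clock:
            return hit[0], True
        if self.forward_all_headers:
            forwarded = dict(headers)
        else:
            # Policy behaviour: anything not on the allow-list is dropped at the edge.
            forwarded = {k: v for k, v in headers.items() if k.lower() in self.allowed_headers}
        resp = origin(path, forwarded)
        ttl = self.content_ttl if resp.status < 400 else self.error_min_ttl
        if ttl > 0:
            self.store[path] = (resp, self.clock + ttl)
        return resp, False


def run_attack(edge, path="/index.html"):
    """One attacker request with an oversized header, then one normal client request.
    Returns (status the normal client sees, whether it was served from the cache)."""
    attack_headers = {"X-Oversized-Header": "A" * (MAX_HEADER_BYTES + 1)}
    edge.fetch(path, attack_headers)
    victim, cached = edge.fetch(path)
    return victim.status, cached


if __name__ == "__main__":
    legacy = EdgeCache(forward_all_headers=True, allowed_headers=frozenset(), error_min_ttl=10)
    print("legacy settings, errors cached 10s:", run_attack(legacy))  # (400, True): poisoned

    policy = EdgeCache(forward_all_headers=False,
                       allowed_headers=frozenset({"host", "accept"}), error_min_ttl=10)
    print("policy drops unlisted headers:", run_attack(policy))       # (200, True)

    no_error_cache = EdgeCache(forward_all_headers=True, allowed_headers=frozenset(), error_min_ttl=0)
    print("legacy settings, error TTL 0:", run_attack(no_error_cache))  # (200, False)
```

The model only captures the cache-key and forwarding logic that matters for CPDoS; real CloudFront also keys on query strings and cookies according to the cache policy and honours Cache-Control from the origin. Note that in the third configuration the attacker still gets a 400 on every request and each one hits the origin, so the origin must be able to absorb that traffic; the header allow-list is the stronger fix because the trigger never reaches the origin at all.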
