Can Cloudfront be configured to scrub all IP addresses from the incoming request before passing to the origin?
For compliance reasons, we are not able to collect or process IP addresses in our application. With an initial look, it seems that the new(ish) Cloudfront Functions might be able to do what is needed. https://aws.amazon.com/blogs/aws/introducing-cloudfront-functions-run-your-code-at-the-edge-with-low-latency-at-any-scale/
Can the incoming IP addresses be removed entirely so that it is not visible even in the X-Forwarded-For header (or any other field) to the origin? As shown in this article:
> If a viewer sends a request to CloudFront and does not include an X-Forwarded-For request header, CloudFront gets the IP address of the viewer from the TCP connection, adds an X-Forwarded-For header that includes the IP address, and forwards the request to the origin.
Therefore, all requests will have the IP address visible in the X-Forwarded-For header. Is there a way to disable this?
Solution 1:[1]
Cloudfront Functions can run at the Viewer Request stage to modify incoming request headers; however, the client IP will still be appended to X-Forwarded-For when a request is passed on to the origin.
You can however use Lambda@Edge in the Origin Request stage to modify the headers sent to the origin (e.g. delete X-Forwarded-For).
Here is how that would look in Node.js:
```javascript
exports.handler = async (event, context) => {
  // Lambda@Edge origin-request event: the request CloudFront is about to send to the origin
  const request = event.Records[0].cf.request;
  const headers = request.headers;
  // Header names are lowercased in the event; removing the entry stops it reaching the origin
  delete headers['x-forwarded-for'];
  return request;
};
```
Or if you want to scramble the last part of the IP:
```javascript
exports.handler = async (event, context) => {
  const request = event.Records[0].cf.request;
  const headers = request.headers;
  // Replace the header with the viewer IP whose last octet (or last IPv6 group) is set to 0
  headers['x-forwarded-for'] = [{
    key: 'X-Forwarded-For',
    value: request.clientIp.replace(/\w+$/, '0')
  }];
  return request;
};
```
This could of course be extended to other headers if needed.
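The following is an added example, not code from the answer above: an origin-request Lambda@Edge handler that generalises the masking to a full X-Forwarded-For chain (viewer-supplied hops plus the address CloudFront appends) and to IPv6, dropping anything that does not parse as an address. It assumes the standard Lambda@Edge event shape (`event.Records[0].cf.request` with lowercased header keys and `clientIp`); the `maskIp` and `scrubViewerAddress` names are hypothetical, and whether `cloudfront-viewer-address` is present depends on the origin request policy.

```javascript
'use strict';

// Mask the host part of one viewer address so the origin never sees it whole:
// IPv4 keeps the first three octets, IPv6 keeps the first three 16-bit groups
// (the /48 prefix). Anything that is not an address yields null and is dropped.
function maskIp(ip) {
  const s = String(ip || '').trim();
  const v4 = /^(\d{1,3}\.\d{1,3}\.\d{1,3})\.\d{1,3}$/.exec(s);
  if (v4) return `${v4[1]}.0`;
  if (s.includes(':') && /^[0-9a-f:]+$/i.test(s)) {
    // Expand "::" first, otherwise a compressed address such as 2001::1
    // would leak its last group as the "third" one.
    const [left, right = ''] = s.split('::');
    const l = left ? left.split(':') : [];
    const r = right ? right.split(':') : [];
    const pad = Array(Math.max(0, 8 - l.length - r.length)).fill('0');
    return l.concat(pad, r).slice(0, 3).join(':') + '::';
  }
  return null;
}

// Rewrite the headers of an origin-request event in place (hypothetical helper).
// X-Forwarded-For can be a comma-separated chain, so every element is masked.
function scrubViewerAddress(request) {
  const headers = request.headers;
  const chain = (headers['x-forwarded-for'] || [])
    .flatMap((h) => h.value.split(','))
    .map(maskIp)
    .filter(Boolean);
  // No usable chain: fall back to the TCP-level viewer address CloudFront saw.
  if (chain.length === 0 && request.clientIp) chain.push(maskIp(request.clientIp));
  const masked = chain.filter(Boolean);
  if (masked.length) {
    headers['x-forwarded-for'] = [{ key: 'X-Forwarded-For', value: masked.join(', ') }];
  } else {
    delete headers['x-forwarded-for'];
  }
  // CloudFront-Viewer-Address carries "ip:port"; drop it outright if the policy forwards it.
  delete headers['cloudfront-viewer-address'];
  return request;
}

// Lambda@Edge entry point for the origin request trigger.
async function handler(event) {
  return scrubViewerAddress(event.Records[0].cf.request);
}
if (typeof exports !== 'undefined') exports.handler = handler;
```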
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | pjoe |
