How do I configure "Core protections" and "Rate limiting" in CloudFormation template for a CloudFront distribution

Question

So I am trying to configure AWS::CloudFront::Distribution so that the basic security protections are enabled.

At the moment in the AWS Dashboard the Security tab of the distribution looks like this after deployment.

And I am trying to configure these options, but I can't find anything from the documentation that describes how to do it in CloudFormation template.

The following is my base configuration for the CloudFront distribution:

CloudFrontDistribution:
  Type: AWS::CloudFront::Distribution
  Properties:
    DistributionConfig:
      Origins:
        - Id: S3Origin
          DomainName:
            Fn::Join:
              - ''
              - - !Ref FrontendS3Bucket
                - '.s3-${env:REGION}.amazonaws.com'
          S3OriginConfig:
            OriginAccessIdentity: !Sub 'origin-access-identity/cloudfront/${FrontendS3OAI}'
        - Id: ApiGatewayOrigin
          DomainName:
            Fn::Join:
              - ''
              - - !Ref HttpApi
                - '.execute-api.${env:REGION}.amazonaws.com'
          CustomOriginConfig:
            OriginProtocolPolicy: https-only
            OriginSSLProtocols:
              - TLSv1.2
      DefaultRootObject: index.html
      DefaultCacheBehavior:
        TargetOriginId: S3Origin
        CachePolicyId: 658327ea-f89d-4fab-a63d-7e88639e58f6 # Managed-CachingOptimized
        ViewerProtocolPolicy: https-only
      CacheBehaviors:
        - TargetOriginId: ApiGatewayOrigin
          PathPattern: /api/*
          ViewerProtocolPolicy: https-only
          OriginRequestPolicyId: b689b0a8-53d0-40ab-baf2-68738e2966ac # Managed-AllViewerExceptHostHeader
          CachePolicyId: 4135ea2d-6df8-44a3-9df3-4b5a84be39ad # Managed-CachingDisabled
          AllowedMethods:
            - GET
            - HEAD
            - OPTIONS
            - PUT
            - PATCH
            - POST
            - DELETE
      Enabled: true

Answer 1

Core Protections are a console only integration, but you can replicate them in CloudFormation by creating a WebACL in WAF that has the following rules in this order:

1. AWSManagedRulesAmazonIpReputationList
2. AWSManagedRulesCommonRuleSet
3. AWSManagedRulesKnownBadInputsRuleSet

Once you've created your Web ACL, you can pass that WebACLID to CloudFront as mentioned by Rohit.

Although enabling core protections is a console only integration, you will still get access to the CloudFront security dashboard when WAF is enabled on your CloudFront distribution.