My Setup
I have an Elastic Beanstalk application, with a public load balancer and public IPs on EC2. The application is behind CloudFront, which is protected with AWS WAF from different attacks I am experiencing now. Route 53 forwards DNS queries to CloudFront.
My Problem
WAF is only on CloudFront. There are still the Elastic Beanstalk public DNS name, the Elastic Load Balancer public DNS name, and the EC2 instance public IP. Attackers are hitting them and bypassing the WAF.
My Request
I don't need anything other than CloudFront to be exposed to the internet. How do I remove all public DNS names and IPs from all, or at least some, of these resources and still have it working? Ideally, CloudFront would forward requests over an internal Amazon domain.
What I tried
I tried setting the ELB to private in the Beanstalk Network Configuration tab, but it failed. When setting Public IP address to false, it just stops working with error 502.