Amazon bypasses ASN blocks using preview deploys?

In my third-party analytics I am noticing a lot of hits from Amazon, not to my domain but to the preview deploys. Is this normal, or is this bot activity trying to figure out or glean build or other sensitive info?

If example.com were my domain, then: https://67b43f576ed0e400074170e1--example.netlify.app. The times do not correlate with my build times.

This is for all my sites hosted with Netlify, same pattern. I prefer to block most traffic; what should I do?

Hi @ewww ,

Thank you for taking the time to report your concern about Amazon-related traffic accessing your preview deploys. I’ve looked into this and I think I know what might be going on here. It’s intriguing that you’re seeing traffic from Amazon IPs like this. Based on the details you’ve provided, here’s a possible explanation and steps to address this situation.

What’s happening:

  • Netlify generates unique preview URLs (e.g., https://67b43f576ed0e400074170e1--example.netlify.app) for each deploy. These URLs are publicly accessible by default, even if unlinked or unused, unless explicitly restricted. This allows external systems, including bots (such as AWS-hosted crawlers), to scan the internet for vulnerabilities, test deployments, or index content.

  • Netlify’s Infrastructure: Netlify runs on AWS, so some traffic may originate from AWS IPs (e.g., internal health checks, security scanners, or bots).

Is This Normal?
Common, but Not Ideal: While some traffic is benign (e.g., Netlify/AWS internal checks), malicious bots often target preview URLs because:

  • They assume previews are less secure than production.
  • They scan for exposed secrets (e.g., API keys in unminified code).
  • They test for vulnerabilities in staging environments.

Risks of Unrestricted Preview Deploys
-Exposed Sensitive Data: If your preview deploys include:

  • Unminified code (e.g., .env variables in client-side bundles).
  • Test/staging API endpoints.
  • Admin interfaces or unprotected CMS previews.

-Resource Abuse: Bots can trigger unnecessary compute usage, increasing costs or slowing builds.

Since the traffic does not correlate with your build times, it’s unlikely to be caused by Netlify itself. Instead, it appears to be external traffic accessing publicly exposed URLs.

To address this issue and secure your preview deploys, consider the following measures:

  1. Enable Password Protection for Preview Deploys: Restrict access to your preview URLs using Netlify’s built-in password protection feature. This ensures that only authorized users can access the deploys. Secure access to sites | Netlify Docs

  2. Use Robots.txt to Block Crawlers and block traffic by IP or ASN: Use Netlify edge functions or serverless functions to block traffic from specific IP ranges or ASNs, such as Amazon’s ASN (AS16509).
    https://developers.netlify.com/guides/blocking-ai-bots-and-controlling-crawlers/

  3. Disable Preview Deploys if Unnecessary: If preview deploys are not essential, you can disable them entirely in your Netlify project settings.
    Deploy Previews | Netlify Docs

  4. Use Firewall Rules: Introducing Netlify Web Application Firewall (WAF) Traffic Rules

  5. Rate limiting rule by Cloudflare: Rate limiting rules · Cloudflare Web Application Firewall (WAF) docs

Disclaimer:
These solutions are based on documentation and practices publicly available online. While they are designed to help mitigate the issue, results may vary depending on your specific setup.

I’d love to hear how these recommendations work for you! If you encounter additional challenges or discover alternative solutions, please share your feedback to help others who might face similar situations.

Thank you!
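Steps 1 and 2 of the answer above (restricting preview deploys, telling crawlers to stay out, and blocking address ranges at the edge) can be combined in one request guard. The code below is an added example, not Netlify's own code and not from the thread; it is written in the `(request, context)` shape of a Netlify edge function. The CIDR list is constructed for illustration and is not Amazon's address space (real ranges for an ASN come from the network operator's published data), the `X-Preview-Token` header and its value are hypothetical stand-ins for Netlify's built-in password protection, and only IPv4 matching is implemented.

```javascript
// Added example (not Netlify's code, not from the thread): a request guard in
// the shape of a Netlify edge function that (a) answers robots.txt on preview
// hosts with a full disallow, (b) requires a shared token on preview hosts,
// and (c) blocks a list of IPv4 CIDR ranges before anything else runs.

// Constructed sample block list for illustration; NOT real Amazon ranges.
// A production list would be generated from the operator's published ranges.
const BLOCKED_CIDRS = ["198.51.100.0/24", "203.0.113.0/24"];

// Hypothetical shared secret that reviewers send to reach preview deploys.
const PREVIEW_TOKEN = "change-me-example-token";

// Deploy previews and branch deploys use "<prefix>--<site>.netlify.app";
// the production host name has no "--" segment.
function isPreviewHost(host) {
  const h = host.toLowerCase().split(":")[0];
  return h.endsWith(".netlify.app") && h.includes("--");
}

// Parse dotted-quad IPv4 into an integer; null on anything malformed.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True when ip falls inside cidr ("a.b.c.d/bits"); malformed input never matches.
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  const ipN = ipv4ToInt(ip);
  const baseN = ipv4ToInt(base);
  if (ipN === null || baseN === null || !(bits >= 0 && bits <= 32)) return false;
  if (bits === 0) return true; // "/0" matches everything; avoids "<< 32" wrap
  const mask = (0xffffffff << (32 - bits)) >>> 0; // ">>> 0" keeps it unsigned
  return ((ipN & mask) >>> 0) === ((baseN & mask) >>> 0);
}

function isBlockedIp(ip) {
  return BLOCKED_CIDRS.some((c) => inCidr(ip, c));
}

// Pure decision logic, kept separate so it can be tested without a runtime.
// Returns { action: "block" | "robots" | "unauthorized" | "allow", status }.
function decide({ host, path, ip, previewToken }) {
  if (isBlockedIp(ip)) return { action: "block", status: 403 };
  if (isPreviewHost(host)) {
    if (path === "/robots.txt") return { action: "robots", status: 200 };
    if (previewToken !== PREVIEW_TOKEN) return { action: "unauthorized", status: 404 };
  }
  return { action: "allow", status: 200 };
}

// Entry point in Netlify's edge-function shape; context.ip and context.next()
// are part of that runtime. In a real project this would be the file's
// default export (e.g. netlify/edge-functions/guard.js).
async function guard(request, context) {
  const url = new URL(request.url);
  const verdict = decide({
    host: url.host,
    path: url.pathname,
    ip: context.ip,
    previewToken: request.headers.get("x-preview-token"),
  });
  switch (verdict.action) {
    case "block":
      return new Response("Forbidden", { status: 403 });
    case "robots":
      return new Response("User-agent: *\nDisallow: /\n", {
        status: 200,
        headers: { "content-type": "text/plain" },
      });
    case "unauthorized":
      // 404 rather than 401 so the preview's existence is not confirmed.
      return new Response("Not Found", { status: 404 });
    default:
      return context.next();
  }
}
```

The order matters: the address-range check runs first so that blocked clients never learn whether a preview host exists, and the preview check answers with 404 instead of 401 for the same reason. Blocking by ASN-sized ranges is coarse (it also blocks legitimate users on that network), so the per-host token gate is what actually keeps preview content private; the range block mostly saves bandwidth and log noise.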