
How to Secure Sensitive Customer Data Using Amazon CloudFront - AWS Online Tech Talks


Learning Objectives:
- Learn how to secure and control access to critical customer data (e.g., payment instruments, social security numbers, phone numbers, etc.) at rest, in use, or in transit
- Learn how this helps your company abide by the strictest data-handling policies, such as PCI DSS and HIPAA
- Learn how to configure Amazon CloudFront



  1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How to Secure Sensitive Customer Data Using Amazon CloudFront. George John, Product Manager, AWS CloudFront/Lambda@Edge; Cristi Ursachi, Software Development Manager, Amazon.com. March 1st 2018.
  2. Agenda • CloudFront Overview • Secure content with CloudFront • CloudFront Field Level Encryption • Demo • Q & A
  3. Amazon CloudFront • Global content delivery network (CDN) • Application acceleration and optimization • Distributed, scalable, integrated security controls • Optimized for all delivery use cases • On-demand, full user control, cost effective • Essential cloud infrastructure component
  4. 114 Points of Presence (103 Edge locations + 11 Regional Edge Caches)
  5. Four Major Use Cases (customer use cases) • Accelerate websites • Customize user experience • Stream live and on-demand media • Secure content
  6. Secure Content
  7. 1. Protect Application & Network/Transport layer
  8. CloudFront Built-in Security (alongside AWS Shield and AWS WAF) ✓ Only accepts valid HTTP/TCP requests ✓ Automatically drops traffic on non-HTTP ports ✓ Protection against slow reads (Slowloris) ✓ Safeguards against SSL abuse (e.g., Perfect Forward Secrecy) ✓ Web server offload (e.g., request collapsing)
  9. 2. Access Control
  10. 2.1 Securely serve private content: Signed URL/Cookie. Diagram labels: End viewers → CloudFront distribution intranet.example.com with two cache behaviors. Path: Default (*) → Origin: ALB (Application Load Balancer → Application); Forward cookies: All; Restrict viewer access: No. Path: videos/ → Origin: Amazon S3 bucket; Forward cookies: No; Restrict viewer access: Yes. The user's application credentials yield a signed cookie or URL; GET /videos/annual-meeting.m3u8 → ✓ Valid → cached response.
  11. Restricting origin access: Amazon S3 Origin • Create an origin access identity using the CloudFront console or API. • Modify your Amazon S3 bucket policy to limit read access to the origin access identity's
  12. Restricting origin access: Custom Origin • Configure origin custom headers to provide a shared secret in a custom-named header.
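The two origin-restriction controls on slides 11 and 12, as an added example that is not code from the deck: a bucket policy that grants read only to the origin access identity, an audit check that nothing else is granted, and the origin-side verification of the shared-secret header CloudFront adds to custom-origin requests. The OAI id, bucket name, header name and secret values are constructed placeholders; the principal ARN form is the one CloudFront uses for origin access identities.

```python
"""Added example (not from the AWS deck): origin access restriction for an
S3 origin (slide 11) and a custom origin (slide 12). All ids, bucket names,
header names and secrets below are constructed placeholders."""
import hmac

OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def oai_bucket_policy(bucket: str, oai_id: str) -> dict:
    """Bucket policy that lets only the CloudFront origin access identity read
    objects. With this (and no other public grant) a viewer cannot bypass
    CloudFront, and its signed URL/cookie checks, by fetching the S3 URL."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowCloudFrontOAIReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": OAI_ARN_PREFIX + oai_id},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def grants_only_oai(policy: dict, oai_id: str) -> bool:
    """Audit check: every Allow statement must name exactly the OAI,
    never "*" or another principal."""
    expected = {"AWS": OAI_ARN_PREFIX + oai_id}
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal") != expected:
            return False
    return True


# ---- slide 12: shared secret in a custom-named origin header ----------------

HEADER_NAME = "x-origin-verify"  # constructed name; CloudFront lets you pick any


def origin_request_is_from_cloudfront(headers: dict, valid_secrets: list) -> bool:
    """Origin-side check that the request carries the shared secret configured
    as a CloudFront origin custom header. Accepting several values supports
    rotation: add the new secret here, update the CloudFront origin, then
    drop the old value."""
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(HEADER_NAME)
    if not presented:
        return False
    # Constant-time comparison so a wrong guess does not leak how many leading
    # bytes matched through response timing.
    return any(hmac.compare_digest(presented.encode(), s.encode()) for s in valid_secrets)
```

The audit function is what you would run over `get-bucket-policy` output for every S3 origin; the header check belongs in the origin's request middleware, before any application logic, and the same secret must be set on every origin that the CloudFront distribution fronts.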
  13. 3. Encryption
  14. 3.1 End to End HTTPS. Diagram labels: End viewer → CloudFront distribution → Origin. Viewer side: Viewer protocol policy: Redirect HTTP to HTTPS; Security policy: TLSv1.2_2018; Certificate: Managed by ACM. Origin side: Origin protocol policy: HTTPS only; Origin SSL protocol: TLSv1.2.
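The end-to-end HTTPS settings on slide 14, plus the S3 origin access identity from slide 11, turned into an offline audit of a CloudFront distribution configuration. This is an added example, not code from the deck; it reads the DistributionConfig document shape that GetDistributionConfig returns, and SAMPLE_CONFIG is a constructed distribution with several of the weak settings the slide replaces.

```python
"""Added example (not from the AWS deck): audit a CloudFront DistributionConfig
for the slide-14 HTTPS settings and the slide-11 origin access identity.
SAMPLE_CONFIG is constructed; the key names are those of the CloudFront API."""
import copy

SECURE_VIEWER_POLICIES = {"redirect-to-https", "https-only"}


def audit_distribution(cfg: dict) -> list:
    """Return findings as strings; an empty list means end-to-end HTTPS holds."""
    findings = []

    # Viewer side: every cache behavior must refuse or upgrade plain HTTP.
    behaviors = [("default (*)", cfg["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b) for b in cfg.get("CacheBehaviors", {}).get("Items", [])]
    for path, b in behaviors:
        policy = b.get("ViewerProtocolPolicy")
        if policy not in SECURE_VIEWER_POLICIES:
            findings.append(f"behavior {path}: ViewerProtocolPolicy={policy} accepts plain HTTP")

    # Viewer TLS floor: the slide's security policy is TLSv1.2_2018; any
    # TLSv1.2_* policy passes, older floors (TLSv1, TLSv1_2016, TLSv1.1_2016) do not.
    cert = cfg.get("ViewerCertificate", {})
    min_tls = cert.get("MinimumProtocolVersion", "")
    if not min_tls.startswith("TLSv1.2"):
        findings.append(f"viewer: MinimumProtocolVersion={min_tls or 'unset'} is below TLSv1.2")
    if not cert.get("ACMCertificateArn"):
        findings.append("viewer: certificate is not ACM-managed")

    # Origin side: S3 origins need an OAI; custom origins must be HTTPS-only on TLS 1.2.
    for origin in cfg["Origins"]["Items"]:
        oid = origin["Id"]
        if "S3OriginConfig" in origin:
            if not origin["S3OriginConfig"].get("OriginAccessIdentity"):
                findings.append(f"origin {oid}: S3 origin has no origin access identity")
        elif "CustomOriginConfig" in origin:
            coc = origin["CustomOriginConfig"]
            if coc.get("OriginProtocolPolicy") != "https-only":
                findings.append(f"origin {oid}: OriginProtocolPolicy={coc.get('OriginProtocolPolicy')} is not https-only")
            protos = set(coc.get("OriginSslProtocols", {}).get("Items", []))
            weak = protos - {"TLSv1.2"}
            if weak or not protos:
                findings.append(f"origin {oid}: OriginSslProtocols allows {sorted(weak) or 'nothing'}, expected only TLSv1.2")
    return findings


def hardened_copy(cfg: dict, oai_path: str) -> dict:
    """Return a deep copy with the slide-14 settings applied and the given
    OAI (form: origin-access-identity/cloudfront/<ID>) set on S3 origins."""
    out = copy.deepcopy(cfg)
    out["DefaultCacheBehavior"]["ViewerProtocolPolicy"] = "redirect-to-https"
    for b in out.get("CacheBehaviors", {}).get("Items", []):
        b["ViewerProtocolPolicy"] = "redirect-to-https"
    out.setdefault("ViewerCertificate", {})["MinimumProtocolVersion"] = "TLSv1.2_2018"
    for o in out["Origins"]["Items"]:
        if "CustomOriginConfig" in o:
            o["CustomOriginConfig"]["OriginProtocolPolicy"] = "https-only"
            o["CustomOriginConfig"]["OriginSslProtocols"] = {"Quantity": 1, "Items": ["TLSv1.2"]}
        elif "S3OriginConfig" in o:
            o["S3OriginConfig"]["OriginAccessIdentity"] = oai_path
    return out


# Constructed sample: one ALB origin and one S3 origin, with weak settings.
SAMPLE_CONFIG = {
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:111122223333:certificate/EXAMPLE",
        "MinimumProtocolVersion": "TLSv1.2_2018",
    },
    "DefaultCacheBehavior": {"TargetOriginId": "alb", "ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "videos/*", "TargetOriginId": "media-bucket", "ViewerProtocolPolicy": "allow-all"},
    ]},
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "alb", "DomainName": "alb.example.internal",
         "CustomOriginConfig": {"OriginProtocolPolicy": "match-viewer",
                                "OriginSslProtocols": {"Quantity": 2, "Items": ["TLSv1.1", "TLSv1.2"]}}},
        {"Id": "media-bucket", "DomainName": "media-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
}

if __name__ == "__main__":
    for line in audit_distribution(SAMPLE_CONFIG):
        print("FINDING:", line)
```

On the sample the audit reports the plain-HTTP video behavior, the match-viewer origin policy, the TLS 1.1 origin cipher and the missing OAI; `hardened_copy` is the change set you would push back with UpdateDistribution, after which the same audit returns nothing.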
  15. 3.2 CloudFront Field-Level Encryption: secure and control the access of sensitive customer data while accelerating your application • Sensitive data encrypted with RSA key pair • Reduces attack surface for your sensitive data • Eliminates risk with accidental (or incidental) data leakage
  16. Why Amazon consumer needs CloudFront Field Level Encryption • Our most valuable asset is customer trust • We need to handle a lot of sensitive information (credit cards, addresses, SSN, etc.) • Behind the consumer website operate hundreds of teams maintaining different services
  17. (no text on this slide)
  18. Architecture
  19. Benefits of using Field Level Encryption • Greatly reduces the number of systems we have to audit for PCI compliance • A bug in a pass-through system cannot cause sensitive information leakage • Greatly reduces the number of people that may have access to sensitive information (e.g. card numbers)
  20. Demo
  21. Demo – products/concepts used • Amazon CloudFront (content delivery network) • HTTP forms • Public-key cryptography • AWS API Gateway • AWS Lambda • AWS CloudFormation • AWS KMS • AWS Systems Manager Parameter Store • AWS DynamoDB
  22. Demo Architecture
  23. How to configure Field Level Encryption 1. Public Keys: Name, Value 2. Field Level Encryption Profiles: Name, ProviderName, PublicKey.Name, Pattern 3. Field Level Encryption configuration: ContentType, pass profile as query argument
  24. Demo Walkthrough • Stage the required artifacts (deployed already in the US East 1 AWS region) • Generate an RSA key pair • Upload the public key to CloudFront and associate it with the Field Level Encryption configuration • Launch the CloudFormation stack • Add the Field Level Encryption configuration to the CloudFront distribution • Store the private key in Parameter Store
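The three configuration objects listed on slide 23 and the walkthrough steps on slide 24, as an added example that is not the deck's demo code: each object is assembled in the parameter shape the CloudFront API takes, the field patterns are checked before the profile is created, and a small model shows how a request is matched to a profile. Public key PEM, provider name, key and profile ids are constructed placeholders; the content type and the `fle-profile` query argument are the ones CloudFront uses for field-level encryption, and the precedence modelled (query argument first, content type otherwise) and the trailing-wildcard rule are assumptions of this example.

```python
"""Added example (not the deck's demo code): build the CloudFront
Field-Level Encryption public key, profile and configuration objects from
slide 23 and model how CloudFront selects a profile for a request.
All names, ids and the PEM are constructed placeholders."""
import uuid

MAX_FIELDS_PER_PROFILE = 10           # CloudFront encrypts at most 10 fields per request
FLE_QUERY_ARG = "fle-profile"         # query argument that names a profile
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"


def validate_field_patterns(patterns) -> list:
    """Return problems with a profile's field patterns (empty list = fine):
    field count above the limit, empty names, wildcard not at the end (assumed rule)."""
    errors = []
    if not patterns:
        errors.append("profile needs at least one field pattern")
    if len(patterns) > MAX_FIELDS_PER_PROFILE:
        errors.append(f"{len(patterns)} patterns exceed the limit of {MAX_FIELDS_PER_PROFILE}")
    for p in patterns:
        if not p:
            errors.append("empty field pattern")
        elif "*" in p[:-1]:
            errors.append(f"{p!r}: wildcard allowed only at the end")
    return errors


def public_key_request(name: str, pem: str, comment: str = "") -> dict:
    """Step 1 on slide 23: Name + Value. The value is the RSA-2048 public key
    from the key pair generated in the walkthrough; the private key stays
    at the origin (Parameter Store in the demo) and never reaches CloudFront."""
    if not pem.startswith("-----BEGIN PUBLIC KEY-----"):
        raise ValueError("expected a PEM-encoded public key")
    return {"CallerReference": str(uuid.uuid4()), "Name": name, "EncodedKey": pem, "Comment": comment}


def profile_request(name, provider_name, public_key_id, field_patterns) -> dict:
    """Step 2: the profile binds ProviderName + public key to the fields to encrypt."""
    errors = validate_field_patterns(field_patterns)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "Name": name,
        "CallerReference": str(uuid.uuid4()),
        "Comment": "",
        "EncryptionEntities": {"Quantity": 1, "Items": [{
            "PublicKeyId": public_key_id,
            "ProviderId": provider_name,
            "FieldPatterns": {"Quantity": len(field_patterns), "Items": list(field_patterns)},
        }]},
    }


def config_request(content_type_profile_id, query_arg_profiles: dict, forward_unknown=False) -> dict:
    """Step 3: content-type mapping plus profile selection by query argument.
    forward_unknown=False is the safe setting: a request whose profile or
    content type cannot be mapped is rejected rather than forwarded with the
    sensitive fields still in plaintext."""
    items = [{"QueryArg": arg, "ProfileId": pid} for arg, pid in query_arg_profiles.items()]
    return {
        "CallerReference": str(uuid.uuid4()),
        "Comment": "",
        "QueryArgProfileConfig": {
            "ForwardWhenQueryArgProfileIsUnknown": forward_unknown,
            "QueryArgProfiles": {"Quantity": len(items), "Items": items}},
        "ContentTypeProfileConfig": {
            "ForwardWhenContentTypeIsUnknown": forward_unknown,
            "ContentTypeProfiles": {"Quantity": 1, "Items": [{
                "Format": "URLEncoded", "ProfileId": content_type_profile_id,
                "ContentType": FORM_CONTENT_TYPE}]}},
    }


def select_profile(config: dict, content_type: str, query: dict):
    """Model of request-to-profile matching (assumed precedence: the fle-profile
    query argument wins, otherwise the content type). Returns (action, profile_id)
    with action in {"encrypt", "forward", "reject"}."""
    qa = config["QueryArgProfileConfig"]
    if FLE_QUERY_ARG in query:
        for item in qa["QueryArgProfiles"]["Items"]:
            if item["QueryArg"] == query[FLE_QUERY_ARG]:
                return "encrypt", item["ProfileId"]
        return ("forward" if qa["ForwardWhenQueryArgProfileIsUnknown"] else "reject"), None
    ct = config["ContentTypeProfileConfig"]
    for item in ct["ContentTypeProfiles"]["Items"]:
        if item["ContentType"] == content_type.split(";")[0].strip():
            return "encrypt", item["ProfileId"]
    return ("forward" if ct["ForwardWhenContentTypeIsUnknown"] else "reject"), None
```

The three dicts map onto the CreatePublicKey, CreateFieldLevelEncryptionProfile and CreateFieldLevelEncryptionConfig calls, in that order, because each object references the id the previous call returned; the configuration id is then attached to the distribution's cache behavior (slide 24). Keeping both forward-when-unknown flags off is what gives the slide-19 guarantee that a pass-through bug cannot leak the fields: a request that cannot be matched to a profile never reaches the origin with plaintext.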
  25. Getting Started • Amazon CloudFront getting started: https://aws.amazon.com/cloudfront/getting-started/ • Introduction to CloudFront and Lambda@Edge (video): https://www.youtube.com/watch?v=wRaPw1tx6LA • Slack Uses Amazon CloudFront for Secure API Acceleration (video): https://www.youtube.com/watch?v=oVaTiRl9-v0 • AWS Shield: https://aws.amazon.com/shield/ • AWS WAF: https://aws.amazon.com/waf/
  26. Questions?
  27. Thank you!
