Learning Objectives: - Get an inside look into Managed Rules for AWS WAF - Learn how to set up Managed Rules for AWS WAF and the best practices - Learn about the security experts that offer Managed Rules for AWS WAF

1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Sundar Jayashekar, Sr. Product Manager (AWS)
Jarrod Levitan, Chief Cloud Officer (TriNimbus)
Mike Fisher, Solutions Architect (TriNimbus)
January 30th, 2018
Managed Rules on AWS WAF
A Customer Story

2. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What to expect from this session
1. Service Introduction
2. Key Benefits
3. New Announcement!
4. Customer Story - TriNimbus

3. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What is a WAF?
Web Application Firewall –
Monitors HTTP/S requests and protects
web applications from malicious
activities
Layer 7 inspection and mitigation tool

4. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What can we do with AWS WAF?
• Rate based rules
• IP Match & Geo-IP filters
• Regex & String Match
• Size constraints
• CloudWatch
Metrics/Alarms
• Sampled Logs
• Count Action mode
• SQLi
• XSS
• IP Blacklists
Malicious traffic
blocking
Web traffic filtering Active monitoring
& tuning

5. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Threats AWS WAF can help with
Application
Layer
Bad BotsDDoS OWASP type attacks
HTTP floods
Abusive users
Content scrapers
Scanners & probes
CrawlersSQL injection
XSS
Application exploits

6. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS WAF available on
Amazon CloudFront Application Load Balancer
(ALB)

7. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What do customers like about AWS WAF?
Fast Incidence
Response
Easy to deploy Affordable
Full API Support Managed platform

8. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How are Customers using AWS WAF?
1. Custom Rules 3. Security Automation2. Managed Rules
You can combine all three!

9. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
New capabilities since June 2017
1. Rate Based Rules
2. OWASP Top 10 templates
3. Geo IP based restriction
4. RegEx Support
5. Managed Rules
6. Additional Regions for WAF/Shield
We listen to our customers and iterate quickly

10. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What customers asked?
“I don’t want expensive Pro-Serv engagements to
write and tune my rules”
“I want to focus on writing web applications and
not security rules”
“I don’t have the resources to write rules that keep
up with the bad guys”

11. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
So at re:Invent 2017 we announced…
Managed Rules on AWS WAF
with 5 Featured Sellers and 11 new Products!

12. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What are Seller Managed Rules?
• A set of WAF-Rules (sometimes in the 100’s) written
and managed by trusted security vendors
• Available on AWS Marketplace and the WAF Console
• Deployed on AWS WAF
• Pay-As-You-Go pricing

13. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
At Launch we said …
We will continue to add security vendors and
provide more Rule choices to customers ….

14. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
We are happy to Pre-Announce today!
Coming soon …
3 New Products!

15. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Featured Sellers

16. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
F5 Managed Rules for AWS WAF
SQLi, XSS, command
injection, No-SQLi
injection, path traversal,
and predictable resource
Apache, Apache Struts, Bash,
Elasticsearch, IIS, JBoss, JSP,
Java, Joomla, MySQL,
Node.js, PHP, PHPMyAdmin,
Perl, Ruby On Rails, and
WordPress.
Vulnerability scanners,
web scrapers, DDoS
tools, and forum spam
tools.

17. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Key Benefits of Managed Rules
1. Rules managed by security experts
2. Choice of protections
3. Auto-updates
4. Pay as you go
5. Easy to Deploy

18. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Deploy in 3 easy steps
Find rules on AWS WAF
console or AWS
marketplace
Click and
subscribe
Associate rules in
AWS WAF

19. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
TriNimbus – Customer Story

20. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Born in the Cloud in 2013
• AWS Premier Consulting Partner
• Offices in Vancouver, Calgary, Toronto, Montreal and
Macedonia
• Top 50 fastest growing startups in Canada (Canadian
Business Magazine)
About TriNimbus

21. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Our Core Capabilities
• Expert team of Solution Architects
and DevOps Engineers
• Co-sourcing: Integrating with your
Agile teams
• 24/7 DevOps and DevSecOps
managed services
• Architecture, operations,
migrations, disaster recovery, cost
optimization, compliance
About TriNimbus

22. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Growing the AWS User Groups
Community Across Canada
• Organize AWS User Groups in 9
cities across Canada
• 4000+ members and growing
• Education focused presentations
by AWS customers, evangelists
and best-of-breed technology
partners
• Creating opportunities to
learn, interact, and share ideas
About TriNimbus

23. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The ActiveDEMAND Story

24. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
About ActiveDEMAND
ActiveDEMAND is a marketing
technology company that provides
Marketing Automation to SMBs and
marketing agencies globally
• Call tracking
• Email marketing
• Social media marketing
• KPI dashboards

25. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Problem
• Suffering from intermittent DDoS attacks from a
small number of bad actors
• Attacks would quickly overwhelm their fixed
number of compute resources
• Web services would become completely
unavailable during attacks

26. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Original Architecture
• Amazon CloudFront in
front of static assets
only
• Elastic Load Balancer
in front of a fixed
number of Amazon
EC2 instances

27. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
VPC and EC2 Best Practices

28. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS WAF and Dynamic Content Delivery

29. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Why we Chose AWS WAF
• Very easy to add due to the
client already using Amazon
CloudFront
• DDoS were typically from a
small number of source IP
addresses; This made them
easy to block with IP match
conditions
• Very cost effective to
implement for a few rules

30. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
The Results
• ActiveDEMAND rolled out this
updated infrastructure
architecture for all new
customers
• There have been no detected
service interruptions for any
customers on this new
platform during the year it has
been in production

31. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Restrict ELB Access to
Amazon CloudFront IP Addresses
Going Forward
• AWS publishes IP ranges for
their services in JSON format
• Also publish updates to an
SNS topic they manage
• Subscribe to the SNS topic
with a Lambda function which
processes the JSON and
updates the ELB's security
group

32. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Take advantage of new AWS capabilities
• Use AWS WAF rate-based rules
instead of manually updating
blacklisted IP addresses
• Dedicated DDoS protection with AWS
Shield Advanced
• Subscribe to a managed rule group
instead of manually implementing SQL
injection and size constraint conditions
Going Forward

33. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Blog: Revisiting the AWS WAF
Take a look back at the all
improvements that have been
released for AWS WAF on its
journey from Minimal Viable
Product to Most Valuable Player
https://goo.gl/R37X6g
Further Reading

34. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
For more details on Managed Rules
https://aws.amazon.com/mp/security/WAFManagedRules/

35. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!