Layered Perimeter Protection for Apps Running on AWS (CTD201-R1) - AWS re:Invent 2018

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Layered Perimeter Protection for
Apps Running on AWS
Ritwik Manan
Sr. Product Mgr. Tech
AWS Shield
C T D 2 0 1
Woodrow Arrington
Sr. Product Mgr. Tech
Amazon CloudFront

Recording available on YouTube
Deck available on SlideShare

What to expect from this session
Layered
Security
Demos
Use
Cases

Challenges in web application development

Malicious actors are
always probing for
weak points

Biggest threats to web applications today
App
Vulnerabilities
Bad Bots
DDoS
0
200
400
600
800
1000
1200
1400
1600
1800
Largest DDoS Attacks (Gbps)
Mem
cached
Mirai
botnet

Security is always the
number one priority
And it needs to
constantly evolve in
today’s environment

Three layers of perimeter protection
Build a highly scalable, secure, well-monitored,
DDoS-protected application
Objective:
1. Secure content delivery layer with reduced surface area
2. Firewall layer for common and customer specific exploits
3. DDoS protection layer for mitigating availability impact
Software
automation
of security

Layered perimeter protection – Basic AWS Application
EC2 Instance
S3 Bucket
Public
Subnet
Private
Subnet
ALB

SECURITY
performance
&
Amazon
CloudFront

Amazon CloudFront’s Secure Global Network

Amazon CloudFront’s Secure Global Network
Compliance Standards CloudFront CDN A
PCI DSS Yes Yes***
ISO 27001 Yes No
ISO 27002 Yes Yes
ISO 9001 Yes No
ISO 27017 Yes No
ISO 27018 Yes No
SOC 1/2/3 Yes Yes***
HIPAA Yes Yes
GDPR Yes Yes
Regional audits
• Germany C5
• Australia’s IRAP/IRAP
Protected
• Singapore’s MTCS
• Korea’s K-ISMS
Yes No

CloudFront shields your origin
Local Edge
locations Regional Edge
Cache Application
Origin
Users

0
25
50
75
100
CloudFront S3 US East S3 US West EC2 (N.
Virginia)
EC2 (Ohio) EC2 (N.
California)
EC2 (Oregon)
p50 FBL latency
Securing and accelerating your entire application
CloudFront S3Static Content
Images
Javascript
HTML

CloudFront S3
Video Content
Video on demand
Live streaming video
Elemental Media

CloudFront
Dynamic Content
User Inputs
APIs
ALB EC2
0
25
50
75
100
CloudFront S3 US East S3 US West EC2 (N.
Virginia)
EC2 (Ohio) EC2 (N.
California)
EC2 (Oregon)
p50 FBL latency

Dynamic content - WebSocket support
“CloudFront WebSocket support means we
can simplify our infrastructure and further
improve customer satisfaction.
CloudFront Edge locations will now
contribute to better user performance
in WebSocket apps”
Eduard Iskandarov, Team Lead Infrastructure
Coins.ph
“CloudFront now supporting WebSockets
enables us to consolidate both our dynamic
and static content delivery under a single
distribution, hence improving global reach,
enhancing app security, and simplifying our
delivery architecture all at the same time. ”
Viesturs Proškins, Head of Video R&D
Evolution Gaming

Same global network for
HTTPS and HTTP
Strict TLS policy enforcement
Perfect Forward Secrecy
OCSP Stapling
Much more SSL optimizations
and customizable options
documented online
Encrypting data in transit and at rest
0.0%
10.0%
20.0%
30.0%
40.0%
50.0%
60.0%
70.0%
80.0%
Oct
2013 2014 2015 2016 2017 2018
% Traffic SSL

SNI custom SSL
• Bring your own SSL certificate
• Relies on the SNI extension of
the Transport Layer Security
protocol
Use case
• www.example.com
• Some older browsers/OS do
not support SNI extension
Dedicated IP custom SSL
• Bring your own SSL certificate
• CloudFront allocates dedicated
IP addresses for your SSL
content
Use case
• www.example.com
• Supported by all browsers/OS
Default CloudFront SSL
• CloudFront
certificate shared
across customers
Use case
• dxxx.cloudfront.net
TLS/SSL options through CloudFront
Free SSL certificates for ACM-integrated services like CloudFront

Restricting internal access to your content with
Field Level Encryption

Signed URLs
• Add signature to the
URL query string
• Your URL changes
Signed cookies
• Add signature to a
cookie
• Your URL does NOT
change
Use case
• Restrict access to
multiple files
• You don’t want to
change URLs
Use case
• Restrict access to
individual files
• Users are using a client
that doesn't support
cookies
Restricting external access to your content
Geo Restriction
• Country based
whitelist or blacklist
Use case
• Broad restriction
based on
geographical
mapping of client IP

S3 Origin Access Identity
• Prevents direct access to your
Amazon S3 bucket
• No S3 URLs are accessible directly
Custom Origin Security Groups
• Whitelist ONLY the
CloudFront IP range
• Protects origin from overload
Restricting external access to your origin
CloudFront ALB EC2CloudFront S3

Software automation of the secure
content delivery

Read our blog for a step-by-step guide
“How to Automatically Update Your
Security Groups for Amazon CloudFront
and AWS WAF by Using AWS Lambda”
Automatically update an ALB/EC2 security group for
CloudFront using AWS Lambda
IAM policy Lambda function SNS subscription

Layered perimeter protection – Adding secure
Content Delivery
EC2 Instance
S3 Bucket
Public
Subnet
Private
Subnet
CloudFront
ALB

Choosing a Web Application Firewall:
4 key tenets

AWS WAF

AWS WAF
CloudFormation
Templates
Managed Rules
for AWS WAF

Foundational security
Managed rules for AWS WAF
• Rules written, updated and managed by Security
Experts
• Pay as you go : No Lock-in / Long term commitment
• Easy to Deploy
• Choice of Protections
• OWASP Top 10 & other web exploits
• Common Vulnerabilities and Exposures (CVE)
• Bot protection
• IP Reputation lists
• CMS rules (Wordpress, Joomla and others)
• Apache and Nginx vulnerabilities

Security
Automations
Managed Rules
for AWS WAF
AWS WAF

AWS WAF is a powerful rule language framework

AWS WAF
Security
Automations
Managed Rules
for AWS WAF
Multiple Rule
Condition Types
Combine and
build hierarchy
Actions : Allow /
Block / Count

Security
Automations
Managed Rules
for AWS WAF
Multiple Rule
Condition Types
Combine and
build hierarchy
Actions : Allow /
Block / Count
AWS WAF

Analyze security:
Visibility & analytics
CloudWatch Metrics
• Metrics on every Rule
• Allowed | Blocked |
Counted | Passed
Sampled Web Requests
• Detailed logs, of a Sample of
requests
• Automatically available for
every Rule
Full Logs
• Detailed logs, of Every request
this word just for spacing
• Optionally enabled for your
WebACL
Use Case
Set alarms for
notifications
Use Case
Quickly test AWS WAF Rules
Easy triaging on the console
Use Case
Security analytics, monitoring,
automation, auditing, and
compliance

AWS WAF full logs:
Key benefits
Compliance & Auditing
• Every logged request includes
Request Headers and RuleIDs that
matched
• Redact sensitive fields
Flexible implementation
• Logs streamed in JSON format
through Amazon Data Firehose to
your destination of choice
3rd Party Integrations
• Centralize and analyze logs from
AWS WAF and other services
Amazon S3 Amazon
Redshift
Amazon
ElasticSearch
Splunk
Amazon Kinesis
Data Firehose

Security analytics common use cases
3rd party integrations

Check out our webinar for a step-by-step guide
“Enhanced Security Analytics using
AWS Full Logging”
Enhanced Security Analytics with AWS
AWS WAF Amazon
Athena
Amazon S3 Bucket

Security
Automations
Managed Rules
for AWS WAF
Multiple Rule
Condition Types
Combine and
build hierarchy
Actions : Allow /
Block / Count
CloudWatch
Metrics
Sampled Web
Requests
Full Logs
AWS WAF

Software automation of the firewall

Software Automation of Security:
Lambda-based AWS WAF Automations
Bad Bot / Scanner / Known attackers AWS WAF Integration with Amazon
GuardDuty
DevOps friendly: Full Featured APIs and Fast Rule Updates
Blog / Webinar : “Automate Threat Mitigation Using AWS
WAF and Amazon GuardDuty”
AWS Answers: “AWS WAF Security Automations”

Software automation:
Config based AWS WAF Policies
Ensure Compliance to
Mandatory Rules
Across Organization
Simplify Management
of Rules Across
Accounts &
Applications with
security policies
Enable Rapid
Response to Internet
Attacks
Customize policy
scope to resource type
and accounts
(include/exclude)

Automating web application security
Create honeypot protections across apps
A bad bot identified on one application
can be easily blocked from
organizations’ other applications as
well
To quickly create a honeypot automation on
an account
Read our step by step guide: “AWS WAF
Security Automations”

AWS WAF
Security
Automations
Managed Rules
for AWS WAF
Multiple Rule
Condition Types
Combine and
build hierarchy
Actions : Allow /
Block / Count
CloudWatch
Metrics
Sampled Web
Requests
Full Logs
Lambda
Automations
AWS Firewall
Manager

Layered perimeter protection – Adding a Firewall
EC2 Instance
S3 Bucket
Public
Subnet
Private
Subnet
CloudFront
WAF
ALB
Firewall
Manager

Choosing a DDoS protection provider:
4 key tenets

AWS Shield Standard & Advanced

Built-in DDoS
Protection for
Everyone
Point and
Protect Wizard

AWS Shield detects and mitigates 1,000’s of DDoS
Attacks Daily
Source: AWS Global Threat Dashboard (Available for AWS Shield Advanced customers)

Automatic
Protection across
customers
Enhanced
Protection
baselined to you
24x7 access to
DDoS Response
Team (DRT)
Built-in DDoS
Protection for
Everyone
Point and
Protect Wizard

 Baselining and anomaly detection across all AWS
 Mitigation with proprietary packet filtering stacks using
suspicion based scoring
 Automatic defense against the most common network and
transport layer DDoS attacks for any AWS resource, in any
AWS Region
 Comprehensive defense against all known network and
transport layer attacks when using Amazon CloudFront and
Amazon Route 53
AWS Shield Standard:
Layer 3/4 protection for everyone
Automatic
Protection across
customers

AWS Shield Advanced:
Enhanced protection
• Enhanced Layer 3/4 attack
detection baselined to you
• Layer 7 attack detection
• Pre-configured mitigations scoped to resource type
• Advanced mitigations like SYN Throttling
• Customer defined L3/4 Mitigations (for regional svcs)
Detection Mitigation
• Help in Incident triaging and mitigation
• Automatically engaged for availability impacting L3/L4
events.
• Customer driven support cases through AWS Support or
Shield Engagement Lambda
Enhanced
Protection
baselined to you
24x7 access to
DDoS Response
Team (DRT)

Recent significant attacks
March 2018: Web application targeted by 1.4 Tbps
memcached reflection attack, mitigated with Amazon
CloudFront and AWS Shield Advanced
November 2018: Web application running on Amazon
CloudFront targeted by 20 million requests per second,
automatically mitigated by Amazon CloudFront and AWS
Shield Advanced

Automatic
Protection across
customers
Enhanced
Protection
baselined to you
24x7 access to
DDoS Response
Team (DRT)
Built-in DDoS
Protection for
Everyone
Point and
Protect Wizard
CloudWatch
Metrics
Attack
Diagnostics
Global Threat
Environment
Dashboard

Automatic
Protection across
customers
Enhanced
Protection
baselined to you
24x7 access to
DDoS Response
Team (DRT)
Built-in DDoS
Protection for
Everyone
Point and
Protect Wizard
AWS WAF at no
additional cost
For protected resources
AWS Firewall
Manager at no
additional cost
Cost Protection
for scaling
CloudWatch
Metrics
Attack
Diagnostics
Global Threat
Environment
Dashboard

AWS Shield Advanced:
Cost Protection for scaling
AWS absorbs scaling cost on protected
resources due to DDoS attack
• Amazon CloudFront
• Elastic Load Balancing (ELB/ALB/NLB)
• Amazon Route 53
• Amazon EC2

Layered perimeter protection – Adding DDoS
Protection
EC2 Instance
S3 Bucket
Public
Subnet
Private
Subnet
Shield
Shield
Advanced
ALB
CloudFront
WAF
Firewall
Manager

Specialized component use cases
Different protection needs
 I have a serverless
architecture / APIs
 I have TCP traffic
(non-HTTP/S)
 I run UDP based
games
• Create a unified API
frontend for multiple
micro-services
• Authenticate and
authorize requests
• Throttle, meter, and
monetize API usage by
third-party developers
Amazon API GatewayAWS WAF
• Full AWS WAF features
• Custom and managed
rules
• Visibility through
CloudWatch and logs
• Automate with AWS
Lambda
AWS Shield
Standard

architecture / APIs
(non-HTTP/S)
 I run UDP based
games
AWS Shield Advanced
Fast Scaling, transparent
load balancer
architected for
performance and
availability
Network Load Balancer
Global Load balancing
across regions with
anycast routing and fine
grained controls
AWS Global Accelerator
• Granular Detection
Thresholds (based on
background architecture)
• Pre-configured /
customized mitigation
templates
• Network ACLs pushed to
the border

architecture / APIs
(non-HTTP/S)
 I run UDP based
games
AWS Shield Advanced EC2 Instances
Global Load balancing
across regions with
anycast routing and fine
grained controls
AWS Global Accelerator
• Granular Detection
Thresholds (based on
background architecture)
• Pre-configured /
customized mitigation
templates
• Network ACLs pushed to
the border

Ending with a multi-layered, secured application
EC2 Instance
S3 Bucket
Public
Subnet
Private
Subnet
CloudFront
WAF
Shield
Shield
Advanced
ALB
Firewall
Manager

Thank you!
Ritwik Manan
ritwikm@amazon.com
Woodrow Arrington
arrinw@amazon.com

Deck available on SlideShare & recording available on YouTube

Related breakouts
Thursday, November 29th
CTD315 - How Rovio Uses Amazon CloudFront for Secure API Acceleration
1:00 PM - 2:00 PM | Venetian, Level 2, Veronese 2406
Wednesday, November 28th
SEC402 - AWS, I Choose You: Pokemon's Battle against the Bots
1:00 PM - 2:00 PM | Aria East, Level 2, Mariposa 5
Tuesday, November 27th
CTD304 - Secure Your Site: Use CDN Security Features to Protect Your Content &
Infrastructure
5:30 PM - 6:30 PM | Aria West, Level 3, Starvine 10, Table 6

Layered Perimeter Protection for Apps Running on AWS (CTD201-R1) - AWS re:Invent 2018

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a Layered Perimeter Protection for Apps Running on AWS (CTD201-R1) - AWS re:Invent 2018

Similar a Layered Perimeter Protection for Apps Running on AWS (CTD201-R1) - AWS re:Invent 2018 (20)

Más de Amazon Web Services

Más de Amazon Web Services (20)

Layered Perimeter Protection for Apps Running on AWS (CTD201-R1) - AWS re:Invent 2018