Whether you are building an e-commerce site or a business application, security is a key consideration when architecting your website or application. In this session, you will learn more about some of the things CloudFront does behind the scenes to protect the delivery of your content such as OCSP Stapling and Perfect Forward Secrecy. We will also share best practices on how you can use CloudFront to securely deliver content end-to-end, control who accesses your content, how to shield your origins from the Internet, and getting a A+ on SSL labs.

1. © 2015, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Alex Dunlap, GM, Amazon CloudFront
Matthew Baldwin, Sr. Software Development Engineer, Amazon CloudFront
October 2015
Secure Content Delivery
Using Amazon CloudFront
STG205

2. What to expect from the session
In this session we will talk about:
• Why security matters
• Key aspects of security
• How CloudFront can help
• Best practices for secured delivery on Amazon CloudFront

3. Overview: Why security matters
• Customer trust
• Regulatory compliance
• Data privacy

4. How AWS can help
Infrastructure
Security
Application
Security
Services Security
In the cloud, security is a shared responsibility
Encrypt data in transit
Encrypt data at rest
Protect your AWS credentials
Rotate your keys
Secure your application, OS,
stack and AMIs
Enforce AWS IAM policies
Use MFA, Amazon VPC,
leverage Amazon S3
bucket policies
Amazon EC2 security
groups
SOC 1,2,3
ISO 27001/2 Certification
PCI DSS 2.0 Level 1-5
HIPAA/SOX Compliance
FedRAMP, FISMA &
DIACAP ITAR
How we secure our
infrastructure
How can you secure your
application?
What security options and
features are available to you?

5. How Amazon CloudFront can help
Infrastructure
Security
Application
Security
Services Security
Security on Amazon CloudFront
SSL/TLS options
Private content
Origin access identities
AWS WAF
AWS CloudTrail
AWS IAM policies
Origin protection
Rotate keys
Rotate certificates
PCI DSS 2.0 Level 1

6. How Amazon CloudFront can help
What
Amazon CloudFront
does automatically
What you can do
using Amazon
CloudFront features
+ =
What should you do?
Secured content
delivery

7. Infrastructure security
How we secure our infrastructure
Infrastructure
Security Application
Security
Services Security

8. Infrastructure security
Facilities
Physical security
Cache infrastructure
Network infrastructure + =
What should you do?
Secured content delivery

9. Amazon CloudFront
edge location
Infrastructure security
• Bastion hosts for maintenance
• Two-factor authentication
• Encryption
• Separation to enhance containment
• Testing & metrics
x

10. Infrastructure security

11. Services security
Security options and features available on Amazon CloudFront
Infrastructure
Security
Application
Security
Services Security

12. Services security
High security ciphers
PFS
OCSP stapling
Session tickets
SSL/TLS options
Private content
Trusted signers
AWS WAF
AWS CloudTrail
+ =
What should you do?
Secured content delivery

13. Amazon CloudFront can protect
“data in transit”

14. Amazon CloudFront protects data in transit
Origin
Edge
location
User request A
• Deliver content over HTTPS
to protect data in transit
• HTTPS Authenticates
Amazon CloudFront to
viewers
• HTTPS authenticates origin
to Amazon CloudFront

15. Amazon CloudFront enables advanced
SSL features automatically

16. Advanced SSL/TLS
Improved security
• High security ciphers
• Perfect forward secrecy
Improved SSL performance
• Online Certificate Status Protocol
(OSCP stapling)
• Session tickets

17. Advanced SSL/TLS: Improved security
• Amazon CloudFront uses high
security ciphers
• Employs ephemeral key
exchange
• Enables perfect forward
secrecy
Amazon
CloudFront
edge location

18. Advanced SSL/TLS: Improved performance
• Session tickets
• Online Certificate Status Protocol (OSCP stapling)

19. Session tickets
• Session tickets allows client
to resume session
• Amazon CloudFront sends
encrypted session data to
client
• Client does an abbreviated
SSL handshake
Amazon
CloudFront
edge location

20. OCSP stapling
1
2 3
4
5
Client
OCSP responder
Origin server
Amazon
CloudFront
1) Client sends TLS Client Hello
2) Amazon CloudFront requests certificate
status from OCSP responder
3) OCSP Responder sends certificate status
4) Amazon CloudFront completes TLS
handshake with client
5) Request/response from origin server

21. OCSP stapling
…
OCSP stapling
Client-side revocation checks
0 50 100 150 200 250 …
(time in milliseconds)
0 50 100 150 200 250 …
(time in milliseconds)
TCP handshake
Client Hello
Server Hello
DNS for OCSP responder
TCP to OCSP responder
OCSP request/response
… Follow certificate chain
Complete handshake
Application data
30%
Improvement
120 ms faster

22. Validate origin certificate
Amazon CloudFront validates SSL certificates to origin
 Origin domain name must match Subject Name on
certificate
 Certificate must be issued by a Trusted CA
 Certificate must be within expiration window

23. But there are things you need to do

24. Deliver content using HTTPS
• Amazon CloudFront makes it easy
• Create one distribution, and deliver both
HTTP and HTTPS content
• There are other options as well:
• Strict HTTPS
• HTTP to HTTPS redirect

25. Amazon CloudFront TLS Options
Default Amazon
CloudFront SSL
domain name
Amazon CloudFront
certificate shared across
customers
When to use?
Example: dxxx.cloudfront.net
SNI custom SSL
Bring your own SSL certificate
Relies on the SNI extension of
the Transport Layer Security
(TLS) protocol
When to use?
Example: www.mysite.com
Some older browsers/OS do not
support SNI extension
Dedicated IP custom
SSL
Bring your own SSL certificate
Amazon CloudFront allocates
dedicated IP addresses to
serve your SSL content
When to use?
Example: www.mysite.com
Supported by all browsers/OS

26. MapBox

27. MapBox uses SNI custom SSL
• They wanted to use a custom domain
xxxxx.mapbox.com
• Their clients support TLS
• They wanted to use an economical option

28. HTTPS usage patterns
• Half bridge TLS termination
• Full bridge TLS termination

29. Better performance by leveraging HTTP connections to origin
Half bridge TLS termination
Amazon
CloudFront
HTTP
Region

30. Full bridge TLS termination
Amazon
CloudFront
HTTPS
• Secured connection all the way to origin
• Just configure Amazon CloudFront to “Match Viewer” protocol
Region

31. MapBox uses multiple origins
• Have multiple API end points (origin servers)
• One with half bridge: HTTP from edge to origin
• Second with full bridge: HTTPS from edge to origin

32. You are not done yet…
You need to protect content cached at
the edge

33. Access control
What if you want to…
• Deliver content only to selected customers
• Allow access to a content only until “time n”
• Allow only certain IPs to access content

34. Access control: Private content
Signed URLs
• Add signature to the Querystring in URL
• Your URL changes
When should you use it?
• Restrict access to individual files
• Users are using a client that doesn't
support cookies
• You want to use an RTMP distribution
Signed cookies
• Add signature to a cookie
• Your URL does not changes
When should you use it?
• Restrict access to multiple files
• You don’t want to change URLs

35. Access control: Private content
• Here is an example of a policy statement for signed URLs

36. Access control: Private content
Under development mode?
Make Amazon CloudFront accessible only from
your “internal IP addresses”

37. You are still not done…
What if you want to restrict access
based on parameters in the request

38. Amazon CloudFront
edge location
Block unnecessary requests
Scraper bot
Host: www.internetkitties.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEkItTiEs.com/
Connection: keep-alive
AWS
WAF Host: www.internetkitties.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.mysite.com/
Connection: keep-alive

39. Amazon CloudFront
edge location
Access control: AWS WAF
Scraper bot
Host: www.internetkitties.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEkItTiEs.com/
Connection: keep-alive
Host: www.internetkitties.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.mysite.com/
Connection: keep-alive
AWS
WAF

40. MapBox uses AWS WAF to protect
from bots
Good Users
Bad guys
Serve
r
AWS
WAF
Logs
Threat
analysis
Rule updater

41. AWS WAF Example:
A Technical Implementation
Blocking bad bots dynamically with AWS WAF Web ACLs

42. AWS WAF example: Blocking bad bots
What we need…
• IPSet: Contains our list of blocked IP addresses
• Rule: Blocks requests if requests match IP in our IPSet
• WebACL: Allows requests by default, contains our Rule
And…
• Mechanism to detect bad bots
• Mechanism to add bad bot IP address to IPSet

43. AWS WAF example: Detecting bad bots
• Use robots.txt to specify which
areas of your site or webapp should
not be scraped
• Place file in your web root
• Ensure there are links pointing to
non-scrapable content
• Hide a trigger script that normal
users don’t see and good bots
ignore
$ cat webroot/robots.txt
User-agent: *
Disallow: /honeypot/
<a href="/honeypot/"
class="hidden" aria-
hidden="true">click me</a>

44. AWS WAF example: Blacklist bad bots
• Bad bots (ignoring your robots.txt) will
request the hidden link
• Trigger script will detect the source IP
of the request
• Trigger script requests change token
• Trigger script adds source IP to IPSet
blacklist
• WebACL will block subsequent
request from that source
$ aws --endpoint-url
https://waf.amazonaws.com/ waf get-
change-token
{
"ChangeToken": "acbc53f2-46db-4fbd-
b8d5-dfb8c466927f”
}
$ aws --endpoint-url
https://waf.amazonaws.com/ waf update-ip-
set --cli-input-json '{ "IPSetId": ”<<IP
SET ID>>", "ChangeToken": "acbc53f2-46db-
4fbd-b8d5-dfb8c466927f", "Updates": [ {
"Action": "INSERT", "IPSetDescriptor": {
"Type": "IPV4", "Value": ”<<SOURCE
IP>>/32" } } ] }’
{
"ChangeToken": "acbc53f2-46db-4fbd-
b8d5-dfb8c466927f”
}

45. AWS CloudTrail
Record Amazon CloudFront API calls history for:
• Security analysis
• Resource change tracking
• Compliance auditing
Amazon
CloudWatch Alarm
AWS
CloudTrail
Amazon CloudFront
distribution updates

46. Application security
How can you secure your application and origin
Infrastructure
Security
Application
Security
Services Security

47. Application security
IAM policies
Origin protection
OAI
Rotate keys
Rotate certificates
+ =
What should you do?
Secured content delivery

48. Hackers could still bypass Amazon
CloudFront to access your origin…

49. Access control: Restricting origin access
Amazon S3
Origin Access Identify (OAI)
• Prevents direct access to your Amazon
S3 bucket.
• Ensure performance benefits to all
customers.
Custom origin
Block by IP address
• Whitelist Only the CloudFront IP Range
• Protects origin from overload
• Ensure performance benefits to all
customers.

50. Object Access Identity (OAI)
• Only Amazon CloudFront can
access Amazon S3 bucket
• We make it simple for you
Amazon CloudFront
Region
Amazon S3
bucket
Custom origin

51. Shield custom origin
• Shield your custom origin
• Whitelist Amazon CloudFront IP range
Amazon CloudFront
Region
Amazon S3
bucket
Custom origin

52. Shield custom origin
• Subscribe to Amazon SNS notifications on changes to
IP ranges
• Automatically update security groups
AWS Lambda
Amazon CloudFront
Amazon SNS
Security group
Web app
server
Web app
server
AWS IP ranges
Update IP range
SNS message

53. Services security: IAM
• AWS managed policies or create custom policies
• Regulate access to Amazon CloudFront APIs
• Describe user role or permissions

54. Services security : IAM examples
• Example 1: Create groups with just access to create
invalidations
• Example 2: Just read access to your distributions and
configuration

55. How to validate your security configurations?

56. Thank you!

57. Remember to complete
your evaluations!

58. Related Sessions
STG206:
Using Amazon CloudFront to Improve
the Performance, Availability, and
Cacheability of Your Website or
Application
Thursday, Oct 8, 5:30 PM - 6:30 PM
Marcelo 4506
SEC323:
Securing Web Applications with AWS
WAF
Friday, Oct 9 at 9:00 AM – 10:00 AM
Lando 4301B