Whether you are building an e-commerce site or a business application, security is a key consideration when architecting your website or application. In this session, you will learn more about some of the things CloudFront does behind the scenes to protect the delivery of your content, such as OCSP stapling and Perfect Forward Secrecy. We will also share best practices on how you can use CloudFront to securely deliver content end-to-end, control who accesses your content, shield your origins from the Internet, and get an A+ on SSL Labs.
2. What to expect from the session
In this session we will talk about:
• Why security matters
• Key aspects of security
• How CloudFront can help
• Best practices for secured delivery on Amazon CloudFront
4. How AWS can help
In the cloud, security is a shared responsibility.
Infrastructure security (how we secure our infrastructure):
• SOC 1, 2, 3
• ISO 27001/2 certification
• PCI DSS 2.0 Level 1-5
• HIPAA/SOX compliance
• FedRAMP, FISMA & DIACAP
• ITAR
Application security (how can you secure your application?):
• Encrypt data in transit
• Encrypt data at rest
• Protect your AWS credentials
• Rotate your keys
• Secure your application, OS, stack and AMIs
Services security (what security options and features are available to you?):
• Enforce AWS IAM policies
• Use MFA, Amazon VPC, leverage Amazon S3 bucket policies
• Amazon EC2 security groups
5. How Amazon CloudFront can help
Security on Amazon CloudFront, across infrastructure, application and services security:
• SSL/TLS options
• Private content
• Origin access identities
• AWS WAF
• AWS CloudTrail
• AWS IAM policies
• Origin protection
• Rotate keys
• Rotate certificates
• PCI DSS 2.0 Level 1
6. How Amazon CloudFront can help
What Amazon CloudFront does automatically + what you can do using Amazon CloudFront features = secured content delivery.
What should you do?
14. Amazon CloudFront protects data in transit
[Diagram: a user request reaches an edge location, which forwards it to the origin]
• Deliver content over HTTPS to protect data in transit
• HTTPS authenticates Amazon CloudFront to viewers
• HTTPS authenticates the origin to Amazon CloudFront
19. Session tickets
• Session tickets allow a client to resume a session
• Amazon CloudFront sends encrypted session data to the client
• The client does an abbreviated SSL handshake
[Diagram: client and Amazon CloudFront edge location]
20. OCSP stapling
[Diagram: client, Amazon CloudFront, OCSP responder and origin server, with steps 1-5 listed below]
1) Client sends TLS Client Hello
2) Amazon CloudFront requests certificate status from the OCSP responder
3) OCSP responder sends certificate status
4) Amazon CloudFront completes the TLS handshake with the client
5) Request/response from the origin server
21. OCSP stapling
[Chart: handshake timelines in milliseconds (0 to 250+) for OCSP stapling versus client-side revocation checks. Phases shown: TCP handshake, Client Hello, Server Hello, DNS for OCSP responder, TCP to OCSP responder, OCSP request/response, follow certificate chain, complete handshake, application data]
30% improvement: 120 ms faster
22. Validate origin certificate
Amazon CloudFront validates SSL certificates to the origin:
• Origin domain name must match the Subject Name on the certificate
• Certificate must be issued by a trusted CA
• Certificate must be within its expiration window
24. Deliver content using HTTPS
• Amazon CloudFront makes it easy
• Create one distribution, and deliver both HTTP and HTTPS content
• There are other options as well:
  • Strict HTTPS
  • HTTP to HTTPS redirect
25. Amazon CloudFront TLS Options
Default Amazon CloudFront SSL domain name
• Amazon CloudFront certificate shared across customers
• When to use? Example: dxxx.cloudfront.net
SNI custom SSL
• Bring your own SSL certificate
• Relies on the SNI extension of the Transport Layer Security (TLS) protocol
• When to use? Example: www.mysite.com
• Some older browsers/OS do not support the SNI extension
Dedicated IP custom SSL
• Bring your own SSL certificate
• Amazon CloudFront allocates dedicated IP addresses to serve your SSL content
• When to use? Example: www.mysite.com
• Supported by all browsers/OS
27. MapBox uses SNI custom SSL
• They wanted to use a custom domain xxxxx.mapbox.com
• Their clients support TLS
• They wanted to use an economical option
29. Better performance by leveraging HTTP connections to origin
Half bridge TLS termination
[Diagram: TLS terminated at Amazon CloudFront; HTTP from the edge to the origin region]
30. Full bridge TLS termination
[Diagram: HTTPS from Amazon CloudFront to the origin region]
• Secured connection all the way to origin
• Just configure Amazon CloudFront to “Match Viewer” protocol
31. MapBox uses multiple origins
• Have multiple API endpoints (origin servers)
• One with half bridge: HTTP from edge to origin
• Second with full bridge: HTTPS from edge to origin
32. You are not done yet…
You need to protect content cached at the edge
33. Access control
What if you want to…
• Deliver content only to selected customers
• Allow access to content only until “time n”
• Allow only certain IPs to access content
34. Access control: Private content
Signed URLs
• Add a signature to the query string in the URL
• Your URL changes
When should you use it?
• Restrict access to individual files
• Users are using a client that doesn't support cookies
• You want to use an RTMP distribution
Signed cookies
• Add a signature to a cookie
• Your URL does not change
When should you use it?
• Restrict access to multiple files
• You don’t want to change URLs
40. MapBox uses AWS WAF to protect from bots
[Diagram: good users and bad guys reach the server through AWS WAF; server logs feed threat analysis, which drives a rule updater that changes the AWS WAF rules]
41. AWS WAF example: a technical implementation
Blocking bad bots dynamically with AWS WAF Web ACLs
42. AWS WAF example: Blocking bad bots
What we need…
• IPSet: Contains our list of blocked IP addresses
• Rule: Blocks requests if requests match IP in our IPSet
• WebACL: Allows requests by default, contains our Rule
And…
• Mechanism to detect bad bots
• Mechanism to add bad bot IP address to IPSet
43. AWS WAF example: Detecting bad bots
• Use robots.txt to specify which areas of your site or webapp should not be scraped
• Place the file in your web root
• Ensure there are links pointing to non-scrapable content
• Hide a trigger script that normal users don’t see and good bots ignore
$ cat webroot/robots.txt
User-agent: *
Disallow: /honeypot/
<a href="/honeypot/" class="hidden" aria-hidden="true">click me</a>
44. AWS WAF example: Blacklist bad bots
• Bad bots (ignoring your robots.txt) will request the hidden link
• Trigger script will detect the source IP of the request
• Trigger script requests a change token
• Trigger script adds the source IP to the IPSet blacklist
• WebACL will block subsequent requests from that source
$ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
$ aws --endpoint-url https://waf.amazonaws.com/ waf update-ip-set --cli-input-json '{ "IPSetId": "<<IP SET ID>>", "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f", "Updates": [ { "Action": "INSERT", "IPSetDescriptor": { "Type": "IPV4", "Value": "<<SOURCE IP>>/32" } } ] }'
{
    "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f"
}
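An added example, in Go, of the trigger script behind the hidden /honeypot/ link (not MapBox's or AWS's code): it takes the viewer address CloudFront appended to X-Forwarded-For and renders the same update-ip-set document the CLI call above expects. Fetching the change token and calling the WAF API are assumed to be done by the SDK inside the report callback; the IPSet id and change token are the placeholders from the slide.

```go
package main

import (
	"encoding/json"
	"net"
	"net/http"
	"strings"
)

// viewerIP returns the address CloudFront appended to X-Forwarded-For: CloudFront adds the connecting
// viewer as the LAST entry, so forged earlier entries are ignored (valid only for a shielded origin).
func viewerIP(r *http.Request) string {
	if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
		parts := strings.Split(xff, ",")
		return strings.TrimSpace(parts[len(parts)-1])
	}
	host, _, _ := net.SplitHostPort(r.RemoteAddr) // direct hit, no proxy in between
	return host
}

// descriptorFor builds the IPSetDescriptor Type and single-host CIDR WAF expects (/32 or /128).
func descriptorFor(ip string) (ipType, cidr string, ok bool) {
	parsed := net.ParseIP(ip)
	if parsed == nil {
		return "", "", false
	}
	if parsed.To4() != nil {
		return "IPV4", parsed.String() + "/32", true
	}
	return "IPV6", parsed.String() + "/128", true
}

// buildIPSetUpdate renders the --cli-input-json document for `aws waf update-ip-set`.
func buildIPSetUpdate(ipSetID, changeToken, ipType, cidr string) ([]byte, error) {
	desc := map[string]string{"Type": ipType, "Value": cidr}
	return json.Marshal(map[string]any{"IPSetId": ipSetID, "ChangeToken": changeToken,
		"Updates": []map[string]any{{"Action": "INSERT", "IPSetDescriptor": desc}}})
}

// honeypotHandler serves the hidden /honeypot/ path; anything fetching it ignored robots.txt,
// so its address goes to report (which would get a change token and call update-ip-set).
func honeypotHandler(report func(ipType, cidr string)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if ipType, cidr, ok := descriptorFor(viewerIP(r)); ok {
			report(ipType, cidr)
		}
		http.NotFound(w, r) // the bot learns nothing from the response
	}
}
```

Taking the last X-Forwarded-For entry only makes sense once the origin is shielded as in the later slides; if the origin is reachable directly, a client can set the header itself and have an arbitrary address blacklisted.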
45. AWS CloudTrail
Record Amazon CloudFront API call history for:
• Security analysis
• Resource change tracking
• Compliance auditing
[Diagram: Amazon CloudFront distribution updates are recorded by AWS CloudTrail and raise an Amazon CloudWatch alarm]
46. Application security
How can you secure your application and origin?
49. Access control: Restricting origin access
Amazon S3: Origin Access Identity (OAI)
• Prevents direct access to your Amazon S3 bucket
• Ensures performance benefits to all customers
Custom origin: block by IP address
• Whitelist only the CloudFront IP range
• Protects origin from overload
• Ensures performance benefits to all customers
50. Origin Access Identity (OAI)
• Only Amazon CloudFront can access the Amazon S3 bucket
• We make it simple for you
[Diagram: Amazon CloudFront reaching an Amazon S3 bucket and a custom origin in a region]
51. Shield custom origin
• Shield your custom origin
• Whitelist the Amazon CloudFront IP range
[Diagram: Amazon CloudFront reaching an Amazon S3 bucket and a custom origin in a region]
52. Shield custom origin
• Subscribe to Amazon SNS notifications on changes to IP ranges
• Automatically update security groups
[Diagram: a change to the AWS IP ranges publishes an SNS message; AWS Lambda receives it and updates the security group in front of the web app servers that Amazon CloudFront reaches]
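As an added example, not the talk's or AWS's own Lambda code, this Go fragment does the pure part of the update step: parse the published ip-ranges.json (the sample here is constructed), keep the prefixes tagged CLOUDFRONT, and compute which security-group rules to authorize and revoke. The SNS trigger and the EC2 API calls are assumed to wrap these two functions.

```go
package main

import "encoding/json"

// sampleIPRanges is a constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json.
const sampleIPRanges = `{"syncToken":"1700000000","prefixes":[
{"ip_prefix":"203.0.113.0/24","region":"GLOBAL","service":"CLOUDFRONT"},
{"ip_prefix":"198.51.100.0/24","region":"us-east-1","service":"EC2"},
{"ip_prefix":"192.0.2.0/24","region":"GLOBAL","service":"CLOUDFRONT"}]}`

// ipRanges is the subset of the published document this example reads.
type ipRanges struct {
	SyncToken string              `json:"syncToken"`
	Prefixes  []map[string]string `json:"prefixes"`
}

// cloudFrontPrefixes returns the document's syncToken and the prefixes tagged CLOUDFRONT, in file order.
func cloudFrontPrefixes(data []byte) (syncToken string, prefixes []string, err error) {
	var doc ipRanges
	if err := json.Unmarshal(data, &doc); err != nil {
		return "", nil, err
	}
	for _, p := range doc.Prefixes {
		if p["service"] == "CLOUDFRONT" {
			prefixes = append(prefixes, p["ip_prefix"])
		}
	}
	return doc.SyncToken, prefixes, nil
}

// diff returns the entries of a that are absent from b, in a's order.
func diff(a, b []string) (out []string) {
	in := map[string]bool{}
	for _, s := range b {
		in[s] = true
	}
	for _, s := range a {
		if !in[s] {
			out = append(out, s)
		}
	}
	return out
}

// planRuleChanges compares what the security group allows now with the published list:
// authorize prefixes the group lacks, revoke rules for prefixes AWS no longer lists.
func planRuleChanges(current, published []string) (authorize, revoke []string) {
	return diff(published, current), diff(current, published)
}
```

Revoking stale prefixes matters as much as adding new ones, since a rule left behind for a range AWS has reassigned lets non-CloudFront traffic reach the origin; the published CloudFront list can also exceed a single security group's rule quota, so a real updater spreads the authorize set over several groups.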
53. Services security: IAM
• AWS managed policies or create custom policies
• Regulate access to Amazon CloudFront APIs
• Describe user role or permissions
54. Services security: IAM examples
• Example 1: Create groups with just access to create invalidations
• Example 2: Just read access to your distributions and configuration
58. Related Sessions
STG206: Using Amazon CloudFront to Improve the Performance, Availability, and Cacheability of Your Website or Application
Thursday, Oct 8, 5:30 PM - 6:30 PM, Marcelo 4506
SEC323: Securing Web Applications with AWS WAF
Friday, Oct 9 at 9:00 AM – 10:00 AM, Lando 4301B