Layered Perimeter Protection for Apps Running on AWS (CTD201-R1) - AWS re:Invent 2018
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

2. Layered Perimeter Protection for Apps Running on AWS
CTD201
Ritwik Manan, Sr. Product Mgr. Tech, AWS Shield
Woodrow Arrington, Sr. Product Mgr. Tech, Amazon CloudFront

4. What to expect from this session
Layered security, demos, and use cases

5. Challenges in web application development

6. Malicious actors are always probing for weak points

7. Biggest threats to web applications today
App vulnerabilities, bad bots, and DDoS
[Chart: Largest DDoS attacks (Gbps), scale 0 to 1,800 Gbps, with the Mirai botnet and memcached reflection attacks marked]

8. Security is always the number one priority, and it needs to constantly evolve in today's environment

9. Three layers of perimeter protection
Objective: build a highly scalable, secure, well-monitored, DDoS-protected application
1. Secure content delivery layer with reduced surface area
2. Firewall layer for common and customer-specific exploits
3. DDoS protection layer for mitigating availability impact
Cutting across all three: software automation of security

10. Layered perimeter protection – Basic AWS application
[Diagram: ALB in a public subnet, EC2 instance in a private subnet, and an S3 bucket; no protection layers yet]

12. Amazon CloudFront: security & performance

13. Amazon CloudFront's secure global network
[Map of edge locations]

14. Amazon CloudFront's secure global network: compliance standards

Compliance standard | CloudFront | CDN A
PCI DSS             | Yes        | Yes***
ISO 27001           | Yes        | No
ISO 27002           | Yes        | Yes
ISO 9001            | Yes        | No
ISO 27017           | Yes        | No
ISO 27018           | Yes        | No
SOC 1/2/3           | Yes        | Yes***
HIPAA               | Yes        | Yes
GDPR                | Yes        | Yes
Regional audits (Germany C5; Australia IRAP / IRAP Protected; Singapore MTCS; Korea K-ISMS) | Yes | No

15. CloudFront shields your origin
[Diagram: users → local edge locations → regional edge cache → application origin]

16. Securing and accelerating your entire application: static content
Images, JavaScript and HTML served from S3 through CloudFront
[Chart: p50 first-byte latency (FBL), axis 0–100, comparing CloudFront against direct S3 (US East, US West) and EC2 (N. Virginia, Ohio, N. California, Oregon) origins]

17. Securing and accelerating your entire application: video content
Video on demand and live streaming video from S3 and AWS Elemental Media services through CloudFront

18. Securing and accelerating your entire application: dynamic content
User inputs and APIs served from ALB/EC2 through CloudFront
[Chart: the same p50 first-byte latency comparison as on slide 16]

19. Dynamic content – WebSocket support
"CloudFront WebSocket support means we can simplify our infrastructure and further improve customer satisfaction. CloudFront Edge locations will now contribute to better user performance in WebSocket apps."
– Eduard Iskandarov, Team Lead Infrastructure, Coins.ph
"CloudFront now supporting WebSockets enables us to consolidate both our dynamic and static content delivery under a single distribution, hence improving global reach, enhancing app security, and simplifying our delivery architecture all at the same time."
– Viesturs Proškins, Head of Video R&D, Evolution Gaming

20. Encrypting data in transit and at rest
• Same global network for HTTPS and HTTP
• Strict TLS policy enforcement
• Perfect Forward Secrecy
• OCSP stapling
• Many more SSL/TLS optimizations and customizable options, documented online
[Chart: % of traffic over SSL/TLS by year, Oct 2013 to 2018, axis 0–80%]

21. TLS/SSL options through CloudFront
Default CloudFront SSL
• CloudFront certificate shared across customers
• Use case: dxxx.cloudfront.net
SNI custom SSL
• Bring your own SSL certificate
• Relies on the SNI extension of the Transport Layer Security protocol
• Use case: www.example.com; some older browsers/OS do not support the SNI extension
Dedicated IP custom SSL
• Bring your own SSL certificate
• CloudFront allocates dedicated IP addresses for your SSL content
• Use case: www.example.com; supported by all browsers/OS
Free SSL certificates for ACM-integrated services like CloudFront

22. Restricting internal access to your content with Field-Level Encryption
(Selected POST fields are encrypted at the edge with a public key you provide, so only the backend component holding the private key can read them.)

23. Restricting external access to your content
Signed URLs
• Add the signature to the URL query string
• Your URL changes
• Use case: restrict access to individual files; users are using a client that doesn't support cookies
Signed cookies
• Add the signature to a cookie
• Your URL does NOT change
• Use case: restrict access to multiple files; you don't want to change URLs
Geo Restriction
• Country-based whitelist or blacklist
• Use case: broad restriction based on geographical mapping of the client IP

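The two signing options above differ only in where the signature travels (query string vs. cookies) and in the policy they usually carry (a canned policy for one URL, a custom policy with wildcards for many). The following is an added example, not code from the talk or an AWS library: it builds both forms. The key pair ID, the distribution hostname and the object paths are placeholders; the RSA-SHA1 signing step is a callable so the policy serialization and CloudFront's base64 alphabet can be checked without a key, and `rsa_sha1_signer` shows the real signer using the third-party `cryptography` package.

```python
"""CloudFront signed URLs (canned policy) and signed cookies (custom policy).

Added example, not code from the talk. KEY_PAIR_ID and the URLs are placeholders;
RSA-SHA1 signing is delegated to a callable so the policy/encoding logic runs offline.
"""
import base64
import json
import time
from typing import Callable, Optional

KEY_PAIR_ID = "APKAEXAMPLEKEYPAIRID"  # assumed: CloudFront key pair whose public key is a trusted signer
OBJECT_URL = "https://d111111abcdef8.cloudfront.net/private/video.mp4"  # assumed distribution/object

Signer = Callable[[bytes], bytes]  # returns an RSA-SHA1 PKCS#1 v1.5 signature over its input


def cf_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def decode_policy(encoded: str) -> dict:
    """Inverse of cf_b64 for a CloudFront-Policy value; useful when debugging a 403."""
    return json.loads(base64.b64decode(encoded.translate(str.maketrans("-_~", "+=/"))))


def canned_policy(resource: str, expires: int) -> bytes:
    """One exact resource, one expiry. Serialized without whitespace, as CloudFront expects."""
    policy = {"Statement": [{"Resource": resource,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def custom_policy(resource: str, expires: int, source_ip: Optional[str] = None) -> bytes:
    """Resource may contain wildcards; an optional IpAddress condition pins viewers to a CIDR."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires}}
    if source_ip:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    policy = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def signed_url(url: str, expires: int, key_pair_id: str, sign: Signer) -> str:
    """Signed URL for a single object: the URL changes (Expires, Signature, Key-Pair-Id appended).
    The signature alphabet is [A-Za-z0-9-_~], so no percent-encoding is needed."""
    signature = cf_b64(sign(canned_policy(url, expires)))
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}Expires={expires}&Signature={signature}&Key-Pair-Id={key_pair_id}"


def signed_cookies(resource: str, expires: int, key_pair_id: str, sign: Signer,
                   source_ip: Optional[str] = None) -> dict:
    """Signed cookies for many objects (wildcard resource): the URLs do not change."""
    policy = custom_policy(resource, expires, source_ip)
    return {"CloudFront-Policy": cf_b64(policy),
            "CloudFront-Signature": cf_b64(sign(policy)),
            "CloudFront-Key-Pair-Id": key_pair_id}


def rsa_sha1_signer(private_key_pem: bytes) -> Signer:
    """Production signer: RSA-SHA1 with PKCS#1 v1.5 padding, the scheme CloudFront verifies.
    Uses the third-party `cryptography` package, imported lazily so the rest stays stdlib-only."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA1())


if __name__ == "__main__":
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    pem = key.private_bytes(serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8,
                            serialization.NoEncryption())
    sign, expires = rsa_sha1_signer(pem), int(time.time()) + 300  # short lifetimes limit link sharing
    print(signed_url(OBJECT_URL, expires, KEY_PAIR_ID, sign))
    print(signed_cookies("https://d111111abcdef8.cloudfront.net/private/*", expires,
                         KEY_PAIR_ID, sign, source_ip="203.0.113.0/24"))
```

Keep expiries short and, when the viewer's address is stable, add the `IpAddress` condition so a leaked URL or cookie is of little use elsewhere. The cookie variant has to be set by your own application endpoint over HTTPS; CloudFront only verifies the three cookies it receives.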
24. Restricting external access to your origin
S3 Origin Access Identity (CloudFront → S3)
• Prevents direct access to your Amazon S3 bucket
• No S3 URLs are accessible directly
Custom origin security groups (CloudFront → ALB → EC2)
• Whitelist ONLY the CloudFront IP range
• Protects origin from overload

27. Automatically update an ALB/EC2 security group for CloudFront using AWS Lambda
Components: IAM policy, Lambda function, SNS subscription (to the topic that announces changes to the published AWS IP ranges)
Read our blog for a step-by-step guide: "How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda"

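The automation described above, written out as an added example (this is not the blog's or the talk's code). It assumes a Lambda function subscribed to the `AmazonIpSpaceChanged` SNS topic, an environment variable `SECURITY_GROUP_ID` naming the origin security group, and a boto3 EC2 client; the shortened `ip-ranges.json` document embedded below is constructed for illustration.

```python
"""Keep an origin security group in sync with CloudFront's published IP ranges.

Added example, not the talk's or the AWS blog's code. Assumes a Lambda subscribed to the
AmazonIpSpaceChanged SNS topic and SECURITY_GROUP_ID set in the environment.
"""
import hashlib
import json
import os
import urllib.request

# Constructed, shortened stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json
SAMPLE_IP_RANGES = {
    "syncToken": "1543190000",
    "createDate": "2018-11-26-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
    "ipv6_prefixes": [],
}


def cloudfront_prefixes(ip_ranges: dict) -> set:
    """IPv4 CIDRs tagged CLOUDFRONT (ipv6_prefixes would be handled the same way for Ipv6Ranges)."""
    return {p["ip_prefix"] for p in ip_ranges["prefixes"] if p["service"] == "CLOUDFRONT"}


def current_cidrs(group: dict, port: int) -> set:
    """IPv4 CIDRs already allowed on tcp/<port> in one describe_security_groups() entry."""
    cidrs = set()
    for perm in group.get("IpPermissions", []):
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port and perm.get("ToPort") == port:
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs


def plan_changes(current: set, desired: set):
    """Return (to_add, to_remove) so the group ends up allowing exactly `desired` on the port."""
    return sorted(desired - current), sorted(current - desired)


def ip_permissions(port: int, cidrs, description=None) -> list:
    """Build the IpPermissions structure used by authorize/revoke_security_group_ingress."""
    ranges = [{"CidrIp": c, **({"Description": description} if description else {})} for c in cidrs]
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port, "IpRanges": ranges}]


def sync_security_group(ec2, group_id: str, port: int, desired: set):
    """Authorize new ranges before revoking stale ones so legitimate edge traffic is never cut off.
    `ec2` is a boto3 EC2 client (or any object exposing the same three methods)."""
    group = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_add, to_remove = plan_changes(current_cidrs(group, port), desired)
    if to_add:
        ec2.authorize_security_group_ingress(
            GroupId=group_id, IpPermissions=ip_permissions(port, to_add, "CloudFront edge range"))
    if to_remove:
        ec2.revoke_security_group_ingress(GroupId=group_id, IpPermissions=ip_permissions(port, to_remove))
    return to_add, to_remove


def fetch_ip_ranges(message: dict) -> dict:
    """Download the document named in the SNS message and verify the MD5 the message carries."""
    with urllib.request.urlopen(message["url"]) as resp:
        body = resp.read()
    if hashlib.md5(body).hexdigest() != message["md5"]:
        raise ValueError("ip-ranges.json MD5 mismatch; not touching the security group")
    return json.loads(body)


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported lazily so the rest runs offline
    message = json.loads(event["Records"][0]["Sns"]["Message"])
    desired = cloudfront_prefixes(fetch_ip_ranges(message))
    if not desired:
        raise RuntimeError("no CLOUDFRONT prefixes found; refusing to empty the security group")
    added, removed = sync_security_group(boto3.client("ec2"), os.environ["SECURITY_GROUP_ID"], 443, desired)
    return {"added": added, "removed": removed}


if __name__ == "__main__":
    # Dry run against the constructed sample: what would change for a group that only allows 192.0.2.0/24?
    print(plan_changes({"192.0.2.0/24"}, cloudfront_prefixes(SAMPLE_IP_RANGES)))
```

Two caveats a practitioner should keep in mind. The CloudFront range is shared by every CloudFront customer, so this rule stops direct-to-origin traffic from the internet at large but not traffic relayed through someone else's distribution; pair it with a secret custom origin header that the ALB listener rule, AWS WAF or the application checks. And the full CloudFront range exceeds the default per-group quota of inbound rules (60 at the time of writing), which is why the blog splits the prefixes across more than one security group; size the group list accordingly before the function runs in production.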
28. Layered perimeter protection – Adding secure content delivery
[Diagram: CloudFront in front of the ALB (public subnet), the EC2 instance (private subnet) and the S3 bucket]

30. Choosing a Web Application Firewall: 4 key tenets
(The tenets developed on the following slides: foundational security, a powerful rule language, visibility & analytics, and software automation of security.)

31. Choosing a Web Application Firewall: AWS WAF
32. Choosing a Web Application Firewall: AWS WAF – CloudFormation Templates; Managed Rules for AWS WAF

33. Foundational security: Managed Rules for AWS WAF
• Rules written, updated and managed by security experts
• Pay as you go: no lock-in or long-term commitment
• Easy to deploy
• Choice of protections:
  • OWASP Top 10 and other web exploits
  • Common Vulnerabilities and Exposures (CVE)
  • Bot protection
  • IP reputation lists
  • CMS rules (WordPress, Joomla and others)
  • Apache and Nginx vulnerabilities

34. Choosing a Web Application Firewall: AWS WAF – Security Automations; Managed Rules for AWS WAF

35. AWS WAF is a powerful rule language framework

36. Choosing a Web Application Firewall: AWS WAF – Security Automations; Managed Rules for AWS WAF; Multiple Rule Condition Types; Combine and build hierarchy; Actions: Allow / Block / Count

38. Analyze security: visibility & analytics
CloudWatch Metrics
• Metrics on every rule: Allowed | Blocked | Counted | Passed
• Use case: set alarms for notifications
Sampled Web Requests
• Detailed logs of a sample of requests, automatically available for every rule
• Use case: quickly test AWS WAF rules; easy triaging on the console
Full Logs
• Detailed logs of every request, optionally enabled for your WebACL
• Use case: security analytics, monitoring, automation, auditing, and compliance

39. AWS WAF full logs: key benefits
Compliance & auditing
• Every logged request includes the request headers and the RuleIDs that matched
• Redact sensitive fields
Flexible implementation
• Logs streamed in JSON format through Amazon Kinesis Data Firehose to your destination of choice
3rd-party integrations
• Centralize and analyze logs from AWS WAF and other services
[Diagram: AWS WAF → Amazon Kinesis Data Firehose → Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, Splunk]

40. Security analytics: common use cases and 3rd-party integrations
41. Enhanced security analytics with AWS
[Diagram: AWS WAF full logs delivered to an Amazon S3 bucket and queried with Amazon Athena]
Check out our webinar for a step-by-step guide: "Enhanced Security Analytics using AWS Full Logging"

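Athena is the query path the talk recommends; the same triage questions (what was blocked, by which rule, from which addresses, and what a rule still in Count mode would have blocked) can be answered in a few lines over the raw records, which is handy during an incident before a table exists. The following is an added example, not code from the talk or an AWS sample. The log lines are constructed but follow the field names of the AWS WAF full-log JSON record; the web ACL ID, hostnames and rule names are placeholders.

```python
"""Triage AWS WAF full logs offline.

Added example, not from the talk. Records below are constructed but use the AWS WAF
full-log field names; one JSON object per line, as Kinesis Data Firehose delivers them.
"""
import copy
import json
from collections import Counter

SAMPLE_LOG = """\
{"timestamp":1543195170000,"formatVersion":1,"webaclId":"example-webacl","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"CF","httpSourceId":"EDFDVBD6EXAMPLE","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"203.0.113.10","country":"US","headers":[{"name":"Host","value":"www.example.com"},{"name":"Cookie","value":"session=abc123"}],"uri":"/index.html","args":"","httpVersion":"HTTP/2.0","httpMethod":"GET","requestId":"req-1"}}
{"timestamp":1543195171000,"formatVersion":1,"webaclId":"example-webacl","terminatingRuleId":"SQLiRule","terminatingRuleType":"REGULAR","action":"BLOCK","httpSourceName":"CF","httpSourceId":"EDFDVBD6EXAMPLE","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","country":"NL","headers":[{"name":"Host","value":"www.example.com"}],"uri":"/login","args":"user=admin'%20OR%201=1--","httpVersion":"HTTP/1.1","httpMethod":"POST","requestId":"req-2"}}
{"timestamp":1543195172000,"formatVersion":1,"webaclId":"example-webacl","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","action":"ALLOW","httpSourceName":"CF","httpSourceId":"EDFDVBD6EXAMPLE","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[{"ruleId":"NewXSSRule","action":"COUNT"}],"httpRequest":{"clientIp":"198.51.100.7","country":"NL","headers":[{"name":"Host","value":"www.example.com"}],"uri":"/search","args":"q=%3Cscript%3Ealert(1)%3C/script%3E","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"req-3"}}
{"timestamp":1543195173000,"formatVersion":1,"webaclId":"example-webacl","terminatingRuleId":"SQLiRule","terminatingRuleType":"REGULAR","action":"BLOCK","httpSourceName":"CF","httpSourceId":"EDFDVBD6EXAMPLE","ruleGroupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":[],"httpRequest":{"clientIp":"198.51.100.7","country":"NL","headers":[{"name":"Host","value":"www.example.com"}],"uri":"/products","args":"id=1%20UNION%20SELECT%201,2,3","httpVersion":"HTTP/1.1","httpMethod":"GET","requestId":"req-4"}}
"""

SENSITIVE_HEADERS = {"authorization", "cookie", "set-cookie", "x-api-key"}


def parse_records(text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def redact_headers(record: dict, names=SENSITIVE_HEADERS) -> dict:
    """Copy of `record` with sensitive header values masked before the log leaves the account.
    (AWS WAF can also drop these at the source through the logging configuration's redacted fields.)"""
    out = copy.deepcopy(record)
    for header in out["httpRequest"].get("headers", []):
        if header["name"].lower() in names:
            header["value"] = "REDACTED"
    return out


def summarize(records: list) -> dict:
    """Block counts per terminating rule and per client IP, plus hits from COUNT-mode rules
    (nonTerminatingMatchingRules): what those rules would have blocked had they been in Block."""
    blocked_by_rule, blocked_by_ip, count_mode_hits = Counter(), Counter(), Counter()
    for record in records:
        client_ip = record["httpRequest"]["clientIp"]
        if record["action"] == "BLOCK":
            blocked_by_rule[record["terminatingRuleId"]] += 1
            blocked_by_ip[client_ip] += 1
        for match in record.get("nonTerminatingMatchingRules", []):
            if match.get("action") == "COUNT":
                count_mode_hits[match["ruleId"]] += 1
    return {"blocked_by_rule": dict(blocked_by_rule),
            "blocked_by_ip": dict(blocked_by_ip),
            "count_mode_hits": dict(count_mode_hits)}


def repeat_offenders(records: list, min_blocks: int = 2) -> list:
    """Client IPs blocked at least `min_blocks` times: candidates for an IP set or a rate-based rule."""
    blocked = summarize(records)["blocked_by_ip"]
    return sorted(ip for ip, n in blocked.items() if n >= min_blocks)


if __name__ == "__main__":
    records = [redact_headers(r) for r in parse_records(SAMPLE_LOG)]
    print(json.dumps(summarize(records), indent=2))
    print("repeat offenders:", repeat_offenders(records))
```

The Count-mode tally is the part worth automating: it is how you test a new managed or custom rule against production traffic (the "quickly test AWS WAF rules" use case on slide 38) and see exactly which requests it would have dropped before you switch it to Block.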
42. Choosing a Web Application Firewall: AWS WAF – Security Automations; Managed Rules for AWS WAF; Multiple Rule Condition Types; Combine and build hierarchy; Actions: Allow / Block / Count; CloudWatch Metrics; Sampled Web Requests; Full Logs

45. Software automation of security: Lambda-based AWS WAF automations
• Bad bot / scanner / known-attacker protections
• AWS WAF integration with Amazon GuardDuty
• DevOps friendly: full-featured APIs and fast rule updates
Blog / webinar: "Automate Threat Mitigation Using AWS WAF and Amazon GuardDuty"
AWS Answers: "AWS WAF Security Automations"

46. Software automation: AWS Config-based AWS WAF policies (AWS Firewall Manager)
• Ensure compliance with mandatory rules across the organization
• Simplify management of rules across accounts and applications with security policies
• Enable rapid response to internet attacks
• Customize policy scope to resource type and accounts (include/exclude)

48. Automating web application security: create honeypot protections across apps
A bad bot identified on one application can be easily blocked from the organization's other applications as well.
To quickly create a honeypot automation on an account, read our step-by-step guide: "AWS WAF Security Automations"

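The honeypot pattern above works because no legitimate client ever requests the trap URL (it is exposed only through a `robots.txt` Disallow entry or a hidden link), so any caller is a bot and its address can go straight into an IP set that a Block rule in every web ACL references. The following is an added example of that handler, not the code of the AWS WAF Security Automations solution. It assumes an API Gateway REST proxy integration event, the AWS WAF API of the time (the `waf` / `waf-regional` boto3 clients, now called WAF Classic), an `IP_SET_ID` environment variable, and an optional `X-Origin-Verify` secret header injected by the CloudFront distribution; the events in the test are constructed.

```python
"""Honeypot endpoint: add the caller's IP to an AWS WAF IP set.

Added example, not the AWS WAF Security Automations code. Assumes an API Gateway REST proxy
event, a WAF Classic IP set named by IP_SET_ID, and (optionally) a secret header set by CloudFront.
"""
import ipaddress
import json
import os


def client_ip(event: dict, trusted_cloudfront_header=None, shared_secret=None) -> str:
    """Pick the address to block.
    requestContext.identity.sourceIp is the peer API Gateway saw. If a CloudFront distribution sits in
    front of the API, the viewer is the first hop of X-Forwarded-For, but XFF is attacker-controlled
    unless a secret header added by your distribution proves the request actually traversed it;
    without that proof a bot could spoof XFF and get arbitrary addresses blocked."""
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    src = event["requestContext"]["identity"]["sourceIp"]
    if shared_secret and headers.get(trusted_cloudfront_header.lower()) == shared_secret:
        xff = headers.get("x-forwarded-for", "")
        if xff:
            src = xff.split(",")[0].strip()
    return str(ipaddress.ip_address(src))  # raises ValueError on garbage, so nothing bogus is inserted


def ip_descriptor(ip: str) -> dict:
    """WAF IP sets hold CIDRs: /32 for IPv4, /128 for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return {"Type": "IPV4", "Value": f"{addr}/32"}
    return {"Type": "IPV6", "Value": f"{addr}/128"}


def block_ip(waf, ip_set_id: str, ip: str) -> bool:
    """Insert `ip` into the IP set unless it is already there. `waf` is a boto3 'waf' client (global,
    for CloudFront web ACLs) or 'waf-regional' client; both expose these calls. Returns True on INSERT."""
    descriptor = ip_descriptor(ip)
    existing = waf.get_ip_set(IPSetId=ip_set_id)["IPSet"]["IPSetDescriptors"]
    if descriptor in existing:
        return False
    token = waf.get_change_token()["ChangeToken"]  # every WAF Classic mutation needs a fresh token
    waf.update_ip_set(IPSetId=ip_set_id, ChangeToken=token,
                      Updates=[{"Action": "INSERT", "IPDescriptor": descriptor}])
    return True


def lambda_handler(event, context):
    import boto3  # present in the Lambda runtime; imported lazily so the rest runs offline
    ip = client_ip(event, trusted_cloudfront_header="X-Origin-Verify",
                   shared_secret=os.environ.get("ORIGIN_SECRET"))
    inserted = block_ip(boto3.client("waf"), os.environ["IP_SET_ID"], ip)
    print(json.dumps({"honeypot_hit": ip, "inserted": inserted}))  # lands in CloudWatch Logs
    # Answer like an ordinary miss so the bot learns nothing about the trap.
    return {"statusCode": 404, "headers": {"Content-Type": "text/plain"}, "body": "Not Found"}
```

Because one IP set can be referenced from web ACLs on every application in the account, a bot caught on one site is blocked everywhere, which is the cross-application benefit the slide describes. Give the set an expiry sweep (a scheduled function that removes old entries) so shared or rotating addresses do not stay blocked forever.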
49. Choosing a Web Application Firewall: AWS WAF – Security Automations; Managed Rules for AWS WAF; Multiple Rule Condition Types; Combine and build hierarchy; Actions: Allow / Block / Count; CloudWatch Metrics; Sampled Web Requests; Full Logs; Lambda Automations; AWS Firewall Manager

51. Layered perimeter protection – Adding a firewall
[Diagram: CloudFront with AWS WAF in front of the ALB (public subnet), the EC2 instance (private subnet) and the S3 bucket; AWS Firewall Manager governing the WAF policy]

53. Choosing a DDoS protection provider: 4 key tenets

54. Choosing a DDoS protection provider: AWS Shield Standard & Advanced
55. Choosing a DDoS protection provider: AWS Shield Standard & Advanced – Built-in DDoS protection for everyone; Point and protect wizard

56. AWS Shield detects and mitigates thousands of DDoS attacks daily
Source: AWS Global Threat Dashboard (available to AWS Shield Advanced customers)

58. Choosing a DDoS protection provider: AWS Shield Standard & Advanced – Built-in DDoS protection for everyone; Point and protect wizard; Automatic protection across customers; Enhanced protection baselined to you; 24x7 access to the DDoS Response Team (DRT)

59. AWS Shield Standard: Layer 3/4 protection for everyone (automatic protection across customers)
• Baselining and anomaly detection across all of AWS
• Mitigation with proprietary packet-filtering stacks using suspicion-based scoring
• Automatic defense against the most common network- and transport-layer DDoS attacks for any AWS resource, in any AWS Region
• Comprehensive defense against all known network- and transport-layer attacks when using Amazon CloudFront and Amazon Route 53

60. AWS Shield Advanced: enhanced protection baselined to you, and 24x7 access to the DDoS Response Team (DRT)
Detection
• Enhanced Layer 3/4 attack detection baselined to you
• Layer 7 attack detection
Mitigation
• Pre-configured mitigations scoped to resource type
• Advanced mitigations like SYN throttling
• Customer-defined L3/4 mitigations (for regional services)
DDoS Response Team
• Help in incident triaging and mitigation
• Automatically engaged for availability-impacting L3/L4 events
• Customer-driven support cases through AWS Support or the Shield Engagement Lambda

61. Recent significant attacks
• March 2018: web application targeted by a 1.4 Tbps memcached reflection attack, mitigated with Amazon CloudFront and AWS Shield Advanced
• November 2018: web application running on Amazon CloudFront targeted by 20 million requests per second, automatically mitigated by Amazon CloudFront and AWS Shield Advanced

63. Choosing a DDoS protection provider: AWS Shield Standard & Advanced – Built-in DDoS protection for everyone; Point and protect wizard; Automatic protection across customers; Enhanced protection baselined to you; 24x7 access to the DDoS Response Team (DRT); CloudWatch Metrics; Attack Diagnostics; Global Threat Environment Dashboard

65. Choosing a DDoS protection provider: AWS Shield Standard & Advanced – Built-in DDoS protection for everyone; Point and protect wizard; Automatic protection across customers; Enhanced protection baselined to you; 24x7 access to the DDoS Response Team (DRT); CloudWatch Metrics; Attack Diagnostics; Global Threat Environment Dashboard; AWS WAF at no additional cost (for protected resources); AWS Firewall Manager at no additional cost; Cost protection for scaling

66. AWS Shield Advanced: cost protection for scaling
AWS absorbs the scaling cost incurred on protected resources due to a DDoS attack:
• Amazon CloudFront
• Elastic Load Balancing (ELB/ALB/NLB)
• Amazon Route 53
• Amazon EC2

68. Layered perimeter protection – Adding DDoS protection
[Diagram: AWS Shield and Shield Advanced added to the CloudFront + WAF + Firewall Manager stack in front of the ALB (public subnet), the EC2 instance (private subnet) and the S3 bucket]

70. Specialized component use cases: different protection needs
I have a serverless architecture / APIs
Amazon API Gateway
• Create a unified API frontend for multiple micro-services
• Authenticate and authorize requests
• Throttle, meter, and monetize API usage by third-party developers
AWS WAF
• Full AWS WAF features
• Custom and managed rules
• Visibility through CloudWatch and logs
• Automate with AWS Lambda
AWS Shield Standard

71. Specialized component use cases: different protection needs
I have TCP traffic (non-HTTP/S)
Network Load Balancer: fast-scaling, transparent load balancer architected for performance and availability
AWS Global Accelerator: global load balancing across regions with anycast routing and fine-grained controls
AWS Shield Advanced
• Granular detection thresholds (based on background architecture)
• Pre-configured / customized mitigation templates
• Network ACLs pushed to the border

72. Specialized component use cases: different protection needs
I run UDP-based games
EC2 Instances
AWS Global Accelerator: global load balancing across regions with anycast routing and fine-grained controls
AWS Shield Advanced
• Granular detection thresholds (based on background architecture)
• Pre-configured / customized mitigation templates
• Network ACLs pushed to the border

74. Layered perimeter protection – Basic AWS application (the starting point: ALB in a public subnet, EC2 instance in a private subnet, S3 bucket)

75. Ending with a multi-layered, secured application
[Diagram: CloudFront, WAF, Shield, Shield Advanced and Firewall Manager in front of the ALB (public subnet), the EC2 instance (private subnet) and the S3 bucket]

76. Thank you!
Ritwik Manan – ritwikm@amazon.com
Woodrow Arrington – arrinw@amazon.com

77. Deck available on SlideShare & recording available on YouTube

78. Related breakouts
Tuesday, November 27th – CTD304 - Secure Your Site: Use CDN Security Features to Protect Your Content & Infrastructure, 5:30 PM - 6:30 PM | Aria West, Level 3, Starvine 10, Table 6
Wednesday, November 28th – SEC402 - AWS, I Choose You: Pokemon's Battle against the Bots, 1:00 PM - 2:00 PM | Aria East, Level 2, Mariposa 5
Thursday, November 29th – CTD315 - How Rovio Uses Amazon CloudFront for Secure API Acceleration, 1:00 PM - 2:00 PM | Venetian, Level 2, Veronese 2406