Learn how AWS customers are implementing robust security posture for their AWS environments
•Télécharger en tant que PPTX, PDF•
1 j'aime•285 vues
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Learn how AWS customers are implementing robust security posture for their AWS environments
Similaire à Learn how AWS customers are implementing robust security posture for their AWS environments (20)
Plus de Amazon Web Services
Plus de Amazon Web Services (20)
Learn how AWS customers are implementing robust security posture for their AWS environments
- 1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Andrew Thomas, GM, AWS Perimeter Protection March, 2019 Customer Use Cases
- 2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Threats Application Vulnerabilities Bad BotsDDoS
- 3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Our Customers
- 4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Common Use Cases Web Applications Game ServersAPI & Serverless Web Sockets
- 5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. How customers use our services • Shield Standard – Built-in DDoS protection • Shield Advanced – Advanced DDoS visibility & protection • WAF – Application layer protection for DDoS, Compliance (PCI), and Internet Threats • Security Automations & Bot mitigations
- 6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Shield Standard Automatic detection and mitigation of the most common attacks Comprehensive protection against all known infrastructure layer attacks when using Amazon CloudFront and Amazon Route 53 Available globally on all Internet-facing AWS services Automation Protection built into AWS services
- 7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Slack Uses CloudFront to Secure APIs • Looking for DDoS Protection • Need Highly Reliable API Delivery • Easy Integration with AWS services like ELB
- 9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Slack Uses CloudFront to Secure APIs Slack Enabled CloudFront in Front of ELBs Caching Disabled Forward All Headers, Cookies, & Query strings TLS Termination at Edge
- 10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Slack Uses CloudFront to Secure APIs Learn more: https://aws.amazon.com/cloudfront/getting-started/#slack-video
- 11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Higher fidelity detection Real-time attack Visibility AWS WAF at no additional cost 24X7 DDoS Response Team (DRT) Cost protection to absorb scaling cost Shield Advanced Additional protection against large and sophisticated attacks
- 12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. VPC • Reduced latencies from around the globe for API calls • DDoS protection with the integration of AWS Shield Advanced
- 14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Rovio – CloudFront, Shield Advanced & WAF - Added CloudFront distribution to protect dynamic content - Enabled AWS Shield Advanced and AWS WAF to protect and filter unwanted access. - Removed extra traffic filtering and access control previously required on ELBs
- 15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “We love using Amazon CloudFront as it helps reducing latencies in API usage (i.e. acceleration) and with the integration of AWS Shield and WAF we get strong DDoS protection at the first connection point outside our VPC. We are also future proofing our stack, as Cloudfront provides HTTP/2 and IPv6 support right out of the box” Mika Linnanoja – Senior Continuous Integration Engineer – Rovio Entertainment Ltd.
- 16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Netflix uses AWS Shield Advanced For Additional DDoS Protection
- 17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Challenge Need DDoS Protection for APIs on ELBs Netflix uses Shield Advanced For Additional Protection Benefit Protection Enabled on ELB without any Architectural changes Integrated with AWS: Scrubbing within AWS Same AWS Support team & DRT
- 18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. AWS Protects Pearson Against DDoS Attacks & Other Application Vulnerabilities
- 19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. DDoS Challenges in Traditional Data Center • Impacted by several Distributed Denial-of- Service (DDoS) attacks • Volumetric attacks like SYN Floods very common • Performance degradation and operational downtime • Various DDoS mitigation services were employed to protect against continued attacks – On Prem / CSP
- 20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Pearson’s NextGen Assessment Platforms Mitigated DDoS Threats By Building on AWS Cloud platform Amazon CloudFront AWS ShieldAWS WAF
- 21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Protect against attacks like SQL injection, Cross-site attacks, and OWASP Zero-day attacks Customized, application-specific protection Shield Advanced with WAF Protect against Application Vulnerabilities
- 22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
- 23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “PayPlug faced the threat of a DDOS attack but was able to avoid it thanks to the robustness of AWS services and the support of AWS business and technical teams. The AWS team guided PayPlug to enhance the security of its infrastructure, including through a migration to VPC to protect instances by firewall and by enabling Amazon CloudFront”
- 24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “Security is essential for protecting bank card data that pass through its service” Naoufel Salem, Head of PayPlug Architecture, explains: “Our [systems] are processing payment card data that should not be accessible. It is essential to manage access, protect payment card data and ensure also protection against DDOS-type attacks, all of which require fine management of all security parameters.” The security issues have also been at the heart of the audit carried out by the ACPR to grant its certification to PayPlug.
- 25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Bots & Brute-force attacks Customized automations using Lambda Integration with GuardDuty Security Automations Protect against bots and synthetic requests
- 26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. The Pokémon Bot Challenge Huge increase in new users Massive, disproportional increase in illegitimate users and traffic • Bots • Scanners • DDoS attacks
- 27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Security Automation Using AWS WAF
- 28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Switched to CloudFront + AWS WAF & Shield improved stability and performance Improved support and response from Shield DRT team Re:Invent 2017 talk: https://bit.ly/2IRCjGn
- 29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Notes de l'éditeur
- Many of the largest AWS customers across industries including e-commerce, gaming, media, finance, and public sector use AWS Shield Advanced to protect their applications. Here are a few examples.
- Pokémon Go brought new challenges. Some of them are the kinds you want Increase in new users playing Pokémon Go Some are not so good: Increase in bot accounts used for Scanners Simulate users in order to gather data Account Re-sellers Level up accounts – Impress your friends! DDoS Attacks