Learn how AWS customers are implementing robust security posture for their AWS environments

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Thomas, GM, AWS Perimeter Protection
March, 2019
Customer Use Cases

2. Threats
Application Vulnerabilities, Bad Bots, DDoS

3. Our Customers

4. Common Use Cases
Web Applications, Game Servers, API & Serverless, Web Sockets

5. How customers use our services
• Shield Standard – Built-in DDoS protection
• Shield Advanced – Advanced DDoS visibility & protection
• WAF – Application layer protection for DDoS, Compliance (PCI), and Internet Threats
• Security Automations & Bot mitigations

6. Shield Standard – Automation: protection built into AWS services
• Automatic detection and mitigation of the most common attacks
• Comprehensive protection against all known infrastructure layer attacks when using Amazon CloudFront and Amazon Route 53
• Available globally on all Internet-facing AWS services

8. Slack Uses CloudFront to Secure APIs
• Looking for DDoS Protection
• Need Highly Reliable API Delivery
• Easy Integration with AWS services like ELB

9. Slack Uses CloudFront to Secure APIs
Slack enabled CloudFront in front of ELBs:
• Caching disabled
• Forward all headers, cookies, & query strings
• TLS termination at edge
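The three settings on this slide are what keep an API distribution from caching one caller's authenticated response and handing it to the next caller from the edge. The Python below is an added example, not Slack's or AWS's own code: it builds a DistributionConfig in the shape boto3's CloudFront `create_distribution` accepts (the legacy ForwardedValues fields), a checker that flags any distribution deviating from that passthrough policy, and a constructed contrast config left on caching defaults. The origin domain name and CallerReference are placeholders, and the origin-side `https-only` check is an assumption beyond the slide, which only states that TLS terminates at the edge.

```python
import copy
from typing import Any, Dict, List


def api_passthrough_config(origin_dns: str = "api-elb.example.internal") -> Dict[str, Any]:
    """DistributionConfig with the slide's settings, in boto3 CloudFront shape.
    origin_dns is a placeholder for the ELB DNS name; CallerReference is constructed."""
    return {
        "CallerReference": "api-passthrough-example",
        "Comment": "API passthrough: no caching, forward everything",
        "Enabled": True,
        "Origins": {"Quantity": 1, "Items": [{
            "Id": "api-elb",
            "DomainName": origin_dns,
            "CustomOriginConfig": {
                "HTTPPort": 80, "HTTPSPort": 443,
                # Assumption beyond the slide: keep TLS on the edge-to-origin hop too.
                "OriginProtocolPolicy": "https-only",
            },
        }]},
        "DefaultCacheBehavior": {
            "TargetOriginId": "api-elb",
            "ViewerProtocolPolicy": "redirect-to-https",  # TLS terminates at the edge
            "AllowedMethods": {  # an API needs the write methods, not just GET/HEAD
                "Quantity": 7,
                "Items": ["GET", "HEAD", "OPTIONS", "PUT", "PATCH", "POST", "DELETE"],
                "CachedMethods": {"Quantity": 2, "Items": ["GET", "HEAD"]},
            },
            "ForwardedValues": {  # forward all headers, cookies and query strings
                "QueryString": True,
                "Cookies": {"Forward": "all"},
                "Headers": {"Quantity": 1, "Items": ["*"]},
            },
            "MinTTL": 0, "DefaultTTL": 0, "MaxTTL": 0,  # caching disabled
        },
    }


def api_passthrough_findings(config: Dict[str, Any]) -> List[str]:
    """Return every way a DistributionConfig deviates from the passthrough policy
    (empty list = compliant). Feed it the output of get_distribution_config to
    find API distributions that could serve one user's response to another."""
    findings: List[str] = []
    cb = config.get("DefaultCacheBehavior", {})
    fv = cb.get("ForwardedValues", {})
    for ttl in ("MinTTL", "DefaultTTL", "MaxTTL"):
        if cb.get(ttl) != 0:
            findings.append(f"{ttl} is {cb.get(ttl)!r}, expected 0 (caching must be off)")
    if not fv.get("QueryString", False):
        findings.append("query strings are not forwarded to the origin")
    if fv.get("Cookies", {}).get("Forward") != "all":
        findings.append("cookies are not forwarded ('all')")
    if "*" not in fv.get("Headers", {}).get("Items", []):
        findings.append("headers are not forwarded ('*')")
    if cb.get("ViewerProtocolPolicy") not in ("https-only", "redirect-to-https"):
        findings.append("viewer protocol policy allows plaintext HTTP")
    for origin in config.get("Origins", {}).get("Items", []):
        policy = origin.get("CustomOriginConfig", {}).get("OriginProtocolPolicy")
        if policy != "https-only":
            findings.append(f"origin {origin.get('Id')!r} uses OriginProtocolPolicy={policy!r}")
    return findings


def cached_default_config() -> Dict[str, Any]:
    """Constructed contrast case: the same distribution left on console-style
    caching defaults, which is wrong for an authenticated API."""
    cfg = copy.deepcopy(api_passthrough_config())
    cb = cfg["DefaultCacheBehavior"]
    cb.update({"MinTTL": 0, "DefaultTTL": 86400, "MaxTTL": 31536000,
               "ViewerProtocolPolicy": "allow-all"})
    cb["ForwardedValues"]["Cookies"] = {"Forward": "none"}
    cb["ForwardedValues"]["Headers"] = {"Quantity": 0, "Items": []}
    cfg["Origins"]["Items"][0]["CustomOriginConfig"]["OriginProtocolPolicy"] = "match-viewer"
    return cfg


if __name__ == "__main__":
    for name, cfg in (("passthrough", api_passthrough_config()),
                      ("cached", cached_default_config())):
        print(name, api_passthrough_findings(cfg) or "OK")
```

Forwarding `*` headers already pins the effective TTL to zero on CloudFront, but the checker still insists on explicit zero TTLs so that a later edit to the header list cannot silently re-enable caching.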

10. Slack Uses CloudFront to Secure APIs
Learn more: https://aws.amazon.com/cloudfront/getting-started/#slack-video

11. Shield Advanced – Additional protection against large and sophisticated attacks
• Higher fidelity detection
• Real-time attack visibility
• AWS WAF at no additional cost
• 24x7 DDoS Response Team (DRT)
• Cost protection to absorb scaling cost

13. VPC
• Reduced latencies from around the globe for API calls
• DDoS protection with the integration of AWS Shield Advanced

14. Rovio – CloudFront, Shield Advanced & WAF
- Added CloudFront distribution to protect dynamic content
- Enabled AWS Shield Advanced and AWS WAF to protect and filter unwanted access
- Removed extra traffic filtering and access control previously required on ELBs

15. “We love using Amazon CloudFront as it helps reducing latencies in API usage (i.e. acceleration) and with the integration of AWS Shield and WAF we get strong DDoS protection at the first connection point outside our VPC. We are also future proofing our stack, as Cloudfront provides HTTP/2 and IPv6 support right out of the box”
Mika Linnanoja – Senior Continuous Integration Engineer – Rovio Entertainment Ltd.

16. Netflix uses AWS Shield Advanced For Additional DDoS Protection

17. Netflix uses Shield Advanced For Additional Protection
Challenge: Need DDoS protection for APIs on ELBs
Benefit:
• Protection enabled on ELB without any architectural changes
• Integrated with AWS: scrubbing within AWS
• Same AWS Support team & DRT

18. AWS Protects Pearson Against DDoS Attacks & Other Application Vulnerabilities

19. DDoS Challenges in Traditional Data Center
• Impacted by several Distributed Denial-of-Service (DDoS) attacks
• Volumetric attacks like SYN Floods very common
• Performance degradation and operational downtime
• Various DDoS mitigation services were employed to protect against continued attacks – On Prem / CSP

20. Pearson’s NextGen Assessment Platforms
Mitigated DDoS Threats By Building on AWS Cloud platform
Amazon CloudFront, AWS Shield, AWS WAF

21. Shield Advanced with WAF – Protect against Application Vulnerabilities
• Protect against attacks like SQL injection, Cross-site attacks, and OWASP Zero-day attacks
• Customized, application-specific protection

23. “PayPlug faced the threat of a DDOS attack but was able to avoid it thanks to the robustness of AWS services and the support of AWS business and technical teams. The AWS team guided PayPlug to enhance the security of its infrastructure, including through a migration to VPC to protect instances by firewall and by enabling Amazon CloudFront”

24. “Security is essential for protecting bank card data that pass through its service”
Naoufel Salem, Head of PayPlug Architecture, explains: “Our [systems] are processing payment card data that should not be accessible. It is essential to manage access, protect payment card data and ensure also protection against DDOS-type attacks, all of which require fine management of all security parameters.”
The security issues have also been at the heart of the audit carried out by the ACPR to grant its certification to PayPlug.

25. Security Automations – Protect against bots and synthetic requests
• Bots & Brute-force attacks
• Customized automations using Lambda
• Integration with GuardDuty

26. The Pokémon Bot Challenge
Huge increase in new users
Massive, disproportional increase in illegitimate users and traffic:
• Bots
• Scanners
• DDoS attacks

27. Security Automation Using AWS WAF
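Slides 25 and 27 describe Lambda automations, fed by GuardDuty, that keep bot and brute-force sources away from the application behind AWS WAF. The Python below is an added example, not the AWS WAF Security Automations solution's code and not Niantic's: a Lambda-style handler that receives a GuardDuty finding from an EventBridge rule, pulls the remote IPv4 addresses out of the action-specific part of the finding, filters out anything that must never be blocked, and adds the rest as /32 entries to a wafv2 IP set that a WebACL block rule references. The IP set name and ID, the severity threshold, the sample finding and the `FakeWafv2` stand-in (which lets the block run offline) are all constructed.

```python
import ipaddress
from typing import Any, Dict, Iterable, List

# Assumed: an IP set created out of band and referenced by a WebACL BLOCK rule.
# Name/ID are placeholders; CLOUDFRONT-scope WAF resources live in us-east-1.
IP_SET_NAME = "guardduty-blocklist"
IP_SET_ID = "00000000-0000-0000-0000-000000000000"
IP_SET_SCOPE = "CLOUDFRONT"
MIN_SEVERITY = 7.0  # assumption: only act on HIGH findings

# Never block RFC 1918, loopback or link-local space even if a finding names it;
# a misattributed internal address would otherwise cut off legitimate traffic.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16")]


def remote_ips_from_finding(finding: Dict[str, Any]) -> List[str]:
    """Collect remote IPv4 addresses from the action-specific part of a finding;
    GuardDuty stores them under a different key for each actionType."""
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    details: List[Dict[str, Any]] = []
    if kind == "NETWORK_CONNECTION":
        details.append(action.get("networkConnectionAction", {}).get("remoteIpDetails", {}))
    elif kind == "AWS_API_CALL":
        details.append(action.get("awsApiCallAction", {}).get("remoteIpDetails", {}))
    elif kind == "PORT_PROBE":
        for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
            details.append(probe.get("remoteIpDetails", {}))
    return [d["ipAddressV4"] for d in details if d.get("ipAddressV4")]


def to_block_cidrs(ips: Iterable[str]) -> List[str]:
    """Validate addresses and normalise them to the /32 form wafv2 expects,
    dropping unparsable input, IPv6 (needs its own set) and NEVER_BLOCK ranges."""
    out = set()
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            continue
        if addr.version != 4 or any(addr in net for net in NEVER_BLOCK):
            continue
        out.add(f"{addr}/32")
    return sorted(out)


def handler(event: Dict[str, Any], context: Any = None, wafv2: Any = None) -> Dict[str, Any]:
    """Lambda entry point; EventBridge delivers the finding as event['detail']."""
    finding = event.get("detail", {})
    if float(finding.get("severity", 0)) < MIN_SEVERITY:
        return {"updated": False, "reason": "severity below threshold"}
    cidrs = to_block_cidrs(remote_ips_from_finding(finding))
    if not cidrs:
        return {"updated": False, "reason": "no blockable remote IP in finding"}
    if wafv2 is None:  # build a real client only when none was injected
        import boto3
        wafv2 = boto3.client("wafv2", region_name="us-east-1")
    # wafv2 updates are optimistic: read the set and its LockToken, merge, write back.
    current = wafv2.get_ip_set(Name=IP_SET_NAME, Scope=IP_SET_SCOPE, Id=IP_SET_ID)
    addresses = sorted(set(current["IPSet"]["Addresses"]) | set(cidrs))
    wafv2.update_ip_set(Name=IP_SET_NAME, Scope=IP_SET_SCOPE, Id=IP_SET_ID,
                        Addresses=addresses, LockToken=current["LockToken"])
    return {"updated": True, "addresses": addresses}


class FakeWafv2:
    """In-memory stand-in for the boto3 wafv2 client so the block runs offline."""
    def __init__(self, addresses: Iterable[str] = ()) -> None:
        self.addresses = list(addresses)
        self.lock = "lock-0"

    def get_ip_set(self, **_: Any) -> Dict[str, Any]:
        return {"IPSet": {"Addresses": list(self.addresses)}, "LockToken": self.lock}

    def update_ip_set(self, **kw: Any) -> Dict[str, Any]:
        if kw["LockToken"] != self.lock:  # same optimistic-locking rule as the real API
            raise RuntimeError("WAFOptimisticLockException")
        self.addresses = list(kw["Addresses"])
        self.lock = "lock-1"
        return {"NextLockToken": self.lock}


# Constructed sample: the shape follows an EventBridge "GuardDuty Finding" event;
# the severity and addresses are made up for the example.
SAMPLE_EVENT = {
    "detail-type": "GuardDuty Finding",
    "detail": {
        "type": "Recon:EC2/Portscan",
        "severity": 8,
        "service": {"action": {
            "actionType": "PORT_PROBE",
            "portProbeAction": {"portProbeDetails": [
                {"remoteIpDetails": {"ipAddressV4": "203.0.113.7"}},
                {"remoteIpDetails": {"ipAddressV4": "10.0.0.5"}},  # internal: skipped
            ]},
        }},
    },
}

if __name__ == "__main__":
    print(handler(SAMPLE_EVENT, wafv2=FakeWafv2(["198.51.100.2/32"])))
```

In production the Lambda role needs `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on that one IP set and nothing more, and a second, scheduled function should expire entries after a fixed window so the blocklist does not grow without bound.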

28. Switched to CloudFront + AWS WAF & Shield: improved stability and performance
Improved support and response from Shield DRT team
Re:Invent 2017 talk: https://bit.ly/2IRCjGn

Speaker notes
Many of the largest AWS customers across industries including e-commerce, gaming, media, finance, and public sector use AWS Shield Advanced to protect their applications. Here are a few examples.
Pokémon Go brought new challenges. Some of them are the kinds you want:
• Increase in new users playing Pokémon Go
Some are not so good:
• Increase in bot accounts used for:
  – Scanners – simulate users in order to gather data
  – Account re-sellers – level up accounts (impress your friends!)
• DDoS attacks