Secure Content Delivery with AWS

© 2016 AWS and affiliates, all rights reserved
Security Architecture Loft
Secure Content Delivery with AWS
Andrew Kiggins
Security Solutions Architect

Agenda
• Amazon CloudFront
• AWS Certificate Manager (ACM)
• Deep Dive: Secure Content Delivery
• AWS WAF

Amazon CloudFront

CloudFront: Global Content Delivery Network
 Accelerate your application and APIs
 Including static content such as images and video
 Massively scalable
 Highly secure
 Self service
 Priced to minimize cost

Our growing global footprint…
North America South America EMEA APAC
POPs
Cities
Countries
Continents
AWS Region CloudFront Edge Location

Dynamic
Static
Video
User
Input
SSL
Amazon CloudFront: Whole Site Delivery

Accelerate ALL Types of Content
ALB/ELB
Dynamic Content
Amazon EC2
Static Content
Amazon S3 Custom Origin
OR
OR
Custom Origin
Amazon CloudFront
example.com
*.jpg
*.php

Can Dynamic Content Be Optimized?
Application is Not Cachable: Dynamic
Proxied to the Origin and Back
How to Accelerate Applications?

Application Acceleration
• CloudFront latency-based routing
• TCP/IP optimizations for the network path
• Keep-alive connections to reduce RTT
• AWS backbone network
• SSL/TLS optimizations

Choose your own security
• Half bridge or full bridge termination
• Only encrypt what’s really necessary
Amazon
CloudFront
HTTP
region
Amazon
CloudFront
HTTPS
region
Half bridge termination Full bridge termination

What’s new in Amazon CloudFront?
• IPv6 support
• HTTP/2 support
• Query string whitelisting
• Cost allocation tagging
• New edge locations, making the total now 63 globally
• Learn more here:
https://aws.amazon.com/cloudfront/whats-new/

AWS Certificate Manager

What is AWS Certificate Manager (ACM)?
AWS Certificate Manager (ACM) is a service which makes
it easy to provision, manage, deploy, and renew SSL/TLS
certificates on the AWS platform.

ACM Benefits
• Provision certificates quickly and easily
• Protect and secure websites and applications
• Managed certificate renewal
• Secure key management
• Centrally manage certificates on the AWS Cloud
• Integrated with other AWS Cloud Services
• Free

Amazon CloudFront and ACM integration
1. Request
certificate
2. Validate
Request
3. Use
• Easy to procure new certificate
• (Directly from CloudFront console)
• Fast turn around (minutes)
• Immediately available for use
in CloudFront (and ELB)
• SNI support of custom
certs generated with ACM
is free
• Hassle-free automatic certificate renewal
Elastic Load
Balancing
AWS Certificate
Manager
CloudFront

Deep Dive: Secure Content Delivery

History of TLS/SSL
Evolution of Web Encryption Technologies
1995
SSL2.0
1996
SSL3.0
2006
TLS1.1
2008
TLS1.2
2014/09
POODLE
2011
BEAST
2014/04
Heartbleed
2016/03
DROWN
Battle Against Vulnerabilities
1999
TLS1.0
2015
FREAK
2013
Planning of
TLS1.3 starts

Greater Enforcement by Industry/Vendors
Battle Against Vulnerabilities
2014/09
POODLE
2011
BEAST
2014/04
Heartbleed
2016/03
DROWN
Industry Enforcement
2015
FREAK
2015/12
Indexing
HTTPS Pages
by Default
2016/04
PCI DSS v3.2
2016/07
Mandatory
ATS
2016/08
HTTP Strict
Transport
Security (HSTS)
2017/06/30
Mandatory
TLS1.2

Shifting to the Era of Complete HTTPS
Industry Enforcement
HTTP/HTTPS
Hybrid
2016/04
PCI DSS v3.2
Complete HTTPS
Increase in
Marketing Benefits
Lower Costs
Increase in
User Benefits
2015/12
Indexing
HTTPS Pages
by Default
2016/07
Mandatory
ATS
2017/06/30
Mandatory
TLS1.2
2016/08
HTTP Strict
Transport
Security (HSTS)

iOS App Transport Security (ATS)
• Mandatory for AppStore applications from Jan. 1, 2017
• Supported in iOS 9.0 and later and in OS X v10.11 and later
• iOS developers can meet ATS requirements
1. Enable HTTPS on connecting servers with the following exclusions:
• Web page loads (e.g., browsers)
• Bulk encoded streaming
2. Use best practices for secure communications
• TLS 1.2
• Server Cert: 2048bit RSA Key, SHA2 Hash
• Cipher Suite must support Forward Secrecy

CloudFront Supports Apple ATS
• Required Jan 2017
• TLS1.2 (supported via MinimumProtocolVersion option)
• Perfect Forward Secrecy
• Server Certificates
• 2048-bit RSA keys
RSA Certificates
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

CloudFront can protect Data in Transit

edge location
CloudFront Protects Data in Transit
• Deliver content over
HTTPS to protect data
in transit
• HTTPS Authenticates
CloudFront to Viewers
• HTTPS Authenticates
Origin to CloudFront
Origin
User Request A

HTTPS Delivery on CloudFront
• HTTP/HTTPS using our entire global network
• No need for major re-planning of capacity and performance
• No restrictions in use cases
• Data Transfer Out fees are the same for HTTP/HTTPS*
• Available SSL/TLS Certs
• CloudFront Default Domain (*.cloudfront.net), at no additional cost
• Custom Domain Certs – SNI-only, at no additional cost
• Custom Domain Certs – Dedicated IP, with a monthly fee
• Free SSL/TLS certs in minutes with ACM integration
* Request pricing may vary

Dedicated custom IP SSL vs SNI Custom SSL
• Dedicated custom IP SSL (Legacy SSL/TLS)
• Only one Global IP can handle one domain for SSL/TLS →
Sacrifice system scalability and cannot allocate servers in realtime
• Pro-rated monthly fee
• SNI (Server Name Indication)
• One Global IP can handle multiple domain names for SSL/TLS →
System scalability can increase
• No additional charge to “Bring Your Own Certificate”
• Standard rates for data transfer; regular HTTPS request fees apply

Benefits of SSL/TLS on Amazon CloudFront
Ease of Use
• Integrated with AWS
Certificate Manager (ACM)
Economical
• Free SSL/TLS Certificate
• SNI Custom SSL
• Default CloudFront
Certificate
Security and
Performance
• Built-in SSL/TLS
Optimizations

CloudFront enables Advanced SSL
features automatically

Built-in SSL/TLS Optimizations
Improved Security
• High security ciphers
• Perfect forward secrecy
Improved SSL Performance
• Online Certificate Status Protocol
(OCSP stapling)
• Session tickets

Advanced SSL/TLS: Improved Security
CloudFront
• Uses high-security ciphers
• Employs ephemeral key exchange
• Enables perfect forward secrecy
CloudFront
Edge location

Advanced SSL/TLS: Improved Performance
• Session Tickets
• Online Certificate Status Protocol (OCSP Stapling)

Session Tickets
• Session tickets allow client to resume
session.
• CloudFront sends encrypted session
data to client.
• Client does an abbreviated SSL
handshake.
CloudFront
Edge location

OCSP Stapling
1
2 3
4
5
Client
OCSP Responder
Origin Server
Amazon
CloudFront
1. Client sends TLS Client Hello.
2. CloudFront requests certificate status from
OCSP responder.
3. OCSP responder sends certificate status.
4. CloudFront completes TLS handshake with
client.
5. Request/response from origin server.

OCSP Stapling
…
OCSP Stapling
Client Side Revocation Checks
0 50 100 150 200 250 …
(time in milliseconds)
0 50 100 150 200 250 …
(time in milliseconds)
TCP Handshake
Client Hello
Server Hello
DNS for OCSP Responder
TCP to OCSP Responder
OCSP Request/Response
… Follow Certificate Chain
Complete Handshake
Application Data
30%
Improvement
120 ms faster

Validate Origin Certificate
• CloudFront validates SSL certificates to origin.
• Origin domain name must match Subject Name on certificate.
• Certificate must be issued by a Trusted CA.
• Certificate must be within expiration window.

AWS WAF

What is a WAF?
• Web Application Firewall (WAF) is an appliance, server plugin, or
filter that applies a set of rules to HTTP traffic
• WAFs Come in Four Flavors
• Pure Play: stand alone appliance or software
• CDN: bundled with Content Delivery Network
• Load Balancer: bundled with a load balancer
• Universal Threat Manager (UTM): catch-all for misc. security

Why use a WAF?
• WAFs help protect web sites & applications against attacks that
cause data breaches and downtime.
• General WAF use cases
• Protect from SQL Injection (SQLi) and Cross Site Scripting (XSS)
• Prevent Web Site Scraping, Crawlers, and BOTs
• Mitigate DDoS (HTTP/HTTPS floods)
• Gartner reports that main driver of WAF purchase (25-30%) is
PCI compliance

What is AWS WAF?
• AWS WAF is a CDN bundled WAF that will allow customers to
create Web Access Control Lists (ACLs) that can be used to
block malicious requests based on rules:
• Unique aspects of AWS WAF are:
• Customizable rules created by customers to avoid false positives
• Full-feature API: this is a DevOps WAF that can be deployed inline with
new web sites and applications
• Integrated with AWS (CloudFront, CloudWatch with more to come) and
with partners (Alert Logic with more to come)
• Pay as you pricing

Amazon CloudFront
Edge Location
Serving Unnecessary Requests Costs Money
Scraper Bot
Host: www.internetkitties.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEkItTiEs.com/
Connection: keep-alive
AWS WAF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
Referer: http://www.mysite.com/

Amazon CloudFront
Edge Location
Access Control: Web Application Firewall
Scraper Bot
User-Agent: badbot
Referer: http://www.InTeRnEkItTiEs.com/
AWS WAF
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
Referer: http://www.mysite.com/

MapBox uses WAF to protect from Bots
•
Good Users
Bad Guys
Serve
r
AWS
WAF
Logs
Threat
Analysis
Rule Updater

Amazon Confidential. Under NDA Only
 CloudFront Free Tier
 Competitive pricing
• No Data Transfer charges from S3 and EC2/ELB to CloudFront
• Static and Dynamic cost the same
• Price Classes to further optimize cost
Learn more here https://aws.amazon.com/cloudfront/pricing/
CloudFront Getting Started

aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

Secure Content Delivery with AWS

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Viewers also liked

Viewers also liked (20)

Similar to Secure Content Delivery with AWS

Similar to Secure Content Delivery with AWS (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Recently uploaded

Recently uploaded (20)

Secure Content Delivery with AWS

Editor's Notes