AWS Edge Security - Cloud-Native Defense Against Diverse Internet Threats

Learn how you can defend your applications on AWS against a diverse set of Internet threats, like DDoS, bots or zero-day attacks. In this session you will learn how your applications on AWS are inherently secured against common threats. You will also learn how you can use AWS security services like AWS WAF, Shield and Firewall Manager to build robust, customised protection specific to your applications.


  1. AWS Edge Security - Cloud-Native Defense Against Diverse Internet Threats. Andrew Thomas, GM, AWS Perimeter Protection. March, 2019. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  2. Goal: • Learn about today’s threat landscape and how these threats can affect your application availability • Learn how easily using AWS services can give you baseline protections • Learn how AWS’s perimeter security services can provide additional application protections, without the need to re-architect
  3. Overview of Threat Landscape
  4. Typical web applications: Dynamic applications, Personalized Content, Static assets, API, Data Center, End Users
  5. Web application design considerations: Data Center, End Users, Dynamic applications, Personalized Content, Static assets, API
  6. Web application design considerations: Data Center, End Users; DDoS, Web Exploits, Bots • Security • Authentication • Encryption (TLS) • Layered Protection • Availability • Resiliency/Fault Tolerance • Request handling capacity • Blocking bad traffic • Performance • Routing • Throttling • Alerting & Monitoring; Dynamic applications, Personalized Content, Static assets, API
  7. Types of threats that exist today: SQL Injection, Cross-site Scripting (XSS), OWASP Top 10, Common Vulnerabilities and Exposures (CVE), HTTP Floods, Reflection Attack, Crawlers, Content Scrapers, Scanners & Probes; Denial of Service, App Vulnerabilities, Bad Bots
  8. Common DDoS attacks: SYN Flood, UDP Flood, ICMP Flood, Other Reflection Vectors, HTTP Flood, DNS Query Flood
  9. Building the Baseline Defense
  10. Building blocks for baseline defense: Amazon VPC, Amazon CloudFront, Amazon Route 53; Security Groups, Network ACLs, Global Presence, SSL/TLS, Origin Shielding, Resilience (TTL), DNS Header Validations, Good vs. Bad Resolvers, Priority Based Traffic Shaping
  11. Benefits of the AWS Global Edge Network: High Availability, Application Acceleration, AWS Integration, Cost Effective
  12. Leveraging AWS Perimeter Protection Services
  13. What else can we do to… • Defend against DDoS attacks? • Prevent exploits and bots at application level? • Manage and apply security policies across multiple accounts in an organization?
  14. Four tenets of AWS Shield for DDoS protection: Frictionless setup with minimal architectural changes; Low Operational Overhead for known and edge cases; Visibility for dynamic security and compliance; Protection from economic vectors
  15. Benefits of AWS Shield Standard and Shield Advanced: Built-in DDoS Protection for Everyone; Point and Protect Wizard; Low Operational Overhead for known and edge cases; Visibility for dynamic security and compliance; Protection from economic vectors
  16. Benefits of AWS Shield Standard and Shield Advanced: Automatic Protection across customers; Enhanced Protection baselined to you; 24x7 access to DDoS Response Team (DRT); Built-in DDoS Protection for Everyone; Point and Protect Wizard; Visibility for dynamic security and compliance; Protection from economic vectors
  17. Benefits of AWS Shield Standard and Shield Advanced: Automatic Protection across customers; Enhanced Protection baselined to you; 24x7 access to DDoS Response Team (DRT); Built-in DDoS Protection for Everyone; Point and Protect Wizard; Protection from economic vectors; CloudWatch Metrics; Attack Diagnostics; Global Threat Environment Dashboard; Quarterly Security Review
  18. Benefits of AWS Shield Standard and Shield Advanced: Automatic Protection across customers; Enhanced Protection baselined to you; 24x7 access to DDoS Response Team (DRT); Built-in DDoS Protection for Everyone; Point and Protect Wizard; CloudWatch Metrics; Attack Diagnostics; Global Threat Environment Dashboard; Quarterly Security Review; AWS WAF at no additional cost for protected resources; AWS Firewall Manager at no additional cost; Cost Protection for scaling
  19. Application Level Protection with AWS WAF: Automate using AWS Lambda based security automations; Utilize Managed Rules from the AWS Marketplace for hassle free protection and deployment; Customize security to your applications using custom rules; Monitor using Amazon CloudWatch metrics or third-party log processors
  20. Deploying AWS WAF is easy: Amazon CloudFront, AWS Application Load Balancer, Amazon API Gateway
  21. Regional availability of AWS WAF and AWS Shield Advanced: • N. Virginia (us-east-1) • Ohio (us-east-2) • Oregon (us-west-2) • N. California (us-west-1) • Ireland (eu-west-1) • Frankfurt (eu-central-1) • Tokyo (ap-northeast-1) • Sydney (ap-southeast-2)
  22. Regional availability of AWS WAF and AWS Shield Advanced: • N. Virginia (us-east-1) • Ohio (us-east-2) • Oregon (us-west-2) • N. California (us-west-1) • Ireland (eu-west-1) • Frankfurt (eu-central-1) • Tokyo (ap-northeast-1) • Sydney (ap-southeast-2) • London (eu-west-2) • Stockholm (eu-north-1) • Singapore (ap-southeast-1) • Seoul (ap-northeast-2) NEW!
  23. Tools available within AWS WAF: Malicious Traffic Blocking • SQL Injection Conditions • XSS Conditions • AWS CloudFormation based Security Automation • AWS Marketplace Managed Rules; Web Traffic Filtering • Rate-based Rules • IP-Match & Geo-IP Filters • Regex & String Match Conditions • Size Constraint Conditions; Visibility and Debugging • Amazon CloudWatch Metrics and Alarms • Sampled Logs • Comprehensive Logging
  24. Managed Rules for AWS WAF: • Rules written, updated and managed by security experts • Pay as you go; available through AWS Marketplace • Choice of protections: • OWASP Top 10 & General Web Exploits • Common Vulnerabilities and Exposures (CVE) • Bot Protection • IP Reputation lists • CMS (e.g. WordPress, Joomla) • Webservers (e.g. Apache, Nginx)
  25. Security automations using AWS WAF
  26. Security automations using AWS WAF
  27. Amazon GuardDuty and AWS WAF integration
  28. AWS Firewall Manager: Ensure Compliance to Mandatory Rules Across Organization; Simplify Management of Rules Across Accounts & Applications; Enable Rapid Response to Attacks Across All Accounts
  29. Regional availability of AWS Firewall Manager: • N. Virginia (us-east-1) • Ohio (us-east-2) • Oregon (us-west-2) • Ireland (eu-west-1) • Frankfurt (eu-central-1) • Tokyo (ap-northeast-1) • Sydney (ap-southeast-2)
  30. Key benefits for AWS Firewall Manager: Simplify Firewall Rules Management Across Accounts & Resources • Integrated with AWS Organizations so you can enable AWS WAF rules across multiple AWS accounts. • Firewall Manager policies can span across accounts and across resources. • Supports hierarchical rules: security administrators can create organization-wide rules, while delegating application-specific rules to individual account owners.
  31. Key benefits for AWS Firewall Manager: Ensure Compliance of Existing and New Applications • Ensure all your resources comply with a mandatory set of security policies • Automatically discover new accounts, or resources like ALB or CloudFront distributions, as they are created • Easily block traffic from embargoed countries across your Organization to adhere to the US Dept. of Treasury’s Office of Foreign Assets Control (OFAC) regulations
  32. AWS Firewall Manager Key Benefits: Enable Rapid Response to Internet Attacks • Security administrators have a single console to receive real-time threats and respond within minutes • Quickly apply CVE patches across all applications in your Organization, or block malicious IP addresses detected by GuardDuty across the entire Organization [Diagram: Amazon GuardDuty, Amazon CloudWatch (CloudWatch Event), AWS Lambda (Lambda Function), Firewall Manager, AWS WAF, Account 1, Account 2, Account 3]
  33. Thank You!
