AWS re:Invent 2016: Offload Security Heavy-lifting to the AWS Edge (CTD204)
Whether you are building a secure ecommerce application or developing games, security is a key consideration when architecting your application. In this session, you will learn about edge termination of your end-user requests and dive deep into advanced protocols and ciphers, enforcing end-to-end HTTPS connections with AWS Certificate Manager, and access control with AWS WAF.

  1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
     Alex Dunlap & Craig Howard, AWS Edge Services, November 30, 2016
     CTD 204: Offload Security Heavy-Lifting to the AWS Edge
  2. What to expect from the session
     In this session we will talk about:
     • Why security matters
     • Key aspects of security
     • How CloudFront, ACM and AWS WAF can help
  3. Overview: Why security matters
     • Customer trust
     • Regulatory compliance
     • Data privacy
  4. How CloudFront can help
     Three layers: Infrastructure Security, Services Security, Application Security
     Features: security on CloudFront, SSL/TLS options, private content, origin access identities, Web Application Firewall, CloudTrail, IAM policies, origin protection, ACM integration, rotation of keys/certificates
     Compliance: PCI DSS 2.0 Level 1; ISO 9001, 27001, 27017, 27018
  5. How CloudFront can help
     What CloudFront does automatically + What you can do using CloudFront features ("What should you do?") = Secured content delivery
  6. Infrastructure security: How we secure our infrastructure
     (Layers: Infrastructure Security, Application Security, Services Security)
  7. Infrastructure security
     Facilities + Physical security + Cache infrastructure + Network infrastructure ("What should you do?") = Secured content delivery
  8. Infrastructure security
     • Bastion hosts for maintenance
     • Two-factor authentication
     • Encryption
     • Testing and metrics
     (Diagram: CloudFront edge location)
  9. Services security: Security options and features available on CloudFront
     (Layers: Infrastructure Security, Application Security, Services Security)
  10. Services Security
     • High security ciphers, PFS, OCSP stapling, session tickets
     • SSL/TLS options
     • Private content
     • Trusted signers
     • Web Application Firewall
     • AWS CloudTrail
     • AWS Certificate Manager
     ("What should you do?") = Secured content delivery
  11. Amazon CloudFront
  12. Our growing global footprint…
     (Map: North America, South America, EMEA, APAC; counts of POPs, cities, countries, continents; legend: AWS Region, CloudFront edge location, Regional edge caches)
  13. CloudFront delivers ALL types of content: dynamic, static, video, user input, SSL
  14. Can dynamic content be optimized?
     Application is not cacheable (dynamic): proxied to the origin and back. How to accelerate applications?
  15. Application acceleration
     • CloudFront latency-based routing
     • TCP/IP optimizations for the network path
     • Keep-alive connections to reduce RTT
     • AWS backbone network
     • SSL/TLS optimizations
  16. CloudFront protects data in transit
     • Deliver content over HTTPS to protect data in transit
     • HTTPS authenticates CloudFront to viewers
     • HTTPS authenticates origin to CloudFront
     (Diagram: User request → edge location → Origin)
  17. Deep dive: Secure content delivery
  18. History of TLS/SSL
     Evolution of web encryption technologies: 1995 SSL 2.0; 1996 SSL 3.0; 1999 TLS 1.0; 2006 TLS 1.1; 2008 TLS 1.2; 2013 planning of TLS 1.3 starts
     Battle against vulnerabilities: 2011 BEAST; 2014/04 Heartbleed; 2014/09 POODLE; 2015 FREAK; 2016/03 DROWN
  19. Greater enforcement by industry/vendors
     Battle against vulnerabilities: 2011 BEAST; 2014/04 Heartbleed; 2014/09 POODLE; 2015 FREAK; 2016/03 DROWN
     Industry enforcement: 2015/12 indexing HTTPS pages by default; 2016/04 PCI DSS v3.2; 2016/07 mandatory ATS; 2016/08 HTTP Strict Transport Security (HSTS); 2017/06/30 mandatory TLS 1.2
  20. Shifting to the era of complete HTTPS
     HTTP/HTTPS hybrid → Complete HTTPS
     Industry enforcement: 2015/12 indexing HTTPS pages by default; 2016/04 PCI DSS v3.2; 2016/07 mandatory ATS; 2016/08 HTTP Strict Transport Security (HSTS); 2017/06/30 mandatory TLS 1.2
     Complete HTTPS: increase in marketing benefits, lower costs, increase in user benefits
  21. Services Security (section divider; same diagram as slide 10)
  22. CloudFront enables advanced SSL features automatically
  23. Built-in SSL/TLS optimizations
     Improved security:
     • High security ciphers
     • Perfect forward secrecy
     Improved SSL performance:
     • Online Certificate Status Protocol (OCSP) stapling
     • Session tickets
     • TCP Fast Open
  24. Advanced SSL/TLS: Improved security
     • Handles secure authentication
     • Enables perfect forward secrecy
     • CloudFront uses strong ciphers
     (Diagram: CloudFront edge location)
  25. Validate origin certificate
     CloudFront validates SSL certificates to origin:
     • Origin domain name must match subject name on certificate
     • Certificate must be issued by a trusted CA
     • Certificate must be within expiration window
  26. Advanced SSL/TLS: Improved performance
     • Session tickets
     • TCP Fast Open
     • Online Certificate Status Protocol (OCSP) stapling
  27. Session tickets
     • Session tickets allow the client to resume a session
     • CloudFront sends encrypted session data to the client
     • Client does an abbreviated SSL handshake
     (Diagram: CloudFront edge location)
  28. TCP Fast Open
     • TCP cookie returned to client upon establishing TCP session
     • Client sends cookie next time it connects to the server, along with Client Hello
     • CloudFront supports this for TLS connections only
     (Diagram: CloudFront edge location)
  29. OCSP Stapling (participants: Client, Amazon CloudFront, OCSP Responder, Origin Server)
     1) Client sends TLS Client Hello
     2) CloudFront requests certificate status from OCSP responder
     3) OCSP responder sends certificate status
     4) CloudFront completes TLS handshake with client
     5) Request/response from origin server
  30. OCSP stapling vs. client-side revocation checks (timing chart, 0–250 ms)
     Client-side revocation checks: TCP handshake → Client Hello → Server Hello → DNS for OCSP responder → TCP to OCSP responder → OCSP request/response → follow certificate chain → complete handshake → application data
     OCSP stapling: the client's DNS lookup, TCP connection and OCSP request/response to the responder are not needed; the status arrives stapled in the handshake
     Result: 30% improvement, 120 ms faster
  31. CloudFront supports Apple ATS
     • Required January 2017
     • TLS 1.2 (supported through the MinimumProtocolVersion option)
     • Perfect forward secrecy
     • Server certificates: 2048-bit RSA keys
     RSA certificates, supported cipher suites:
     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
     TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
     TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  32. CloudFront has advanced SSL features you can enable
  33. Services Security (section divider; same diagram as slide 10)
  34. Deliver content using HTTPS
     • CloudFront makes it easy
     • Create one distribution and deliver both HTTP & HTTPS content
     • There are other options as well:
       • Strict HTTPS
       • HTTP to HTTPS redirect
  35. CloudFront TLS options
     • Default CloudFront SSL domain name: CloudFront certificate shared across customers. When to use? Example: dxxx.cloudfront.net
     • SNI custom SSL: bring your own SSL certificate; relies on the SNI extension of the Transport Layer Security protocol. When to use? Example: www.mysite.com. Some older browsers/OS do not support the SNI extension
     • Dedicated IP custom SSL: bring your own SSL certificate; CloudFront allocates dedicated IP addresses to serve your SSL content. When to use? Example: www.mysite.com. Supported by all browsers/OS
  36. AWS Certificate Manager
  37. What is AWS Certificate Manager (ACM)?
     AWS Certificate Manager (ACM) makes it easy to provision, manage, deploy, and renew SSL/TLS certificates on the AWS platform.
  38. Amazon CloudFront and ACM integration
     1. Request certificate  2. Validate request  3. Use
     • Easy to procure a new certificate (directly from the CloudFront console)
     • Fast turnaround (minutes)
     • Immediately available for use in CloudFront (and ELB)
     • SNI support for custom certs generated with ACM is free
     • Hassle-free automatic certificate renewal
     (Diagram: Elastic Load Balancing, AWS Certificate Manager, CloudFront)
  39. Before (time-consuming & complex): third-party certificate authority (3-5 days) → upload to IAM through AWS CLI → connect to CloudFront through AWS CLI
     After (simple & automated & super fast): AWS Certificate Manager, end-to-end process within minutes, using a couple of mouse clicks on the console, integrated with AWS Certificate Manager
  40. Choose your own security
     Half bridge termination: Amazon CloudFront → HTTP → region
     Full bridge termination: Amazon CloudFront → HTTPS → region
  41. Half bridge TLS termination
     Better performance by leveraging HTTP connections to origin (Amazon CloudFront → HTTP → region)
  42. Full bridge TLS termination
     • Secured connection all the way to origin
     • Use origin protocol policy 'Match Viewer' or 'HTTPS Only'
     (Amazon CloudFront → HTTPS → region)
  43. Access control: What if you want to…
     • Deliver content only to selected customers
     • Allow access to content only until 'time n'
     • Allow only certain IP addresses to access content
  44. Access control: Private content
     Signed URLs
     • Add signature to the query string in the URL
     • Your URL changes
     When should you use it?
     • Restrict access to individual files
     • Users are using a client that doesn't support cookies
     • You want to use an RTMP distribution
     Signed cookies
     • Add signature to a cookie
     • Your URL does not change
     When should you use it?
     • Restrict access to multiple files
     • You don't want to change URLs
  45. Access control: Private content
     • Here is an example of a policy statement for signed URLs
  46. Access control: Private content
     Under development mode? Make CloudFront accessible only from your internal IP addresses
  47. Access control: Private content
     • Serverless signed URL generator
  48. Serving unnecessary requests costs money (Amazon CloudFront edge location, AWS WAF)
     Scraper bot request:
       Host: www.internetkitties.com
       User-Agent: badbot
       Accept: image/png,image/*;q=0.8,*/*;q=0.5
       Accept-Language: en-US,en;q=0.5
       Accept-Encoding: gzip, deflate
       Referer: http://www.InTeRnEkItTiEs.com/
       Connection: keep-alive
     Browser request:
       Host: www.internetkitties.com
       User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…
       Accept: image/png,image/*;q=0.8,*/*;q=0.5
       Accept-Language: en-US,en;q=0.5
       Accept-Encoding: gzip, deflate
       Referer: http://www.mysite.com/
       Connection: keep-alive
  49. Access Control: Web Application Firewall (Amazon CloudFront edge location, AWS WAF; same scraper-bot and browser request pair as slide 48)
  50. MapBox uses AWS WAF to protect from bots
     (Diagram: Good users / Bad guys → AWS WAF → Server; Logs → Threat analysis → Rule updater)
  51. AWS WAF Example: A Technical Implementation
     Blocking bad bots dynamically with AWS WAF web ACLs
  52. AWS WAF example: Blocking bad bots
     What we need…
     • IPSet: contains our list of blocked IP addresses
     • Rule: blocks requests if the request matches an IP in our IPSet
     • WebACL: allows requests by default, contains our rule, and…
     • Mechanism to detect bad bots
     • Mechanism to add bad bot IP addresses to the IPSet
  53. AWS WAF example: Detecting bad bots
     • Use robots.txt to specify which areas of your site or web app should not be scraped
     • Place the file in your web root
     • Ensure there are links pointing to non-scrapable content
     • Hide a trigger script that normal users don't see and good bots ignore
       $ cat webroot/robots.txt
       User-agent: *
       Disallow: /honeypot/
       <a href="/honeypot/" class="hidden" aria-hidden="true">click me</a>
  54. AWS WAF example: Blacklist bad bots
     • Bad bots (ignoring your robots.txt) will request the hidden link
     • Trigger script will detect the source IP of the request
     • Trigger script requests a change token
     • Trigger script adds the source IP to the IPSet blacklist
     • WebACL will block subsequent requests from that source
       $ aws --endpoint-url https://waf.amazonaws.com/ waf get-change-token
       { "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f" }
       $ aws --endpoint-url https://waf.amazonaws.com/ waf update-ip-set --cli-input-json '{ "IPSetId": "<<IP SET ID>>", "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f", "Updates": [ { "Action": "INSERT", "IPSetDescriptor": { "Type": "IPV4", "Value": "<<SOURCE IP>>/32" } } ] }'
       { "ChangeToken": "acbc53f2-46db-4fbd-b8d5-dfb8c466927f" }
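As an added example (not code from the deck or from AWS), the detection and blacklisting steps of slides 52-54 in Python: parse the robots.txt Disallow entries, scan constructed access-log lines for clients that fetched a disallowed path anyway, and build the `update-ip-set` request body in the shape shown above. The deck uses a trigger script behind the hidden link; this offline variant reads log lines instead, and the IPSetId and change token are placeholders.

```python
import ipaddress
# Constructed robots.txt, mirroring the deck: the honeypot path is disallowed.
ROBOTS_TXT = "User-agent: *\nDisallow: /honeypot/\nDisallow: /internal-api/\n"

# Constructed log lines: a tab-separated subset of CloudFront access-log fields
# (date, time, c-ip, cs-uri-stem, cs(User-Agent)).
ACCESS_LOG = """2016-11-30\t10:00:01\t203.0.113.7\t/images/cat.png\tMozilla/5.0
2016-11-30\t10:00:02\t198.51.100.23\t/honeypot/\tbadbot
2016-11-30\t10:00:03\t198.51.100.23\t/honeypot/index.html\tbadbot
2016-11-30\t10:00:04\t203.0.113.7\t/index.html\tMozilla/5.0
2016-11-30\t10:00:05\t192.0.2.99\t/internal-api/users\tscrapy/1.3
2016-11-30\t10:00:06\tnot-an-ip\t/honeypot/\tbroken"""

def disallowed_prefixes(robots_txt):
    """Path prefixes that a well-behaved crawler must not fetch."""
    prefixes = []
    for line in robots_txt.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            prefixes.append(value.strip())
    return prefixes

def honeypot_hits(access_log, prefixes):
    """Distinct IPv4 sources that requested a disallowed path, i.e. clients
    that ignored robots.txt. Malformed addresses are skipped, not blocked."""
    hits = set()
    for line in access_log.splitlines():
        fields = line.split("\t")
        if len(fields) < 4 or not any(fields[3].startswith(p) for p in prefixes):
            continue
        try:
            hits.add(str(ipaddress.IPv4Address(fields[2])))
        except ipaddress.AddressValueError:
            continue
    return sorted(hits, key=ipaddress.IPv4Address)

def ipset_update(ip_set_id, change_token, ips):
    """Body for `aws waf update-ip-set --cli-input-json`: one INSERT of a /32
    descriptor per offending address, under the current change token."""
    return {
        "IPSetId": ip_set_id,
        "ChangeToken": change_token,
        "Updates": [{"Action": "INSERT",
                     "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
                    for ip in ips],
    }

# Placeholders stand in for the real IPSetId and the token from get-change-token.
BLOCK_REQUEST = ipset_update("<<IP SET ID>>", "<<CHANGE TOKEN>>",
                             honeypot_hits(ACCESS_LOG, disallowed_prefixes(ROBOTS_TXT)))
```

`BLOCK_REQUEST` serialised with `json.dumps` is what the trigger script would pass to `--cli-input-json`; the `ChangeToken` must be a fresh one from `get-change-token`, as on slide 54.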
  55. Preconfigured protection & tutorials: https://aws.amazon.com/waf/preconfiguredrules/
  56. Application security: How you can secure your application and origin
     (Layers: Infrastructure Security, Application Security, Services Security)
  57. Application security
     IAM policies + Origin protection + OAI + Rotate keys + Rotate certificates ("What should you do?") = Secured content delivery
  58. Hackers could still bypass CloudFront to access your origin…
  59. Access control: Restricting origin access
     Amazon S3: Origin Access Identity (OAI)
     • Prevents direct access to your Amazon S3 bucket
     • Ensures performance benefits to all customers
     Custom origin: block by IP address; pre-shared secret header
     • Whitelist CloudFront only
     • Protects origin from overload
     • Ensures performance benefits to all customers
  60. Origin Access Identity (OAI)
     • Only CloudFront can access the Amazon S3 bucket
     • We make it simple for you
     (Diagram: Amazon CloudFront → Region: Amazon S3 bucket, Custom Origin)
  61. Protect Custom Origin
     1. Whitelist CloudFront IP range
     2. Whitelist a pre-shared secret origin header
     (Diagram: Amazon CloudFront → Region: Amazon S3 bucket, Custom Origin)
  62. Protect custom origin
     • Subscribe to SNS notifications on changes to IP ranges
     • Automatically update security groups
     • https://github.com/awslabs/aws-cloudfront-samples
     (Diagram: AWS IP ranges → SNS message → AWS Lambda → update IP range → Security group → Web app servers; Amazon CloudFront, Amazon SNS)
  63. Origin best practices
     1. Match viewer origin protocol policy
       • Enable only TLS 1.1 or 1.2 to origin
       • Enforce HTTPS-only connections to origin
     2. Restrict access using security groups & shared secret
     3. Use a SHA-256 certificate
     (Diagram: security group)
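As an added example (not from the deck or from the aws-cloudfront-samples repository), an origin-side check in Python that combines the two controls of slides 59-63: the client address must fall in a CLOUDFRONT prefix from an ip-ranges.json document, and the request must carry the pre-shared secret header. The ip-ranges excerpt is constructed, and the header name `X-Origin-Shared-Secret` and its value are hypothetical.

```python
import hmac
import ipaddress
import json

# Constructed excerpt in the shape of the published ip-ranges.json document;
# the prefixes are documentation ranges, not real CloudFront addresses.
IP_RANGES_JSON = json.dumps({"prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
    {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
]})

# Hypothetical header name and value; the deck only says "pre-shared secret header".
SECRET_HEADER = "X-Origin-Shared-Secret"
EXPECTED_SECRET = "constructed-example-secret-rotate-me"

def cloudfront_networks(ip_ranges_json):
    """Networks published for the CLOUDFRONT service: the list the Lambda in
    slide 62 pushes into the origin's security group on each SNS notice."""
    data = json.loads(ip_ranges_json)
    return [ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT"]

def origin_allows(client_ip, headers, networks, expected_secret=EXPECTED_SECRET):
    """Origin-side gate: the connection must come from a CloudFront range AND
    carry the shared secret. The deck recommends both, since the ranges are
    public and a header on its own says nothing about where a request came from."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False                      # unparsable source address: deny
    if not any(addr in net for net in networks):
        return False                      # not via CloudFront (direct to origin): deny
    # Header names are case-insensitive; compare the secret in constant time.
    presented = next((v for k, v in headers.items()
                      if k.lower() == SECRET_HEADER.lower()), "")
    return hmac.compare_digest(presented.encode(), expected_secret.encode())

NETWORKS = cloudfront_networks(IP_RANGES_JSON)
```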
  64. Origin best practices
     4. Use ELB with custom certificate
     5. Use ELB pre-defined policy
     6. Send HSTS header
       Strict-Transport-Security: max-age=15552000;
       X-Frame-Options: SAMEORIGIN
       X-XSS-Protection: 1; mode=block
     Options: You can request an SSL certificate from AWS Certificate Manager
  65. How to validate your security configurations
  66. CloudFront resources
     Amazon CloudFront Office Hours
     • Last Tuesday of every month (Dec 13, 2016 10:00 am)
     • Register here: https://aws.amazon.com/cloudfront/events/
     AWS Whitepaper - Secure Content Delivery with Amazon CloudFront: https://d0.awsstatic.com/whitepapers/Security/Secure_content_delivery_with_CloudFront_whitepaper.pdf
  67. Related Sessions
     • CTD302 - Taking DevOps to the AWS Edge
     • CTD301 - Amazon CloudFront Flash Talks: Best Practices on Configuring, Securing and Monitoring your Distribution
  68. Thank you!
  69. Remember to complete your evaluations!
