How Dow Jones uses AWS to create a secure perimeter around its web properties - SDD316 - AWS re:Inforce 2019
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
How Dow Jones uses AWS to create a secure perimeter
Kamal Verma
Sr. Principal
Dow Jones and Company
SDD316
2. Dow Jones brings together world-leading data, media, membership and
intelligence solutions to power the most ambitious companies and professionals.
https://www.dowjones.com
https://dowjones.jobs
3. Why?
1. Forming a protective ring around our applications, like Saturn
2. Being nimble - alternative to current edge provider
3. Application security
4. Operational security
5. Certificate management and automation
6. Inclement state alarms
7. Advanced SIEM
8. Monitoring and operations
9. Error pages - standard error pages for 50x errors
10. Performance
4. Agenda
1. Layer 4 – AWS Shield Advanced
2. Layer 7 – AWS WAF, OWASP Top 10
3. Monitoring – Error rates and web-attack alarms
4. Logging – Using Amazon Athena to search CloudFront logs
5. Performance – Out-of-band abuse processing and reporting
6. Lambda@Edge – JWT validation
7. Simplified SPA patterns – Simplification of an app
5. Icon by Freepik from www.flaticon.com
6. Edge computing
7. Edge computing layers
14. AWS WAF: application security
16. High-rate abuse case and rate control
● IP-based rate controls fail
○ NAT IPs – one abuser punishes all the users behind the same address
○ Rerouted traffic is not controlled
● Unauthenticated session
○ If you don't have one – you get one
○ Rate control applies to this session
● Tie the unauthenticated session to the authenticated one
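The session-keyed rate control described on this slide, as an added example (not Dow Jones' or AWS's code): requests are budgeted per session token rather than per source IP, a request that arrives without a session is issued one before it is counted, and on login the anonymous session's budget is merged into the user's so that authenticating does not reset the allowance. The class and function names, the window and limit values, and the injectable clock are assumptions made for illustration.

```python
# Added example (not Dow Jones' or AWS's code): rate control keyed on a
# per-session token instead of the client IP, as the slide describes.
# Hypothetical names throughout; the limits are constructed for illustration.
import secrets
import time
from collections import deque


class SessionRateLimiter:
    """Sliding-window limiter whose key is a session, not an address.

    Users behind one NAT address therefore have separate budgets, and a
    request that arrives with no session is issued one before it is counted.
    """

    def __init__(self, window_seconds=60, max_requests=30, clock=time.monotonic):
        self.window = window_seconds
        self.limit = max_requests
        self.clock = clock            # injectable so behaviour can be tested without sleeping
        self._hits = {}               # rate key -> deque of request timestamps (oldest first)
        self._alias = {}              # anonymous session id -> "user:<id>" once tied to a login

    def issue_session(self):
        """Mint an unguessable anonymous session id ("if you don't have one, you get one")."""
        return secrets.token_urlsafe(16)

    def link(self, session_id, user_id):
        """Tie an anonymous session to the authenticated identity.

        The anonymous budget is merged into the user's budget so that logging
        in does not hand the client a fresh allowance.
        """
        user_key = "user:" + user_id
        merged = list(self._hits.pop(session_id, ())) + list(self._hits.get(user_key, ()))
        self._hits[user_key] = deque(sorted(merged))
        self._alias[session_id] = user_key

    def check(self, session_id):
        """Count one request for the session; return True if it is within the limit."""
        now = self.clock()
        key = self._alias.get(session_id, session_id)
        hits = self._hits.setdefault(key, deque())
        while hits and now - hits[0] > self.window:   # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def handle_request(limiter, session_id):
    """Edge-style request hook: issue a session when absent, then apply the rate control.

    Returns (allowed, session_id); the caller sets session_id as a cookie on the response.
    """
    if not session_id:
        session_id = limiter.issue_session()
    return limiter.check(session_id), session_id
```

In a real deployment the hit store would live in a shared cache rather than in process memory, and the session cookie would be signed so that a client cannot mint its own; both are left out here to keep the rate-control logic itself visible.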
17. Bot protection
● The bots' signature is identified
● Adjust AWS WAF to keep the bots out
19. SQL query
select * from example.cf
where time_taken > 4
limit 5
20. SQL query
WITH ds AS
(SELECT *,
parse_datetime( concat( concat( format_datetime(date,
'yyyy-MM-dd'), '-' ), time ),'yyyy-MM-dd-HH:mm:ss') AS datetime
FROM "table1"."cf"
WHERE src='example.com'
and uri = '/content/search'
and date = date('2019-04-12')
and method = 'GET')
SELECT *
FROM ds
WHERE datetime
BETWEEN timestamp '2019-04-12 18:00:00'
AND timestamp '2019-04-12 18:05:00'
order by time
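The two Athena queries above (slow requests over 4 seconds, and one host/URI/method within a five-minute window) redone in Python over CloudFront standard log lines, with the per-minute 5xx error-rate check that the "error rates" alarm on the agenda would run over the same rows. This is an added example, not Dow Jones' or AWS's code; the sample log lines are constructed, the field list is the first part of the real CloudFront standard log header, and it is an assumption that the query's src column corresponds to the log's x-host-header field.

```python
# Added example (not Dow Jones' or AWS's code): the two Athena queries on the
# slides, re-done in Python over CloudFront standard log lines, plus the 5xx
# error-rate check an "error rates" alarm would run on the same rows.
# Assumptions: the query's "src" column is the log's x-host-header field, and
# the sample below is constructed, not a real Dow Jones log.
from collections import defaultdict
from datetime import datetime

# First fields of the CloudFront standard (W3C) log format, in order.
_HEADER = ("date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem "
           "sc-status cs(Referer) cs(User-Agent) cs-uri-query cs(Cookie) x-edge-result-type "
           "x-edge-request-id x-host-header cs-protocol cs-bytes time-taken")


def _line(date, time, method, uri, status, taken, host="example.com"):
    """Build one constructed, tab-separated log line in _HEADER order ('-' = empty field)."""
    return "\t".join([date, time, "IAD89-C1", "512", "203.0.113.7", method,
                      "d111.cloudfront.net", uri, str(status), "-", "Mozilla/5.0", "-", "-",
                      "Miss", "req-" + time.replace(":", ""), host, "https", "300", taken])


SAMPLE_LOG = "\n".join([
    "#Version: 1.0",
    "#Fields: " + _HEADER,
    _line("2019-04-12", "18:00:30", "GET", "/content/search", 200, "0.412"),
    _line("2019-04-12", "18:01:05", "GET", "/content/search", 200, "0.350"),
    _line("2019-04-12", "18:01:20", "GET", "/content/search", 503, "5.210"),
    _line("2019-04-12", "18:01:40", "GET", "/content/search", 503, "4.980"),
    _line("2019-04-12", "18:01:55", "GET", "/content/search", 502, "0.050"),
    _line("2019-04-12", "18:02:15", "POST", "/content/search", 200, "0.300"),
    _line("2019-04-12", "18:02:30", "GET", "/index.html", 200, "6.000"),
    _line("2019-04-12", "18:03:10", "GET", "/content/search", 200, "0.120"),
    _line("2019-04-12", "18:07:00", "GET", "/content/search", 200, "0.220"),
])


def parse_cloudfront_log(text):
    """Parse log lines into dicts keyed by the #Fields names, with typed helper columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("log line does not match the #Fields header")
        row = dict(zip(fields, values))
        # Same composite key as parse_datetime(concat(date, '-', time)) in the Athena query
        row["datetime"] = datetime.strptime(row["date"] + "-" + row["time"], "%Y-%m-%d-%H:%M:%S")
        row["sc-status"] = int(row["sc-status"])
        row["time-taken"] = float(row["time-taken"])
        rows.append(row)
    return rows


def slow_requests(rows, threshold_seconds=4.0, limit=5):
    """Equivalent of: select * from example.cf where time_taken > 4 limit 5"""
    return [r for r in rows if r["time-taken"] > threshold_seconds][:limit]


def requests_in_window(rows, host, uri, method, start, end):
    """Second query: filter on host/uri/method, keep rows BETWEEN start AND end, order by time."""
    lo = datetime.strptime(start, "%Y-%m-%d %H:%M:%S")
    hi = datetime.strptime(end, "%Y-%m-%d %H:%M:%S")
    hits = [r for r in rows
            if r["x-host-header"] == host and r["cs-uri-stem"] == uri
            and r["cs-method"] == method and lo <= r["datetime"] <= hi]
    return sorted(hits, key=lambda r: r["datetime"])


def error_rate_by_minute(rows):
    """Per-minute (5xx count, total count): the input for an error-rate alarm."""
    buckets = defaultdict(lambda: [0, 0])
    for r in rows:
        minute = r["datetime"].strftime("%Y-%m-%d %H:%M")
        buckets[minute][1] += 1
        if 500 <= r["sc-status"] <= 599:
            buckets[minute][0] += 1
    return {m: tuple(c) for m, c in buckets.items()}


def alarming_minutes(rows, max_error_ratio=0.2, min_requests=3):
    """Minutes whose 5xx ratio exceeds the threshold; min_requests stops a single
    failed request in a quiet minute from paging anyone."""
    return [(m, err, tot) for m, (err, tot) in sorted(error_rate_by_minute(rows).items())
            if tot >= min_requests and err / tot > max_error_ratio]
```

Parsing by the #Fields header rather than by position means the same code keeps working when CloudFront appends fields to the log format; the min_requests floor on the alarm is the kind of guard that keeps a low-traffic minute from producing noise before the alert reaches Slack.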
22. Alarms and integration with Slack
23. Application pattern evolution
24. Poor communication hygiene: diagram of a Chrome browser with four separate TLS connections (tls 1 to tls 4)
25. Serverless SPA: diagram of a Chrome browser with two TLS connections (tls 1, tls 2)
26. Serverless SPA – Amazon Simple Storage Service (Amazon S3)
27. Performance
28. Performance of HTTPS/TCP
31. High availability