
Layered Perimeter Protection for Apps Running on AWS (CTD201-R1) - AWS re:Invent 2018

This is a practical, demo-driven session where you will learn about best practices for protecting applications on AWS. We give an overview of the threats to applications on AWS, discuss why perimeter defense helps against these threats, and cover key techniques that use services such as Amazon CloudFront, Route 53, and WAF to protect your web applications. Lastly, you will learn best practices for protecting different types of applications: web/APIs, TCP-based, or gaming.


  1. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
     Layered Perimeter Protection for Apps Running on AWS (CTD201)
     Ritwik Manan, Sr. Product Mgr. Tech, AWS Shield
     Woodrow Arrington, Sr. Product Mgr. Tech, Amazon CloudFront
  2. Recording available on YouTube; deck available on SlideShare.
  3. What to expect from this session: Layered Security, Demos, Use Cases
  4. Challenges in web application development
  5. Malicious actors are always probing for weak points
  6. Biggest threats to web applications today: App Vulnerabilities, Bad Bots, DDoS
     [Chart: Largest DDoS Attacks (Gbps), scale 0 to 1800 Gbps, marking Memcached and the Mirai botnet]
  7. Security is always the number one priority, and it needs to constantly evolve in today's environment.
  8. Three layers of perimeter protection
     Objective: build a highly scalable, secure, well-monitored, DDoS-protected application
     1. Secure content delivery layer with reduced surface area
     2. Firewall layer for common and customer-specific exploits
     3. DDoS protection layer for mitigating availability impact
     Plus: software automation of security
  9. Layered perimeter protection – Basic AWS application
     [Diagram: ALB in a public subnet in front of an EC2 instance in a private subnet, plus an S3 bucket]
  11. Security & performance: Amazon CloudFront
  12. Amazon CloudFront's Secure Global Network
  13. Amazon CloudFront's Secure Global Network – Compliance standards (CloudFront / "CDN A")
     PCI DSS: Yes / Yes***
     ISO 27001: Yes / No
     ISO 27002: Yes / Yes
     ISO 9001: Yes / No
     ISO 27017: Yes / No
     ISO 27018: Yes / No
     SOC 1/2/3: Yes / Yes***
     HIPAA: Yes / Yes
     GDPR: Yes / Yes
     Regional audits (Germany C5, Australia's IRAP/IRAP Protected, Singapore's MTCS, Korea's K-ISMS): Yes / No
  14. CloudFront shields your origin
     [Diagram: Users → local edge locations → regional edge cache → application origin]
  15. Securing and accelerating your entire application – static content (images, JavaScript, HTML) served from S3 through CloudFront
     [Chart: p50 first-byte latency for CloudFront vs. S3 US East, S3 US West, EC2 (N. Virginia), EC2 (Ohio), EC2 (N. California), EC2 (Oregon)]
  16. Securing and accelerating your entire application – video content (video on demand, live streaming video) from AWS Elemental Media through CloudFront, with S3 storage
  17. Securing and accelerating your entire application – dynamic content (user inputs, APIs) from ALB/EC2 through CloudFront
     [Same p50 first-byte latency chart as slide 15]
  18. Dynamic content – WebSocket support
     "CloudFront WebSocket support means we can simplify our infrastructure and further improve customer satisfaction. CloudFront Edge locations will now contribute to better user performance in WebSocket apps." Eduard Iskandarov, Team Lead Infrastructure, Coins.ph
     "CloudFront now supporting WebSockets enables us to consolidate both our dynamic and static content delivery under a single distribution, hence improving global reach, enhancing app security, and simplifying our delivery architecture all at the same time." Viesturs Proškins, Head of Video R&D, Evolution Gaming
  19. Encrypting data in transit and at rest
     • Same global network for HTTPS and HTTP
     • Strict TLS policy enforcement
     • Perfect Forward Secrecy
     • OCSP Stapling
     • Many more SSL optimizations and customizable options documented online
     [Chart: % of traffic over SSL, Oct 2013 to 2018, scale 0% to 80%]
  20. TLS/SSL options through CloudFront
     Default CloudFront SSL: CloudFront certificate shared across customers. Use case: dxxx.cloudfront.net
     SNI custom SSL: bring your own SSL certificate; relies on the SNI extension of the Transport Layer Security protocol. Use case: www.example.com; note that some older browsers/OS do not support the SNI extension
     Dedicated IP custom SSL: bring your own SSL certificate; CloudFront allocates dedicated IP addresses for your SSL content. Use case: www.example.com; supported by all browsers/OS
     Free SSL certificates for ACM-integrated services like CloudFront
  21. Restricting internal access to your content with Field Level Encryption
  22. Restricting external access to your content
     Signed URLs: add a signature to the URL query string; your URL changes. Use case: restrict access to individual files; users are using a client that doesn't support cookies
     Signed cookies: add a signature to a cookie; your URL does NOT change. Use case: restrict access to multiple files; you don't want to change URLs
     Geo Restriction: country-based whitelist or blacklist. Use case: broad restriction based on geographical mapping of the client IP
  23. Restricting external access to your origin
     S3 Origin Access Identity: prevents direct access to your Amazon S3 bucket; no S3 URLs are accessible directly [Diagram: CloudFront → S3]
     Custom origin security groups: whitelist ONLY the CloudFront IP range; protects the origin from overload [Diagram: CloudFront → ALB → EC2]
  25. Software automation of the secure content delivery
  26. Automatically update an ALB/EC2 security group for CloudFront using AWS Lambda: IAM policy, Lambda function, SNS subscription
     Read our blog for a step-by-step guide: "How to Automatically Update Your Security Groups for Amazon CloudFront and AWS WAF by Using AWS Lambda"
  27. Layered perimeter protection – Adding secure content delivery
     [Diagram: CloudFront in front of the ALB, EC2 instance in a private subnet, S3 bucket]
  29. Choosing a Web Application Firewall: 4 key tenets
  30. Choosing a Web Application Firewall: AWS WAF
  31. Choosing a Web Application Firewall: AWS WAF – CloudFormation Templates; Managed Rules for AWS WAF
  32. Foundational security – Managed rules for AWS WAF
     • Rules written, updated and managed by security experts
     • Pay as you go: no lock-in / long-term commitment
     • Easy to deploy
     • Choice of protections: OWASP Top 10 & other web exploits; Common Vulnerabilities and Exposures (CVE); bot protection; IP reputation lists; CMS rules (WordPress, Joomla and others); Apache and Nginx vulnerabilities
  33. Choosing a Web Application Firewall: AWS WAF – Security Automations; Managed Rules for AWS WAF
  34. AWS WAF is a powerful rule language framework
  35. Choosing a Web Application Firewall: AWS WAF – Security Automations; Managed Rules for AWS WAF; Multiple rule condition types; Combine and build hierarchy; Actions: Allow / Block / Count
  37. Analyze security: Visibility & analytics
     CloudWatch Metrics: metrics on every rule (Allowed | Blocked | Counted | Passed). Use case: set alarms for notifications
     Sampled Web Requests: detailed logs of a sample of requests; automatically available for every rule. Use case: quickly test AWS WAF rules; easy triaging on the console
     Full Logs: detailed logs of every request; optionally enabled for your WebACL. Use case: security analytics, monitoring, automation, auditing, and compliance
  38. AWS WAF full logs: Key benefits
     Compliance & auditing: every logged request includes request headers and the RuleIDs that matched; redact sensitive fields
     Flexible implementation: logs streamed in JSON format through Amazon Kinesis Data Firehose to your destination of choice
     3rd-party integrations: centralize and analyze logs from AWS WAF and other services
     [Diagram: Amazon Kinesis Data Firehose → Amazon S3, Amazon Redshift, Amazon Elasticsearch, Splunk]
  39. Security analytics common use cases: 3rd-party integrations
  40. Enhanced Security Analytics with AWS: AWS WAF → Amazon S3 bucket → Amazon Athena
     Check out our webinar for a step-by-step guide: "Enhanced Security Analytics using AWS Full Logging"
  41. Choosing a Web Application Firewall: AWS WAF – Security Automations; Managed Rules for AWS WAF; Multiple rule condition types; Combine and build hierarchy; Actions: Allow / Block / Count; CloudWatch Metrics; Sampled Web Requests; Full Logs
  43. Software automation of the firewall
  44. Software automation of security: Lambda-based AWS WAF automations
     • Bad bot / scanner / known attackers
     • AWS WAF integration with Amazon GuardDuty
     • DevOps friendly: full-featured APIs and fast rule updates
     Blog / webinar: "Automate Threat Mitigation Using AWS WAF and Amazon GuardDuty"; AWS Answers: "AWS WAF Security Automations"
  45. Software automation: Config-based AWS WAF policies
     • Ensure compliance with mandatory rules across the organization
     • Simplify management of rules across accounts & applications with security policies
     • Enable rapid response to Internet attacks
     • Customize policy scope to resource type and accounts (include/exclude)
  47. Automating web application security – Create honeypot protections across apps
     A bad bot identified on one application can easily be blocked from the organization's other applications as well.
     To quickly create a honeypot automation on an account, read our step-by-step guide: "AWS WAF Security Automations"
  48. Choosing a Web Application Firewall: AWS WAF – Security Automations; Managed Rules for AWS WAF; Multiple rule condition types; Combine and build hierarchy; Actions: Allow / Block / Count; CloudWatch Metrics; Sampled Web Requests; Full Logs; Lambda Automations; AWS Firewall Manager
  50. Layered perimeter protection – Adding a firewall
     [Diagram: CloudFront with WAF in front of the ALB, EC2 instance in a private subnet, S3 bucket; Firewall Manager governing WAF]
  52. Choosing a DDoS protection provider: 4 key tenets
  53. Choosing a DDoS protection provider: AWS Shield Standard & Advanced
  54. Choosing a DDoS protection provider: AWS Shield Standard & Advanced – Built-in DDoS protection for everyone; Point and Protect wizard
  55. AWS Shield detects and mitigates thousands of DDoS attacks daily
     Source: AWS Global Threat Dashboard (available for AWS Shield Advanced customers)
  57. Choosing a DDoS protection provider: AWS Shield Standard & Advanced – Built-in DDoS protection for everyone; Point and Protect wizard; Automatic protection across customers; Enhanced protection baselined to you; 24x7 access to the DDoS Response Team (DRT)
  58. AWS Shield Standard: Layer 3/4 protection for everyone – Automatic protection across customers
     • Baselining and anomaly detection across all of AWS
     • Mitigation with proprietary packet filtering stacks using suspicion-based scoring
     • Automatic defense against the most common network and transport layer DDoS attacks for any AWS resource, in any AWS Region
     • Comprehensive defense against all known network and transport layer attacks when using Amazon CloudFront and Amazon Route 53
  59. AWS Shield Advanced: Enhanced protection – Enhanced protection baselined to you; 24x7 access to the DDoS Response Team (DRT)
     Detection: enhanced Layer 3/4 attack detection baselined to you; Layer 7 attack detection
     Mitigation: pre-configured mitigations scoped to resource type; advanced mitigations like SYN throttling; customer-defined L3/4 mitigations (for regional services)
     DRT: help in incident triaging and mitigation; automatically engaged for availability-impacting L3/L4 events; customer-driven support cases through AWS Support or the Shield Engagement Lambda
  60. Recent significant attacks
     March 2018: web application targeted by a 1.4 Tbps memcached reflection attack, mitigated with Amazon CloudFront and AWS Shield Advanced
     November 2018: web application running on Amazon CloudFront targeted by 20 million requests per second, automatically mitigated by Amazon CloudFront and AWS Shield Advanced
  62. Choosing a DDoS protection provider: AWS Shield Standard & Advanced – Built-in DDoS protection for everyone; Point and Protect wizard; Automatic protection across customers; Enhanced protection baselined to you; 24x7 access to the DDoS Response Team (DRT); CloudWatch Metrics; Attack Diagnostics; Global Threat Environment Dashboard
  64. Choosing a DDoS protection provider: AWS Shield Standard & Advanced – Built-in DDoS protection for everyone; Point and Protect wizard; Automatic protection across customers; Enhanced protection baselined to you; 24x7 access to the DDoS Response Team (DRT); CloudWatch Metrics; Attack Diagnostics; Global Threat Environment Dashboard; AWS WAF at no additional cost for protected resources; AWS Firewall Manager at no additional cost; Cost protection for scaling
  65. AWS Shield Advanced: Cost protection for scaling
     AWS absorbs the scaling cost on protected resources due to a DDoS attack: Amazon CloudFront; Elastic Load Balancing (ELB/ALB/NLB); Amazon Route 53; Amazon EC2
  67. Layered perimeter protection – Adding DDoS protection
     [Diagram: Shield and Shield Advanced covering CloudFront, WAF and the ALB; EC2 instance in a private subnet; S3 bucket; Firewall Manager]
  69. Specialized component use cases – Different protection needs: I have a serverless architecture / APIs
     Amazon API Gateway: create a unified API frontend for multiple micro-services; authenticate and authorize requests; throttle, meter, and monetize API usage by third-party developers
     AWS WAF: full AWS WAF features; custom and managed rules; visibility through CloudWatch and logs; automate with AWS Lambda
     AWS Shield Standard
  70. Specialized component use cases – Different protection needs: I have TCP traffic (non-HTTP/S)
     Network Load Balancer: fast-scaling, transparent load balancer architected for performance and availability
     AWS Global Accelerator: global load balancing across regions with anycast routing and fine-grained controls
     AWS Shield Advanced: granular detection thresholds (based on background architecture); pre-configured / customized mitigation templates; network ACLs pushed to the border
  71. Specialized component use cases – Different protection needs: I run UDP-based games
     EC2 instances
     AWS Global Accelerator: global load balancing across regions with anycast routing and fine-grained controls
     AWS Shield Advanced: granular detection thresholds (based on background architecture); pre-configured / customized mitigation templates; network ACLs pushed to the border
  73. Layered perimeter protection – Basic AWS application
     [Diagram: ALB in a public subnet in front of an EC2 instance in a private subnet, plus an S3 bucket]
  74. Ending with a multi-layered, secured application
     [Diagram: CloudFront, WAF, Shield and Shield Advanced in front of the ALB; EC2 instance in a private subnet; S3 bucket; Firewall Manager]
  75. Thank you!
     Ritwik Manan, ritwikm@amazon.com
     Woodrow Arrington, arrinw@amazon.com
  76. Deck available on SlideShare & recording available on YouTube
  77. Related breakouts
     Thursday, November 29th: CTD315 - How Rovio Uses Amazon CloudFront for Secure API Acceleration, 1:00 PM - 2:00 PM | Venetian, Level 2, Veronese 2406
     Wednesday, November 28th: SEC402 - AWS, I Choose You: Pokemon's Battle against the Bots, 1:00 PM - 2:00 PM | Aria East, Level 2, Mariposa 5
     Tuesday, November 27th: CTD304 - Secure Your Site: Use CDN Security Features to Protect Your Content & Infrastructure, 5:30 PM - 6:30 PM | Aria West, Level 3, Starvine 10, Table 6
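Slides 23 and 26 describe whitelisting only the CloudFront IP range on the origin security group and keeping it current from Lambda. The following is an added example, not the code from the AWS blog post the slide cites: the real Lambda is triggered by the AmazonIpSpaceChanged SNS topic, downloads ip-ranges.json and calls EC2, whereas here the download and the EC2 calls are replaced by constructed inputs so the reconciliation logic runs offline; function names are this example's own, and it assumes a single group and HTTPS (port 443) only.

```python
"""Reconcile an origin security group's ingress rules with the CloudFront IP
ranges. Added example: the ip-ranges.json content and the current group rules
are constructed stand-ins; verify_digest / cloudfront_prefixes / plan_sg_update
are this example's own names."""
import hashlib
import ipaddress
import json

# Constructed stand-in for https://ip-ranges.amazonaws.com/ip-ranges.json
# (the real file has thousands of prefixes; only the shape matters here).
IP_RANGES_JSON = json.dumps({
    "syncToken": "1543000000",
    "createDate": "2018-11-27-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.84.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "54.239.0.0/28", "region": "us-east-1", "service": "EC2"},
    ],
})

# Constructed current ingress CIDRs of the ALB security group on port 443:
# one still-valid CloudFront range and one stale range that must be revoked.
CURRENT_SG_CIDRS = ["52.84.0.0/15", "205.251.192.0/19"]


def verify_digest(body: str, expected_md5: str) -> bool:
    """The SNS notification carries the MD5 of the published file; a mismatch
    (stale cache, truncated download, tampering) must abort the update."""
    return hashlib.md5(body.encode()).hexdigest() == expected_md5


def cloudfront_prefixes(ip_ranges_json: str) -> set:
    """Return the IPv4 prefixes tagged CLOUDFRONT, normalised via ipaddress
    (strict parsing rejects malformed CIDRs before they reach the EC2 API)."""
    data = json.loads(ip_ranges_json)
    return {str(ipaddress.ip_network(p["ip_prefix"]))
            for p in data["prefixes"] if p["service"] == "CLOUDFRONT"}


def plan_sg_update(current: list, desired: set, port: int = 443) -> dict:
    """Compute the authorize/revoke permissions that make the group allow
    exactly `desired` on `port`: new ranges are added, stale ones removed."""
    cur = {str(ipaddress.ip_network(c)) for c in current}

    def perms(cidrs):  # shape accepted by authorize/revoke_security_group_ingress
        if not cidrs:
            return []
        return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                 "IpRanges": [{"CidrIp": c} for c in sorted(cidrs)]}]

    return {"authorize": perms(desired - cur), "revoke": perms(cur - desired)}


if __name__ == "__main__":
    digest = hashlib.md5(IP_RANGES_JSON.encode()).hexdigest()  # as if from SNS
    if not verify_digest(IP_RANGES_JSON, digest):
        raise SystemExit("MD5 mismatch, refusing to touch the security group")
    plan = plan_sg_update(CURRENT_SG_CIDRS, cloudfront_prefixes(IP_RANGES_JSON))
    print(json.dumps(plan, indent=2))
```

Revoking the stale range matters as much as adding the new one: a group that only ever grows stops being a CloudFront-only whitelist.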
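Slides 37 and 38 present AWS WAF full logs as the basis for triage, compliance (with sensitive fields redacted) and the Lambda automations of slide 44. The following is an added example, not AWS's code: the records are constructed in the shape of AWS WAF full-log JSON (action, terminatingRuleId, httpRequest with clientIp and a headers list), one object per line as Kinesis Data Firehose delivers them; the helper names are this example's own. AWS WAF can redact fields at the source; this applies the same check downstream before forwarding to a SIEM.

```python
"""Triage and redact constructed AWS WAF full-log records, and pick repeat
offenders for a blocking automation. Added example; helper names are this
example's own."""
import json
from collections import Counter

SENSITIVE_HEADERS = {"authorization", "cookie", "x-api-key"}


def _record(action, rule, ip, uri, headers):
    """Build one constructed log record in the AWS WAF full-log shape."""
    return {"timestamp": 1543000000000, "webaclId": "example-webacl",
            "action": action, "terminatingRuleId": rule,
            "httpRequest": {"clientIp": ip, "country": "US", "uri": uri,
                            "httpMethod": "GET",
                            "headers": [{"name": n, "value": v} for n, v in headers]}}


# Constructed sample: one allowed request and three blocks, two from one client.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    _record("ALLOW", "Default_Action", "198.51.100.7", "/index.html",
            [("Host", "www.example.com")]),
    _record("BLOCK", "SQLi_Body", "203.0.113.5", "/login",
            [("Host", "www.example.com"), ("Cookie", "session=abc123")]),
    _record("BLOCK", "SQLi_Body", "203.0.113.5", "/login",
            [("Authorization", "Bearer secret-token")]),
    _record("BLOCK", "IPReputation", "203.0.113.9", "/admin",
            [("X-Api-Key", "k-123")]),
])


def parse_records(log_text: str) -> list:
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def summarize(records):
    """Counts per (action, terminating rule) and blocks per client IP, the two
    views needed to see which rules fire and against whom."""
    by_rule = Counter((r["action"], r["terminatingRuleId"]) for r in records)
    blocked_ips = Counter(r["httpRequest"]["clientIp"]
                          for r in records if r["action"] == "BLOCK")
    return by_rule, blocked_ips


def blocklist_candidates(records, threshold: int) -> list:
    """Client IPs blocked at least `threshold` times in this batch; an
    automation would feed these into an AWS WAF IP set (Count mode first)."""
    _, blocked_ips = summarize(records)
    return sorted(ip for ip, n in blocked_ips.items() if n >= threshold)


def redact(record: dict, sensitive=SENSITIVE_HEADERS) -> dict:
    """Return a copy with sensitive header values replaced. The header name is
    kept so analysts still see it was present; the secret itself is dropped."""
    out = json.loads(json.dumps(record))  # deep copy, original stays intact
    for header in out["httpRequest"]["headers"]:
        if header["name"].lower() in sensitive:
            header["value"] = "REDACTED"
    return out


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    by_rule, blocked = summarize(recs)
    print(by_rule.most_common(), blocked.most_common())
    print(blocklist_candidates(recs, threshold=2))
    print(json.dumps([redact(r) for r in recs if r["action"] == "BLOCK"], indent=1))
```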
