Global presence helps against both infrastructure and application attacks by dispersing the traffic across 52 edge locations. In addition to increased capacity, CloudFront can also allow or disallow access to content on a per country basis. Edge locations have multiple internet connections making sure that they are still able to serve traffic even if one of the connections is saturated. It is very unusual to have more than one connection saturated by a DDoS attack so. Additionally edge locations have filtering capability to ensure that on valid connections and valid requests are made. This ensures that CloudFront will only make valid object fetches from the origin and Route53 will only honor valid requests for your domain name.
With the caching and acceleration technology that CloudFront has, we can deliver all of you content from static images to user inputted content. Static: images, js, html, etc Video: rtmp and http streaming support Dynamic: customizations and non-cachable cotnent User Input: http verb support including Put/Post, etc SSL: Serve the content securely with SSL (https)
High security ciphers improve the security of HTTPS connections. Amazon CloudFront edge servers and clients (e.g. browsers) automatically agree on a cipher as part of the SSL handshake process, and now the connections can use ciphers with advanced features such as Elliptic Curve signatures and key exchanges.
Perfect Forward Secrecy provides additional safeguards against the eavesdropping of encrypted data, through the use of a unique random session key. This prevents the decoding of captured data, even if the secret long-term key is compromised.
Server Certificates identify servers 3 SSL options Default SNI Dedicated IP Full Bridge & Half Bridge We validate SSL certificates to origin
First of all, let’s make sure we are all on the same page. What is a WAF? Quite simply, a WAF is a Web Application Firewall. It is an application layer firewall used to protect web assets from various forms of attack. WAF is an appliance, server plugin or filter that applies a set of rules to HTTP traffic. Another way to look at it, a web security service providing OSI Layer 7 protection by monitoring http and https requests and restricting access to web applications.
Why do IT managers devops engineers buy / implement a WAF? Gartner reports that 25-30% of all WAF implementations are for the protection of eCommerce solutions that require a PCI compliant workflow. While we are offering the WAF as part of CloudFront, which *IS* a PCI Compliant service, the AWS WAF will not obtain PCI compliance until Q3 2016. However, it can still be used as a component in architectures requiring PCI compliance. If you have questions about this, please contact us offline to discuss in more detail.
Common attacks include high volume request traffic for content from a single IP address or a range of IP addresses.
CDN based WAF’s filter requests at edge locations before content is served or requests are forwarded to the origin server