Learning Objectives:
- Discover how to secure your cloud infrastructure with Amazon CloudFront, AWS Shield and AWS WAF
- Learn how to offload security heavy-lifting to the AWS Edge
- Learn about the built-in security in Amazon CloudFront
- Get tips on how to develop an adaptive security strategy for your cloud
In this tech talk, you will learn how you can better defend your websites and cloud infrastructure from cyberattacks using edge services from AWS, such as Amazon CloudFront, AWS Shield and AWS WAF. You will go behind the scenes to see how edge services help mitigate common DDoS attacks, how to use advanced protocols and ciphers, and how to enforce end-to-end HTTPS connections. You will also learn how to use additional features like AWS WAF's IP and bot blocking to implement tailored and advanced protection.
3. Agenda
• Anatomy of a typical Web Application
• What are the challenges?
• How can you secure it without compromising on availability, performance or flexibility?
• Protect your applications with Amazon CloudFront, AWS Shield and AWS WAF
4. A typical Web Application
(Diagram: end users reaching dynamic applications, personalized content, static assets and an API, all hosted in a corporate data center)
6. Design & Implementation Challenges
(Diagram: the same application, together with everything the corporate data center has to run to serve it: web servers, app servers, database servers, storage servers, firewalls, load balancers, traffic management and monitoring)
7. How does AWS help …
Offload complexity without losing flexibility, while still building a highly secure, highly available and highly scalable application.
8. Static Asset Delivery
(Diagram: the application in the corporate data center, with the static assets highlighted)
• Latency matters
• Scale matters - ability to handle large usage spikes
9. Static Assets delivered via CloudFront
(Diagram: static assets now served from Amazon CloudFront in the AWS Cloud, with Amazon Route 53 for DNS; the dynamic applications, personalized web applications and un-cacheable API stay in the corporate data center)
10. Edge Delivery Using CloudFront
An enterprise-class CDN: high availability, application acceleration, AWS integration and cost effectiveness.
11. Resiliency for Dynamic Content
(Diagram: Amazon CloudFront and Amazon Route 53 in front of the data center, with the dynamic applications highlighted)
• Business Logic
• Low or Zero TTL
• Secure Connections
12. Resiliency for Dynamic Content
(Diagram: Amazon CloudFront in front of an Amazon Elastic Load Balancer, with Amazon Route 53 for DNS, serving the dynamic applications, personalized web applications, static assets and un-cacheable API)
13. Why use CloudFront to Front Both Static & Dynamic Content?
1) TLS Termination closer to end users
2) Secure Full Duplex Connections
3) Connection Optimization between Edge and ELB
4) Even small amounts of caching (low TTL) provide a significant increase in resiliency in case of request spikes
14. Edge Delivery of Dynamic Content
Application Acceleration – CloudFront in front of ELB
15. Personalized Content
(Diagram: Amazon CloudFront, Amazon Elastic Load Balancer and Amazon Route 53 in front of the application, with the personalized web applications highlighted)
• Customized Content for every end user
• Scale Matters
• Latency Matters
16. AWS Lambda: Serverless computing
Run code without servers. Pay only for the compute time you consume.
Triggered by events or called from APIs:
• PUT to an Amazon S3 bucket
• Updates to Amazon DynamoDB table
• Call to an Amazon API Gateway endpoint
• Mobile app back-end call
• CloudFront requests
• And many more…
Makes it easy to:
• Perform real-time data processing
• Build scalable back-end services
• Glue and choreograph systems
17. Benefits of AWS Lambda
• Continuous scaling
• No servers to manage
• Never pay for idle – no cold servers (only happy accountants)
19. Imagine if you could run code at…
(Diagram: world map of AWS edge locations across North America, South America, EMEA and APAC, spread over cities, countries and continents)
20. Introducing Lambda@Edge
• Lambda@Edge is an extension of AWS Lambda that allows you to run Node.js code at AWS global edge locations.
• Bring your own code to the edge and customize your content very close to your users, improving end user experience.
• Continuous scaling
• No servers to manage
• Never pay for idle – no cold servers
• Globally distributed
22. Lambda@Edge – Application Security
Visitor Validation
• Handling bots: detect search engine bots and filter traffic from origin servers by displaying a Captcha page
• Confirm valid sessions: view the user-agent to confirm the legitimacy of the request and add an access-control allow header accordingly
• Validate the access token to confirm authentication status
23. Lambda@Edge – Application Security
RFC 6797 - HTTP Strict Transport Security (HSTS)
Strict-Transport-Security: max-age=31536000; includeSubDomains
Browser support introduced in:
• Internet Explorer: Internet Explorer 11 on Windows 8.1 and Windows 7
• Firefox 4
• Opera 12
• Safari: Mavericks (Mac OS X 10.9)
• Chrome 4.0.211.0
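The slide shows the header but not where it is set. The following is an added example, not code from the talk or from AWS: a Lambda@Edge viewer-response handler (Node.js, the runtime the deck names) that stamps exactly that HSTS value onto every response CloudFront returns to the browser. The event layout is CloudFront's (headers keyed by lower-case name, each a list of {key, value} pairs); the sample event at the bottom is constructed for this example.

```javascript
'use strict';

// Added example (not from the talk): Lambda@Edge viewer-response handler
// that enforces the HSTS policy from RFC 6797 at the edge.

const HSTS_VALUE = 'max-age=31536000; includeSubDomains';

function addHsts(response) {
  const headers = response.headers || {};
  // Replace rather than append: if the origin sent a weaker or conflicting
  // policy, the edge policy is the one the browser should record.
  headers['strict-transport-security'] = [
    { key: 'Strict-Transport-Security', value: HSTS_VALUE },
  ];
  response.headers = headers;
  return response;
}

// Lambda@Edge entry point for the viewer-response trigger.
const handler = async (event) => addHsts(event.Records[0].cf.response);

// Constructed sample viewer-response event: the origin answered with a
// short max-age that the edge policy overrides.
function sampleEvent() {
  return {
    Records: [{
      cf: {
        config: { eventType: 'viewer-response' },
        request: { uri: '/index.html', method: 'GET', headers: {} },
        response: {
          status: '200',
          headers: {
            'content-type': [{ key: 'Content-Type', value: 'text/html' }],
            'strict-transport-security': [
              { key: 'Strict-Transport-Security', value: 'max-age=60' },
            ],
          },
        },
      },
    }],
  };
}

if (typeof module !== 'undefined') {
  module.exports = { handler, addHsts, sampleEvent };
}
```

Browsers only honour the header when it arrives over HTTPS, so this pairs with the "enforce end-to-end HTTPS" point from the talk: set the distribution's viewer protocol policy to redirect HTTP to HTTPS. Two checks before deploying it: with includeSubDomains every subdomain must already serve HTTPS, because browsers will refuse plain HTTP for all of them for the full max-age; and since a viewer-response trigger runs on cache hits as well as misses, the header is applied uniformly without touching the origin.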
24. Lambda@Edge – Application Security
Authentication and Access Control
Publishers such as the New York Times or HBR want to restrict the number of free articles each viewer can access a month before redirecting to a subscription page.
Cookies can be used to count the number of access attempts per user, and a Lambda@Edge function can inspect cookies for access and redirect to a subscription page when the user reaches their limit.
25. Lambda@Edge – Application Personalization
A/B Testing
• “Flip a coin” to select a version of content
• Set cookies to ensure that users continue to see the corresponding versions of content
Response Generation
• Redirect unauthenticated users to a specific login page that you create on the fly
• Generate custom error pages or static webpages directly from an edge location closest to the end user
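As an added example (not code from the talk), the A/B pattern above as a Lambda@Edge viewer-request handler, which also exercises the response-generation point: a viewer with no experiment cookie gets a variant by coin flip and a short redirect, generated at the edge, that sets the cookie; every later request carries the cookie and is routed to the matching content. The cookie name, the "/b" origin prefix for variant B and the sample requests are constructed; the random source is injectable so the assignment can be tested.

```javascript
'use strict';

// Added example (not from the talk): Lambda@Edge viewer-request handler
// implementing sticky A/B assignment with a cookie.

const AB_COOKIE = 'ab';
const VARIANTS = ['a', 'b'];

// Variant from a valid experiment cookie, or null. Only values in VARIANTS
// are accepted: the cookie is viewer-controlled and must not be allowed to
// steer the URI rewrite below anywhere else.
function readVariant(request) {
  const all = (request.headers.cookie || []).map((h) => h.value).join('; ');
  const m = new RegExp('(?:^|;\\s*)' + AB_COOKIE + '=([^;]+)').exec(all);
  return m && VARIANTS.includes(m[1]) ? m[1] : null;
}

// "Flip a coin"; rng is injectable for testing.
function chooseVariant(rng) {
  return rng() < 0.5 ? 'a' : 'b';
}

// Variant A is the default content; variant B lives under /b at the origin.
// Rewriting in viewer-request means each variant gets its own cache key.
function routeToVariant(request, variant) {
  if (variant === 'b') request.uri = '/b' + request.uri;
  return request;
}

function abTest(request, rng = Math.random) {
  const existing = readVariant(request);
  if (existing) return routeToVariant(request, existing);

  // First visit (or unrecognised cookie value): assign, persist the choice,
  // and send the viewer back round with the cookie. Cache-Control: no-store
  // keeps this per-viewer redirect out of shared caches.
  const variant = chooseVariant(rng);
  const target = request.uri + (request.querystring ? '?' + request.querystring : '');
  return {
    status: '302',
    statusDescription: 'Found',
    headers: {
      location: [{ key: 'Location', value: target }],
      'set-cookie': [{ key: 'Set-Cookie', value: AB_COOKIE + '=' + variant + '; Path=/; Secure; SameSite=Lax' }],
      'cache-control': [{ key: 'Cache-Control', value: 'no-store' }],
    },
  };
}

// Lambda@Edge entry point for the viewer-request trigger.
const handler = async (event) => abTest(event.Records[0].cf.request);

if (typeof module !== 'undefined') {
  module.exports = { handler, abTest, readVariant, chooseVariant };
}
```

The extra round trip on the first visit is the price of keeping the whole decision in one trigger; the alternative, assigning in viewer-request and setting the cookie in viewer-response, avoids it at the cost of two functions sharing state through the request.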
26. Personalized Content at the Edge
(Diagram: Lambda@Edge running at Amazon CloudFront, with Amazon Elastic Load Balancer and Amazon Route 53, serving the dynamic applications, personalized web applications, static assets and un-cacheable API)
35. Leveraging The Edge For TLS
(Diagram: Amazon CloudFront in the AWS Cloud terminating TLS in front of the corporate data center's dynamic applications, personalized web applications, static assets and un-cacheable API, with DDoS traffic arriving at the edge)
36. Amazon CloudFront: Built-in Security
HTTPS Delivery
• Terminate TLS at Edge
• SNI Custom TLS (No Additional Cost)
• Advanced Ciphers
• Perfect Forward Secrecy
• OCSP Stapling
AWS Certificate Manager
• Provision Certificates for Free
• Easy to procure a new certificate (directly on the CloudFront console)
• Hassle-free automatic certificate renewal
37. Leveraging The Edge for DDoS Protection
(Diagram: DDoS traffic absorbed at Amazon CloudFront before it reaches the corporate data center's dynamic applications, personalized web applications, static assets and un-cacheable API)
40. AWS Shield Advanced
Four key pillars…
• AWS Integration: DDoS protection without infrastructure changes
• Affordable: don’t make trade-offs between cost and quality
• Flexible: customize protections for your applications
• Always-On Detection and Mitigation: minimizes impact on application latency
41. AWS Shield for DDoS Protection
Available in ALL AWS Edge Locations Worldwide
43. AWS Shield
Standard Protection: available to ALL AWS customers at no additional cost.
Advanced Protection: paid service that provides additional protections, features and benefits.
44. AWS Shield Standard
Layer 3/4 protection
• Automatic detection & mitigation
• Protection from most common attacks (SYN/UDP floods, reflection attacks, etc.)
• Built into AWS services
Layer 7 protection
• AWS WAF for Layer 7 DDoS attack mitigation
• Self-service & pay-as-you-go
Automatic protection against 96% of Layer 3/4 attacks
Available globally on all internet-facing AWS services
45. AWS Shield Advanced
Additional Detection & Monitoring
Protection against Large DDoS attacks
Visibility into Attack Detection & Mitigation
AWS WAF at No Additional Cost
24X7 DDoS Response Team
Cost Protection (Absorb DDoS Scaling cost)
46. AWS Shield Advanced
• Always-on monitoring & detection
• Advanced L3/4 & L7 DDoS protection
• Attack notification and reporting
• 24x7 access to DDoS Response Team
• AWS bill protection
47. Leveraging the Firewall at the Edge and on ALB
(Diagram: the application fronted by Amazon CloudFront in the AWS Cloud, with the corporate data center's dynamic applications, personalized web applications, static assets and un-cacheable API behind it and DDoS traffic arriving at the edge)
51. How AWS WAF Protects Your App
AWS WAF (Web Application Firewall)
• Flexible Rules Language
• Pre-configured Protection
• Advanced Security Automation
• Partner Rules
52. How AWS WAF Protects Your App
• Quick incident response: mitigations in < ~1 min
• Inspect any part of the request
53. How AWS WAF Protects Your App
• SQL injection
• IP reputation lists
• Cross-site scripting
55. How AWS WAF Protects Your App
• Implement AWS WAF
• Curated rulesets (in preview)
56. Summary – Building Blocks for a Complete Web Application
(Diagram: Amazon CloudFront with Lambda@Edge, Amazon Route 53, Amazon Elastic Load Balancer, API Gateway and AWS Lambda serving the dynamic applications, personalized web applications, static assets and un-cacheable API, with DDoS traffic stopped at the edge)
57. Summary – Key Takeaways
• AWS has built-in security - perimeter protection without infrastructure changes
• Use CloudFront to front static content, dynamic content and APIs
• Lambda@Edge provides you the flexibility for personalizing content
60. Upcoming Amazon CloudFront Office Hours
CloudFront Office Hours
Thursday, June 29th, 2017 10:00 am PDT
How do you register?
https://aws.amazon.com/cloudfront/events/
@cloudfront