A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security Services - AWS Summit Sydney

© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Shane Baldacchino
Solutions Architect, Amazon Web Services
Self Defending Borders
Protect Your Web-facing Workloads With AWS Security Services

What To Expect From The Session
Together, we will:
• Dive right in!
• Explore a use case of edge transformation using AWS
WAF, AWS Shield, & AWS Guard Duty in conjunction
with other AWS services.
• Walk through a demo of how a self defending AWS
architecture will increase your security posture.
• Take a deep dive into the architecture behind the
demonstration.

Increased
Frequency
Low Capital
Investment
Rules and
Regulations
Disparate
Non Connected
System
Modern Business Challenges

Threats Facing Online Assets?
There Are Many

OWASP Style
Attacks
Critical Web
Application Security
Risks

OWASP - Injection
User Input DatabaseWebsite
SELECT * FROM Users
WHERE Name = "Shane" AND Pass = "XXXX"
User = "Shane"
Pass = "XXXX"
SELECT Statement

SELECT * FROM Users
WHERE Name ="" or ""="" AND Pass ="" or ""=""
Malicious Actor Website
User = " or ""="
Pass = " or ""="
SELECT Statement
Database
OWASP - Injection

OWASP Style
Attacks
Critical Web
Application Security
Risks
Hacktivists &
Crime Syndicates
External Threats

Control
Server
Victim Website
Bots
Malicious
Actor
Botnets And DDoS

We Use Controls
How Are We Fighting These Threats Today?

L3 – L7
Firewalls
Monitoring
Static Analysis
DDoS
Mitigation
Source Destination
Checks
BGP Announcements
Traffic Rerouting
Static Application
Security Testing
Log File Analysis

Expensive False PositivesLack
Automation
CAPEX Heavy
Over Provisioning
License Locked
Integration Challenges
With DevSecOps
Models
Content Changes
Often Require New
Rules

Let’s Make This Real…

• N-Tier Architecture
• ERP and CRM Integration
• Quickly Growing
• Limited IT resources
The Snowy Unicorn Elevator Company

Availability Zone A Availability Zone B
Auto Scaling Group
EC2
instances
EC2
instances
Application
Load Balancer
MySQL DB MySQL DB
Application
Load Balancer
Amazon
Route 53
Bastion
Host
Online Architecture

• Designed For Penetration Testing
and Security Auditing
• Contains Several Hundred Tools
• Available in AWS Marketplace
Kali Linux

Architecture Of Attacks - Discovery

Architecture Of Attacks - Crawl

Architecture Of Attacks - OWASP

Architecture Of Attacks - DOS

Architecture Of Attacks - Brute Force

Demo

What’s Wrong With Our Architecture?
L7 Attacks Scale, Cost &
Reputation
Traditional security
control were
ineffective
ASG Elasticity
Network Bandwidth
Flew under the radar
Visibility

We Need A Smarter Approach
And New Tools

Standard Protection Advanced Protection
Paid service that provides
additional, comprehensive
protections from large and
sophisticated attacks
Available to ALL AWS
customers at No
Additional Cost
AWS Shield

Control
Server
Bots
Malicious
Actor
Botnets And DDoS
Victim Website

Comprehensive
API Integration
Leverage IP
Reputation Lists
Mitigate OWASP
Vulnerabilities
AWS WAF

Step 2
Amazon CloudFront
checks if request
requires WAF
Step 1
HTTP/HTTPS Request
made for content to
Amazon CloudFront
AWS WAF Request Process

Error Page Delivered by Amazon CloudFront
Step 1
HTTP/HTTPS Request
made for content to
Amazon CloudFront
Step 3
WAF reviews request;
instructs Amazon
CloudFront to allow/deny
Step 2
Amazon CloudFront
checks if request
requires WAF

Step 3
instructs Amazon
Step 2
Amazon CloudFront
checks if request
requires WAF
Content Delivered via Amazon CloudFront
Step 1
HTTP/HTTPS Request
made for content to
Amazon CloudFront

Step 4
WAF sends metric to
Amazon CloudWatch. Rule
can be updated via API
Step 3
instructs Amazon
Step 2
Amazon CloudFront
checks if request
requires WAF
Step 1
HTTP/HTTPS Request
made for content to
Amazon CloudFront
Content Delivered via Amazon CloudFront

Malicious Actor
SELECT * FROM Users
Website
User = " or ""="
Pass = " or ""="
SELECT Statement
Database
OWASP - Injection

SELECT * FROM Users
SELECT Statement
Malicious Actor Website
User = " or ""="
Pass = " or ""="
Database
OWASP - Injection

Let’s Get Proactive
Self Defending Borders

AWS
WAF
IP Whitelist / Blacklist
HTTP Flood Protection
OWASP Top 10 Protection
AWS ShieldAmazon
CloudFront
Application
Load
Balancer
Application Requests
(Static + Dynamic)

Application
Load
Balancer
Amazon
CloudFront
Amazon S3
Bucket
Access Logs
(Static + Dynamic)
AWS Shield
AWS
WAF

Amazon API
Gateway
Application
Load
Balancer
Amazon
CloudFront
Amazon S3
Bucket
Access Logs
Honey Pot
Endpoint
AWS
WAF
(Static + Dynamic)
AWS Shield

AWS WAF AWS Shield
Demo

Amazon
DynamoDB
Amazon
SQS
Amazon
SNS
Amazon
CloudWatch
AWS Step
Functions
Amazon
ElasticSearch
NoSQL
data store
Run code
without servers
AWS
Lambda
Simple, durable
object store
Monitoring for
cloud resources
Build distributed
applications
Highly scalable
push messaging
Fully managed
message queue
Scalable
ElasticSearch
Service
Integration
Tightknit API
Driven Platform
Amazon
S3

Amazon API
Gateway
Application
Load
Balancer
Amazon
CloudFront
Amazon S3
Bucket
Access Logs
Honey Pot
Endpoint
AWS
WAF
(Static + Dynamic)
AWS Shield
AWS Step
Functions
Access Logs
AWS Lambda
Access Handler
Bad Bot & Scraper Protection

Build and run
applications
without thinking
about servers
Availability and
scalability is
managed by
AWS
Not paying for
idle time
AWS Lambda

Start
FirstState
ChoiceState
NextState
SecondMatchState DefaultStateFirstMatchState
End
AWS Step Functions

Start
FirstState
Decision
{
"StartAt": ”FirstState",
"States":
{
"ManualApproval": {
"Type": "Task",
"Resource": "arn:aws:states:aws-region:xxxxxxxxxxx:activity:ManualStep",
"Next": ”Log_Ticket_InfoSec"
},
”Decision": {
"Type" : "Choice",
"Choices": [
{
"Variable": "$.user_agent",
"NumericEquals": 1,
"Next": "Yes"
},
{
"Variable": "$.user_agent",
"NumericEquals": 0,
"Next": "No"
}
]
},
”Update_AWS_WAF": {
"Type": ”Task",
"Resource": "arn:aws:states:aws-region:xxxxxxxxxxx:activity:UpdateWAF"
"End": true
}
Yes
(Manual Approval)
No
Define in JSON and Then Visualise in the Console
End

Detected Attack
Blacklist
Router
New Attack Type
Manual Approval
Update WAF
Scraper ACL
Update WAF
BadBot ACL
Update EC2
Guest Firewall
Known Attack
Start
End

Detected Attack
New Attack Type
Manual Approval
Known Attack
Start
End
Update WAF
Scraper ACL
Update WAF
BadBot ACL
Update EC2
Guest Firewall
Blacklist
Router

AWS WAF AWS ShieldAmazon API GatewayAWS Lambda AWS Step Functions
Demo

Amazon API
Gateway
Application
Load
Balancer
Amazon
CloudFront
Amazon S3
Bucket
Access Logs
Honey Pot
Endpoint
AWS
WAF
(Static + Dynamic)
AWS Shield
AWS Step
Functions
Access Logs
AWS Lambda
Access Handler
Known Attacker Protection
AWS Guard
Duty
Access Logs
AWS Lambda
Guard Duty and 3rd Party IP Lists
Amazon CloudWatch

Generate
findings through
VPC Log Stream
Queries to
questionable
domains
AWS CloudTrail
history of AWS
calls and user
activity
AWS Guard Duty

Amazon GuardDuty Amazon CloudWatch
CloudWatch Event Amazon SNS Amazon SQS
AWS Step
Functions
AWS Lambda
Detection Report Act
AWS Platform
Automating Remediation

Scanner & Probe Protection
Known Attacker Protection
AWS
WAF
Amazon API
Gateway
AWS Step
Functions
AWS Lambda
Log Parser
AWS Guard
Duty
Amazon S3
Bucket
Access Logs
(Static + Dynamic)
Honey Pot
Endpoint
AWS Lambda
Guard Duty and 3rd Party IP Lists
AWS Lambda
Access Handler
Amazon CloudWatch
Application
Load
Balancer
AWS ShieldAmazon
CloudFront

AWS WAF AWS ShieldAmazon API Gateway AWS Lambda AWS Step FunctionsAWS Guard Duty
Demo

AWS WAF Amazon API Gateway AWS Lambda
AWS ShieldAWS Step FunctionsAWS Guard Duty
Our Security Tool Box

Let’s Do The Math
Can I Afford This?

All This For Under $20

AWS WAF
Web ACL and Rules $5 per month per WebACL + $1 per month per rule
Request Charge $0.60 per million requests
$16

Amazon API Gateway
$3.50 per million API calls
$0.05$16

AWS Lambda
$0.20 per million requests
$0.02
$0.05$16

AWS GuardDuty
VPC Flow Log and DNS Log Analysis First 500GB $1.10 per GB
CloudTrail Event Analysis $4.40 per 1 million requests
$1.05$0.02
$0.05$16

AWS Step Functions
$0.025 per 100 state transitions
$1.05$0.02
$0.05$16
$0.10

AWS Shield - Standard
$0.00
$0.00$0.10
$1.05$0.02
$0.05$16

Session Recap
Build Dynamic Security Architectures
Leverage the AWS platform to provide visibility and drive
maturity in to your InfoSec practice

Session Recap
Comprehensive Security Portfolio
Security at AWS is the highest priority. Benefit from security
architecture for the most security-sensitive organisations

Cost Optimised Security
Drive the cost of performing security down whilst providing
full stack automation with the AWS platform
Comprehensive Security Portfolio
Security at AWS is the highest priority. Benefit from security
architecture for the most security-sensitive organisations
Session Recap

AWS WAF AWS ShieldAmazon API Gateway AWS Lambda AWS Step FunctionsAWS Guard Duty
Let AWS do the undifferentiated
heavy lifting for you

WAF Automation - http://amzn.to/2gblvOz
Step Functions Approval Workflow -
http://amzn.to/2hkPOUF
AWS WAF
Product Details -
https://aws.amazon.com/shield/
Tutorial - http://amzn.to/2eS8GK9
How to get Started Today
Product Details - https://aws.amazon.com/waf/
Tutorial - http://amzn.to/2rBdR4Q
AWS Automation
AWS Shield

Thank You
balshane@amazon.com

A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security Services - AWS Summit Sydney

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security Services - AWS Summit Sydney

Similar to A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security Services - AWS Summit Sydney (20)

More from Amazon Web Services

More from Amazon Web Services (20)

A Self-Defending Border: Protect Your Web-Facing Workloads with AWS Security Services - AWS Summit Sydney