Security professionals and full-stack engineers will learn how to defend against distributed denial of service (DDoS) attacks and web application exploits by using automation to monitor activity, configure rate limiting, and deploy network filtering rules. This session will show you how to use Lambda functions to automate event response and integrate with your security operations tools. You will become an expert in advanced techniques to help you protect and monitor your AWS networks and resources using services such as Amazon Virtual Private Cloud, Amazon Web Application Firewall, Amazon Shield, and more. You will also learn how to monitor and gain deep visibility into your AWS environment by using highly-scaled solutions such as AWS CloudTrail and AWS CloudWatch. Learn More: https://aws.amazon.com/government-education/
10. What to expect from this session
Types of Threats AWS Shield Amazon VPC AWS WAF
11. Types of Threats
DDoS: Reflection, Layer 4 floods, Slowloris, SSL abuse, HTTP floods, Amplification
Bad Bots: Content scrapers, Scanners & probes, Crawlers
Application Attacks: SQL injection, Application exploits, Social engineering, Sensitive data exposure
(Chart spans the Network / Transport Layer and the Application Layer)
AWS Shield
12. Benefits of AWS Shield
AWS Integration: DDoS protection without infrastructure changes
Affordable: Don’t force unnecessary trade-offs between cost and availability
Flexible: Customize protections for your applications
Always-On Detection and Mitigation: Minimize impact on application latency
13. AWS Shield
Standard Protection: Available to ALL AWS customers at no additional cost
Advanced Protection: Paid service that provides additional protections, features, and benefits.
14. AWS Shield Standard
Layer 3/4 protection: Automatic detection & mitigation; protection from most common attacks (SYN/UDP floods, reflection attacks, etc.); built into AWS services
Layer 7 protection: AWS WAF for Layer 7 DDoS attack mitigation; self-service & pay-as-you-go
Automatic protection against 96% of Layer 3/4 attacks
Available globally on all internet-facing AWS services
15. AWS Shield Advanced
Additional detection & monitoring
Protection against large DDoS attacks
Visibility into attack detection & mitigation
AWS WAF at no additional cost
24X7 DDoS response team
Cost protection (absorb DDoS scaling cost)
17. AWS Shield Advanced
Available on ... Application Load Balancer, Classic Load Balancer, Amazon CloudFront, Amazon Route 53
In the following regions ... Northern Virginia (us-east-1), Oregon (us-west-2), Ireland (eu-west-1), Tokyo (ap-northeast-1)
19. What to expect from this session
Types of Threats AWS Shield Amazon VPC AWS WAF
20. Private IP space in AWS
Familiar networking model
Customer-defined networking logic
Strong security controls
What customers asked for…
21. Key Features of VPC
Choosing an address range
Setting up subnets in Availability Zones
Creating a route to the Internet
Authorizing traffic to/from the VPC
27. What to expect from this session
Types of Threats AWS Shield Amazon VPC AWS WAF
28. Challenges of Web Application Firewalls
Setup is complex and slow
Too many false positives
Limited APIs for automation
Expensive to implement and maintain
30. What is AWS WAF
Web traffic filtering with custom rules
Malicious request blocking
Active monitoring and tuning
31. How Does AWS WAF Protect You?
Security Automations
Preconfigured Protections
Highly Flexible Rule Language
32. Highly Flexible Rule Language
Quick incident response
Mitigations in < ~1 min.
Inspect any part of the request
33. Preconfigured Protections
You can get started quickly with built-in rules based on common use cases.
CloudFormation template
AWS WAF Configuration
Denial of Service attacks attempt to block legitimate users from accessing a web application by overwhelming either the network or server resources serving that application, either with unrelated network traffic or invalid application requests.
*Distributed* Denial of Service attacks are typically launched from a botnet of compromised computers or Internet devices.
The objective is to knock the targeted website or application offline for a period of time, disrupting availability for legitimate users.
Finally, sometimes bad actors want to bring down a web site using application-layer requests.
At the application layer, these usually aren’t very large volumes of traffic. Highly targeted attacks may go after expensive web pages with fewer than 100 requests per second.
Customers use WAFs to block these requests before they reach web server infrastructure.
First and foremost, a WAF is used to prevent web application bugs from turning into security breaches.
WAFs are an effective tool for blocking bad actors and known attack signatures when they occur.
Ecommerce customers often fight against bots that scrape pricing details.
Customers use AWS WAF to find and block content abuse cases.
Regardless of which tier you choose, we built AWS Shield Advanced with four key pillars in mind.
First, we want it to seamlessly integrate with your existing AWS infrastructure …
Available in two tiers: Standard and Advanced
Built-in detection and mitigation of Layer 3/4 attacks.
Customers who also want Layer 7 protections against application attacks can subscribe separately to AWS WAF.
Reduce attack surface
What customers wanted for VPC:
Want the flexibility of the cloud but need to keep their data isolated to meet compliance needs
Want to move applications to the cloud but need control over their network space
Build the architecture from the previous slide (create an empty SG, create a Lambda function, paste the code, point it to the SNS topic via the CLI, trigger the Lambda function manually for the first population of the SG).
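The demo architecture in that note, written out as an added example (not the deck's own demo code): a Lambda handler that keeps a security group's ingress rules in sync with a CIDR list delivered over SNS, so the first manual invocation populates the empty group and later ones only apply the diff. The SNS message format, the SG_ID environment variable and the TCP port are assumptions not stated on the page.

```python
"""Sync a security group's ingress rules with a CIDR list delivered via SNS.
Assumed message body (not from the page): {"port": 443, "cidrs": ["203.0.113.0/24"]}
Assumed environment variable: SG_ID holds the target security group id.
For the first manual run, invoke with an SNS-shaped test event of the same form.
"""
import ipaddress
import json
import os

def parse_sns_event(event):
    """Return (port, set of validated CIDRs) from an SNS-triggered Lambda event."""
    body = json.loads(event["Records"][0]["Sns"]["Message"])
    cidrs = {str(ipaddress.ip_network(c, strict=True)) for c in body["cidrs"]}
    return int(body["port"]), cidrs

def current_ingress(sg, port):
    """IPv4 CIDRs currently allowed on TCP/port in a describe_security_groups entry."""
    cidrs = set()
    for perm in sg.get("IpPermissions", []):
        if perm.get("IpProtocol") == "tcp" and perm.get("FromPort") == port == perm.get("ToPort"):
            cidrs.update(r["CidrIp"] for r in perm.get("IpRanges", []))
    return cidrs

def plan_update(current, desired):
    """Diff: (CIDRs to authorize, CIDRs to revoke); stale allows are removed, not accumulated."""
    return sorted(desired - current), sorted(current - desired)

def ip_permissions(port, cidrs):
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": c} for c in cidrs]}]

def lambda_handler(event, context):
    import boto3  # imported here so the pure helpers above run without AWS credentials
    ec2 = boto3.client("ec2")
    sg_id = os.environ["SG_ID"]
    port, desired = parse_sns_event(event)
    sg = ec2.describe_security_groups(GroupIds=[sg_id])["SecurityGroups"][0]
    add, drop = plan_update(current_ingress(sg, port), desired)
    if drop:
        ec2.revoke_security_group_ingress(GroupId=sg_id, IpPermissions=ip_permissions(port, drop))
    if add:
        ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=ip_permissions(port, add))
    return {"authorized": add, "revoked": drop}
```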
Problems with traditional WAFs
Get slide deck from Sundar:
Traditional WAFs don’t have API support; ours has 100% API support.
Too many rules, too many false positives; buying an elephant and using a mouse.
4-5 talking points about what customers wanted
Answering the question of what the customer needs
WAF can be used for detection and mitigation, or just mitigation
Intel might come from Splunk or some other third party
Propagated in under 1 minute (differentiating feature for our WAF); damage is done in hours
100% API automation
App code developers can develop WAF code/rules
Flex (flexible rule language) = Apache Struts demo
Pre (preconfigured protections) = CloudFormation template
Ease of use talking point during demos
CloudFormation templates with preconfigured rules; works with other services like Lambda
A couple of demos (story, rule engine)
AWS Answers: Sundar will send this
Consider demoing this for ease of use and flexibility: https://aws.amazon.com/answers/security/aws-waf-security-automations/
Create a WAF rule that blocks the recent Apache Struts vuln (“cmd=”)
IP reputation lists, CloudFront logs
Take it one step further
You can go beyond this
You can only do this because of the 100% API coverage
An analyzer that looks at the highest level of detail in web logs
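An added example (not from the deck) of the log analyzer and the “cmd=” detection mentioned in these notes: it parses CloudFront access-log records using the #Fields header, URL-decodes the URI and query before matching so percent-encoded variants are not missed, and counts per-second requests per client IP. The log lines, the signature and the low rate threshold are constructed for the sample; a real deployment would feed the resulting list into a WAF IPSet.

```python
"""Minimal CloudFront access-log analyzer (added example, constructed sample data)."""
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log excerpt in CloudFront's tab-separated W3C format, not real traffic.
SAMPLE_LOG = """#Version: 1.0
#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) cs-uri-stem sc-status cs(Referer) cs(User-Agent) cs-uri-query
2017-06-01\t12:00:01\tIAD53\t512\t203.0.113.10\tGET\td111.cloudfront.net\t/index.html\t200\t-\tMozilla/5.0\t-
2017-06-01\t12:00:01\tIAD53\t512\t198.51.100.7\tGET\td111.cloudfront.net\t/showcase/index.action\t200\t-\tcurl/7.5\t%63md%3Dtest
2017-06-01\t12:00:02\tIAD53\t512\t192.0.2.44\tGET\td111.cloudfront.net\t/search\t200\t-\tpython-requests\tq=a
2017-06-01\t12:00:02\tIAD53\t512\t192.0.2.44\tGET\td111.cloudfront.net\t/search\t200\t-\tpython-requests\tq=b
2017-06-01\t12:00:02\tIAD53\t512\t192.0.2.44\tGET\td111.cloudfront.net\t/search\t200\t-\tpython-requests\tq=c
"""

def parse_cloudfront_log(text):
    """Yield one dict per record, naming columns from the #Fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def analyze(text, signature="cmd=", rps_limit=2):
    """Return sorted IP lists: clients sending the signature, and clients over rps_limit."""
    hits, per_second = set(), Counter()
    for rec in parse_cloudfront_log(text):
        # Decode before matching; a WAF rule would apply URL_DECODE for the same reason.
        target = unquote_plus(rec["cs-uri-stem"] + "?" + rec["cs-uri-query"])
        if signature in target:
            hits.add(rec["c-ip"])
        per_second[(rec["c-ip"], rec["date"], rec["time"])] += 1
    flooders = {ip for (ip, _, _), n in per_second.items() if n > rps_limit}
    return {"signature_hits": sorted(hits), "flooders": sorted(flooders)}

def block_list(text, **kw):
    """Union of both findings: the list an automation would push to a WAF IPSet."""
    r = analyze(text, **kw)
    return sorted(set(r["signature_hits"]) | set(r["flooders"]))
```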