Whether you are building an e-commerce site or a business application, security is a key consideration when architecting your website or application. In this session, you will learn more about some of the things CloudFront does behind the scenes to protect the delivery of your content such as OCSP Stapling and Perfect Forward Secrecy. We will also share best practices on how you can use CloudFront to securely deliver content end-to-end, control who accesses your content, how to shield your origins from the Internet, and getting a A+ on SSL labs.

1. © 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Secure Content Delivery Using Amazon
CloudFront
Ken Chan
Business Development Manager, GCR
kenchan@amazon.com

2. What to Expect from the Session
In this session we will talk about:
• Why security matters
• Key aspects of security
• How Amazon CloudFront can help
• Best practices for secured delivery on Amazon
CloudFront

3. Overview: Why Security Matters
• Customer Trust
• Regulatory Compliance
• Data Privacy

4. How AWS Can Help
Infrastructure
Security
Application
Security
Services Security
In the cloud, security is a shared responsibility
https://aws.amazon.com/compliance/shared-responsibility-model/
Encrypt data in transit
Encrypt data at rest
Protect your AWS Credentials
Rotate your keys
Secure your application, OS,
Stack and AMIs
Enforce IAM policies
Use MFA, VPC, Leverage
S3 bucket policies
EC2 Security groups
EFS in EC2, ACM, etc.
SOC 1,2,3
ISO 27001/2 Certification
PCI DSS 2.0 Level 1-5
HIPAA/SOX Compliance
FedRAMP, FISMA &
DIACAP ITAR
How we secure our
infrastructure
How can you secure your
application?
What security options and
features are available to you?

5. How CloudFront Can Help
Infrastructure
Security Application
Security
Services Security
Security on CloudFront
SSL/TLS Options
Private Content
Origin Access Identities
Web Application Firewall
AWS CloudTrail
IAM Policies
Origin Protection
Rotate Keys
Rotate Certificates
PCI DSS 2.0 Level 1
ISO 9001, 27001,
27017, 27018

6. How CloudFront Can Help
What CloudFront
does automatically
What you can do
using CloudFront
features
+ =
What should you do?
Highly secure content
delivery

7. Infrastructure Security
How we secure our infrastructure
Infrastructure
Security
Application
Security
Services Security

8. Infrastructure Security
Facilities
Physical Security
Cache Infrastructure
Network Infrastructure + =
What should you do?
Highly Secure Content
Delivery

9. Infrastructure Security
• Bastion hosts for maintenance
• Two-factor authentication
• Encryption
• Separation to enhance containment
• Testing & metrics
CloudFront Edge Location
x

10. Infrastructure Security

11. Services Security
Security options and features available on CloudFront
Infrastructure
Security
Application
Security
Services Security

12. Services Security
High Security Ciphers
PFS
OCSP Stapling
Session Tickets
SSL/TLS Options
Private Content
Trusted Signers
Web Application Firewall
AWS CloudTrail
AWS Certificate Manager
+ =
What should you do?
Highly Secure Content
Delivery

13. CloudFront can protect ‘Data in Transit’

14. CloudFront Protects Data in Transit
Origin
Edge
Location
User Request A
• Deliver content over
HTTPS to protect data
in transit
• HTTPS Authenticates
CloudFront to Viewers
• HTTPS Authenticates
Origin to CloudFront

15. CloudFront enables advanced SSL
features automatically

16. Validate Origin Certificate
CloudFront validates SSL certificates to origin
 Origin domain name must match Subject Name on
certificate
 Certificate must be issued by a Trusted CA
 Certificate must be within expiration window

17. But there are things you need to do

18. Deliver Content using HTTPS
• CloudFront makes it easy
• Create one distribution, and deliver both
HTTP & HTTPS content
• There are other options as well:
• Strict HTTPS
• HTTP to HTTPS redirect

19. CloudFront TLS Options
Default CloudFront
SSL Domain Name
CloudFront certificate
shared across customers
When to use?
Example: dxxx.cloudfront.net
SNI Custom SSL
Bring your own SSL certificate
OR use AWS Certificate Manager
Relies on the SNI extension of the
Transport Layer Security protocol
When to use?
Example: www.mysite.com
Some older browsers/OS do not support
SNI extension
Dedicated IP Custom
SSL
Bring your own SSL certificate
OR use AWS Certificate
Manager
CloudFront allocates dedicated
IP addresses to serve your SSL
content
When to use?
Example: www.mysite.com
Supported by all browsers/OS

20. Before (time-consuming & complex)
3rd Party
Certificate
Authority
3-5 days
Upload to IAM
via AWS CLI
Connect to CloudFront
via AWS CLI
After (simple & automated & super fast)
AWS
Certificate
Manager
End-to-end process
within minutes
Using a couple of
mouse clicks on the
console
Integrated with AWS Certificate Manager

21. You are not done yet…
You need to protect content cached at
the Edge

22. Access Control
What if you want to…
• Deliver content only to selected customers
• Allow access to content only until ‘time n’
• Allow only certain IPs to access content

23. Access Control: Private Content
Signed URLs
• Add signature to the Querystring in URL
• Your URL changes
When should you use it?
• Restrict access to individual files
• Users are using a client that doesn't
support cookies
• You want to use an RTMP distribution
Signed Cookies
• Add signature to a cookie
• Your URL does not change
When should you use it?
• Restrict access to multiple files
• You don’t want to change URLs

24. Access Control: Private Content
• Here is an example of a policy statement for signed
URLs

25. Access Control: Private Content
Under development mode?
Make CloudFront accessible only from your
“Internal IP Addresses”

26. You are still not done…
What if you want to restrict access
based on parameters in the request?

27. What is AWS WAF ?
Good Users
Bad Guys
Serve
r
AWS
WAF
Logs
Threat
Analysis
Rule Updater

28. Amazon CloudFront
Edge Location
Serving Unnecessary Requests Costs Money
Scraper Bot
Host: www.internetkitties.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEkItTiEs.com/
Connection: keep-alive
AWS WAF
Host: www.internetkitties.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.mysite.com/
Connection: keep-alive

29. Amazon CloudFront
Edge Location
Access Control: Web Application Firewall
Scraper Bot
Host: www.internetkitties.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEkItTiEs.com/
Connection: keep-alive
AWS WAF
Host: www.internetkitties.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.mysite.com/
Connection: keep-alive

30. Setting Up AWS WAF
1. Create a web ACL.
ALLOW requests by default,
but…
2. Add a rule.
BLOCK if…
3. Add match
conditions.
the source IP
matches this
list…
4. Assign to
CloudFront.
for any request to
d123.cloudfront.net.

31. But wait, there’s more
Match conditions
• IP
• String
• SQLi
Customizable rules
• AND/OR
• Block, allow, or
count
• Ordered
conditions
Fast feedback
• ~1 minute for
changes
• 1-minute metrics
• Request samples

32. Match conditions: Strings and bytes
Match any part of the web request
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “Referrer”
Match Type: Contains
Match: “example.com”
Action: ALLOW
Rule
String match condition
Good users

33. Match conditions: Strings and bytes
Use transforms to stop evasion
Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.example.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “User-Agent”
Match Type: Contains
Match: “badbot”
Action: BLOCK
Rule
String match condition
Scraper bot

34. Match conditions: Strings and bytes
Use transforms to stop evasion
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referrer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “User-Agent”
Transform: To lower
Match Type: Contains
Match: “badbot”
Action: BLOCK
Rule
String match condition
Scraper bot

35. Match conditions: Strings and bytes
Malicious binary? We can find it.
“iVBORw0KGgoAAAAN”
8950 4e47
0d0a 1a0a
0000 000d
bad.bin
1. Select binary file 2. Base64 encode 3. Set match criteria
$> base64 bad.bin
iVBORw0KGgoAAAAN

36. Match conditions: SQLi
/login?x=test%27%20UNION%20ALL%20select%20NULL%20--
/login?x=test’ UNION ALL select NULL --
Transform: URL Decode
True
Match: SQL Injection
Check your query strings, URL decode

37. Combining conditions
Restrict a rule to specific URIs, such as the login page.
Public Internet
Seattle admins AWS
WAF
/admin/login.cgi
/*

38. Observing rules in action
Finding requests that
match your rules

39. Preconfigured Protection & Tutorials
https://aws.amazon.com/waf/preconfiguredrules/

40. Types of attacks that need automation
HTTP floods Scans & probesIP reputation lists Bots & scrapers
Attackers

41. Application Security
How can you secure your application and origin?
Infrastructure
Security
Application
Security
Services Security

42. Application Security
IAM Policies
Origin Protection
OAI
Rotate Keys
Rotate Certificates
+ =
What should you do?
Highly secure content
delivery

43. Hackers could still bypass CloudFront
to access your origin…

44. Access Control: Restricting Origin Access
Amazon S3
Origin Access Identify (OAI)
• Prevents direct access to your Amazon
S3 bucket
• Ensures performance benefits to all
customers
Custom Origin
Block by IP Address
Pre-shared Secret Header
• Whitelist only CloudFront
• Protects origin from overload
• Ensures performance benefits to all customers

45. Object Access Identity (OAI)
• Only CloudFront can access
Amazon S3 bucket
• We make it simple for you
Amazon CloudFront
Region
Amazon S3
bucket
Custom
Origin

46. Shield Custom Origin
1. Whitelisting CloudFront IP Range
2. Whitelist a pre-shared secret origin header
Amazon CloudFront
Region
Amazon S3
bucket
Custom Origin

47. Shield Custom Origin
• Subscribe to SNS notifications on changes to IP ranges
• Automatically update security groups
• https://github.com/awslabs/aws-cloudfront-samples
AWS Lambda
Amazon CloudFront
Amazon SNS
Security Group
Web app
server
Web app
server
AWS IP Ranges
Update IP Range
SNS Message

48. Services Security: IAM
• AWS Managed Policies or create custom policies
• Regulate access to CloudFront APIs
• Describe user role or permissions

49. Services Security : IAM Examples
• Example 1: Create groups with just access to create
invalidations
• Example 2: Just read access to your distributions &
configuration

50. AWS CloudTrail
Record CloudFront API calls history for:
• Security analysis
• Resource change tracking
• Compliance auditing
CloudWatch Alarm
CloudTrailCloudFront
Distribution Updates

51. How to validate your security configurations