Securing Your AWS Infrastructure with Edge Services

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Pop-up Loft
Securing Your AWS Infrastructure with Edge Services
Tom Witman
Edge Services Business Development

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Today’s Objectives
• Overview of Edge Services
• CloudFront Security Components in Practice
• AWS WAF Protections
• AWS Shield Advanced
• Integrations and Security Automations
• Programs to Get Started

So Many Edges…
Amazon CloudFront (CDN)
Route 53 (DNS)
AWS Snowball Edge
AWS IoT
AWS GreenGrass
AWS WAF
AWS Shield
AWS Storage Gateway
AWS Direct Connect
AWS Lambda and Lambda@Edge
...and more!

Today’s Focus…Edge Services
Amazon CloudFront (CDN)
Route 53 (DNS)
AWS WAF
AWS Shield
AWS Lambda and Lambda@Edge
Amazon
CloudFront
AWS WAFAWS Shield
Amazon
Route 53
AWS
Lambda
Lambda
function
edge location
+

The Edge Network – Amazon CloudFront
Locations: 80+
Region Edge Caches: 11+
Services: CDN, DNS, Security, Compute
Integrated: Lambda, API Gateway, ACM,
S3, EC2, ELB/ALB, Route 53, Mobile Hub
Control: On-Demand API + Console
Compliance: PCI, HIPAA
Cost Effective: Data Egress and Ingress

Amazon CloudFront Security Components
• Infrastructure Security
– Physical Edge Locations
• Service Security
– Access Control
– Encryption
– Protocol Enforcement
– Restrictions (Signed URLs and Geo-blocking)
– Logging and Metrics
– Integration with other services at Edge: AWS WAF, AWS Shield, AWS Lambda

Infrastructure Security
• Bastion hosts for maintenance
• Two-factor authentication
• Encryption
• Separation to enhance containment
• Testing and metrics
CloudFront Edge Location
x

Infrastructure Security
• Each edge location is identified by a three-letter code* and an arbitrarily
assigned number, for example, DFW3.
• The three-letter code typically corresponds with the International Air
Transport Association airport code for an airport near the edge location.
• Obtain the list of edge locations from the Amazon CloudFront detail
page: http://aws.amazon.com/cloudfront.
*(These abbreviations might change in the future.)

Service Security: Access Control via Origin Access
Amazon S3
Origin Access Identify (OAI)
• Prevents direct access to your Amazon S3 bucket
• Ensures performance benefits to all customers
Custom Origin
Block by IP address
• Whitelist only the Amazon CloudFront IP range
• Protects origin from overload
• Ensures performance benefits to all customers

Service Security: Update Security Group on IP Address Changes
• Subscribe to Amazon SNS notifications for changes to IP ranges
• Automatically update security groups
AWS Lambda
Amazon CloudFront
Amazon SNS
Security group
Web app
server
Web app
server
AWS IP ranges
Update IP range
SNS message
https://github.com/awslabs/aws-cloudfront-samples

Service Security: Access Control to Origin via Header
• CloudFront will Inject
Custom Header back to
origin
• Origin logic must look for
header and respond
accordingly
• Update header
automatically via API calls
based on vulnerability
detections

Service Security: Access Control to Content via Header + Lambda
Copy
'use strict';
exports.handler = function(event, context, callback) {
/*
* Extract request object in order to preserve httpVersion field.
* This is necessary to match the client's httpVersion. Please
* refer to your CloudFront Distribution's httpVersion configuration for whether to
* specify HTTP 1.1, 2.0 or match-viewer.
*/
const request = event.Records[0].cf.request;
/*
* Authorization can take many forms. However, here we require an "Authorization" header
to be sent
* with the request. We can determine the authority of the caller by evaluating what is passed
in.
*/
if (request.headers['Authorization']) {
let authorized = false;
const authorities = request.headers['Authorization'];
for (let i = 0; i < authorities.length; i++) {
if (authorities[i] === 'secret') {
authorized = true;
}
}
if (authorized) {
callback(null, request);
} else {
callback(null, {status: '401', statusDescription: '401 Unauthorized', httpVersion:
request.httpVersion});
}
} else {
// Client did not send authorization
callback(null, {status: '401', statusDescription: '401 Unauthorized', httpVersion:
request.httpVersion});
}
};

edge location
Service Security: Data Protection In Transit
• Deliver content over
HTTPS to protect data
in transit
• HTTPS Authenticates
CloudFront to Viewers
• HTTPS Authenticates
Origin to CloudFront
Origin
User Request A

Service Security: SSL Termination
• Half bridge or full bridge termination
• Only encrypt what’s really necessary
• Let CloudFront Do the Heavy Lifting of SSL Termination
Amazon
CloudFront
HTTP
region
Amazon
CloudFront
HTTPS
region
Half bridge termination Full bridge termination
Use origin ‘Match Viewer’ or ‘HTTPS Only’

Service Security: Dedicated custom IP SSL vs SNI Custom SSL
• Dedicated custom IP SSL (Legacy SSL/TLS)
• Only one Global IP can handle one domain for SSL/TLS → Sacrifice system
scalability and can not allocate servers in real-time
• Pro-rated monthly fee
• SNI (Server Name Indication)
• One Global IP can handle multiple domain names for SSL/TLS → System
scalability can increase
• No additional charge to “Bring Your Own Certificate”
• Standard rates for data transfer; regular HTTPS request fees apply

Service Security: Protocol Enforcement
HTTP and HTTPS: Viewers can use both protocols.
Redirect HTTP to HTTPS: Viewers can use both protocols, but
HTTP requests are automatically redirected to HTTPS requests.
HTTPS Only: Viewers can only access your content if they're using
HTTPS.
HSTS Header Enforcement with Lambda@Edge Example

Lambda@Edge Example: HSTS Header Injection
'use strict';
exports.handler = (event, context, callback) => {
const response = event.Records[0].cf.response;
const headers = response.headers;
headers['Strict-Transport-Security'] = "max-age=31536000; includeSubdomains; preload";
headers['Content-Security-Policy'] = "default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'; object-src 'none'";
headers['X-Content-Type-Options'] = "nosniff";
headers['X-Frame-Options'] = "DENY";
headers['X-XSS-Protection'] = "1; mode=block";
headers['Referrer-Policy'] = "same-origin";
// Pinned Keys are the Amazon intermediate: "s:/C=US/O=Amazon/OU=Server CA 1B/CN=Amazon"
// and LetsEncrypt "Let’s Encrypt Authority X1 (IdenTrust cross-signed)"
headers['Public-Key-Pins'] = 'pin-sha256="JSMzqOOrtyOT1kmau6zKhgT676hGgczD5VMdRMyJZFA="; pin-
sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; max-age=1296001; includeSubDomains';
callback(null, response);
};
Code Courtesy of Tom Cook: https://medium.com/@tom.cook/edge-lambda-cloudfront-custom-headers-3d134a2c18a2
HSTS Ensures All Communication to a Server is Done over HTTPS

Service Security: AWS Certificate Manager for SSL
• Use ACM to Procure New SNI
Certs
• Certs Issues in Minutes
• Apply Certs to CloudFront or ELB
• SNI Support of Custom Certs
Generated from ACM is at no
charge
• Hassle-free Automatic Cert
Renewal

Service Security: SSL/TLS on the Edge Optimizations
• High security ciphers
• Perfect Forward Secrecy (PFS)
• OCSP stapling
• Session tickets
• Origin SSL certificate validation
• Protocol Enforcement

Service Security: SSL/TLS Protocol and Cipher Support
Possible values of the ssl-protocol
include the following:
• SSLv3
• TLSv1
• TLSv1.1
• TLSv1.2
When cs-protocol is http, the value
for ssl-protocol is a hyphen (-)
When cs-protocol is https, ssl-cipher is the
SSL cipher that the client and CloudFront
negotiated for encrypting the request and
response. Possible values of the ssl-cipher
include the following:
When cs-protocol is http, the value for ssl-
cipher is a hyphen (-).
• ECDHE-RSA-AES128-GCM-
SHA256
• ECDHE-RSA-AES128-SHA256
• ECDHE-RSA-AES128-SHA
• ECDHE-RSA-AES256-GCM-
SHA384
• ECDHE-RSA-AES256-SHA384
• ECDHE-RSA-AES256-SHA
• AES128-GCM-SHA256
• AES256-GCM-SHA384
• AES128-SHA256
• AES256-SHA
• AES128-SHA
• DES-CBC3-SHA
• RC4-MD5

Service Security: OCSP Stapling
1
2 3
4
5
Client
OCSP Responder
Origin Server
Amazon
CloudFront
1. Client sends TLS Client Hello
2. CloudFront requests certificate status
from OCSP responder
3. OCSP responder sends certificate status
4. CloudFront completes TLS handshake with
client
5. Request/response from origin server

Service Security: OCSP Stapling
…
OCSP Stapling
Client Side Revocation Checks
0 50 100 150 200 250 …
(time in milliseconds)
0 50 100 150 200 250 …
(time in milliseconds)
TCP Handshake
Client Hello
Server Hello
DNS for OCSP Responder
TCP to OCSP Responder
OCSP Request/Response
… Follow Certificate Chain
Complete Handshake
Application Data
30%
Improvement
120 ms faster

Service Security: Session Tickets
• Session tickets allow client to resume
session
• CloudFront sends encrypted session
data to client
• Client does an abbreviated SSL
handshake
CloudFront
Edge location

Service Security: Advanced SSL/TLS
• CloudFront handles secure
authentication
• CloudFront enables perfect
forward secrecy
CloudFront
Edge location

Service Security: Validate Origin Certificate
• CloudFront validates SSL certificates to origin
• Origin domain name must match Subject Name on certificate
• Certificate must be issued by a Trusted CA
• Certificate must be within expiration window

Service Security: Restricted Access to Content
Signed URLs Geo Restriction
X

Service Security: Signed URL
1) Request for Content first goes to an
authentication server to validate user and
generate a signed URL.
2) A signed URL is sent back as a 302 redirect
from the auth server
3) Request to CloudFront made with signed
URL, authentication with policy statement,
and verification of content freshness (hasn’t
expired)
4) CloudFront authenticates policy statement
for signed URL, sets cache key, and sends
content to requestor

Service Security: Geo-restriction
• Geographical Restriction at Distribution Level
• White List or Black List
• Country Level Granularity
• No Additional Charges

Service Security: Logging & Metrics
Metric Description
Requests
The number of requests for all HTTP methods and for
both HTTP and HTTPS requests.
BytesDownloaded
The number of bytes downloaded by viewers for GET,
HEAD, and OPTIONS requests.
BytesUploaded
The number of bytes uploaded to your origin with
CloudFront using POST and PUT requests.
TotalErrorRate
The (average) percentage of all requests for which
the HTTP status code is 4xx or 5xx.
4xxErrorRate
the HTTP status code is 4xx.
5xxErrorRate
the HTTP status code is 5xx.
• CloudWatch Metrics: Turn
Them On!
• 6 free metrics
• 1 minute intervals
• Covers trailing 2 weeks
Example: Trigger Alarm 4xx error
rate exceeds 1% for 5 minutes,
checking on each 1 minute interval

AWS WAF
Block or Allow web requests Monitor security events

AWS WAF: Components
Match conditions
• IP
• String
• SQLi
• Size
• Rate Based
• Reusable
•Flexible rules
• AND/OR
• Block, allow, or
count
• Ordered
conditions
• Reusable
•Fast feedback
• ~1 minute for
changes
• 1-minute metrics
• Request samples
WebACL
Global Implementation on
CloudFront
Local Implementation at AWS
Regions
AND/OR

AWS WAF and the OWASP Top 10
White Paper Available Here:
https://d0.awsstatic.com/whitepapers/Security/aws-waf-owasp.pdf
Courtesy: www.owasp.org
Out of the Box:
Cross-site scripting
SQL injection
Customize Predicates:
API Control
String Matching
IP addresses
Size constraints
Rate Based Rules

Match conditions: Strings and bytes
Example #1: Whitelist Referrer
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive
AWS
WAF
RAW request headers
CloudFront
Check: Header “Referrer”
Match Type: Contains
Match: “example.com”
Action: ALLOW
Rule
String match condition
Good users

Example #2: Blacklist User-Agents
User-Agent: badbot
Referrer: http://www.example.com/
AWS
WAF
RAW request headers
CloudFront
Check: Header “User-Agent”
Match: “badbot”
Action: BLOCK
Rule
Scraper bot

Example #2: Blacklist User-Agents
User-Agent: bAdBoT
Referrer: http://www.InTeRnEtkItTiEs.com/
AWS
WAF
RAW request headers
CloudFront
Check: Header “User-Agent”
Transform: To lower
Match: “badbot”
Action: BLOCK
Rule
Scraper bot

AWS Security Automations for Common Attack Patterns
https://aws.amazon.com/answers/security/aws-waf-security-automations/
• One Click Deployment via
CloudFormation
• Customizeable

Observing rules in action
• Finding requests that
match your rules
• Set alarms for WAF
• Provided in near real time

AWS Shield Advanced
• Managed DDoS Protection Service
• In Line Protections on the Edge and within
the AWS Region
• No Architectural Changes Required
• High Visibility Into Incidents and Mitigations
• Dozens of CloudWatch Metrics
• Economic Protection
• 24/7 Access to DDoS Response Team (DRT)
Additional Detection & Monitoring
Protection Against Large DDoS
Attacks
Visibility into Attack Detection &
Mitigation
AWS WAF at No Additional Cost
24x7 DDoS Response Team
Cost Protection (Absorb DDoS
Scaling Cost)

Putting It All Together
• Edge Services Provide Application Architecture Security Controls
• CloudFront Enables:
– Application Performance and Availability Improvements (in-line protections, bandwidth, content
modification)
– Distributed Security Controls on the Edge (behaviors, restrictions, SSL)
– Integration with other AWS services (lambda, waf, shield, origins, etc.)
• AWS WAF Enables:
– Application level protections and reporting
– In line distributed inspection with fast propagation and rule reusability
– Extension of rule from edge to region
• AWS Shield Advanced Enables:
– Managed DDoS Protection
– Visibility in Attacks
– Support for AWS WAF configurations and included at no charge
– Economic Protection

Putting it All Together: Highly Secure Edge Based Architecture
Amazon
Route 53
ALB Security Group
Amazon
EC2
Instances
Application
Load Balancer
Amazon
CloudFront
Public Subnet
Web Application
Security Group
Private Subnet
AWS WAF
Amazon
API Gateway
DDoS
or Web
Application
Attack
Users

Programs to Get You Started
• Edge Based Protection: Amazon CloudFront, AWS WAF, AWS Shield Advanced
• Well Architected Review: Edge Security
• Assistance to Configure, Test, and Deploy (ProServ, Partner)
• Security Operations Account Review
• Integrated IoT Button
• Cost Effective Pricing Options
• CONTACT: Edge-Sales@; witmant@

Pop-up Loft
aws.amazon.com/activate
Everything and Anything Startups
Need to Get Started on AWS

Securing Your AWS Infrastructure with Edge Services

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Securing Your AWS Infrastructure with Edge Services

Similar to Securing Your AWS Infrastructure with Edge Services (20)

More from Amazon Web Services

More from Amazon Web Services (20)

Securing Your AWS Infrastructure with Edge Services