Do you use any of these?
● API Gateway
● Application Load Balancer
● CloudFront
Securing your Public API with AWS WAF
Rafi Kurnia Putra
Cloud Infrastructure Engineer
Traveloka
AWS User Group Jakarta x Pop-up Loft - 22/10/2019 - WeWork, Noble House Kuningan Lv.30
In the last 7 days, we blocked...
● Millions of DoS attacks.
● Thousands of WAF attacks.
Our Problems
● Centralized WAF management.
● Hard to attribute WAF costs.
● A large number of public endpoints that:
○ Keep growing.
○ Are hosted in multiple AWS accounts.
○ Are owned and maintained by various teams.
What did we do?
What is AWS WAF?
● Designed to help protect your app from common attacks.
● Controls which traffic is allowed to reach your app and which is blocked.
● Allows users to create custom rules.
Example: AWS WAF on ALB
Why AWS WAF
● Well integrated with other AWS Services.
● Access control based on AWS IAM.
● Covers common needs.
● Inexpensive.
● Decentralized.
● Cost attribution.
● Easy to set up WAF rules.
AWS WAF Limitations
● Very hard to analyze the WAF logs.
● It is difficult to trace the logs from a single request.
● Getting a dashboard for monitoring requires more setup.
● Can’t parse or validate JSON and XML payloads.
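The first three limitations above are really one problem: WAF delivers one JSON record per request, and nothing on the AWS side turns that stream into "which rule is blocking the most" or "what happened to this one request". The script below is an added example, not code from the talk or from Traveloka's Terraform modules. It reads newline-delimited WAF log records (the field names `action`, `terminatingRuleId`, `nonTerminatingMatchingRules` and `httpRequest.clientIp/uri/requestId` follow the AWS WAF log record format), aggregates BLOCK decisions per rule and per client, and traces a single request by its `requestId`. The log lines are constructed, not captured traffic, and the rule names in them are placeholders; using `httpRequest.requestId` as the key to correlate with the ALB access log is an assumption about how you join the two sources.

```python
"""Summarise AWS WAF JSON log records and trace one request by id.

Added example (not from the talk or Traveloka's modules). Sample records are
constructed; rule ids and the web ACL id are placeholders.
"""
import json
from collections import Counter

# Constructed sample records, shaped like WAF log entries (one JSON object per line).
SAMPLE_RECORDS = [
    {"timestamp": 1571731200000, "webaclId": "example-acl", "httpSourceName": "ALB",
     "action": "BLOCK", "terminatingRuleId": "owasp-top-10-sqli", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": [],
     "httpRequest": {"clientIp": "192.0.2.10", "country": "ID", "httpMethod": "GET",
                     "uri": "/api/v1/search", "requestId": "req-0001"}},
    {"timestamp": 1571731201000, "webaclId": "example-acl", "httpSourceName": "ALB",
     "action": "ALLOW", "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": [{"ruleId": "count-large-body", "action": "COUNT"}],
     "httpRequest": {"clientIp": "198.51.100.7", "country": "SG", "httpMethod": "POST",
                     "uri": "/api/v1/orders", "requestId": "req-0002"}},
    {"timestamp": 1571731202000, "webaclId": "example-acl", "httpSourceName": "ALB",
     "action": "BLOCK", "terminatingRuleId": "rate-limit-per-ip", "terminatingRuleType": "RATE_BASED",
     "nonTerminatingMatchingRules": [],
     "httpRequest": {"clientIp": "192.0.2.10", "country": "ID", "httpMethod": "GET",
                     "uri": "/api/v1/search", "requestId": "req-0003"}},
    {"timestamp": 1571731203000, "webaclId": "example-acl", "httpSourceName": "ALB",
     "action": "BLOCK", "terminatingRuleId": "owasp-top-10-sqli", "terminatingRuleType": "REGULAR",
     "nonTerminatingMatchingRules": [],
     "httpRequest": {"clientIp": "203.0.113.5", "country": "US", "httpMethod": "GET",
                     "uri": "/api/v1/users", "requestId": "req-0004"}},
]
SAMPLE_LOG_LINES = [json.dumps(r) for r in SAMPLE_RECORDS]


def parse_records(lines):
    """Parse newline-delimited JSON; skip blank lines and malformed (e.g. truncated) ones."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # in production, count these so a delivery problem is visible
    return records


def blocks_by_rule(records):
    """Number of BLOCK decisions per terminating rule, as a plain dict."""
    return dict(Counter(r["terminatingRuleId"] for r in records if r.get("action") == "BLOCK"))


def blocks_by_client(records, top=5):
    """Most-blocked client IPs as (ip, count) pairs, highest first."""
    return Counter(r["httpRequest"]["clientIp"]
                   for r in records if r.get("action") == "BLOCK").most_common(top)


def trace_request(records, request_id):
    """Return the WAF decision for one request id, or None if it never reached WAF."""
    for r in records:
        if r.get("httpRequest", {}).get("requestId") == request_id:
            return {
                "action": r["action"],
                "terminating_rule": r["terminatingRuleId"],
                "counted_rules": [m["ruleId"] for m in r.get("nonTerminatingMatchingRules", [])],
                "client_ip": r["httpRequest"]["clientIp"],
                "uri": r["httpRequest"]["uri"],
            }
    return None


if __name__ == "__main__":
    # Two junk lines are appended to show the parser tolerating a bad delivery.
    recs = parse_records(SAMPLE_LOG_LINES + ["", "{not json"])
    print("blocks by rule:", blocks_by_rule(recs))
    print("blocks by client:", blocks_by_client(recs))
    print("trace req-0002:", trace_request(recs, "req-0002"))
```

Run it against the files WAF delivers to S3 (via Kinesis Data Firehose) by replacing `SAMPLE_LOG_LINES` with the lines of a downloaded object; the COUNT rules listed under `counted_rules` are what you look at before promoting a rule to BLOCK, which is the safest way to roll out a new rule.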
Bonus: Terraform Modules
1. https://github.com/traveloka/terraform-aws-waf-owasp-top-10-rules
Bonus: Terraform Modules
2. https://github.com/traveloka/terraform-aws-waf-webacl-supporting-resources
Thank you!
rafi(dot)kurnia(dot)putra[at]gmail(dot)com for any enquiries!
© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved
Notes:
Startups previously issued AWS Promotional Credit may not be eligible to receive additional credit.
Promotional credits are a one-time offer.
Exact credit eligibility amount varies by the organization through which you apply.
Redeem $1,000 worth of credits:
1. Create a free AWS account here:
https://portal.aws.amazon.com/billing/signup#/
2. Navigate to this link: https://aws.amazon.com/activate/portfolio-signup/
3. Sign up using 0aKL8 as your Organization ID.
The credits will be in your account after validation, which takes 1~2 weeks.
Learn more here: https://aws.amazon.com/activate/portfolio-detail/
AWS ACTIVATE
AWS Activate Program provides startups with the resources they need to quickly get
started on AWS – including credits, training, and support. Scaling to a unicorn begins
with AWS Activate.
INDONESIA’S STARTUPS RUN ON AWS
Services Used:
EC2, RDS, S3
“We found that the cost of
an on-premises
infrastructure was too high,
so we turned to the cloud.”
Sofian Hadiwijaya
CTO
“Before AWS, 20–30 percent of our time would be spent ensuring that servers are responsive. By using AWS, we simply deploy and maybe monitor for an hour and that’s it.”
Abhilash Ramakrishna
CTO
Services Used:
EC2, RDS, S3
AWS ACTIVATE
Check us out at https://aws.amazon.com/events/asean-startup/
“AWS gave us better access to cost-effective
open-source software that allowed us to drive
innovation”
- Lodewijk Tanamal
CTO
Services Used:
EC2, Kinesis, Quicksight, Lambda
Or scan here!
https://twitter.com/awsstartups/
And many others…
FEEDBACK!
Scan the QR stickers on your table and complete the feedback form to redeem an
EXCLUSIVE SWAG!
Simply show your completed survey to the Loft manager ☺
HAVE FUN!
Get your polaroid pictures taken, hang them up on the wall and write us a note!