Learn how you can defend your applications on AWS against diverse set of Internet threats, like DDoS, Bots or Zero-day attacks. At this session you will learn about how your applications on AWS are inherently secured against common threats. You will also learn about how you can use AWS security services like AWS WAF, Shield and Firewall Manager to build a robust and customised protection specific to your applications.

1. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Andrew Thomas, GM, AWS Perimeter Protection
March, 2019
AWS Edge Security
Cloud-Native Defense Against Diverse
Internet Threats

2. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Goal
• Learn about today’s threat landscape and how these
threats can affect your application availability
• Learn how easily using AWS services can give you
baseline protections
• Learn how AWS’s perimeter security services can
provide additional application protections, without the
need to re-architect

3. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Overview of Threat Landscape

4. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Typical web applications
Dynamic
applications
Personalized
Content
Static assets
API
Data CenterEnd Users

5. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Web application design considerations
Data
Center
End Users
Dynamic
applications
Personalized
Content
Static assets
API

6. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Web application design considerations
Data
Center
End Users
DDoS
Web Exploits
Bots
• Security
• Authentication
• Encryption (TLS)
• Layered Protection
• Availability
• Resiliency/Fault Tolerance
• Request handling capacity
• Blocking bad traffic
• Performance
• Routing
• Throttling
• Alerting & Monitoring
Dynamic
applications
Personalized
Content
Static assets
API

7. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Types of threats that exist today
SQL Injection
Cross-site Scripting (XSS)
OWASP Top 10
Common Vulnerabilities and
Exposures (CVE)
HTTP Floods
Reflection Attack
Crawlers
Content Scrapers
Scanners & Probes
Denial of Service App Vulnerabilities Bad Bots

8. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Common DDoS attacks
SYN Flood
UDP Flood
ICMP Flood
Other Reflection Vectors
HTTP Flood
DNS Query Flood

9. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Building the Baseline Defense

10. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Building blocks for baseline defense
Amazon VPC Amazon CloudFront Amazon Route 53
Security Groups
Network ACLs
Global Presence
SSL/TLS
Origin Shielding
Resilience (TTL)
DNS Header Validations
Good vs. Bad Resolvers
Priority Based Traffic
Shaping

11. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benefits of the AWS Global Edge Network
High Availability Application
Acceleration
AWS Integration Cost Effective

12. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Leveraging AWS Perimeter
Protection Services

13. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What else can we do to…
• Defend against DDoS attacks?
• Prevent exploits and bots at application level?
• Manage and apply security policies across multiple
accounts in an organization?

14. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Four tenets of AWS Shield for DDoS protection
Frictionless setup with minimal
architectural changes
Low Operational Overhead for known and
edge cases
Visibility for dynamic security and compliance
Protection from economic vectors
AWS Shield

15. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benefits of AWS Shield Standard and Shield Advanced
Built-in DDoS
Protection for
Everyone
Point and Protect
Wizard
Low Operational Overhead for known and
edge cases
Visibility for dynamic security and compliance
Protection from economic vectors
AWS Shield

16. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benefits of AWS Shield Standard and Shield Advanced
Automatic Protection
across customers
Enhanced Protection
baselined to you
24x7 access to
DDoS Response
Team (DRT)
Built-in DDoS
Protection for
Everyone
Point and Protect
Wizard
Visibility for dynamic security and compliance
Protection from economic vectors
AWS Shield

17. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benefits of AWS Shield Standard and Shield Advanced
Automatic Protection
across customers
Enhanced Protection
baselined to you
24x7 access to
DDoS Response
Team (DRT)
Built-in DDoS
Protection for
Everyone
Point and Protect
Wizard
Protection from economic vectors
AWS Shield
Cloud-
Watch
Metrics
Attack
Diagnostics
Global Threat
Environment
Dashboard
Quarterly
Security
Review

18. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benefits of AWS Shield Standard and Shield Advanced
Automatic Protection
across customers
Enhanced Protection
baselined to you
24x7 access to
DDoS Response
Team (DRT)
Built-in DDoS
Protection for
Everyone
Point and Protect
Wizard
Cloud-
Watch
Metrics
Attack
Diagnostics
Global Threat
Environment
Dashboard
Quarterly
Security
Review
AWS WAF at no
additional cost
For protected resources
AWS Firewall
Manager at no
additional cost
Cost Protection for
scaling
AWS Shield

19. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Application Level Protection with AWS WAF
Automate using AWS Lambda based
security automations
Utilize Managed Rules from the AWS
Marketplace for hassle free protection and
deployment
Customize security to your applications
using custom rules
Monitor using Amazon CloudWatch metrics
or third-party log processorsAWS WAF

20. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Deploying AWS WAF is easy
Amazon CloudFront AWS Application
Load Balancer
Amazon API Gateway

21. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Regional availability of AWS WAF
and AWS Shield Advanced
• N. Virginia (us-east-1)
• Ohio (us-east-2)
• Oregon (us-west-2)
• N. California (us-west-1)
• Ireland (eu-west-1)
• Frankfurt (eu-central-1)
• Tokyo (ap-northeast-1)
• Sydney (ap-southeast-2)

22. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Regional availability of AWS WAF
and AWS Shield Advanced
• N. Virginia (us-east-1)
• Ohio (us-east-2)
• Oregon (us-west-2)
• N. California (us-west-1)
• Ireland (eu-west-1)
• Frankfurt (eu-central-1)
• Tokyo (ap-northeast-1)
• Sydney (ap-southeast-2)
• London (eu-west-2)
• Stockholm (eu-north-1)
• Singapore (ap-southeast-1)
• Seoul (ap-northeast-2)
NEW!

23. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Tools available within AWS WAF
• SQL Injection
Conditions
• XSS Conditions
• AWS CloudFormation
based Security
Automation
• AWS Marketplace
Managed Rules
WebTraffic
Filtering
• Rate-based Rules
• IP-Match & Geo-IP
Filters
• Regex & String
Match Conditions
• Size Constraint
Conditions
Visibility and
Debugging
• Amazon
CloudWatch Metrics
and Alarms
• Sampled Logs
• Comprehensive
Logging
Malicious
Traffic Blocking

24. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Managed Rules for AWS WAF
• Rules written, updated and managed by security
experts
• Pay as you go; available through AWS
Marketplace
• Choice of protections:
• OWASP Top 10 & General Web Exploits
• Common Vulnerabilities and Exposures (CVE)
• Bot Protection
• IP Reputation lists
• CMS (e.g. Wordpress, Joomla)
• Webservers (e.g. Apache, Nginx)

25. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security automations using AWS WAF

26. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Security automations using AWS WAF

27. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon GuardDuty and AWS WAF integration

28. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Firewall Manager
Ensure Compliance to Mandatory Rules
Across Organization
Simplify Management of Rules Across
Accounts & Applications
Enable Rapid Response to Attacks
AcrossAllAccounts
AWS Firewall
Manager

29. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Regional availability of AWS Firewall Manager
• N. Virginia (us-east-1)
• Ohio (us-east-2)
• Oregon (us-west-2)
• Ireland (eu-west-1)
• Frankfurt (eu-central-1)
• Tokyo (ap-northeast-1)
• Sydney (ap-southeast-2)

30. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Key benefits for AWS Firewall Manager
 Integrated with AWS Organizations so you can enable AWS
WAF rules across multiple AWS accounts.
 Firewall Manager Policies can span across Accounts and
across resources.
 Supports Hierarchical rules - Security administrator can create
organization-wide rules, while delegating application-specific
rules to individual Account owners.
Simplify Firewall Rules Management Across Accounts & Resources

31. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Key benefits for AWS Firewall Manager
Ensure Compliance of Existing and New Applications
 Ensure All your resources comply with a mandatory set of
security policies
 Automatically discover new Accounts, or resources like ALB or
CloudFront distribution as they are created
 Easily block traffic from embargoed countries across your
Organization to adhere to the US Dept. of Treasury’s Office of
Foreign Assets Control (OFAC) regulations

32. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
AWS Firewall Manager Key Benefits
 Security administrator have a single console to receive real-time threats, and
respond within minutes
 Quickly apply CVE Patches across all applications in your Organization, or
block malicious IP addresses detected by GuardDuty across entire
Organization
Enable Rapid Response to Internet Attacks
GuardDuty CloudWatch Events Lambda
Amazon
GuardDuty
Amazon
CloudWatch
CloudWatch
Event
Lambda
Function
AWS Lambda
Firewall Manager
Account 2
Account 3
Account 1
AWS WAF

33. © 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2019, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank You!