Secure Content Delivery Using Amazon CloudFront


Transcript of Secure Content Delivery Using Amazon CloudFront

Page 1: Secure Content Delivery Using Amazon CloudFront

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Secure Content Delivery Using Amazon CloudFront

Ken Chan, Business Development Manager, GCR

[email protected]

Page 2: Secure Content Delivery Using Amazon CloudFront

What to Expect from the Session

In this session we will talk about:

• Why security matters

• Key aspects of security

• How Amazon CloudFront can help

• Best practices for secured delivery on Amazon CloudFront

Page 3: Secure Content Delivery Using Amazon CloudFront

Overview: Why Security Matters

• Customer Trust

• Regulatory Compliance

• Data Privacy

Page 4: Secure Content Delivery Using Amazon CloudFront

How AWS Can Help

In the cloud, security is a shared responsibility: https://aws.amazon.com/compliance/shared-responsibility-model/

Infrastructure Security (how we secure our infrastructure)

• SOC 1, 2, 3

• ISO 27001/2 certification

• PCI DSS 2.0 Level 1-5

• HIPAA/SOX compliance

• FedRAMP, FISMA & DIACAP, ITAR

Application Security (how can you secure your application?)

• Encrypt data in transit

• Encrypt data at rest

• Protect your AWS credentials

• Rotate your keys

• Secure your application, OS, stack and AMIs

• Enforce IAM policies

• Use MFA

Services Security (what security options and features are available to you?)

• VPC, S3 bucket policies, EC2 security groups, EFS in EC2, ACM, etc.

Page 5: Secure Content Delivery Using Amazon CloudFront

How CloudFront Can Help

Services Security (security on CloudFront)

• SSL/TLS options

• Private content

• Origin Access Identities

• Web Application Firewall

• AWS CloudTrail

Application Security

• IAM policies

• Origin protection

• Rotate keys

• Rotate certificates

Infrastructure Security

• PCI DSS 2.0 Level 1

• ISO 9001, 27001, 27017, 27018

Page 6: Secure Content Delivery Using Amazon CloudFront

How CloudFront Can Help

What CloudFront does automatically + What you can do using CloudFront features = Highly secure content delivery

What should you do?

Page 7: Secure Content Delivery Using Amazon CloudFront

Infrastructure Security

How we secure our infrastructure

Infrastructure Security

Application Security

Services Security

Page 8: Secure Content Delivery Using Amazon CloudFront

Infrastructure Security

• Facilities

• Physical security

• Cache infrastructure

• Network infrastructure

(What CloudFront does automatically) + (What should you do?) = Highly secure content delivery

Page 9: Secure Content Delivery Using Amazon CloudFront

Infrastructure Security

• Bastion hosts for maintenance

• Two-factor authentication

• Encryption

• Separation to enhance containment

• Testing & metrics

[Diagram: CloudFront edge location]

Page 10: Secure Content Delivery Using Amazon CloudFront

Infrastructure Security

Page 11: Secure Content Delivery Using Amazon CloudFront

Services Security

Security options and features available on CloudFront

Infrastructure Security

Application Security

Services Security

Page 12: Secure Content Delivery Using Amazon CloudFront

Services Security

SSL/TLS options

• High security ciphers

• PFS (perfect forward secrecy)

• OCSP stapling

• Session tickets

Private content

• Trusted signers

Web Application Firewall

AWS CloudTrail

AWS Certificate Manager

(What CloudFront does automatically) + (What should you do?) = Highly secure content delivery

Page 13: Secure Content Delivery Using Amazon CloudFront

CloudFront can protect ‘Data in Transit’

Page 14: Secure Content Delivery Using Amazon CloudFront

CloudFront Protects Data in Transit

[Diagram: user request → edge location → origin]

• Deliver content over HTTPS to protect data in transit on both legs

• HTTPS authenticates CloudFront to viewers (viewer-to-edge connection)

• HTTPS authenticates the origin to CloudFront (edge-to-origin connection)

Page 15: Secure Content Delivery Using Amazon CloudFront

CloudFront enables advanced SSL features automatically

Page 16: Secure Content Delivery Using Amazon CloudFront

Validate Origin Certificate

CloudFront validates the origin's SSL/TLS certificate whenever it connects to the origin over HTTPS (origin protocol policy HTTPS Only, or Match Viewer with an HTTPS viewer request):

• The origin domain name must match a name on the certificate (the subject CN or one of the subject alternative names; a wildcard covers only one label)

• The certificate must be issued by a CA that CloudFront trusts; self-signed certificates on the origin are rejected

• The certificate must be within its validity period (not expired, and not before its notBefore date)

If any check fails, CloudFront does not fetch from the origin and returns an HTTP 502 to the viewer.
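The name and validity checks above, as an added example that is not code from the talk or from CloudFront: a Python function that re-applies them to a certificate in the dict form Python's own ssl.getpeercert() returns. The certificate, names and dates are constructed. Issuer trust is deliberately not re-implemented, because the TLS stack (ssl.create_default_context) already rejects an untrusted chain before getpeercert() returns anything; the function shows the two checks that are commonly misconfigured, including the one-label limit of wildcard names.

```python
import ssl
from typing import Dict, List

# Constructed certificate in the shape returned by ssl.SSLSocket.getpeercert();
# the names, issuer and dates are made up for the example.
ORIGIN_CERT = {
    "subject": ((("commonName", "origin.example.com"),),),
    "subjectAltName": (("DNS", "origin.example.com"), ("DNS", "*.internal.example.com")),
    "issuer": ((("commonName", "Example Trusted CA"),),),
    "notBefore": "Jan  1 00:00:00 2016 GMT",
    "notAfter": "Dec 31 23:59:59 2016 GMT",
}

# A fixed "now" inside the validity window so the example is deterministic.
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2016 GMT")


def cert_names(cert: Dict) -> List[str]:
    """DNS names the certificate is valid for: the SAN entries, else the CN."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value.lower())
    return names


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style comparison: a leading '*' stands for exactly one label."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def check_origin_cert(cert: Dict, origin_domain: str, now: float) -> List[str]:
    """Return the reasons the certificate would be rejected; an empty list means OK."""
    problems = []
    if not any(name_matches(n, origin_domain) for n in cert_names(cert)):
        problems.append(f"no name in certificate matches origin {origin_domain}")
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if now < not_before:
        problems.append("certificate is not yet valid")
    if now > not_after:
        problems.append("certificate has expired")
    return problems


if __name__ == "__main__":
    for origin in ("origin.example.com", "api.internal.example.com", "a.b.internal.example.com"):
        print(origin, check_origin_cert(ORIGIN_CERT, origin, NOW) or "OK")
```

The third origin fails on purpose: `*.internal.example.com` does not cover `a.b.internal.example.com`, which is the usual surprise when a wildcard certificate is reused for a deeper hostname.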

Page 17: Secure Content Delivery Using Amazon CloudFront

But there are things you need to do

Page 18: Secure Content Delivery Using Amazon CloudFront

Deliver Content using HTTPS

• CloudFront makes it easy

• Create one distribution, and deliver both HTTP & HTTPS content (viewer protocol policy "HTTP and HTTPS")

• There are other options as well, set per cache behavior:

• Strict HTTPS ("HTTPS Only": plain-HTTP requests receive a 403)

• HTTP to HTTPS redirect ("Redirect HTTP to HTTPS": plain-HTTP requests receive a 301 to the HTTPS URL)

Page 19: Secure Content Delivery Using Amazon CloudFront

CloudFront TLS Options

Default CloudFront SSL Domain Name

• CloudFront certificate, shared across customers

• When to use? Example: dxxx.cloudfront.net

SNI Custom SSL

• Bring your own SSL certificate, or use AWS Certificate Manager

• Relies on the SNI extension of the Transport Layer Security protocol

• When to use? Example: www.mysite.com

• Some older browsers/OS do not support the SNI extension (for example Internet Explorer on Windows XP and Android 2.3)

Dedicated IP Custom SSL

• Bring your own SSL certificate, or use AWS Certificate Manager

• CloudFront allocates dedicated IP addresses to serve your SSL content (at an additional monthly charge)

• When to use? Example: www.mysite.com

• Supported by all browsers/OS
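An added configuration check, not from the talk, that turns the HTTPS options of the last two slides into something you can run against a distribution's configuration: a linter over a CloudFront DistributionConfig, with the weak settings beside their hardened counterparts. The field names and values are the ones the CloudFront API uses; the ACM ARN, origin ID and path pattern are placeholders.

```python
from typing import Dict, List

# Two constructed DistributionConfig fragments (field names as in the CloudFront
# API; ARN, origin ID and path pattern are placeholders).
WEAK_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "allow-all"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "allow-all"},
    ]},
    "ViewerCertificate": {"CloudFrontDefaultCertificate": True},
    "Origins": {"Items": [{
        "Id": "web-origin",
        "CustomOriginConfig": {
            "OriginProtocolPolicy": "http-only",
            "OriginSslProtocols": {"Items": ["TLSv1", "TLSv1.1", "TLSv1.2"]},
        },
    }]},
}

HARDENED_CONFIG = {
    "DefaultCacheBehavior": {"ViewerProtocolPolicy": "redirect-to-https"},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/api/*", "ViewerProtocolPolicy": "https-only"},
    ]},
    "ViewerCertificate": {
        "ACMCertificateArn": "arn:aws:acm:us-east-1:123456789012:certificate/EXAMPLE",
        "SSLSupportMethod": "sni-only",
        "MinimumProtocolVersion": "TLSv1.2_2021",
    },
    "Origins": {"Items": [{
        "Id": "web-origin",
        "CustomOriginConfig": {
            "OriginProtocolPolicy": "https-only",
            "OriginSslProtocols": {"Items": ["TLSv1.2"]},
        },
    }]},
}


def tls_findings(cfg: Dict) -> List[str]:
    """One line per weak transport setting; an empty list means the config is clean."""
    findings = []

    # Viewer side: every cache behavior, not only the default one.
    behaviors = [("default", cfg["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b) for b in cfg.get("CacheBehaviors", {}).get("Items", [])]
    for name, b in behaviors:
        if b.get("ViewerProtocolPolicy") == "allow-all":
            findings.append(f"behavior {name}: ViewerProtocolPolicy allow-all lets viewers use plain HTTP")

    # Viewer certificate: with the shared *.cloudfront.net certificate the minimum
    # protocol version cannot be raised, so a custom certificate is a prerequisite.
    vc = cfg.get("ViewerCertificate", {})
    if vc.get("CloudFrontDefaultCertificate"):
        findings.append("ViewerCertificate: default *.cloudfront.net certificate, minimum protocol version fixed at TLSv1")
    elif not vc.get("MinimumProtocolVersion", "").startswith("TLSv1.2"):
        mpv = vc.get("MinimumProtocolVersion", "unset")
        findings.append(f"ViewerCertificate: MinimumProtocolVersion {mpv} admits pre-TLS 1.2 viewers")

    # Origin side. S3 origins expose no OriginProtocolPolicy (their edge-to-origin
    # protocol follows the viewer's), so only custom origins are inspected here.
    for origin in cfg.get("Origins", {}).get("Items", []):
        custom = origin.get("CustomOriginConfig")
        if not custom:
            continue
        policy = custom.get("OriginProtocolPolicy")
        if policy != "https-only":
            findings.append(f"origin {origin['Id']}: OriginProtocolPolicy {policy} can send edge-to-origin traffic in the clear")
        old = [p for p in custom.get("OriginSslProtocols", {}).get("Items", []) if p != "TLSv1.2"]
        if old:
            findings.append(f"origin {origin['Id']}: OriginSslProtocols still offers {', '.join(old)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, tls_findings(cfg) or ["no findings"])
```

The same dict shape is what `aws cloudfront get-distribution-config` returns under `DistributionConfig`, so the function can be pointed at real output once the placeholders are replaced.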

Page 20: Secure Content Delivery Using Amazon CloudFront

Integrated with AWS Certificate Manager

Before (time-consuming & complex):

• Obtain a certificate from a 3rd-party certificate authority (3-5 days)

• Upload it to IAM via the AWS CLI

• Connect it to CloudFront via the AWS CLI

After (simple, automated and fast):

• Request the certificate from AWS Certificate Manager

• End-to-end process within minutes, using a couple of mouse clicks on the console

A certificate used with CloudFront must be requested or imported in the US East (N. Virginia) region, us-east-1, because CloudFront is a global service. Certificates that ACM issues are also renewed automatically, which removes the manual "rotate certificates" step for the viewer side.

Page 21: Secure Content Delivery Using Amazon CloudFront

You are not done yet…

You need to protect content cached at the Edge

Page 22: Secure Content Delivery Using Amazon CloudFront

Access Control

What if you want to…

• Deliver content only to selected customers

• Allow access to content only until ‘time n’

• Allow only certain IPs to access content

Page 23: Secure Content Delivery Using Amazon CloudFront

Access Control: Private Content

Signed URLs

• Add the signature to the query string of the URL

• Your URL changes

When should you use it?

• Restrict access to individual files

• Users are using a client that doesn't support cookies

• You want to use an RTMP distribution (RTMP distributions have since been discontinued, so this case no longer applies)

Signed Cookies

• Add the signature to a cookie

• Your URL does not change

When should you use it?

• Restrict access to multiple files (for example every segment of a video, or a whole subscriber area)

• You don't want to change URLs

Page 24: Secure Content Delivery Using Amazon CloudFront

Access Control: Private Content

• Here is an example of a policy statement for signed URLs
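The policy image from this slide is not in the transcript. As an added example, and not the policy shown in the talk nor AWS's own library code, the following builds the two policy shapes CloudFront accepts (canned: one URL and an expiry; custom: a wildcard resource with optional start time and source IP), applies CloudFront's URL-safe base64, and assembles the query string. The distribution hostname and key pair ID are placeholders. Signing is RSA-SHA1 PKCS#1 v1.5, which is what CloudFront verifies; it uses the third-party cryptography package and is loaded lazily, and the design of passing a signer callable mirrors botocore's CloudFrontSigner.

```python
import base64
import json
import time
from typing import Callable, Optional
from urllib.parse import urlencode


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe variant of base64: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))


def canned_policy(url: str, expires_epoch: int) -> str:
    """Canned policy: one exact URL and one expiry. The policy is signed but not sent."""
    return json.dumps(
        {"Statement": [{"Resource": url, "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]},
        separators=(",", ":"),  # no whitespace: the signature covers these exact bytes
    )


def custom_policy(resource: str, expires_epoch: int, source_ip: Optional[str] = None,
                  not_before_epoch: Optional[int] = None) -> str:
    """Custom policy: wildcard resource, optional start time and source IP range."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if not_before_epoch is not None:
        condition["DateGreaterThan"] = {"AWS:EpochTime": not_before_epoch}
    if source_ip is not None:
        condition["IpAddress"] = {"AWS:SourceIp": source_ip}
    return json.dumps({"Statement": [{"Resource": resource, "Condition": condition}]},
                      separators=(",", ":"))


def signed_url(url: str, key_pair_id: str, policy: str, signer: Callable[[bytes], bytes],
               canned_expires_epoch: Optional[int] = None) -> str:
    """Append Expires (canned) or Policy (custom), then Signature and Key-Pair-Id."""
    signature = cloudfront_b64(signer(policy.encode("utf-8")))
    if canned_expires_epoch is not None:
        params = {"Expires": canned_expires_epoch}
    else:
        params = {"Policy": cloudfront_b64(policy.encode("utf-8"))}
    params.update({"Signature": signature, "Key-Pair-Id": key_pair_id})
    return url + ("&" if "?" in url else "?") + urlencode(params)


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    """RSA PKCS#1 v1.5 over SHA-1, the scheme CloudFront verifies. Imports the
    third-party 'cryptography' package lazily so the rest of the module runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


if __name__ == "__main__":
    from cryptography.hazmat.primitives import serialization
    from cryptography.hazmat.primitives.asymmetric import rsa
    # Throwaway key for the demo; in practice the private key stays with the signing service.
    pem = rsa.generate_private_key(public_exponent=65537, key_size=2048).private_bytes(
        serialization.Encoding.PEM, serialization.PrivateFormat.PKCS8, serialization.NoEncryption())
    sign = rsa_sha1_signer(pem)
    expires = int(time.time()) + 600
    video = "https://d111111abcdef8.cloudfront.net/video.mp4"  # placeholder distribution
    print(signed_url(video, "APKAEXAMPLEKEYPAIRID", canned_policy(video, expires), sign, expires))
    wide = custom_policy("https://d111111abcdef8.cloudfront.net/private/*", expires, source_ip="203.0.113.0/24")
    print(signed_url(video, "APKAEXAMPLEKEYPAIRID", wide, sign))
```

Two things to keep in mind when using this for real: the signature covers the policy bytes exactly, so any re-serialisation with different whitespace invalidates it, and the private key belongs to a CloudFront key pair (today managed as a key group with public keys uploaded to CloudFront rather than the older root-account "trusted signer" key pairs), so it should never be deployed to the web tier that hands out the URLs.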

Page 25: Secure Content Delivery Using Amazon CloudFront

Access Control: Private Content

Under development mode? Make CloudFront accessible only from your "internal IP addresses", for example with an AWS WAF IP match condition that allows your office ranges and a web ACL whose default action is BLOCK.

Page 26: Secure Content Delivery Using Amazon CloudFront

You are still not done…

What if you want to restrict access based on parameters in the request?

Page 27: Secure Content Delivery Using Amazon CloudFront

What is AWS WAF?

[Diagram: good users and bad guys send requests through AWS WAF to the server; WAF logs feed threat analysis, which drives a rule updater]

Page 28: Secure Content Delivery Using Amazon CloudFront

Serving Unnecessary Requests Costs Money

[Diagram: a scraper bot and a legitimate browser both reach the Amazon CloudFront edge location, with AWS WAF in front of it]

Request from the scraper bot:

Host: www.internetkitties.com

User-Agent: badbot

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.InTeRnEkItTiEs.com/

Connection: keep-alive

Request from a legitimate browser:

Host: www.internetkitties.com

User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.mysite.com/

Connection: keep-alive

Page 29: Secure Content Delivery Using Amazon CloudFront

Access Control: Web Application Firewall

[Diagram: the same scraper-bot and legitimate-browser requests as on Page 28, with AWS WAF evaluating them in front of the Amazon CloudFront edge location]

Page 30: Secure Content Delivery Using Amazon CloudFront

Setting Up AWS WAF

1. Create a web ACL: ALLOW requests by default, but…

2. Add a rule: BLOCK if…

3. Add match conditions: …the source IP matches this list…

4. Assign to CloudFront: …for any request to d123.cloudfront.net.

Page 31: Secure Content Delivery Using Amazon CloudFront

But wait, there's more

Match conditions

• IP

• String

• SQLi

Customizable rules

• AND/OR

• Block, allow, or count

• Ordered conditions

Fast feedback

• ~1 minute for changes

• 1-minute metrics

• Request samples

Page 32: Secure Content Delivery Using Amazon CloudFront

Match conditions: Strings and bytes

Match any part of the web request

Raw request headers as seen by AWS WAF in front of CloudFront (good user):

Host: www.example.com

User-Agent: Mozilla/5.0 (Macintosh; …

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.example.com/

Connection: keep-alive

Rule (string match condition):

Check: Header "Referer"

Match Type: Contains

Match: "example.com"

Action: ALLOW

Two cautions. The HTTP header is spelled "Referer" (the original slide wrote "Referrer"); a condition on a header named "Referrer" never matches anything. And a Referer-based ALLOW is only a convenience for legitimate browsers, not a security control: the client chooses the header, and the bot on Page 28 already sends a Referer carrying the site's own name.

Page 33: Secure Content Delivery Using Amazon CloudFront

Match conditions: Strings and bytes

Use transforms to stop evasion (before: no transform)

Raw request headers as seen by AWS WAF in front of CloudFront (scraper bot):

Host: www.example.com

User-Agent: badbot

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.example.com/

Connection: keep-alive

Rule (string match condition):

Check: Header "User-Agent"

Match Type: Contains

Match: "badbot"

Action: BLOCK

This blocks the bot as long as it sends exactly "badbot"; the next slide shows what happens when it changes the case.

Page 34: Secure Content Delivery Using Amazon CloudFront

Match conditions: Strings and bytes

Use transforms to stop evasion (after: lowercase transform)

Raw request headers as seen by AWS WAF in front of CloudFront (scraper bot, now mixing case):

Host: www.example.com

User-Agent: bAdBoT

Accept: image/png,image/*;q=0.8,*/*;q=0.5

Accept-Language: en-US,en;q=0.5

Accept-Encoding: gzip, deflate

Referer: http://www.InTeRnEtkItTiEs.com/

Connection: keep-alive

Rule (string match condition):

Check: Header "User-Agent"

Transform: To lower

Match Type: Contains

Match: "badbot"

Action: BLOCK

Without the transform "bAdBoT" does not contain "badbot" and the request is allowed; with the transform the header is lowercased before the comparison, so the case-flipped variant is blocked too.

Page 35: Secure Content Delivery Using Amazon CloudFront

Match conditions: Strings and bytes

Malicious binary? We can find it.

1. Select the binary file (bad.bin; its first bytes are 8950 4e47 0d0a 1a0a 0000 000d)

2. Base64-encode the bytes you want to match:

$> base64 bad.bin

iVBORw0KGgoAAAAN

3. Set the match criteria to that base64 string (byte match conditions take their target value base64-encoded)

Choose the bytes carefully: the twelve bytes in this example are the PNG file signature (89 50 4E 47 0D 0A 1A 0A) followed by the IHDR chunk length, so a byte match on them would block every PNG upload, not just the malicious file. Match on a sequence that is unique to the sample you want to stop.

Page 36: Secure Content Delivery Using Amazon CloudFront

Match conditions: SQLi

Request as sent: /login?x=test%27%20UNION%20ALL%20select%20NULL%20--

After transform URL Decode: /login?x=test' UNION ALL select NULL --

Match: SQL Injection → True

Check your query strings with the URL-decode transform applied; without it the encoded quote (%27) never reaches the SQLi detector as a quote.

Page 37: Secure Content Delivery Using Amazon CloudFront

Combining conditions

Restrict a rule to specific URIs, such as the login page.

[Diagram: requests from the public Internet and from Seattle admins pass through AWS WAF; /admin/login.cgi is reachable only from the admins' IP range, /* from everyone]

Page 38: Secure Content Delivery Using Amazon CloudFront

Observing rules in action: finding requests that match your rules

Page 39: Secure Content Delivery Using Amazon CloudFront

Preconfigured Protection & Tutorials

https://aws.amazon.com/waf/preconfiguredrules/

Page 40: Secure Content Delivery Using Amazon CloudFront

Types of attacks that need automation

• HTTP floods

• Scans & probes

• IP reputation lists

• Bots & scrapers

Attackers

Page 41: Secure Content Delivery Using Amazon CloudFront

Application Security

How can you secure your application and origin?

Infrastructure Security

Application Security

Services Security

Page 42: Secure Content Delivery Using Amazon CloudFront

Application Security

• IAM policies

• Origin protection

• OAI

• Rotate keys

• Rotate certificates

(What CloudFront does automatically) + (What should you do?) = Highly secure content delivery

Page 43: Secure Content Delivery Using Amazon CloudFront

Hackers could still bypass CloudFront to access your origin…

Page 44: Secure Content Delivery Using Amazon CloudFront

Access Control: Restricting Origin Access

Amazon S3: Origin Access Identity (OAI)

• Prevents direct access to your Amazon S3 bucket

• Ensures performance benefits to all customers

Custom origin: block by IP address, plus a pre-shared secret header

• Whitelist only CloudFront

• Protects origin from overload

• Ensures performance benefits to all customers

Page 45: Secure Content Delivery Using Amazon CloudFront

Origin Access Identity (OAI)

• Only CloudFront can access the Amazon S3 bucket

• We make it simple for you

[Diagram: Amazon CloudFront → (region) Amazon S3 bucket / custom origin]

The OAI only helps if the bucket policy grants read access to that identity and nothing else; a public-read statement left in the policy still lets viewers fetch objects directly from S3. CloudFront has since introduced Origin Access Control (OAC), which supersedes OAI and also covers SSE-KMS-encrypted objects; new distributions should use it.
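An added check, not from the talk, for the point above: a small linter that reads an S3 bucket policy, reports any Allow statement an anonymous caller can use, and lists the OAI IDs the policy grants to so they can be compared with the distribution's origin configuration. Both policies are constructed; the bucket name and the OAI ID are placeholders, and the OAI principal ARN follows the documented form.

```python
import json
from typing import Any, List

# Constructed bucket policies (bucket name and OAI ID are placeholders).
OAI_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowCloudFrontOAIRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2EXAMPLE"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my-private-bucket/*",
    }],
})

PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::my-private-bucket/*",
    }],
})

OAI_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def _as_list(value: Any) -> List[Any]:
    return value if isinstance(value, list) else [value]


def _principals(statement: dict) -> List[str]:
    """Flatten the Principal element: '*', {'AWS': '*'}, or a list of ARNs."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return ["*"]
    if isinstance(principal, dict):
        return [p for key in principal for p in _as_list(principal[key])]
    return _as_list(principal)


def anonymous_grants(policy_json: str) -> List[str]:
    """Sids of Allow statements any unauthenticated caller satisfies, i.e. the
    statements that let viewers bypass CloudFront and read the bucket directly."""
    hits = []
    for i, st in enumerate(json.loads(policy_json)["Statement"]):
        if st.get("Effect") == "Allow" and "*" in _principals(st):
            hits.append(st.get("Sid", f"statement[{i}]"))
    return hits


def oai_ids(policy_json: str) -> List[str]:
    """OAI IDs the policy grants to; compare with the distribution's origin config."""
    ids = []
    for st in json.loads(policy_json)["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        ids += [p[len(OAI_PREFIX):] for p in _principals(st) if p.startswith(OAI_PREFIX)]
    return ids


if __name__ == "__main__":
    for label, policy in (("oai-only", OAI_ONLY_POLICY), ("public-read", PUBLIC_READ_POLICY)):
        print(label, "anonymous:", anonymous_grants(policy), "oai:", oai_ids(policy))
```

The function reports anonymous grants even when the statement carries a Condition, because conditions such as aws:Referer are set by the client and are not a substitute for the OAI. Enabling S3 Block Public Access on the bucket is the belt-and-braces setting that makes such statements ineffective in the first place.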

Page 46: Secure Content Delivery Using Amazon CloudFront

Shield Custom Origin

1. Whitelist the CloudFront IP range

2. Whitelist a pre-shared secret origin header

[Diagram: Amazon CloudFront → (region) Amazon S3 bucket / custom origin]

Page 47: Secure Content Delivery Using Amazon CloudFront

Shield Custom Origin

• Subscribe to SNS notifications on changes to the AWS IP ranges (topic arn:aws:sns:us-east-1:806199016981:AmazonIpSpaceChanged)

• Automatically update security groups

• https://github.com/awslabs/aws-cloudfront-samples

[Diagram: a change to the AWS IP ranges publishes an SNS message; AWS Lambda fetches the new ranges and updates the security group in front of the web app servers that Amazon CloudFront fetches from]
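The two origin-protection controls from Pages 44, 46 and 47 as one added example. This is not the awslabs sample code: it shows the offline part of the Lambda's job (parse ip-ranges.json, compute which CIDRs to authorize and revoke in the security group) and the check the origin itself performs on every request (source address inside a CloudFront range and a constant-time comparison of the pre-shared header). The ip-ranges.json document and the secret are constructed; the header name X-Origin-Verify is an assumption, any name configured as a CloudFront origin custom header works.

```python
import hmac
import ipaddress
import json
from typing import Dict, Iterable, List, Set, Tuple

# Constructed stand-in for https://ip-ranges.amazon.com/ip-ranges.json:
# same schema, made-up prefixes.
IP_RANGES_JSON = json.dumps({
    "syncToken": "1460000000",
    "createDate": "2016-04-07-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/25", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})


def cloudfront_prefixes(ip_ranges_json: str, service: str = "CLOUDFRONT") -> Set[str]:
    """IPv4 prefixes published for the given service."""
    doc = json.loads(ip_ranges_json)
    return {p["ip_prefix"] for p in doc["prefixes"] if p["service"] == service}


def security_group_delta(current: Iterable[str], desired: Iterable[str]) -> Tuple[List[str], List[str]]:
    """CIDRs to authorize and to revoke so the group allows exactly `desired`.
    Revoking what is no longer published matters as much as adding new ranges."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)


def origin_accepts(remote_ip: str, headers: Dict[str, str], allowed: Set[str],
                   secret: str, header_name: str = "x-origin-verify") -> bool:
    """Both controls together: the peer must come from a CloudFront range *and*
    present the pre-shared secret. Header names are compared lowercase."""
    addr = ipaddress.ip_address(remote_ip)
    from_edge = any(addr in ipaddress.ip_network(cidr) for cidr in allowed)
    presented = headers.get(header_name, "")
    # compare_digest keeps the comparison time independent of where the strings differ.
    return from_edge and hmac.compare_digest(presented.encode("utf-8"), secret.encode("utf-8"))


if __name__ == "__main__":
    edges = cloudfront_prefixes(IP_RANGES_JSON)
    add, remove = security_group_delta({"203.0.113.0/24", "192.0.2.0/24"}, edges)
    print("authorize:", add, "revoke:", remove)
    print(origin_accepts("203.0.113.9", {"x-origin-verify": "s3cr3t"}, edges, "s3cr3t"))  # True
    print(origin_accepts("192.0.2.9", {"x-origin-verify": "s3cr3t"}, edges, "s3cr3t"))    # False
```

Today the published file carries a separate service entry, CLOUDFRONT_ORIGIN_FACING, for the subset of edge addresses that actually connect to origins; using it keeps the security group much smaller than the full CLOUDFRONT list. The secret header must be rotated like any other key (the talk lists "rotate keys" under application security): update the origin to accept both old and new values, change the custom header on the distribution, then retire the old value.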

Page 48: Secure Content Delivery Using Amazon CloudFront

Services Security: IAM

• Use AWS managed policies or create custom policies

• Regulate access to the CloudFront APIs

• Grant each user or role only the permissions its job needs

Page 49: Secure Content Delivery Using Amazon CloudFront

Services Security: IAM Examples

• Example 1: Create groups with access only to create invalidations

• Example 2: Read-only access to your distributions & their configuration

Page 50: Secure Content Delivery Using Amazon CloudFront

AWS CloudTrail

Record the history of CloudFront API calls for:

• Security analysis

• Resource change tracking

• Compliance auditing

[Diagram: CloudFront distribution updates → CloudTrail → CloudWatch alarm]

CloudFront is a global service, so CloudTrail records its API calls in the US East (N. Virginia) region; a trail in that region, or a multi-region trail, is needed to capture distribution changes.

Page 51: Secure Content Delivery Using Amazon CloudFront

How to validate your security configurations

Page 52: Secure Content Delivery Using Amazon CloudFront