電子商務雲端新戰場 Secure Your Critical Workload on AWS Harry Lin (林書平), Solutions Architect Amazon Web Services November 2016

Upload: amazon-web-services

Post on 16-Jan-2017

TRANSCRIPT

Page 1: Secure your critical workload on AWS

電子商務雲端新戰場 Secure Your Critical Workload on AWS

Harry Lin (林書平), Solutions Architect

Amazon Web Services November 2016

Page 2: Secure your critical workload on AWS

CELEBRATING THE 10TH ANNIVERSARY OF AMAZON WEB SERVICES

Page 3: Secure your critical workload on AWS

Consumer Business

Tens of millions of active customer accounts

13 countries: US, UK, Germany, Japan, France, Canada, China, Italy, Brazil, Mexico, India, Spain, Australia

Seller Business

Sell on Amazon websites

Use Amazon technology for your own retail website

Leverage Amazon’s massive fulfilment centre network

IT Infrastructure Business

Web-scale cloud computing infrastructure for developing, deploying & operating applications

Over 1 million active customers in over 190 countries

Page 4: Secure your critical workload on AWS

What is Cloud Computing? “On-Demand delivery of IT resources via the Internet with pay-as-you-go pricing.”

Technical Component Business Component

Page 5: Secure your critical workload on AWS

Why Run Critical Workloads on AWS?

Experience: building and managing cloud since 2006

Scale: 13 regions, 35 availability zones, 59 edge locations*

Ecosystem: thousands of partners; 2,500+ Marketplace products

Performance: extensive VM and network performance options

Security: security in layers approach

*as of July 31, 2014

Page 6: Secure your critical workload on AWS

Let’s Start From Security

Page 7: Secure your critical workload on AWS

How AWS Can Help

In the cloud, security is a shared responsibility: https://aws.amazon.com/compliance/shared-responsibility-model/

How we secure our infrastructure: SOC 1, 2, 3; ISO 27001/2 certification; PCI DSS 2.0 Level 1-5; HIPAA/SOX compliance; FedRAMP, FISMA & DIACAP; ITAR

How can you secure your application? Encrypt data in transit; encrypt data at rest; protect your AWS credentials; rotate your keys; secure your application, OS, stack, and AMIs; enforce IAM policies; leverage S3 bucket policies

What security options and features are available to you? Use MFA, VPC, and EC2 security groups; EFS in EC2, ACM, etc.

Page 8: Secure your critical workload on AWS

AWS Shared Responsibility Model

AWS is responsible for the security OF the Cloud: AWS Foundation Services (Compute, Storage, Database, Networking); AWS Global Infrastructure (Regions, Availability Zones, Edge Locations)

Customers are responsible for their security and compliance IN the Cloud: customer content; platform, applications, identity & access management; operating system, network & firewall configuration; client-side data encryption; server-side data encryption; network traffic protection

Page 9: Secure your critical workload on AWS

Every customer gets the same AWS security foundations

AWS maintains a formal control environment:

•  SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
•  SOC 2 Type II and public SOC 3 report
•  ISO 27001, 9001 certifications
•  Certified PCI DSS Level 1 Service Provider
•  FedRAMP certification
•  HIPAA and MPAA capable

AWS Foundation Services: Compute, Storage, Database, Networking; AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Page 10: Secure your critical workload on AWS

PCI Compliance service

Services that support merchants or service providers in processing, storing and transmitting credit card data have been validated as PCI compliant. These services include:

Auto Scaling, AWS CloudFormation, Amazon CloudFront, AWS CloudHSM, AWS CloudTrail, AWS Direct Connect, Amazon DynamoDB, AWS Elastic Beanstalk, Amazon Elastic Block Store (EBS), Amazon Elastic Compute Cloud (EC2), Elastic Load Balancing (ELB), Amazon Elastic MapReduce (EMR), Amazon Glacier, AWS Key Management Service (KMS), AWS Identity and Access Management (IAM), Amazon Redshift, Amazon Relational Database Service (RDS), Amazon Route 53, Amazon Simple Storage Service (S3), Amazon Simple Queue Service (SQS), Amazon Simple Workflow Service (SWF), Amazon Virtual Private Cloud (VPC)

Page 11: Secure your critical workload on AWS

How About Security Auditing?

AWS CloudTrail can help you achieve many tasks:

•  Security analysis
•  Track changes to AWS resources, for example VPC security groups and NACLs
•  Compliance – log and understand AWS API call history
•  Prove that you did not use the wrong region or use services you don’t want
•  Troubleshoot operational issues – quickly identify the most recent changes to your environment
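The three CloudTrail uses named on this slide (prove which regions and services were not used, and list the most recent changes) can be scripted against the JSON that CloudTrail delivers to S3. The following is an added example, not code from the talk or from AWS; the records are constructed sample data in the CloudTrail event schema, and the allowed-region and allowed-service sets are hypothetical policy for an account that only uses two Asia-Pacific regions.

```python
"""Added example (not from the slides): audit CloudTrail records for activity
in regions you do not use and for services you have not approved, and list
the most recent mutating API calls for troubleshooting.
The records below are constructed sample data in the CloudTrail event schema."""
import json

# Hypothetical account policy: the only regions and services this workload should touch.
ALLOWED_REGIONS = {"ap-northeast-1", "ap-southeast-1"}
ALLOWED_SERVICES = {
    "ec2.amazonaws.com",
    "s3.amazonaws.com",
    "iam.amazonaws.com",
    "elasticloadbalancing.amazonaws.com",
}

# Constructed sample trail file (real files are gzipped JSON objects with a "Records" list).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-11-01T03:10:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
    {"eventTime": "2016-11-01T03:12:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "us-west-2",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
    {"eventTime": "2016-11-01T03:15:00Z", "eventSource": "glacier.amazonaws.com",
     "eventName": "CreateVault", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "analyst"}},
    {"eventTime": "2016-11-01T03:20:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutBucketPolicy", "awsRegion": "ap-southeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"}},
]})

# Prefixes of API names that change state; read-only calls (Describe*, Get*, List*) are skipped.
MUTATING_PREFIXES = ("Create", "Put", "Run", "Authorize", "Delete", "Modify", "Revoke", "Update")


def load_records(trail_json):
    """Parse one CloudTrail log file body into its list of event records."""
    return json.loads(trail_json)["Records"]


def audit(records, allowed_regions=ALLOWED_REGIONS, allowed_services=ALLOWED_SERVICES):
    """Return (finding, value, eventName, user) tuples for every record that
    touches a region or a service outside the allowed sets."""
    findings = []
    for r in records:
        who = r.get("userIdentity", {}).get("userName", "<unknown>")
        if r["awsRegion"] not in allowed_regions:
            findings.append(("unexpected-region", r["awsRegion"], r["eventName"], who))
        if r["eventSource"] not in allowed_services:
            findings.append(("unapproved-service", r["eventSource"], r["eventName"], who))
    return findings


def recent_changes(records, limit=10):
    """Most recent state-changing API calls first: the 'what changed' view
    the slide recommends for troubleshooting operational issues."""
    changes = [r for r in records if r["eventName"].startswith(MUTATING_PREFIXES)]
    return sorted(changes, key=lambda r: r["eventTime"], reverse=True)[:limit]


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for finding in audit(recs):
        print("FINDING", *finding)
    for r in recent_changes(recs):
        print(r["eventTime"], r["awsRegion"], r["eventSource"], r["eventName"])
```

On a real account, feed it every object under the trail's S3 prefix rather than the embedded string; an empty `audit()` result over a full day of logs is the positive evidence ("we did not use region X") that the slide refers to, which is why the trail must cover all regions, not only the ones you expect to use.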

Page 12: Secure your critical workload on AWS

Out of the box…

•  HTTP and HTTPS requests logged with ELB logging
•  API and console calls logged with CloudTrail logs
•  Network traffic logged with VPC Flow Logs
•  VPC change history logged with AWS Config
•  IAM policy and user changes logged with AWS Config
•  Application-level metrics logged with CloudWatch Logs

Page 13: Secure your critical workload on AWS

Vulnerability Management

Page 14: Secure your critical workload on AWS

Page 15: Secure your critical workload on AWS

Promotion at scale

Flash Sale Pre-Order

Thanksgiving-Black Friday weekend Cyber Monday

Singles’ Day (光棍節), Double Twelve (双十二)

Page 16: Secure your critical workload on AWS

Challenge

10X customers

Some robots

Page 17: Secure your critical workload on AWS

Is there any other way to mitigate attacks for

my critical workloads on AWS?

Page 18: Secure your critical workload on AWS

AWS WAF Example: A Technical Implementation

Blocking bad bots dynamically with AWS WAF web ACLs

Page 19: Secure your critical workload on AWS

AWS WAF Example: Blocking Bad Bots

What We Need…

•  IPSet: contains our list of blocked IP addresses
•  Rule: blocks requests if the request matches an IP in our IPSet
•  WebACL: allows requests by default, contains our Rule

and…

•  Mechanism to detect bad bots
•  Mechanism to add bad bot IP addresses to the IPSet

Page 20: Secure your critical workload on AWS

Promotion at scale

Amazon DynamoDB

Web DMZ

public subnet

Cache Private

private subnet

CDN

Edge

Lambda

CDN

Edge

WAF

WAF

X

•  Bad requests (4xx, 5xx)
•  Rate limit
•  SQLi, XSS

Static website *.html, *.js *.css

*.jpg *.mp4

S3

Page 21: Secure your critical workload on AWS

Amazon CloudFront Edge Location

Access Control with AWS WAF, a Web Application Firewall Service

Scraper Bot:

Host: www.internetkitties.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEkItTiEs.com/
Connection: keep-alive

Browser request (AWS WAF):

Host: www.internetkitties.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.mysite.com/
Connection: keep-alive
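The "mechanism to detect bad bots" and "mechanism to add bad bot IP addresses to the IPSet" from the Page 19 slide, together with the header comparison above, are shown below as one added example; it is not code from the talk or from AWS. Detection uses the three signals the deck names (a hostile User-Agent such as `badbot`, bursts of 4xx responses, and request rate) over classic ELB access-log lines, and the output is the `Updates` list that the classic AWS WAF `UpdateIPSet` API takes. The log lines, the header dictionaries, the thresholds and `IP_SET_ID` are constructed or placeholder values; the boto3 function at the end is only shown, never called, because it needs credentials and an existing IPSet.

```python
"""Added example (not from the slides): detect bad bots from ELB access logs
and request headers, then build the IPSet update that classic AWS WAF expects.
Log lines, headers and thresholds are constructed sample values."""
import shlex
from collections import Counter, defaultdict

BAD_UA_TOKENS = ("badbot",)   # the User-Agent from the slide; extend from your own telemetry
BAD_STATUS_THRESHOLD = 3      # assumption: >= 3 4xx responses from one IP in the log window
RATE_THRESHOLD = 3            # assumption: >= 3 requests from one IP in the (short) window

# Constructed classic ELB access-log lines: time, elb, client:port, backend:port, three
# processing times, elb_status, backend_status, received, sent, "request", "user_agent",
# cipher, protocol. 198.51.100.7 trips every rule; 192.0.2.44 only the rate rule.
SAMPLE_ELB_LOG = """\
2016-11-01T03:10:00.000000Z my-elb 203.0.113.10:54321 10.0.1.5:80 0.00004 0.0013 0.00002 200 200 0 57 "GET https://www.internetkitties.com:443/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; WOW64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-01T03:10:01.000000Z my-elb 198.51.100.7:40001 10.0.1.5:80 0.00004 0.0011 0.00002 404 404 0 12 "GET https://www.internetkitties.com:443/p/1 HTTP/1.1" "badbot" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-01T03:10:01.200000Z my-elb 198.51.100.7:40002 10.0.1.5:80 0.00004 0.0011 0.00002 404 404 0 12 "GET https://www.internetkitties.com:443/p/2 HTTP/1.1" "badbot" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-01T03:10:01.400000Z my-elb 198.51.100.7:40003 10.0.1.5:80 0.00004 0.0011 0.00002 404 404 0 12 "GET https://www.internetkitties.com:443/p/3 HTTP/1.1" "badbot" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-01T03:10:02.000000Z my-elb 192.0.2.44:51000 10.0.1.5:80 0.00004 0.0010 0.00002 200 200 0 57 "GET https://www.internetkitties.com:443/cat1.jpg HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-01T03:10:02.100000Z my-elb 192.0.2.44:51001 10.0.1.5:80 0.00004 0.0010 0.00002 200 200 0 57 "GET https://www.internetkitties.com:443/cat2.jpg HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-01T03:10:02.200000Z my-elb 192.0.2.44:51002 10.0.1.5:80 0.00004 0.0010 0.00002 200 200 0 57 "GET https://www.internetkitties.com:443/cat3.jpg HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
"""

# The two requests from the slide, as header dictionaries (constructed from the slide text).
SAMPLE_HEADERS_BOT = {"Host": "www.internetkitties.com", "User-Agent": "badbot",
                      "Referer": "http://www.InTeRnEkItTiEs.com/"}
SAMPLE_HEADERS_USER = {"Host": "www.internetkitties.com",
                       "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
                       "Referer": "http://www.mysite.com/"}


def is_bad_user_agent(user_agent):
    """Case-insensitive substring match against the known-bad token list."""
    ua = user_agent.lower()
    return any(tok in ua for tok in BAD_UA_TOKENS)


def is_suspicious_request(headers):
    """Header-level check mirroring the slide: the User-Agent alone separates the two requests."""
    return is_bad_user_agent(headers.get("User-Agent", ""))


def parse_elb_line(line):
    """Split one classic ELB access-log line; quoted request and user-agent stay whole."""
    f = shlex.split(line)
    return {"time": f[0],
            "client_ip": f[2].rsplit(":", 1)[0],
            "elb_status": int(f[7]) if f[7].isdigit() else 0,   # "-" when the client hung up
            "request": f[11],
            "user_agent": f[12]}


def find_bad_bots(log_text):
    """Return {client_ip: [reasons]} for every IP that trips at least one rule."""
    reasons = defaultdict(set)
    total, bad_status = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_elb_line(line)
        ip = e["client_ip"]
        total[ip] += 1
        if 400 <= e["elb_status"] < 500:
            bad_status[ip] += 1
        if is_bad_user_agent(e["user_agent"]):
            reasons[ip].add("user-agent")
    for ip, n in bad_status.items():
        if n >= BAD_STATUS_THRESHOLD:
            reasons[ip].add("4xx-burst")
    for ip, n in total.items():
        if n >= RATE_THRESHOLD:
            reasons[ip].add("rate")
    return {ip: sorted(r) for ip, r in reasons.items()}


def ipset_updates(bad_ips, action="INSERT"):
    """Build the Updates list for the classic WAF UpdateIPSet call, one /32 per address."""
    return [{"Action": action, "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
            for ip in sorted(bad_ips)]


def push_to_waf(updates, ip_set_id):
    """Apply the updates to an existing IPSet (needs boto3 and credentials; shown only).
    Use boto3.client("waf") for an IPSet attached to a CloudFront web ACL."""
    import boto3
    waf = boto3.client("waf")
    token = waf.get_change_token()["ChangeToken"]
    return waf.update_ip_set(IPSetId=ip_set_id, ChangeToken=token, Updates=updates)


if __name__ == "__main__":
    bots = find_bad_bots(SAMPLE_ELB_LOG)
    print(bots)
    print(ipset_updates(bots))   # pass this plus a real IPSetId to push_to_waf
```

Two things a production version adds: a time window (the rate rule above counts a whole file, so run it per five-minute log batch), and a matching `DELETE` update after a cool-down so a dynamic IPSet does not grow without bound or keep blocking a shared NAT address for ever. Because the WebACL allows by default and the Rule only matches the IPSet, a false positive costs one wrongly blocked address and nothing else, which is the reason the slide builds the list dynamically instead of blocking on a User-Agent string in the ACL itself.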

Page 22: Secure your critical workload on AWS

Mitigate Application Layer Attacks

ELB

DMZ public subnet

CloudFront Edge Location

WAF / Proxy private subnet

Attack

users WAF

ELB Auto Scaling

frontend servers private subnet

web app server

AWS WAF

Page 23: Secure your critical workload on AWS

AWS Certificate Manager

•  Provision SSL/TLS certificates from Amazon for use with AWS resources: Elastic Load Balancing, Amazon CloudFront distributions
•  AWS handles the muck: key pair and CSR generation, managed renewal and deployment, domain validation via email

Page 24: Secure your critical workload on AWS

Before (time-consuming & complex)

3rd Party Certificate Authority

3-5 days

Upload to IAM via AWS CLI

Connect to CloudFront via AWS CLI

After (simple & automated & super fast)

AWS Certificate Manager

End-to-end process within minutes

Using a couple of mouse clicks on the console

Integrated with AWS Certificate Manager

Page 25: Secure your critical workload on AWS

SSL on ELB

Support for both SSL and HTTPS is provided. SSL Negotiation Policies provide a selection of ciphers and protocols that adhere to the latest industry best practices, optimized for a balance between security and client connectivity, as tested with Amazon.com traffic.

Page 26: Secure your critical workload on AWS

POODLE (SSLv3)

Within 24 hours, 62% of load balancers migrated to the latest SSL Negotiation Policy, disabling SSLv3.
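The migration figure above came from AWS publishing a new predefined policy; for a custom negotiation policy the operator has to do the review themselves. The following added example (not from the talk or from AWS) takes a policy in the shape that the classic ELB `DescribeLoadBalancerPolicies` API returns, where each protocol and cipher is an attribute with value `"true"` or `"false"`, and lists the attribute changes needed to disable SSLv3 and the weak cipher families. The sample policy and the weak-cipher markers are constructed; the attribute names used are real ELB attribute names.

```python
"""Added example (not from the slides): review a classic ELB SSL negotiation policy
(as returned by DescribeLoadBalancerPolicies) and list the attribute changes that
disable SSLv3 and weak ciphers. The policy below is constructed sample data."""

WEAK_PROTOCOLS = {"Protocol-SSLv2", "Protocol-SSLv3"}
# Substrings that mark cipher families to disable: RC4, DES and 3DES (both contain "DES"),
# MD5-based MACs, export-grade and NULL ciphers. "AES" does not match "DES".
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "EXP", "NULL")
ORDER_ATTR = "Server-Defined-Cipher-Order"

# Constructed policy: SSLv3 still on, client-chosen cipher order, RC4 and 3DES enabled.
SAMPLE_POLICY = {
    "PolicyName": "my-custom-ssl-policy",
    "PolicyTypeName": "SSLNegotiationPolicyType",
    "PolicyAttributeDescriptions": [
        {"AttributeName": "Protocol-SSLv3", "AttributeValue": "true"},
        {"AttributeName": "Protocol-TLSv1", "AttributeValue": "true"},
        {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
        {"AttributeName": ORDER_ATTR, "AttributeValue": "false"},
        {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
        {"AttributeName": "RC4-SHA", "AttributeValue": "true"},
        {"AttributeName": "DES-CBC3-SHA", "AttributeValue": "true"},
    ],
}


def enabled_attributes(policy):
    """Names of every attribute (protocol, cipher or option) switched on in the policy."""
    return {a["AttributeName"] for a in policy["PolicyAttributeDescriptions"]
            if a["AttributeValue"] == "true"}


def review_policy(policy):
    """Return (AttributeName, AttributeValue) pairs that must change, in a stable order:
    weak protocols off, weak ciphers off, then server-defined cipher order on."""
    on = enabled_attributes(policy)
    fixes = [(p, "false") for p in sorted(WEAK_PROTOCOLS & on)]
    for name in sorted(on):
        if name.startswith("Protocol-") or name == ORDER_ATTR:
            continue
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            fixes.append((name, "false"))
    if ORDER_ATTR not in on:
        fixes.append((ORDER_ATTR, "true"))
    return fixes


def as_cli_attributes(fixes):
    """Render the changes in the shorthand that `aws elb create-load-balancer-policy
    --policy-attributes` accepts (one AttributeName=...,AttributeValue=... per change)."""
    return " ".join(f"AttributeName={n},AttributeValue={v}" for n, v in fixes)


if __name__ == "__main__":
    fixes = review_policy(SAMPLE_POLICY)
    for name, value in fixes:
        print(f"set {name} = {value}")
    print(as_cli_attributes(fixes))
```

The simplest fix is usually to switch the listener to the newest `ELBSecurityPolicy-*` predefined policy rather than patching a custom one; the review above is for the cases where a custom policy exists for client-compatibility reasons and you need to know exactly which knobs still differ from a safe baseline.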

Page 27: Secure your critical workload on AWS

Ubiquitous Encryption

Encryption at rest; encryption in transit; fully auditable; fully managed keys; restricted access

Services shown: AWS CloudTrail, IAM, EBS, RDS, Redshift, S3, Glacier

Page 28: Secure your critical workload on AWS

MyDress helps enable fashion labels in Japan, Korea, and Taiwan to sell clothes and accessories to customers in Hong Kong online.

“With AWS, we do not need to buy enough hardware to cover peak demand that would then sit idle the rest of the time.” Edman Hung, IT Manager, MyDress

•  MyDress started in a physical data centre, but it could not keep up with rapid business growth; a DDoS attack in 2014 made the service unavailable for 4 hours, and business loss reached 52%
•  The Magento-based e-commerce platform needed a highly available, secure, scalable and high-performance infrastructure platform that could also support elastic business needs such as promotions
•  Using AWS saved NT$2,200,000 (US$77,350)

Page 29: Secure your critical workload on AWS

On 8 April 2015, Mi Fan Festival day, 14.6 million users joined the Mi Fan Festival celebration; more than 2 million phones and 1.2 million smart devices and phone accessories were sold, for sales of over 2 billion RMB, setting a Guinness World Record, with 43.6% of transactions made from mobile devices. While the Guinness record was being set, AWS safeguarded the flash sale and helped Mi.com save hundreds of thousands in IT costs.

http://cloud.51cto.com/art/201505/475517.htm

Page 30: Secure your critical workload on AWS

AWS Marketplace: One-stop shop for security tools

Encryption & Key Mgmt; Server & Endpoint Protection; Application Security; Vulnerability & Pen Testing; Advanced Threat Analytics; Identity and Access Mgmt; Network Security

Page 31: Secure your critical workload on AWS

Video Demo: Security Information and Event Management (SIEM) on AWS

Page 32: Secure your critical workload on AWS

AWS Platform For eCommerce

App Backend

API Gateway

Lambda

CDN

CloudFront

Mobile Apps Analytics

RedShift

Data Storage

S3

Machine Learning

Machine Learning

DynamoDB

AWS Global Infrastructure APN Partner Solutions

Kinesis Mobile Push

EMR

Mobile Analytics

Device farm

Cache

Memcache

Redis

Web

Load balancer

Compute

Auto scaling

Networking

DNS

Virtual private network

RDS MySQL

RDS Oracle

AWS WAF

Page 33: Secure your critical workload on AWS

Thank You