14 38 63
Scale: 13 regions, 35 availability zones, 59 edge locations
AWS Global Infrastructure: Regions, Availability Zones, Edge Locations
PCI Compliance services
Services that support merchants or service providers in processing, storing and transmitting credit card data have been validated as PCI compliant. These services include:
Auto Scaling
AWS CloudFormation
Amazon CloudFront
AWS CloudHSM
AWS CloudTrail
AWS Direct Connect
Amazon DynamoDB
AWS Elastic Beanstalk
Amazon Elastic Block Store (EBS)
Amazon Elastic Compute Cloud (EC2)
Elastic Load Balancing (ELB)
Amazon Elastic MapReduce (EMR)
Amazon Glacier
AWS Key Management Service (KMS)
AWS Identity and Access Management (IAM)
Amazon Redshift
Amazon Relational Database Service (RDS)
Amazon Route 53
Amazon Simple Storage Service (S3)
Amazon Simple Queue Service (SQS)
Amazon Simple Workflow Service (SWF)
Amazon Virtual Private Cloud (VPC)
How About Security Auditing?
Flash Sale
Pre-Order
Thanksgiving-Black Friday weekend
Cyber Monday
10X customers
Some robots
Is there any other way to mitigate attacks for my critical workloads on AWS?
AWS WAF Example: A Technical Implementation
What We Need…
• IPSet: contains our list of blocked IP addresses
• Rule: blocks requests if requests match IP in our IPSet
• WebACL: allow requests by default, contains our Rule
and…
• Mechanism to detect bad bots
• Mechanism to add bad bot IP address to IPSet
Promotion at scale
• Bad request 4xx 5xx
• Rate limit
• SQLI XSS
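As an added example, not code from the deck or from AWS, the script below implements the two detection mechanisms the list above calls for (a known bad-bot User-Agent and too many 4xx/5xx responses from one client inside a short window) and shapes the result into the Updates list that the classic AWS WAF UpdateIPSet call takes, so a Lambda function could push the addresses into the IPSet the Rule matches on. The log line format, the sample lines and the thresholds are constructed; the boto3 call itself is only described in a comment so the script runs offline. SQLi and XSS matching are WAF rule conditions and are not covered here.

```python
"""Bad-bot detection feeding an AWS WAF IPSet (added example, not the deck's code).

Assumes a simplified access-log line of the form "timestamp ip status user_agent"
(constructed for this example) and the classic AWS WAF UpdateIPSet payload shape.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2016-11-25T10:00:01 203.0.113.7 200 badbot
2016-11-25T10:00:01 203.0.113.7 404 badbot
2016-11-25T10:00:02 198.51.100.20 200 Mozilla/5.0 (Windows NT 6.1; WOW64)
2016-11-25T10:00:02 192.0.2.44 404 Mozilla/5.0 (X11; Linux x86_64)
2016-11-25T10:00:02 192.0.2.44 403 Mozilla/5.0 (X11; Linux x86_64)
2016-11-25T10:00:03 192.0.2.44 404 Mozilla/5.0 (X11; Linux x86_64)
2016-11-25T10:00:03 192.0.2.44 404 Mozilla/5.0 (X11; Linux x86_64)
2016-11-25T10:00:04 192.0.2.44 404 Mozilla/5.0 (X11; Linux x86_64)
2016-11-25T10:00:05 198.51.100.20 404 Mozilla/5.0 (Windows NT 6.1; WOW64)
2016-11-25T10:00:05 198.51.100.20 200 Mozilla/5.0 (Windows NT 6.1; WOW64)
"""

BAD_USER_AGENTS = ("badbot",)   # constructed scraper signature list
ERROR_THRESHOLD = 5             # 4xx/5xx responses per window before blocking (assumed)
WINDOW = timedelta(seconds=10)  # sliding window length (assumed)


def parse_log(text):
    """Parse 'timestamp ip status user_agent' lines into (datetime, ip, status, ua)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, status, ua = line.split(" ", 3)
        records.append((datetime.fromisoformat(ts), ip, int(status), ua))
    return records


def detect_bad_bots(records, bad_agents=BAD_USER_AGENTS,
                    threshold=ERROR_THRESHOLD, window=WINDOW):
    """Return {ip: reason} for clients that look like bad bots.

    Two detectors: a known bad User-Agent substring, and at least `threshold`
    4xx/5xx responses from one IP within a sliding `window`.
    """
    flagged = {}
    recent_errors = defaultdict(deque)
    for ts, ip, status, ua in sorted(records, key=lambda r: r[0]):
        if ip in flagged:
            continue
        if any(sig in ua.lower() for sig in bad_agents):
            flagged[ip] = "user-agent"
            continue
        if status >= 400:
            q = recent_errors[ip]
            q.append(ts)
            while ts - q[0] > window:      # drop errors that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = "error-rate"
    return flagged


def build_ipset_updates(ips, action="INSERT"):
    """Build the Updates list for the classic AWS WAF UpdateIPSet call.

    One descriptor per host address (/32 for IPv4, /128 for IPv6). The real call,
    not made here, would be waf.update_ip_set(IPSetId=..., ChangeToken=..., Updates=...)
    with a token from waf.get_change_token() (assumed boto3 usage).
    """
    updates = []
    for ip in sorted(ips, key=lambda s: (ipaddress.ip_address(s).version,
                                         ipaddress.ip_address(s))):
        addr = ipaddress.ip_address(ip)
        prefix = 32 if addr.version == 4 else 128
        updates.append({
            "Action": action,
            "IPSetDescriptor": {
                "Type": "IPV4" if addr.version == 4 else "IPV6",
                "Value": f"{addr}/{prefix}",
            },
        })
    return updates


if __name__ == "__main__":
    bad = detect_bad_bots(parse_log(SAMPLE_LOG))
    for ip, reason in bad.items():
        print(f"block {ip} ({reason})")
    print(build_ipset_updates(bad))
```

The User-Agent check is the cheap signal and the error-rate check catches scrapers that spoof a browser agent but probe URLs that do not exist; the client with a single 404 is left alone, which is the edge case a rate limit has to get right during a flash sale when many legitimate users hit the site at once.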
[Architecture diagram: Lambda, AWS WAF and CDN at the edge in front of an S3 static website (*.html, *.js, *.css, *.jpg, *.mp4); Amazon DynamoDB; web and cache tiers in a public subnet (DMZ) and a private subnet]
Access Control with AWS WAF, a Web Application Firewall Service
Scraper Bot request, arriving at an Amazon CloudFront Edge Location and inspected by AWS WAF:
    Host: www.internetkitties.com
    User-Agent: badbot
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.InTeRnEkItTiEs.com/
    Connection: keep-alive
Ordinary browser request:
    Host: www.internetkitties.com
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
    Accept: image/png,image/*;q=0.8,*/*;q=0.5
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://www.mysite.com/
    Connection: keep-alive
Mitigate Application Layer Attacks
[Diagram: users -> AWS WAF -> web app server]
Amazon Confidential
Integrated with AWS Certificate Manager
Before (time-consuming & complex): 3-5 days; obtain a certificate from a 3rd-party Certificate Authority, upload it to IAM via AWS CLI, connect it to CloudFront via AWS CLI
After (simple & automated & super fast): AWS Certificate Manager
SSL on ELB: POODLE (SSLv3)
Ubiquitous Encryption: encryption at rest, restricted access (S3, RDS, Redshift, AWS CloudTrail)
• The Magento-based e-commerce platform needs a highly available, secure, scalable and high-performance infrastructure platform that can also support elastic business demands such as promotions
• Had to purchase enough hardware to cope with peak demand, while in ordinary times
Edman Hung
IT Manager, Mydress
"At the same time as the Guinness World Record was set, AWS was safeguarding the flash sale and helped the Xiaomi online store (小米網) save hundreds of thousands in IT costs."
http://cloud.51cto.com/art/201505/475517.htm
AWS Marketplace: One-stop shop for security tools
Advanced Threat Analytics; Application Security; Identity and Access Mgmt; Server & Endpoint Protection; Network Security; Encryption & Key Mgmt; Vulnerability & Pen Testing
Video Demo: Security Information and Event Management (SIEM) on AWS
AWS Platform For eCommerce