
E-commerce: The New Cloud Battleground (電子商務雲端新戰場)

Secure Your Critical Workload on AWS

Harry Lin (林書平), Solutions Architect


Amazon Web Services
November 2016
CELEBRATING THE 10TH ANNIVERSARY OF AMAZON WEB SERVICES
Consumer Business
•  Tens of millions of active customer accounts
•  13 countries: US, UK, Germany, Japan, France, Canada, China, Italy, Brazil, Mexico, India, Spain, Australia

Seller Business
•  Sell on Amazon websites
•  Use Amazon technology for your own retail website
•  Leverage Amazon’s massive fulfilment centre network

IT Infrastructure Business
•  Web-scale cloud computing infrastructure for developing, deploying & operating applications
•  Over 1 million active customers in over 190 countries
What is Cloud Computing?
“On-Demand delivery of IT resources via the Internet with pay-as-you-go pricing.”

Technical Component Business Component


Why Run Critical Workloads on AWS?

Security Security in layers approach

Performance Extensive VM and network performance options

Experience Building and managing cloud since 2006

Scale -- 14 38 63 -- 13 regions, 35 availability zones, 59 edge locations

Ecosystem Thousands of partners; 2,500+ Marketplace products

*as of July 31, 2014


Let’s Start From Security: How AWS Can Help

In the cloud, security is a shared responsibility
https://aws.amazon.com/compliance/shared-responsibility-model/

How we secure our infrastructure:
•  SOC 1, 2, 3
•  ISO 27001/2 Certification
•  PCI DSS 2.0 Level 1-5
•  HIPAA/SOX Compliance
•  FedRAMP, FISMA & DIACAP ITAR

How can you secure your application?
•  Encrypt data in transit
•  Encrypt data at rest
•  Protect your AWS credentials
•  Rotate your keys
•  Secure your application, OS, stack, and AMIs

What security options and features are available to you?
•  Enforce IAM policies
•  Use MFA, VPC, and leverage S3 bucket policies
•  EC2 security groups
•  EFS in EC2, ACM, etc.
AWS Shared Responsibility Model

Customers are responsible for their security and compliance IN the Cloud:
•  Customer content
•  Platform, Applications, Identity & Access Management
•  Operating System, Network & Firewall Configuration
•  Client-side Data Encryption, Server-side Data Encryption, Network Traffic Protection

AWS is responsible for the security OF the Cloud:
•  AWS Foundation Services: Compute, Storage, Database, Networking
•  AWS Global Infrastructure: Availability Zones, Edge Locations, Regions

Every customer gets the same AWS security foundations
AWS maintains a formal control environment
•  SOC 1 (SSAE 16 & ISAE 3402) Type II (was SAS70)
•  SOC 2 Type II and public SOC 3 report
•  ISO 27001, 9001 Certifications
•  Certified PCI DSS Level 1 Service Provider
•  FedRAMP Certification
•  HIPAA and MPAA capable
AWS Foundation Services: Compute, Storage, Database, Networking
AWS Global Infrastructure: Availability Zones, Edge Locations, Regions
PCI Compliance service

Services that support merchants or service providers in processing, storing and transmitting cardholder data have been validated as PCI compliant. These services include:
•  Auto Scaling
•  AWS CloudFormation
•  Amazon CloudFront
•  AWS CloudHSM
•  AWS CloudTrail
•  AWS Direct Connect
•  Amazon DynamoDB
•  AWS Elastic Beanstalk
•  Amazon Elastic Block Store (EBS)
•  Amazon Elastic Compute Cloud (EC2)
•  Elastic Load Balancing (ELB)
•  Amazon Elastic MapReduce (EMR)
•  Amazon Glacier
•  AWS Key Management Service (KMS)
•  AWS Identity and Access Management (IAM)
•  Amazon Redshift
•  Amazon Relational Database Service (RDS)
•  Amazon Route 53
•  Amazon Simple Storage Service (S3)
•  Amazon Simple Queue Service (SQS)
•  Amazon Simple Workflow Service (SWF)
•  Amazon Virtual Private Cloud (VPC)
How About Security Auditing?

AWS CloudTrail can help you achieve many tasks
•  Security analysis
•  Track changes to AWS resources, for example VPC security groups and NACLs
•  Compliance – log and understand AWS API call history
•  Prove that you did not:
   •  Use the wrong region
   •  Use services you don’t want
•  Troubleshoot operational issues – quickly identify the most recent changes to your environment
Out of the box….
•  HTTP and HTTPS requests logged with ELB Logging
•  API and Console calls logged with CloudTrail Logs
•  Network traffic logged with VPC Flow Logs
•  VPC change history logged with AWS Config
•  IAM policy and user changes logged with AWS Config
•  Application level metrics logged with CloudWatch Logs
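The CloudTrail uses listed above (spotting security-group changes, proving no activity happened in the wrong region or with an unwanted service) are easy to turn into a small review script. The example below is added here and is not code from the deck or from AWS; the records are constructed in CloudTrail's Records layout, the allowed-region and allowed-service sets are an assumed policy, and the IP addresses are reserved documentation ranges.

```python
"""Review a batch of CloudTrail records for the kinds of change the deck
calls out: security-group edits, activity in an unexpected region, and use
of services you did not intend to run.  Added example; the records below
are constructed to mirror the CloudTrail JSON layout, not real logs."""
import gzip
import json

ALLOWED_REGIONS = {"ap-northeast-1", "ap-southeast-1"}   # assumed policy
ALLOWED_SERVICES = {"ec2", "s3", "iam", "elasticloadbalancing", "cloudtrail"}

# Constructed sample in CloudTrail's Records layout (fields trimmed).
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2016-11-11T00:01:12Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "AuthorizeSecurityGroupIngress", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "ops-harry"},
     "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2016-11-11T00:02:40Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "RunInstances", "awsRegion": "sa-east-1",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "IAMUser", "userName": "ops-harry"},
     "requestParameters": {"instanceType": "c4.8xlarge"}},
    {"eventTime": "2016-11-11T00:03:05Z", "eventSource": "redshift.amazonaws.com",
     "eventName": "CreateCluster", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "analyst-1"},
     "requestParameters": {"clusterIdentifier": "adhoc"}},
    {"eventTime": "2016-11-11T00:04:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "awsRegion": "ap-northeast-1",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "userName": "deploy"},
     "requestParameters": {"bucketName": "site-static", "key": "index.html"}},
]})

# API calls that change a security group or NACL; these are real EC2 action names.
SG_WRITE_EVENTS = {"AuthorizeSecurityGroupIngress", "AuthorizeSecurityGroupEgress",
                   "RevokeSecurityGroupIngress", "RevokeSecurityGroupEgress",
                   "CreateNetworkAclEntry", "ReplaceNetworkAclEntry"}


def open_cidrs(params):
    """Yield (from_port, to_port, cidr) for ranges in a security-group request
    that are open to the whole Internet."""
    perms = (params.get("ipPermissions") or {}).get("items", [])
    for perm in perms:
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                yield perm.get("fromPort"), perm.get("toPort"), rng["cidrIp"]


def review_trail(raw_json, allowed_regions=ALLOWED_REGIONS,
                 allowed_services=ALLOWED_SERVICES):
    """Return (finding_kind, detail) pairs for every record that breaks policy."""
    findings = []
    for rec in json.loads(raw_json)["Records"]:
        service = rec["eventSource"].split(".")[0]        # "ec2.amazonaws.com" -> "ec2"
        who = rec.get("userIdentity", {}).get("userName", "?")
        where = (f'{rec["eventName"]} by {who} from {rec["sourceIPAddress"]} '
                 f'in {rec["awsRegion"]}')
        if rec["awsRegion"] not in allowed_regions:
            findings.append(("wrong-region", where))
        if service not in allowed_services:
            findings.append(("unexpected-service", where))
        if rec["eventName"] in SG_WRITE_EVENTS:
            findings.append(("sg-change", where))
            for lo, hi, cidr in open_cidrs(rec.get("requestParameters", {})):
                findings.append(("world-open-ingress", f"{where}: {cidr} tcp {lo}-{hi}"))
    return findings


def review_trail_file(path):
    """CloudTrail delivers gzipped JSON files to S3; review one after download."""
    with gzip.open(path, "rt") as fh:
        return review_trail(fh.read())


if __name__ == "__main__":
    for kind, detail in review_trail(SAMPLE_TRAIL):
        print(f"{kind:20} {detail}")
```

Run against the constructed batch, the script reports the world-open SSH rule, the instance launched in sa-east-1 and the Redshift cluster created by a service outside the allowed set, while the S3 upload passes. The same function works on the real files CloudTrail delivers to S3 once they are downloaded and gunzipped.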


Vulnerability Management

Promotion at scale
•  Flash Sale
•  Pre-Order
•  Thanksgiving-Black Friday weekend
•  Cyber Monday
•  Singles’ Day (光棍節)
•  Double 12 (双十二)

Challenge: 10X customers, some robots

Is there any other way to mitigate attacks for my critical workloads on AWS?
AWS WAF Example: A Technical Implementation

Blocking bad bots dynamically with AWS WAF web ACLs

AWS WAF Example: Blocking Bad Bots

What We Need…
•  IPSet: contains our list of blocked IP addresses
•  Rule: blocks requests if requests match IP in our IPSet
•  WebACL: allow requests by default, contains our Rule

and…
•  Mechanism to detect bad bots
•  Mechanism to add bad bot IP address to IPSet

Promotion at scale
•  Bad request 4xx 5xx
•  Rate limit
•  SQLI XSS

Architecture diagram (recovered labels): Lambda; AWS WAF at the CDN edge in front of an S3 static website (*.html, *.js, *.css, *.jpg, *.mp4); a second WAF/CDN edge in front of the web tier, with a web cache and Amazon DynamoDB; DMZ in the public subnet, private tier in the private subnet.
Access Control with AWS WAF, a Web Application Firewall Service

Amazon CloudFront Edge Location → AWS WAF

Scraper Bot request:
Host: www.internetkitties.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEkItTiEs.com/
Connection: keep-alive

Legitimate browser request:
Host: www.internetkitties.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64)…..
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.mysite.com/
Connection: keep-alive
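The "mechanism to detect bad bots" in the WAF design above is the piece the deck leaves open: something has to read the access logs, apply the three signals it lists (4xx/5xx bad requests, request rate, SQLi/XSS patterns) plus the user-agent contrast shown in the two requests, and feed the offending addresses into the IPSet. The example below is added here and is not code from the deck or from AWS. It parses constructed classic-ELB access-log lines (documentation IP ranges, made-up paths), classifies each client, and builds the Updates list in the shape WAF Classic's UpdateIPSet expects; the thresholds and the user-agent blocklist are assumptions to tune for your own traffic.

```python
"""Detect bad bots in classic ELB access-log lines and turn the hits into the
IPSet update payload a Lambda function would hand to WAF Classic's
UpdateIPSet.  Added example; the log lines below are constructed in the
classic ELB access-log layout with reserved documentation IP ranges."""
import re
import shlex
from collections import defaultdict
from urllib.parse import unquote

# Constructed classic ELB access-log lines. Field order: time elb client:port
# backend:port 3 timings elb_status backend_status bytes_in bytes_out
# "request" "user_agent" ssl_cipher ssl_protocol
SAMPLE_LOG = """\
2016-11-11T00:00:01.000Z sale-elb 203.0.113.5:51234 10.0.1.20:80 0.00004 0.012 0.00002 200 200 0 1520 "GET https://www.example.com:443/ HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; WOW64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-11T00:00:01.100Z sale-elb 198.51.100.9:40001 10.0.1.20:80 0.00004 0.003 0.00002 200 200 0 812 "GET https://www.example.com:443/item/1 HTTP/1.1" "badbot" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-11T00:00:01.200Z sale-elb 192.0.2.77:50010 10.0.1.21:80 0.00004 0.002 0.00002 404 404 0 210 "GET https://www.example.com:443/p/1001 HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-11T00:00:01.250Z sale-elb 192.0.2.77:50011 10.0.1.21:80 0.00004 0.002 0.00002 404 404 0 210 "GET https://www.example.com:443/p/1002 HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-11T00:00:01.300Z sale-elb 192.0.2.77:50012 10.0.1.21:80 0.00004 0.002 0.00002 404 404 0 210 "GET https://www.example.com:443/p/1003 HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-11T00:00:01.400Z sale-elb 203.0.113.5:51235 10.0.1.20:80 0.00004 0.010 0.00002 200 200 0 1330 "GET https://www.example.com:443/item/7 HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1; WOW64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-11T00:00:01.500Z sale-elb 192.0.2.88:46000 10.0.1.20:80 0.00004 0.004 0.00002 200 200 0 900 "GET https://www.example.com:443/search?q=%27%20OR%201%3D1-- HTTP/1.1" "Mozilla/5.0 (Macintosh)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
2016-11-11T00:00:01.600Z sale-elb 192.0.2.77:50013 10.0.1.21:80 0.00004 0.002 0.00002 404 404 0 210 "GET https://www.example.com:443/p/1004 HTTP/1.1" "Mozilla/5.0 (X11; Linux x86_64)" ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2
"""

BAD_AGENTS = re.compile(r"(?i)\b(badbot|scrapy|python-requests)\b")   # assumed blocklist
INJECTION = re.compile(r"(?i)(union\s+select|'\s*or\s+1\s*=\s*1|<script)")  # assumed signatures
RATE_LIMIT = 4        # requests per client in the log window (assumed)
ERROR_RATIO = 0.5     # share of 4xx/5xx that marks a probing client (assumed)
MIN_REQUESTS = 3      # do not judge error ratio on fewer requests than this


def parse_elb_line(line):
    """Split one classic ELB log line; shlex keeps the quoted fields intact."""
    f = shlex.split(line)
    method, url, _version = f[11].split(" ", 2)
    return {"ip": f[2].rsplit(":", 1)[0], "status": int(f[7]),
            "url": unquote(url), "ua": f[12]}


def classify(log_text):
    """Return {client_ip: sorted list of reasons} for clients that trip a signal."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_elb_line(line)
            per_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, reqs in per_ip.items():
        reasons = set()
        if any(BAD_AGENTS.search(r["ua"]) for r in reqs):
            reasons.add("bad-user-agent")
        if any(INJECTION.search(r["url"]) for r in reqs):
            reasons.add("injection-pattern")
        if len(reqs) >= RATE_LIMIT:
            reasons.add("rate-limit")
        errors = sum(r["status"] >= 400 for r in reqs)
        if len(reqs) >= MIN_REQUESTS and errors / len(reqs) >= ERROR_RATIO:
            reasons.add("error-ratio")
        if reasons:
            verdicts[ip] = sorted(reasons)
    return verdicts


def ipset_updates(verdicts):
    """Build the Updates list for WAF Classic UpdateIPSet (IPv4, /32 entries)."""
    return [{"Action": "INSERT",
             "IPSetDescriptor": {"Type": "IPV4", "Value": f"{ip}/32"}}
            for ip in sorted(verdicts)]


if __name__ == "__main__":
    hits = classify(SAMPLE_LOG)
    for ip, why in hits.items():
        print(ip, why)
    print(ipset_updates(hits))
```

On the sample, 198.51.100.9 is caught by its user-agent alone, 192.0.2.77 by both its request rate and its run of 404s, and 192.0.2.88 by the decoded query string, while the ordinary browser client at 203.0.113.5 is left alone. In a Lambda function the returned Updates list is what you pass, together with a fresh change token, to the WAF Classic UpdateIPSet call; keep the thresholds conservative during a sale, since a legitimate customer on a shared NAT address can look busy too.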
Mitigate Application Layer Attacks (diagram): users and attack traffic reach a CloudFront Edge Location with AWS WAF, then an ELB in front of WAF / proxy frontend servers in the DMZ (public subnet), then a second ELB in front of auto-scaled web app servers (private subnets).
AWS Certificate Manager

•  Provision SSL/TLS certificates from Amazon for use with AWS resources
   •  Elastic Load Balancing
   •  Amazon CloudFront distributions
•  AWS handles the muck
   •  Key pair and CSR generation
   •  Managed renewal and deployment
   •  Domain validation via email
Integrated with AWS Certificate Manager

Before (time-consuming & complex): obtain the certificate from a 3rd Party Certificate Authority (3-5 days), upload it to IAM via the AWS CLI, then connect it to CloudFront via the AWS CLI.

After (simple & automated & super fast): AWS Certificate Manager handles the end-to-end process within minutes, using a couple of mouse clicks on the console.
SSL on ELB

Support for both SSL and HTTPS is provided

SSL Negotiation Policies provide selection of ciphers and protocols that adhere to the latest industry best practices

Optimized for balance between security and client connectivity, as tested with Amazon.com traffic

POODLE (SSLv3): within 24 hours, 62% of load balancers migrated to the latest SSL Negotiation Policy, disabling SSLv3.
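Migrating to a current SSL Negotiation Policy is the fix the deck describes; what a policy that still negotiates SSLv3 looks like next to a hardened one, and how to check your own, is shown below. This is an added example, not code from the deck or from AWS: the two policies are constructed in the attribute layout that classic ELB's DescribeLoadBalancerPolicies returns for SSLNegotiationPolicyType (attribute names such as Protocol-SSLv3 and Server-Defined-Cipher-Order are real; the cipher lists are illustrative, not a copy of any ELBSecurityPolicy), and the weak-cipher markers are an assumed checklist.

```python
"""Check a classic ELB SSL negotiation policy for SSLv3 (POODLE) and a few
neighbouring weaknesses.  Added example, not AWS code: both policies below
are constructed in the attribute layout returned by
DescribeLoadBalancerPolicies; the cipher lists are illustrative."""

LEGACY_POLICY = {   # constructed: a policy that still negotiates SSLv3
    "Protocol-SSLv3": "true", "Protocol-TLSv1": "true", "Protocol-TLSv1.1": "true",
    "Protocol-TLSv1.2": "true", "Server-Defined-Cipher-Order": "false",
    "ECDHE-RSA-AES128-GCM-SHA256": "true", "AES128-SHA": "true",
    "DES-CBC3-SHA": "true", "RC4-SHA": "true",
}
HARDENED_POLICY = {  # constructed: the corrected form
    "Protocol-SSLv3": "false", "Protocol-TLSv1": "true", "Protocol-TLSv1.1": "true",
    "Protocol-TLSv1.2": "true", "Server-Defined-Cipher-Order": "true",
    "ECDHE-RSA-AES128-GCM-SHA256": "true", "ECDHE-RSA-AES256-GCM-SHA384": "true",
    "AES128-GCM-SHA256": "true", "AES128-SHA": "true",
}
# Substrings that mark a cipher suite as obsolete (assumed checklist).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH")
NON_CIPHER_ATTRS = ("Protocol-", "Server-Defined-Cipher-Order", "Reference-Security-Policy")


def policy_findings(attrs):
    """Return a list of human-readable problems; empty means the policy passes."""
    findings = []
    enabled = {name for name, value in attrs.items() if value == "true"}
    if "Protocol-SSLv3" in enabled:
        findings.append("SSLv3 enabled (POODLE)")
    if "Protocol-SSLv2" in enabled:
        findings.append("SSLv2 enabled")
    if "Protocol-TLSv1.2" not in enabled:
        findings.append("TLSv1.2 not offered")
    if attrs.get("Server-Defined-Cipher-Order") != "true":
        findings.append("client chooses cipher order")
    for name in sorted(enabled):
        if name.startswith(NON_CIPHER_ATTRS):
            continue                      # protocol and ordering switches, not ciphers
        if any(marker in name for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
    return findings


def from_describe_output(policy_description):
    """Flatten one PolicyDescription's PolicyAttributeDescriptions into a dict."""
    return {a["AttributeName"]: a["AttributeValue"]
            for a in policy_description["PolicyAttributeDescriptions"]}


if __name__ == "__main__":
    for label, policy in (("legacy", LEGACY_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, policy_findings(policy) or "OK")
```

With boto3 the live input comes from the classic ELB client's describe_load_balancer_policies call, whose PolicyDescriptions entries feed from_describe_output one at a time; any load balancer whose 443 listener policy returns a non-empty findings list is a candidate for the migration the deck describes, which on classic ELB means creating a new SSLNegotiationPolicyType policy that references a current predefined security policy and attaching it to the listener.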
Ubiquitous Encryption (diagram): encryption at rest and encryption in transit for S3, EBS, RDS, Redshift and Glacier; restricted access through IAM; fully managed keys; fully auditable through AWS CloudTrail.


“With AWS, we don’t need to buy enough hardware to cover peak demand and leave it sitting idle the rest of the time.”
Edman Hung, IT Manager, MyDress

•  MyDress started out in a physical data centre, but it could not keep up with rapid business growth; a DDoS attack in 2014 left the service unavailable for 4 hours, with a business loss as high as 52%
•  The Magento-based e-commerce platform needed a highly available, secure, scalable and high-performance infrastructure platform that could also support elastic business demands such as promotions
•  Using AWS saved NT$2,200,000 (US$77,350)

MyDress helps enable fashion labels in Japan, Korea, and Taiwan to sell clothes and accessories to customers in Hong Kong online.


On 8 April 2015, 14.6 million users joined the Mi Fan Festival (米粉節); more than 2 million phones and 1.2 million smart devices and phone accessories were sold, bringing in over RMB 2 billion and setting a Guinness World Record, with 43.6% of orders placed from mobile devices.

While that record was being set, AWS was safeguarding the flash sale and helped Xiaomi (小米網) save hundreds of thousands in IT costs.

http://cloud.51cto.com/art/201505/475517.htm
AWS Marketplace: One-stop shop for security tools

Categories: Advanced Threat Analytics; Application Security; Identity and Access Mgmt; Server & Endpoint Protection; Network Security; Encryption & Key Mgmt; Vulnerability & Pen Testing
Video Demo: Security Information and Event Management (SIEM) on AWS
AWS Platform For eCommerce (diagram)

Columns: Networking, Web Apps, Cache, Data Storage, CDN, Analytics, Mobile App Backend, Machine Learning

Components shown: DNS, Load balancer, Virtual private network, Auto scaling, Compute, Memcache, Redis, S3, RDS MySQL, RDS Oracle, CloudFront, AWS WAF, Kinesis, RedShift, EMR, DynamoDB, Mobile Push, Mobile Analytics, Device farm, Lambda, Machine Learning, API Gateway

Built on AWS Global Infrastructure and APN Partner Solutions


Thank You
