Enhance Application Security at the Edge with AWS (CDN221)

Title: AWS re:Inforce 2024 - Enhance application security at the edge with AWS (CDN221)

Insights:

  • Introduction and Overview: The session focuses on enhancing application security at the edge using AWS services, specifically Amazon CloudFront and AWS WAF (Web Application Firewall).
  • Common Challenges: Internet-facing applications face significant risks, including bot traffic and DDoS attacks. These applications need to be responsive, secure, and cost-efficient.
  • Amazon CloudFront:
    • A content delivery network (CDN) that brings applications closer to users for better performance.
    • Operates more than 600 points of presence (POPs) worldwide; caching at the edge cuts origin load and cost, and the distributed edge capacity absorbs volumetric DDoS traffic before it reaches the origin.
    • Integrates with AWS security services such as AWS WAF and Shield Advanced (Shield Standard DDoS protection is included with every distribution at no extra cost).
  • AWS WAF:
    • Integrates with CloudFront to provide security at the edge.
    • Allows for custom rules (rate-based, geolocation, allow/block lists) and managed rules.
    • Can also be used with other AWS services such as Application Load Balancer, API Gateway and AppSync.
  • Demo Overview:
    • First Demo: Building a web ACL (web access control list) in AWS WAF.
      • Steps include naming the policy (the web ACL), choosing the CloudFront scope and selecting the distributions to protect, adding managed rule groups (Amazon IP reputation list, core rule set, known bad inputs), and setting rule priorities (rules are evaluated from the lowest priority number upward).
      • Provides visibility into rule matches and bot traffic.
    • Second Demo: Building security policies directly in CloudFront.
      • Similar steps to the first demo but done within the CloudFront console.
      • Allows for enabling security protections, adding managed rules, and setting rate limits.
  • Visibility and Monitoring: Both methods provide visibility into traffic and potential threats, helping to make informed decisions about security policies.
  • Flexibility in Implementation: Security teams can build detailed policies in WAF, while app development teams can quickly add baseline security through CloudFront.
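The web ACL the first demo assembles in the console can be expressed as the request body that the wafv2 API takes. The following is an added example, not code from the session or from AWS: it uses only the standard library to build that body (the three managed rule groups from the demo, optionally in count mode, plus a rate-based rule) and checks the invariants the console enforces for you. The ACL name, metric names and the rate limit of 2000 requests per window are illustrative placeholders.

```python
"""Assemble a CloudFront-scoped AWS WAF (wafv2) web ACL the way the first demo does.

Added example, not code from the re:Inforce session or from AWS. Emits the body that
`aws wafv2 create-web-acl --region us-east-1 --cli-input-json file://webacl.json`
accepts and validates it offline. Names, metric names and the rate limit are
placeholders chosen for illustration.
"""
import json
import re

# The three AWS Managed Rules groups added in the demo (vendor "AWS").
MANAGED_GROUPS = [
    "AWSManagedRulesAmazonIpReputationList",  # Amazon IP reputation list
    "AWSManagedRulesCommonRuleSet",           # core rule set
    "AWSManagedRulesKnownBadInputsRuleSet",   # known bad inputs
]
METRIC_NAME_RE = re.compile(r"^[\w#:.\-/]{1,128}$")
RATE_WINDOWS = (60, 120, 300, 600)  # EvaluationWindowSec values wafv2 accepts


def _visibility(metric_name):
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def managed_rule(group, priority, count_only):
    """Managed rule groups carry OverrideAction, never Action.
    count_only=True is the 'count mode' from the session: the group still
    evaluates, logs and emits metrics, but never blocks."""
    return {
        "Name": group,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}},
        "OverrideAction": {"Count": {}} if count_only else {"None": {}},
        "VisibilityConfig": _visibility(group),
    }


def rate_rule(priority, limit, window_sec=300):
    """Custom rate-based rule: block a client IP once it exceeds `limit`
    requests in the evaluation window. Custom rules carry Action."""
    return {
        "Name": "rate-limit-per-ip",
        "Priority": priority,
        "Statement": {"RateBasedStatement": {"Limit": limit,
                                             "AggregateKeyType": "IP",
                                             "EvaluationWindowSec": window_sec}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility("rate-limit-per-ip"),
    }


def build_web_acl(name, count_only=True, rate_limit=2000):
    """Rules are evaluated lowest Priority first; the rate rule goes last so the
    reputation list and rule sets get first look, matching the demo's ordering."""
    rules = [managed_rule(g, i, count_only) for i, g in enumerate(MANAGED_GROUPS)]
    rules.append(rate_rule(len(rules), rate_limit))
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",          # CLOUDFRONT-scoped ACLs live only in us-east-1
        "DefaultAction": {"Allow": {}},
        "Rules": rules,
        "VisibilityConfig": _visibility(name),
    }


def validate(acl):
    """Return a list of problems; an empty list means the body is consistent."""
    problems = []
    if acl.get("Scope") != "CLOUDFRONT":
        problems.append("Scope must be CLOUDFRONT to attach to a distribution")
    priorities = [r["Priority"] for r in acl["Rules"]]
    if len(set(priorities)) != len(priorities):
        problems.append("rule priorities must be unique")
    for r in acl["Rules"]:
        stmt = r["Statement"]
        has_action, has_override = "Action" in r, "OverrideAction" in r
        if has_action == has_override:
            problems.append(f"{r['Name']}: exactly one of Action/OverrideAction")
        if "ManagedRuleGroupStatement" in stmt and not has_override:
            problems.append(f"{r['Name']}: managed rule groups need OverrideAction")
        if "RateBasedStatement" in stmt:
            rb = stmt["RateBasedStatement"]
            if rb["Limit"] <= 0 or rb.get("EvaluationWindowSec", 300) not in RATE_WINDOWS:
                problems.append(f"{r['Name']}: bad rate limit or window")
        if not METRIC_NAME_RE.match(r["VisibilityConfig"]["MetricName"]):
            problems.append(f"{r['Name']}: invalid MetricName")
    return problems


if __name__ == "__main__":
    acl = build_web_acl("edge-baseline")
    assert not validate(acl)
    print(json.dumps(acl, indent=2))
```

Create the ACL in us-east-1 (the only region that accepts CLOUDFRONT scope), then attach it by setting the distribution's WebACLId to the returned ARN, which is what the console's "select CloudFront distributions" step does for you. Start with count_only=True, review the matches, and only then rebuild with count_only=False to enforce.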

Quotes:

  • "What we're going to talk about today is how these two services can help you with some of the hurdles that you may have when you're trying to move fast with putting applications in the cloud that are internet facing."
  • "With our CDN, you're bringing that content closer to your users. You're helping on cost because you can cache it out there and with the CDN it helps with DDoS protection."
  • "All you would have to do is turn that on and then you can add that to your WebACL policy."
  • "We have a lot of customers that use this to get a feel for the percentage of traffic that's coming from bots."
  • "At a minimum, if you wanted to get a feel for what kind of traffic is going to the application behind this CloudFront distribution, you can turn on one managed rule, put it in count mode, and then you can get a great view of visibility."
  • "The reason I showed the two approaches is I just wanted to show that we have a lot of people that need to work fast and move fast."
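The visibility the speaker describes (count-mode matches and the share of traffic coming from bots) comes out of the AWS WAF logs. The following is an added example, not code from the session or from AWS: it parses a handful of log records constructed here to follow the wafv2 log schema (action, terminatingRuleId, ruleGroupList[].nonTerminatingMatchingRules, labels), tallies what each count-mode rule would have done, and computes a bot percentage. The bot percentage assumes the AWS Bot Control managed rule group is present in count mode, since that group is what emits the awswaf:managed:aws:bot-control:* labels.

```python
"""Summarise AWS WAF logs the way the session's count-mode visibility step is used.

Added example, not code from the re:Inforce session or from AWS. The log records
below are constructed to match the wafv2 log schema; IPs are documentation ranges.
Assumes AWS Bot Control is attached in count mode so bot labels are present.
"""
import json
from collections import Counter

BOT_LABEL_PREFIX = "awswaf:managed:aws:bot-control:bot:"

# Constructed sample: one JSON record per line, as delivered to S3/Firehose/CloudWatch.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"timestamp": 1718000000001, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "terminatingRuleType": "REGULAR",
     "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
                        "terminatingRule": None,
                        "nonTerminatingMatchingRules": [
                            {"ruleId": "SizeRestrictions_BODY", "action": "COUNT"}]}],
     "httpRequest": {"clientIp": "203.0.113.10", "uri": "/login", "httpMethod": "POST"},
     "labels": [{"name": "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"}]},
    {"timestamp": 1718000000002, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "terminatingRuleType": "REGULAR",
     "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesBotControlRuleSet",
                        "terminatingRule": None,
                        "nonTerminatingMatchingRules": [
                            {"ruleId": "CategoryHttpLibrary", "action": "COUNT"}]}],
     "httpRequest": {"clientIp": "198.51.100.7", "uri": "/api/items", "httpMethod": "GET"},
     "labels": [{"name": "awswaf:managed:aws:bot-control:bot:category:http_library"},
                {"name": "awswaf:managed:aws:bot-control:signal:non_browser_user_agent"}]},
    {"timestamp": 1718000000003, "action": "BLOCK", "terminatingRuleId": "rate-limit-per-ip",
     "terminatingRuleType": "RATE_BASED", "ruleGroupList": [],
     "httpRequest": {"clientIp": "198.51.100.7", "uri": "/api/items", "httpMethod": "GET"},
     "labels": [{"name": "awswaf:managed:aws:bot-control:bot:category:http_library"}]},
    {"timestamp": 1718000000004, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "terminatingRuleType": "REGULAR",
     "ruleGroupList": [{"ruleGroupId": "AWS#AWSManagedRulesKnownBadInputsRuleSet",
                        "terminatingRule": None,
                        "nonTerminatingMatchingRules": [
                            {"ruleId": "Log4JRCE_HEADER", "action": "COUNT"}]}],
     "httpRequest": {"clientIp": "192.0.2.44", "uri": "/", "httpMethod": "GET"},
     "labels": [{"name": "awswaf:managed:aws:known-bad-inputs:Log4JRCE_Header"}]},
    {"timestamp": 1718000000005, "action": "ALLOW", "terminatingRuleId": "Default_Action",
     "terminatingRuleType": "REGULAR", "ruleGroupList": [],
     "httpRequest": {"clientIp": "192.0.2.45", "uri": "/", "httpMethod": "GET"},
     "labels": []},
])


def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def summarize(records):
    """Actions taken, what each count-mode rule would have done, and bot share."""
    actions = Counter(r["action"] for r in records)
    # Count-mode matches are the rules to review before flipping a group to Block.
    would_match = Counter()
    for r in records:
        for group in r.get("ruleGroupList", []):
            for rule in group.get("nonTerminatingMatchingRules", []):
                if rule.get("action") == "COUNT":
                    would_match[(group["ruleGroupId"], rule["ruleId"])] += 1
    bot_requests = sum(
        1 for r in records
        if any(l["name"].startswith(BOT_LABEL_PREFIX) for l in r.get("labels", [])))
    bot_percent = round(100.0 * bot_requests / len(records), 1) if records else 0.0
    return {"total": len(records), "actions": dict(actions),
            "count_mode_matches": dict(would_match), "bot_percent": bot_percent}


def blocked_by(records, rule_id):
    """Client IPs whose requests were terminated by a given rule (e.g. the rate limit)."""
    return sorted({r["httpRequest"]["clientIp"] for r in records
                   if r["action"] == "BLOCK" and r["terminatingRuleId"] == rule_id})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(json.dumps({str(k): v for k, v in summarize(recs)["count_mode_matches"].items()}))
    print("bot %:", summarize(recs)["bot_percent"], "rate-limited:", blocked_by(recs, "rate-limit-per-ip"))
```

On a real distribution, point the same functions at the log files WAF delivers to S3, Kinesis Data Firehose or CloudWatch Logs; the console's sampled requests give a quicker but partial view of the same matches.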