Protect Your Internet-Facing Web Applications Hosted on AWS (NIS304)

Title: AWS re:Inforce 2024 - Protect your internet-facing web applications hosted on AWS (NIS304)

Insights:

  • Introduction and Scope: The session focuses on protecting internet-facing applications hosted on AWS, covering multi-vector threats and defense mechanisms.
  • Key Security Services: Emphasis on AWS Shield, AWS Network Firewall, AWS WAF, and AWS Firewall Manager for comprehensive protection.
  • Attack Surface Definition: Detailed explanation of a typical internet-facing app architecture, including VPCs, subnets, and load balancers.
  • Multi-Vector Threats: Importance of understanding and mitigating multi-vector threats, such as ransomware, which involve multiple stages like reconnaissance, backdoor access, malware infection, and lateral movement.
  • Reconnaissance Defense: Use of security groups, network access control lists, and AWS WAF to limit reconnaissance activities by attackers.
  • DDoS Protection: AWS Shield provides automatic protection against volumetric DDoS attacks, with Shield Advanced offering additional capabilities and support.
  • Layer 7 DDoS Mitigation: AWS WAF can be deployed on CloudFront to handle sophisticated HTTP request floods, using rate limiting and bot control rules.
  • SQL Injection Prevention: AWS WAF can detect and block SQL injection attempts by inspecting query strings and other request components.
  • Account Takeover Prevention: AWS WAF can help prevent account takeovers by monitoring login attempts and blocking compromised credentials.
  • Non-HTTP Applications: For non-HTTP applications, options include third-party appliances via Gateway Load Balancer or AWS Network Firewall for deep packet inspection.
  • Centralized vs. Distributed Ingress: Discussion on the pros and cons of centralized ingress (single VPC with internet gateway) versus distributed ingress (multiple VPCs with their own internet gateways).
  • Firewall Manager: AWS Firewall Manager allows centralized control of security policies across multiple AWS accounts and services, ensuring consistent protection.
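Added example, not material from the talk: a rules file for `aws wafv2 create-web-acl --rules file://rules.json` that puts the three Layer 7 controls named in the bullets above into one web ACL, a rate-based block per source IP for HTTP request floods, a SQL injection match on the decoded query string, and the AWS Bot Control managed rule group. The rule names, the 2000-request limit and the metric names are assumptions chosen for this example.

```json
[
  {
    "Name": "RateLimitPerSourceIp",
    "Priority": 0,
    "Statement": {
      "RateBasedStatement": { "Limit": 2000, "AggregateKeyType": "IP" }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "RateLimitPerSourceIp"
    }
  },
  {
    "Name": "BlockSqliInQueryString",
    "Priority": 1,
    "Statement": {
      "SqliMatchStatement": {
        "FieldToMatch": { "QueryString": {} },
        "TextTransformations": [
          { "Priority": 0, "Type": "URL_DECODE" },
          { "Priority": 1, "Type": "HTML_ENTITY_DECODE" }
        ]
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "BlockSqliInQueryString"
    }
  },
  {
    "Name": "BotControlCommon",
    "Priority": 2,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesBotControlRuleSet"
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "BotControlCommon"
    }
  }
]
```

The rate-based statement counts requests per source IP over AWS WAF's rolling evaluation window (five minutes by default), so 2000 is a per-window threshold rather than a per-second one. Start a new rule with `"Count": {}` in place of `"Block": {}` and review the sampled requests in CloudWatch before switching it to block, so legitimate traffic patterns are not cut off.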

Quotes:

  • "The defender is interested in CIA, confidentiality, integrity, and availability."
  • "A multi-vector threat can be viewed as a threat that has multiple components, and in order to detect and protect in all of these components, you cannot have a siloed view."
  • "AWS WAF is a fully managed web application firewall that allows you to craft rules and deploy them on different AWS managed resources that receive HTTP, HTTPS traffic."
  • "Shield Standard would usually take care of 99% of volumetric attacks within one minute."
  • "With challenge, we're not having the actual user involved, just the client application."
  • "If the application will not do it, it's likely a bot or it's likely an application that's not a real user."
  • "Dealing with bots in general can be a little bit complicated. And as bots get more advanced and more sophisticated, your approach to dealing with those bots has to be more advanced and sophisticated."
  • "The only option is to bring third-party firewalls and make them the target of your first network load balancer."
  • "If you are going with centralized ingress, just be aware that there's downsides. You're increasing your blast radius, right?"
  • "AWS Firewall Manager allows you to centrally control the policies that are deployed across all of those different VPCs."