1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
George John, Product Manager, AWS CloudFront/Lambda@Edge
Cristi Ursachi, Software Development Manager, Amazon.com
March 1st 2018
How to Secure Sensitive Customer Data Using Amazon CloudFront
2. Agenda
• CloudFront Overview
• Secure content with CloudFront
• CloudFront Field Level Encryption
• Demo
• Q & A
3. Amazon CloudFront
Global content delivery network (CDN)
Application acceleration and optimization
Distributed scalable integrated security controls
Optimized for all delivery use cases
On-demand, full user control, cost effective
Essential cloud infrastructure component
4. 114 Points of Presence (103 Edge locations + 11 Regional Edge Caches)
5. Four Major Use Cases
• Accelerate websites
• Customize user experience
• Stream live and on-demand media
• Secure content
6. Secure Content
7. 1. Protect Application & Network/Transport layer
8. CloudFront Built-in Security
✓ Only accepts valid HTTP/TCP requests
✓ Automatically drops traffic on non-HTTP ports
✓ Protection against slow reads (Slowloris)
✓ Safeguards against SSL abuse (e.g. Perfect Forward Secrecy)
✓ Web server offload (e.g., request collapsing)
Layers shown: AWS Shield, AWS WAF, CloudFront Built-in Security
9. 2. Access Control
10. 2.1 Securely serve private content: Signed URL/Cookie
End viewers → CloudFront distribution (intranet.example.com) → origins
Cache behaviors:
• Path: Default (*); Origin: ALB (Application Load Balancer in front of the application); Forward cookies: All; Restrict viewer access: No
• Path: videos/; Origin: Amazon S3 (bucket); Forward cookies: No; Restrict viewer access: Yes
Request flow: User's application credentials → Signed Cookie or URL → GET /videos/annual-meeting.m3u8 → ✓ Valid → Cached response
11. Restricting origin access: Amazon S3 Origin
• Create an origin access identity using the CloudFront console or API.
• Modify your Amazon S3 bucket policy to limit read access to the origin access identity's
12. Restricting origin access: Custom Origin
Configure origin custom headers to provide a shared secret in a custom-named header.
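What the custom origin has to do with that header, as an added Go example (not code from the slides or from AWS; the header name X-Origin-Verify and the secret value are assumptions for the illustration): reject every request that does not carry the configured shared secret, comparing in constant time.

```go
package main

import (
	"crypto/subtle"
	"net/http"
	"net/http/httptest"
)

// headerName is an assumption for this example; use whatever custom header
// name you configured on the CloudFront origin.
const headerName = "X-Origin-Verify"

// requireOriginSecret wraps an origin handler and rejects every request that
// does not carry the shared secret CloudFront adds to forwarded requests.
func requireOriginSecret(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get(headerName)
		// Constant-time comparison: a plain string compare would let response
		// timing reveal how many leading bytes of a guess were correct. An
		// empty configured secret is treated as "nothing configured", so deny.
		if secret == "" || subtle.ConstantTimeCompare([]byte(got), []byte(secret)) != 1 {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// checkRequest returns the status the protected origin gives a request that
// carries headerValue in the custom header ("" means the header is absent).
func checkRequest(secret, headerValue string) int {
	origin := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	})
	req := httptest.NewRequest(http.MethodGet, "/index.html", nil)
	if headerValue != "" {
		req.Header.Set(headerName, headerValue)
	}
	rec := httptest.NewRecorder()
	requireOriginSecret(secret, origin).ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed secret for a stand-alone run; in production inject it from
	// a secret store and rotate it together with the CloudFront origin header.
	secret := "example-shared-secret"
	http.ListenAndServe(":8080", requireOriginSecret(secret, http.FileServer(http.Dir("."))))
}
```

Pair this with a security group or firewall rule that only admits CloudFront's address ranges; the header check stops requests that reach the origin by some other path, it does not hide the origin.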
13. 3. Encryption
14. 3.1 End to End HTTPS
End viewer → CloudFront distribution → Origin
Viewer side:
• Viewer protocol policy: Redirect HTTP to HTTPS
• Security policy: TLSv1.2_2018
• Certificate: Managed by ACM
Origin side:
• Origin protocol policy: HTTPS only
• Origin SSL protocol: TLSv1.2
15. 3.2 CloudFront Field-Level Encryption
Secure and control access to sensitive customer data while accelerating your application
• Sensitive data is encrypted with an RSA key pair
• Reduces the attack surface for your sensitive data
• Eliminates the risk of accidental (or incidental) data leakage
16. Why Amazon's consumer website needs CloudFront Field Level Encryption
• Our most valuable asset is customer trust
• We need to handle a lot of sensitive information (credit cards, addresses, SSNs, etc.)
• Hundreds of teams operate behind the consumer website, maintaining different services
17.
18. Architecture
19. Benefits of using Field Level Encryption
• Greatly reduces the number of systems we have to audit for PCI compliance
• A bug in a pass-through system cannot cause sensitive information leakage
• Greatly reduces the number of people that may have access to sensitive information (e.g. card numbers)
20. Demo
21. Demo – products/concepts used
• Amazon CloudFront (content delivery network)
• HTTP forms
• Public-key cryptography
• AWS API Gateway
• AWS Lambda
• AWS CloudFormation
• AWS KMS
• AWS Systems Manager Parameter Store
• AWS DynamoDB
22. Demo Architecture
23. How to configure Field Level Encryption
1. Public Keys: Name, Value
2. Field Level Encryption Profiles: Name, ProviderName, PublicKey.Name, Pattern
3. Field Level Encryption configuration: ContentType, Pass Profile as query argument
24. Demo Walkthrough
• Stage the required artifacts (deployed already in the US East 1 AWS region)
• Generate an RSA key pair
• Upload the public key to CloudFront and associate it with the Field Level Encryption configuration
• Launch the CloudFormation stack
• Add the Field Level Encryption configuration to the CloudFront distribution
• Store the private key in Parameter Store
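The configuration pieces from slide 23 (public key, profile with a field pattern, content type) and the key-pair flow of this walkthrough, as an added Go example of the principle: only form fields matching the profile pattern are encrypted with the public key, so every pass-through system sees ciphertext and only the service holding the private key can read the value. This is illustration code, not the slides' demo or CloudFront's own implementation: CloudFront's real FLE ciphertext format differs, and Profile, EncryptFields and DecryptField are names chosen here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"net/url"
	"path"
)

// Profile mirrors what the slides list for a profile: public key, field-name
// pattern and content type. The names are this example's own, not CloudFront's.
type Profile struct {
	Pattern     string // shell-style pattern such as "card*" matched against field names
	ContentType string
	PublicKey   *rsa.PublicKey
}

// EncryptFields copies the form, replacing every field whose name matches the
// pattern with base64(RSA-OAEP-SHA256(value)); other fields and content types pass through.
func EncryptFields(p Profile, contentType string, form url.Values) (url.Values, error) {
	out := url.Values{}
	for name, vals := range form {
		for _, v := range vals {
			if ok, _ := path.Match(p.Pattern, name); ok && contentType == p.ContentType {
				ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, p.PublicKey, []byte(v), nil)
				if err != nil {
					return nil, err
				}
				v = base64.StdEncoding.EncodeToString(ct)
			}
			out.Add(name, v)
		}
	}
	return out, nil
}

// DecryptField is the step only the service holding the private key can do.
func DecryptField(priv *rsa.PrivateKey, encoded string) (string, error) {
	ct, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

With a 2048-bit key and SHA-256 OAEP a single field value is limited to 190 bytes, which is ample for the card numbers and identifiers the slides mention; anything longer needs hybrid encryption.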
25. Getting Started
• Amazon CloudFront getting started
https://aws.amazon.com/cloudfront/getting-started/
• Introduction to CloudFront and Lambda@Edge (video)
https://www.youtube.com/watch?v=wRaPw1tx6LA
• Slack Uses Amazon CloudFront for Secure API Acceleration (video)
https://www.youtube.com/watch?v=oVaTiRl9-v0
• AWS Shield
https://aws.amazon.com/shield/
• AWS WAF
https://aws.amazon.com/waf/
26. Questions?
27. Thank you!