Learning Objectives: - Learn how to secure and control the access of critical customer data (e.g., payment instruments, social security numbers, phone numbers, etc.) at rest, in use, or in transit - Learn how it will help your company abide by the strictest data handling policies such as PCI DSS compliance, and HIPAA - Learn how to configure Amazon CloudFront

1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
George John, Product Manager, AWS CloudFront/Lambda@Edge
Cristi Ursachi, Software Development Manager, Amazon.com
March 1st 2018
How to Secure Sensitive Customer
Data Using Amazon CloudFront

2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• CloudFront Overview
• Secure content with CloudFront
• CloudFront Field Level Encryption
• Demo
• Q & A

3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Amazon CloudFront
G l o b a l c o n t e n t d e l i v e r y n e t w o r k ( C D N )
A p p l i c a t i o n a c c e l e r a t i o n a n d o p t i m i z a t i o n
D i s t r i b u t e d s c a l a b l e i n t e g r a t e d s e c u r i t y c o n t r o l s
O p t i m i z e d f o r a l l d e l i v e r y u s e c a s e s
O n - d e m a n d , f u l l u s e r c o n t ro l , c o s t e f fe c t i v e
E s s e n t i a l c l o u d
i n f r a s t r u c t u r e
c o m p o n e n t

4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
114 Points of Presence (103 Edge locations + 11 Regional Edge Caches)

5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Four Major Use Cases
Accelerate websites
Customize user
experience
Stream live and
on-demand media
Secure content
Customer
use cases

6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Secure Content

7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
1. Protect Application &
Network/Transport layer

8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
✓ Only Accepts valid HTTP/TCP Requests
✓ Automatically drop traffic on non HTTP Ports
✓ Protection Against Slow Reads (Slowloris)
✓ Safeguards Against SSL Abuse (E.g. Perfect Forward
Secrecy)
✓ Web Server Offload (E.g., Request Collapsing)
AWS Shield AWS WAFCloudFront Built-in
Security

9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
2. Access Control

10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
2.1 Securely ser ve private content: Signed URL/Cookie
End viewers CloudFront
distribution
intranet.example.com
Path: Default (*)
Origin: ALB
Forward Cookies: All
Restrict Viewer Access: No
Application Load
Balancer
Application
Path: videos/
Origin: Amazon S3
Forward cookies: No
Restrict viewer access: Yes
Amazon S3
bucket
User’s application credentials
Signed Cookie or URL
GET /videos/annual-meeting.m3u8
Cached response
Cache behaviors✓ Valid

11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
• Create an origin access identity using the
CloudFront console or API.
• Modify your Amazon S3 bucket policy to limit
read access to the origin access identity’s
Restricting origin access: Amazon S3 Origin

12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Configure origin custom headers to provide a shared secret in a custom-named header.
Restricting origin access: Custom Origin

13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
3. Encryption

14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
3.1 End to End HTTPS
CloudFront
distributionEnd viewer
Origin protocol policy
HTTPS only
Origin SSL protocol
TLSv1.2
Viewer protocol policy
Redirect HTTP to HTTPS
Security policy
TLSv1.2_2018
Certificate
Managed by ACM
Origin

15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
3.2 CloudFront Field-Level Encryption
Secure and control the access of sensitive customer data while accelerating
your application
• Sensitive data encrypted with RSA key pair
• Reduces attack surface for your sensitive data
• Eliminates risk with accidental (or incidental) data leakage

16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Why Amazon consumer needs CloudFront Field Level
Encryption
• Our most valuable asset is customer trust
• We need to handle a lot of sensitive information (credit cards,
addresses, SSN, etc)
• Behind consumer website operate hundreds of teams
maintaining different services

17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Architecture

19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Benefits of using Field Level Encryption
• Greatly reduces the number of systems we have to audit for PCI
compliance
• A bug in a pass-through system cannot cause sensitive
information leakage
• Greatly reduces the number of people that may have access to
sensitive information (e.g. card numbers)

20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo

21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo – products/concepts used
• Amazon CloudFront (content delivery network)
• HTTP forms
• Public-key cryptography
• AWS API Gateway
• AWS Lambda
• AWS CloudFormation
• AWS KMS
• AWS Systems Manager Parameter Store
• AWS DynamoDB

22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo Architecture

23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
How to configure Field Level Encryption
1. Public Keys: Name , Value
2. Field Level Encryption Profiles: Name , ProviderName, PublicKey.Name,
Pattern
3. Field Level Encryption configuration: ContentType, Pass Profile as query
argument

24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Demo Walkthrough
• Stage the required artifacts (deployed already in US East 1 AWS region)
• Generate an RSA key pair
• Upload the public key to CloudFront and associate it with the
Field Level Encryption configuration
• Launch the CloudFormation stack
• Add the Field Level Encryption configuration to the
CloudFront distribution
• Store the private key in Parameter Store

25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Getting Started
• Amazon CloudFront getting started
https://aws.amazon.com/cloudfront/getting-started/
• Introduction to CloudFront and Lambda@Edge (video)
https://www.youtube.com/watch?v=wRaPw1tx6LA
• Slack Uses Amazon CloudFront for Secure API Acceleration (video)
https://www.youtube.com/watch?v=oVaTiRl9-v0
• AWS Shield
https://aws.amazon.com/shield/
• AWS WAF
https://aws.amazon.com/waf/

26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Questions?

27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Thank you!