SlideShare ist ein Scribd-Unternehmen logo

淺談WAF在AWS的架構_20171027

4
4ndersonLin

Update for "AWS WAF RegEx Support"@pg.25

Technologie
1 von 27
Downloaden Sie, um offline zu lesen
淺談WAF在AWS的架構 SC Lin@AWSUGTW 2017/07/19
SC Lin ❖ Now: ➢ Engineer with focus on public cloud and security. ➢ Prepare for AWS Certified DevOps - Professional ❖ Experiences: ➢ System Engineer, PIC ➢ Security Engineer, PIC ❖ AWS Certification: ➢ AWS Certified Solutions Architect - Professional ➢ AWS Certified Solutions Architect - Associate ➢ AWS Certified Developer - Associate ➢ AWS Certified SysOps Administrator - Associate 2
Agenda ❖ Why WAF? Problems and expectations ❖ WAF architecture on AWS ❖ Comparisons ❖ Demo ❖ Summary This is a AWS WAF icon. 3
Why WAF? 4
Before Why WAF, What is WAF? A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. - Description of WAF from Wikipedia A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. - Description of WAF from OWASP 5
Why WAF? Problems and expectations ➢ OWASP Top 10 ➢ SQL Injection ➢ XSS ➢ CVE & NVD ➢ DDoS ➢ Compliance 6
Why WAF? - 2017 OWASP Top 10 ➢ A1-Injection ➢ A2-Broken Authentication and Session Management ➢ A3-Cross-Site Scripting (XSS) ➢ A4-Broken Access Control ➢ A5-Security Misconfiguration ➢ A6-Sensitive Data Exposure ➢ A7-Insufficient Attack Protection ➢ A8-Cross-Site Request Forgery (CSRF) ➢ A9-Using Components with Known Vulnerabilities ➢ A10-Underprotected APIs 7
DDoS Why WAF? - DDoS 8
Why WAF? - Compliance Compliance ➢ PCI DSS 3.2 requirement 6.6 choice 2 “Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.” ➢ Don’t worry, most of the solutions can help you meet PCI DSS. ➢ AWS WAF service is already certified by PCI DSS. ○ check here “https://aws.amazon.com/tw/compliance/services-in-scope/” 9
WAF architecture on AWS 10
WAF architecture on AWS - AWS best practice AWS best practice Reference: AWS Best Practices for DDoS Resiliency (June 2015) 11
WAF architecture on AWS - Traditional architecture Traditional architecture - problems XFF XFF Scale out Rule Consistency XFF Warm up XFF Warm up ELB traffic fee Traffic Out 12
WAF architecture on AWS - AWS best practices AWS best practice Reference: AWS Best Practices for DDoS Resiliency (June 2016) 13
WAF architecture on AWS - Cloud service Architecture working with cloud service 14
WAF architecture on AWS - AWS WAF Architecture - AWS WAF CloudFront WAF ALB EC2 15
Comparisons 16
Comparisons - Meet OWASP Traditional architecture 1. 使用高度自行客製化的 rule。 2. 使用品牌產品自帶的rule。 Working with cloud service 1. 上限和下限完全取於服務供應商 Working with AWS WAF 1. AWS WAF請參考Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities 17
Comparisons - Meet compliance Traditional architecture 1. 調整rule的彈性大,對於服務供應商的依賴性小。 2. 品牌產品能產出Compliance report,減少對應稽核的負擔。 Working with cloud service 1. 上限和下限完全取於服務供應商的服務 內容。 Working with AWS WAF 1. AWS WAF底層直接符合PCI,但是Rule的產出與改善... 是使用者的責任。 (AWS shared responsibility model) 18
Comparisons - Maintain & automation Traditional architecture 1. 學習的時間成本,需要維運者有較高的技術 /溝通能力。 2. 複雜的架構,管理複雜度必然增加。 3. 難以自動化,須熟悉特定廠商的 API/Command。 Working with cloud service 1. 架構單純,維運難度較低。 2. 難以自動化,須熟悉特定廠商的 API/Command。 Working with AWS WAF 1. 架構單純,維運難度較低。 2. 學習一套API打天下。 19
Comparisons - Pricing Traditional architecture 1. 養機器 = 貴 2. 專業的維運 = 貴 3. 使用知名品牌 = 貴 (License fee $1~3 hourly) Working with cloud service 1. 不需搭配CDN的專業Cloud WAF,假如包含professional service的話價格必然貴。 2. 搭配CDN的類型必須先購買CDN服務,再購買WAF模組。 Working with AWS WAF 1. AWS WAF有較低的起始費用,同時也支援 CF & ALB來賦予使用者選擇架構的彈性。 ($5 per web ACL, $1 per rule, $0.60 per million requests) 20
Demo 21
Demo SQL Injection Protect XSS Protect Rate based rule CVE 2017-5638: Strust2 22
Summary 23
Summary 1. 把WAF套進架構不是問題,如何Tuning rule才是問題。 2. 對應適合的場景/能力,使用適合架構。 3. 程式有洞就要補... 不要推給資安設備! 4. 如果有用CloudFront/ALB的, 馬上試試看AWS WAF能幫你攔到多少東西! 24
Wishlist 透明的SQLinj, XSS規則清單。 String match支援Regular Expression (Oct 16, 2017 update “AWS WAF Now Supports Regular Expressions” https://goo.gl/kCdfgq) Rate-based rule的取樣單位是5分鐘,希望可以自由讓使用者調整。 Log只能看到最近3小時,最好能夠儲存log到S3/Cloudwatch Logs。 Rules per web ACL只能有10條... 更多的Feature… (Support case分類居然沒有feature request...) 25
References ❏ AWS Security Blog https://aws.amazon.com/blogs/security/ ❏ AWS WAF Developer Guide http://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html ❏ AWS WAF Preconfigured Rules & Tutorials https: ❏ //aws.amazon.com/waf/preconfiguredrules/AWS Security Whitepaper https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf ❏ AWS Security Best Practices https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf ❏ Overview of AWS Security - Network Security https://d0.awsstatic.com/whitepapers/Security/Networking_Security_Whitepaper.pdf ❏ AWS Best Practices for DDoS Resiliency Whitepaper https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf 26
27

Empfohlen

淺談WAF在AWS的架構
淺談WAF在AWS的架構淺談WAF在AWS的架構
淺談WAF在AWS的架構4ndersonLin
 
Policy as code what helm developers need to know about security
Policy as code what helm developers need to know about securityPolicy as code what helm developers need to know about security
Policy as code what helm developers need to know about securityLibbySchulze
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Enterprise Network Security & Compliance - A Vendor's Perspective
Enterprise Network Security & Compliance - A Vendor's PerspectiveEnterprise Network Security & Compliance - A Vendor's Perspective
Enterprise Network Security & Compliance - A Vendor's PerspectiveAnusha Vaidyanathan
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 
Leveraging the Cloud for Continuous Delivery while Protecting your IP
Leveraging the Cloud for Continuous Delivery while Protecting your IPLeveraging the Cloud for Continuous Delivery while Protecting your IP
Leveraging the Cloud for Continuous Delivery while Protecting your IPPerforce
 

Empfohlen

淺談WAF在AWS的架構
淺談WAF在AWS的架構淺談WAF在AWS的架構
淺談WAF在AWS的架構4ndersonLin
 
Policy as code what helm developers need to know about security
Policy as code what helm developers need to know about securityPolicy as code what helm developers need to know about security
Policy as code what helm developers need to know about securityLibbySchulze
 
AWS Security Strategy
AWS Security StrategyAWS Security Strategy
AWS Security StrategyTeri Radichel
 
Enterprise Network Security & Compliance - A Vendor's Perspective
Enterprise Network Security & Compliance - A Vendor's PerspectiveEnterprise Network Security & Compliance - A Vendor's Perspective
Enterprise Network Security & Compliance - A Vendor's PerspectiveAnusha Vaidyanathan
 
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...
Extensible dev secops pipelines with Jenkins, Docker, Terraform, and a kitche...Richard Bullington-McGuire
 
DevSecOps in Baby Steps
DevSecOps in Baby StepsDevSecOps in Baby Steps
DevSecOps in Baby StepsPriyanka Aash
 
Implementing DevSecOps
Implementing DevSecOpsImplementing DevSecOps
Implementing DevSecOpsAmazon Web Services
 
Leveraging the Cloud for Continuous Delivery while Protecting your IP
Leveraging the Cloud for Continuous Delivery while Protecting your IPLeveraging the Cloud for Continuous Delivery while Protecting your IP
Leveraging the Cloud for Continuous Delivery while Protecting your IPPerforce
 
App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containersAkash Mahajan
 
Microservices: Notes From The Field
Microservices: Notes From The FieldMicroservices: Notes From The Field
Microservices: Notes From The FieldApcera
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudAlert Logic
 
F5 ASM HEALTH CHECKS
F5 ASM HEALTH CHECKSF5 ASM HEALTH CHECKS
F5 ASM HEALTH CHECKSMarco Essomba
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudAlert Logic
 
The Psychology of Security Automation
The Psychology of Security AutomationThe Psychology of Security Automation
The Psychology of Security AutomationJason Chan
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsAlert Logic
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudAmazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsEvident.io
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Evident.io
 
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-wayVelocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-wayEvident.io
 
Azure F5 Solutions
Azure F5 SolutionsAzure F5 Solutions
Azure F5 SolutionsMarketingArrowECS_CZ
 
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...CloudPassage
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeCSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeAlert Logic
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security ServicesAlert Logic
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsCloudPassage
 
Docker & Apcera Better Together
Docker & Apcera Better TogetherDocker & Apcera Better Together
Docker & Apcera Better TogetherSimone Morellato
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App AttacksAlert Logic
 
Azure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration TestsAzure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration TestsRoy Kim
 
QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallRisk Analysis Consultants, s.r.o.
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 

Weitere ähnliche Inhalte

Was ist angesagt?

App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containersAkash Mahajan
 
Microservices: Notes From The Field
Microservices: Notes From The FieldMicroservices: Notes From The Field
Microservices: Notes From The FieldApcera
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudAlert Logic
 
F5 ASM HEALTH CHECKS
F5 ASM HEALTH CHECKSF5 ASM HEALTH CHECKS
F5 ASM HEALTH CHECKSMarco Essomba
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudAlert Logic
 
The Psychology of Security Automation
The Psychology of Security AutomationThe Psychology of Security Automation
The Psychology of Security AutomationJason Chan
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsAlert Logic
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudAmazon Web Services
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security OperationsEvident.io
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Evident.io
 
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-wayVelocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-wayEvident.io
 
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...CloudPassage
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeCSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeAlert Logic
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security ServicesAlert Logic
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsCloudPassage
 
Docker & Apcera Better Together
Docker & Apcera Better TogetherDocker & Apcera Better Together
Docker & Apcera Better TogetherSimone Morellato
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App AttacksAlert Logic
 
Azure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration TestsAzure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration TestsRoy Kim
 

Was ist angesagt? (20)

App sec in the time of docker containers
App sec in the time of docker containersApp sec in the time of docker containers
App sec in the time of docker containers
 
Microservices: Notes From The Field
Microservices: Notes From The FieldMicroservices: Notes From The Field
Microservices: Notes From The Field
 
CSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the CloudCSS17: Atlanta - Realities of Security in the Cloud
CSS17: Atlanta - Realities of Security in the Cloud
 
F5 ASM HEALTH CHECKS
F5 ASM HEALTH CHECKSF5 ASM HEALTH CHECKS
F5 ASM HEALTH CHECKS
 
CSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the CloudCSS17: Houston - Introduction to Security in the Cloud
CSS17: Houston - Introduction to Security in the Cloud
 
The Psychology of Security Automation
The Psychology of Security AutomationThe Psychology of Security Automation
The Psychology of Security Automation
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
CSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web AppsCSS17: Houston - Protecting Web Apps
CSS17: Houston - Protecting Web Apps
 
Successfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the CloudSuccessfully Implementing DEV-SEC-OPS in the Cloud
Successfully Implementing DEV-SEC-OPS in the Cloud
 
Automating your AWS Security Operations
Automating your AWS Security OperationsAutomating your AWS Security Operations
Automating your AWS Security Operations
 
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
Security Threats, the Cloud and Your Responsibilities - Evident.io @AWS Pop-u...
 
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-wayVelocity 2015-tim-prendergast-continuous-security-the-devops-way
Velocity 2015-tim-prendergast-continuous-security-the-devops-way
 
Azure F5 Solutions
Azure F5 SolutionsAzure F5 Solutions
Azure F5 Solutions
 
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...Best Practices for Workload Security: Securing Servers in Modern Data Center ...
Best Practices for Workload Security: Securing Servers in Modern Data Center ...
 
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in PracticeCSS 17: NYC - The AWS Shared Responsibility Model in Practice
CSS 17: NYC - The AWS Shared Responsibility Model in Practice
 
#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services#ALSummit: Alert Logic & AWS - AWS Security Services
#ALSummit: Alert Logic & AWS - AWS Security Services
 
Secure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOpsSecure Cloud Development Resources with DevOps
Secure Cloud Development Resources with DevOps
 
Docker & Apcera Better Together
Docker & Apcera Better TogetherDocker & Apcera Better Together
Docker & Apcera Better Together
 
Protecting Against Web App Attacks
Protecting Against Web App AttacksProtecting Against Web App Attacks
Protecting Against Web App Attacks
 
Azure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration TestsAzure App Gateway and Log Analytics under Penetration Tests
Azure App Gateway and Log Analytics under Penetration Tests
 

Ähnlich wie 淺談WAF在AWS的架構_20171027

Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
Web Security Automation: Spend Less Time Securing your Applications
Web Security Automation: Spend Less Time Securing your Applications Web Security Automation: Spend Less Time Securing your Applications
Web Security Automation: Spend Less Time Securing your ApplicationsAmazon Web Services
 
Running Hybrid Cloud Patterns on AWS
Running Hybrid Cloud Patterns on AWSRunning Hybrid Cloud Patterns on AWS
Running Hybrid Cloud Patterns on AWSShiva Narayanaswamy
 
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar SeriesSetup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar SeriesAmazon Web Services
 
AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...
AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...
AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...Amazon Web Services
 
What's New VMware NSX Advanced Load Balancer (Avi Networks)
What's New VMware NSX Advanced Load Balancer (Avi Networks)What's New VMware NSX Advanced Load Balancer (Avi Networks)
What's New VMware NSX Advanced Load Balancer (Avi Networks)Avi Networks
 
Living on the Edge, It’s Safer Than You Think! Building Strong with Amazon Cl...
Living on the Edge, It’s Safer Than You Think! Building Strong with Amazon Cl...Living on the Edge, It’s Safer Than You Think! Building Strong with Amazon Cl...
Living on the Edge, It’s Safer Than You Think! Building Strong with Amazon Cl...Amazon Web Services
 
Security and Compliance in the Cloud
Security and Compliance in the Cloud Security and Compliance in the Cloud
Security and Compliance in the Cloud Amazon Web Services
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationAmazon Web Services
 
Protect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudProtect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudImperva
 
Barracuda WAF deployment in AWS
Barracuda WAF deployment in AWSBarracuda WAF deployment in AWS
Barracuda WAF deployment in AWSAravindan A
 
Top 5 Ways to Secure Your Business on the Cloud
Top 5 Ways to Secure Your Business on the CloudTop 5 Ways to Secure Your Business on the Cloud
Top 5 Ways to Secure Your Business on the CloudAmazon Web Services
 
Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016Scott Sims
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineAmazon Web Services
 
Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPT Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPTAmazon Web Services
 
Application Deployment on AWS - Startup Talks June 2015
Application Deployment on AWS - Startup Talks June 2015Application Deployment on AWS - Startup Talks June 2015
Application Deployment on AWS - Startup Talks June 2015Amazon Web Services
 

Ähnlich wie 淺談WAF在AWS的架構_20171027 (20)

QualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application FirewallQualysGuard InfoDay 2013 - Web Application Firewall
QualysGuard InfoDay 2013 - Web Application Firewall
 
Getting Started with AWS Security
Getting Started with AWS SecurityGetting Started with AWS Security
Getting Started with AWS Security
 
Web Security Automation: Spend Less Time Securing your Applications
Web Security Automation: Spend Less Time Securing your Applications Web Security Automation: Spend Less Time Securing your Applications
Web Security Automation: Spend Less Time Securing your Applications
 
Running Hybrid Cloud Patterns on AWS
Running Hybrid Cloud Patterns on AWSRunning Hybrid Cloud Patterns on AWS
Running Hybrid Cloud Patterns on AWS
 
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar SeriesSetup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
Setup Preconfigured Protections on AWS WAF - November 2016 Webinar Series
 
AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...
AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...
AWS Public Sector Symposium 2014 Canberra | Security as an Enabler: Improving...
 
What's New VMware NSX Advanced Load Balancer (Avi Networks)
What's New VMware NSX Advanced Load Balancer (Avi Networks)What's New VMware NSX Advanced Load Balancer (Avi Networks)
What's New VMware NSX Advanced Load Balancer (Avi Networks)
 
AWS Lunch and Learn - Security
AWS Lunch and Learn - SecurityAWS Lunch and Learn - Security
AWS Lunch and Learn - Security
 
Living on the Edge, It’s Safer Than You Think! Building Strong with Amazon Cl...
Living on the Edge, It’s Safer Than You Think! Building Strong with Amazon Cl...Living on the Edge, It’s Safer Than You Think! Building Strong with Amazon Cl...
Living on the Edge, It’s Safer Than You Think! Building Strong with Amazon Cl...
 
Security and Compliance in the Cloud
Security and Compliance in the Cloud Security and Compliance in the Cloud
Security and Compliance in the Cloud
 
Modern Security and Compliance Through Automation
Modern Security and Compliance Through AutomationModern Security and Compliance Through Automation
Modern Security and Compliance Through Automation
 
Protect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public CloudProtect Your Data and Apps in the Public Cloud
Protect Your Data and Apps in the Public Cloud
 
Barracuda WAF deployment in AWS
Barracuda WAF deployment in AWSBarracuda WAF deployment in AWS
Barracuda WAF deployment in AWS
 
Top 5 Ways to Secure Your Business on the Cloud
Top 5 Ways to Secure Your Business on the CloudTop 5 Ways to Secure Your Business on the Cloud
Top 5 Ways to Secure Your Business on the Cloud
 
Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016Brocade vADC Portfolio Overview 2016
Brocade vADC Portfolio Overview 2016
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
Toward Full Stack Security
Toward Full Stack SecurityToward Full Stack Security
Toward Full Stack Security
 
AWS CodeDeploy Getting Started
AWS CodeDeploy Getting StartedAWS CodeDeploy Getting Started
AWS CodeDeploy Getting Started
 
Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPT Automate the Provisioning of Secure Developer Environments on AWS PPT
Automate the Provisioning of Secure Developer Environments on AWS PPT
 
Application Deployment on AWS - Startup Talks June 2015
Application Deployment on AWS - Startup Talks June 2015Application Deployment on AWS - Startup Talks June 2015
Application Deployment on AWS - Startup Talks June 2015
 

Kürzlich hochgeladen

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdfChristopherTHyatt
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 

Kürzlich hochgeladen (20)

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 

淺談WAF在AWS的架構_20171027

  • 2. SC Lin ❖ Now: ➢ Engineer with focus on public cloud and security. ➢ Prepare for AWS Certified DevOps - Professional ❖ Experiences: ➢ System Engineer, PIC ➢ Security Engineer, PIC ❖ AWS Certification: ➢ AWS Certified Solutions Architect - Professional ➢ AWS Certified Solutions Architect - Associate ➢ AWS Certified Developer - Associate ➢ AWS Certified SysOps Administrator - Associate 2
  • 3. Agenda ❖ Why WAF? Problems and expectations ❖ WAF architecture on AWS ❖ Comparisons ❖ Demo ❖ Summary This is a AWS WAF icon. 3
  • 5. Before Why WAF, What is WAF? A web application firewall (or WAF) filters, monitors, and blocks HTTP traffic to and from a web application. A WAF is differentiated from a regular firewall in that a WAF is able to filter the content of specific web applications while regular firewalls serve as a safety gate between servers. - Description of WAF from Wikipedia A web application firewall (WAF) is an application firewall for HTTP applications. It applies a set of rules to an HTTP conversation. Generally, these rules cover common attacks such as cross-site scripting (XSS) and SQL injection. - Description of WAF from OWASP 5
  • 6. Why WAF? Problems and expectations ➢ OWASP Top 10 ➢ SQL Injection ➢ XSS ➢ CVE & NVD ➢ DDoS ➢ Compliance 6
  • 7. Why WAF? - 2017 OWASP Top 10 ➢ A1-Injection ➢ A2-Broken Authentication and Session Management ➢ A3-Cross-Site Scripting (XSS) ➢ A4-Broken Access Control ➢ A5-Security Misconfiguration ➢ A6-Sensitive Data Exposure ➢ A7-Insufficient Attack Protection ➢ A8-Cross-Site Request Forgery (CSRF) ➢ A9-Using Components with Known Vulnerabilities ➢ A10-Underprotected APIs 7
  • 9. Why WAF? - Compliance Compliance ➢ PCI DSS 3.2 requirement 6.6 choice 2 “Installing an automated technical solution that detects and prevents web-based attacks (for example, a web-application firewall) in front of public-facing web applications, to continually check all traffic.” ➢ Don’t worry, most of the solutions can help you meet PCI DSS. ➢ AWS WAF service is already certified by PCI DSS. ○ check here “https://aws.amazon.com/tw/compliance/services-in-scope/” 9
  • 11. WAF architecture on AWS - AWS best practice AWS best practice Reference: AWS Best Practices for DDoS Resiliency (June 2015) 11
  • 12. WAF architecture on AWS - Traditional architecture Traditional architecture - problems XFF XFF Scale out Rule Consistency XFF Warm up XFF Warm up ELB traffic fee Traffic Out 12
  • 13. WAF architecture on AWS - AWS best practices AWS best practice Reference: AWS Best Practices for DDoS Resiliency (June 2016) 13
  • 14. WAF architecture on AWS - Cloud service Architecture working with cloud service 14
  • 15. WAF architecture on AWS - AWS WAF Architecture - AWS WAF CloudFront WAF ALB EC2 15
  • 17. Comparisons - Meet OWASP Traditional architecture 1. 使用高度自行客製化的 rule。 2. 使用品牌產品自帶的rule。 Working with cloud service 1. 上限和下限完全取於服務供應商 Working with AWS WAF 1. AWS WAF請參考Use AWS WAF to Mitigate OWASP’s Top 10 Web Application Vulnerabilities 17
  • 18. Comparisons - Meet compliance Traditional architecture 1. 調整rule的彈性大,對於服務供應商的依賴性小。 2. 品牌產品能產出Compliance report,減少對應稽核的負擔。 Working with cloud service 1. 上限和下限完全取於服務供應商的服務 內容。 Working with AWS WAF 1. AWS WAF底層直接符合PCI,但是Rule的產出與改善... 是使用者的責任。 (AWS shared responsibility model) 18
  • 19. Comparisons - Maintain & automation Traditional architecture 1. 學習的時間成本,需要維運者有較高的技術 /溝通能力。 2. 複雜的架構,管理複雜度必然增加。 3. 難以自動化,須熟悉特定廠商的 API/Command。 Working with cloud service 1. 架構單純,維運難度較低。 2. 難以自動化,須熟悉特定廠商的 API/Command。 Working with AWS WAF 1. 架構單純,維運難度較低。 2. 學習一套API打天下。 19
  • 20. Comparisons - Pricing Traditional architecture 1. 養機器 = 貴 2. 專業的維運 = 貴 3. 使用知名品牌 = 貴 (License fee $1~3 hourly) Working with cloud service 1. 不需搭配CDN的專業Cloud WAF,假如包含professional service的話價格必然貴。 2. 搭配CDN的類型必須先購買CDN服務,再購買WAF模組。 Working with AWS WAF 1. AWS WAF有較低的起始費用,同時也支援 CF & ALB來賦予使用者選擇架構的彈性。 ($5 per web ACL, $1 per rule, $0.60 per million requests) 20
  • 22. Demo SQL Injection Protect XSS Protect Rate based rule CVE 2017-5638: Strust2 22
  • 24. Summary 1. 把WAF套進架構不是問題,如何Tuning rule才是問題。 2. 對應適合的場景/能力,使用適合架構。 3. 程式有洞就要補... 不要推給資安設備! 4. 如果有用CloudFront/ALB的, 馬上試試看AWS WAF能幫你攔到多少東西! 24
  • 25. Wishlist 透明的SQLinj, XSS規則清單。 String match支援Regular Expression (Oct 16, 2017 update “AWS WAF Now Supports Regular Expressions” https://goo.gl/kCdfgq) Rate-based rule的取樣單位是5分鐘,希望可以自由讓使用者調整。 Log只能看到最近3小時,最好能夠儲存log到S3/Cloudwatch Logs。 Rules per web ACL只能有10條... 更多的Feature… (Support case分類居然沒有feature request...) 25
  • 26. References ❏ AWS Security Blog https://aws.amazon.com/blogs/security/ ❏ AWS WAF Developer Guide http://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html ❏ AWS WAF Preconfigured Rules & Tutorials https: ❏ //aws.amazon.com/waf/preconfiguredrules/AWS Security Whitepaper https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf ❏ AWS Security Best Practices https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf ❏ Overview of AWS Security - Network Security https://d0.awsstatic.com/whitepapers/Security/Networking_Security_Whitepaper.pdf ❏ AWS Best Practices for DDoS Resiliency Whitepaper https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf 26
  • 27. 27