9. AWS Global Presence and Redundancy
[Diagram: users in Country A, Country B and Country C reach CloudFront over separate Internet connections (Connection A, B, C) and routes (Route A, B, C). CloudFront forwards valid object requests to the origin and discards invalid-protocol traffic and invalid object requests at the edge.]
10. Your VPC only has to deal with layer 7 traffic
[Diagram: a DDoS made up of SYN/UDP floods and HTTP requests hits CloudFront; only the HTTP part reaches the customer's solution.]
Roughly 80% of DDoS traffic consists of L3/L4 flood attacks (SYN and UDP floods); the remaining 20% is made up of valid HTTP requests. Because CloudFront terminates TCP (and TLS) at the edge and only forwards HTTP(S) to the origin, the L3/L4 share never reaches your VPC. The layer 7 share still does, and that is what the WAF rules on the following slides address.
11. WAF(Web Application Firewall)
Match any part of the web request
Raw request headers, as seen by AWS WAF in front of CloudFront:
Host: www.example.com
User-Agent: Mozilla/5.0 (Macintosh; …
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive
Rule (string match condition):
Check: Header "Referer"
Match Type: Contains
Match: "example.com"
Action: ALLOW
Result: good users are allowed.
Note that the real header name is the historically misspelled "Referer"; a condition on "Referrer" never matches anything. The value is client-supplied and trivially forged, and "Contains example.com" also matches hosts such as example.com.attacker.net, so an ALLOW rule on it only filters out unsophisticated clients.
12. WAF(Web Application Firewall)
Use transforms to stop evasion
Raw request headers, as seen by AWS WAF in front of CloudFront:
Host: www.example.com
User-Agent: badbot
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/
Connection: keep-alive
Rule (string match condition, no transform):
Check: Header "User-Agent"
Match Type: Contains
Match: "badbot"
Action: BLOCK
Result: the scraper bot is blocked, but only while it sends the literal string "badbot".
13. WAF(Web Application Firewall)
Use transforms to stop evasion
Raw request headers, as seen by AWS WAF in front of CloudFront:
Host: www.example.com
User-Agent: bAdBoT
Accept: image/png,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://www.InTeRnEtkItTiEs.com/
Connection: keep-alive
Rule (string match condition, with transform):
Check: Header "User-Agent"
Transform: To lower
Match Type: Contains
Match: "badbot"
Action: BLOCK
Result: the scraper bot is blocked even though it changed the case of its User-Agent; the transform normalises "bAdBoT" to "badbot" before the match is evaluated.
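The evasion on the three WAF slides above, worked as a small rule evaluator. This is an added example, not AWS WAF's matching engine and not code from the original deck: the transform and match-type names mirror AWS WAF's, but the implementations are standard-library approximations (an assumption, not AWS's exact semantics), and the raw requests are constructed from the headers shown on the slides. It also goes one step past the slides by chaining a URL decode in front of the lowercase transform and by showing what happens when the slide 11 Referer ALLOW rule is ordered before the BLOCK rule.

```python
"""Toy evaluator for the CloudFront/AWS WAF string-match rules on the slides.

Added example, not AWS WAF's matching engine or code from the original deck.
Transform and match-type names mirror AWS WAF's; the implementations are
standard-library approximations (an assumption, not AWS's exact behaviour).
"""
import html
import re
from urllib.parse import unquote_plus

# Text transformations applied to the field before it is compared.
TRANSFORMS = {
    "NONE": lambda s: s,
    "LOWERCASE": str.lower,
    "URL_DECODE": unquote_plus,
    "HTML_ENTITY_DECODE": html.unescape,
    "COMPRESS_WHITE_SPACE": lambda s: re.sub(r"\s+", " ", s),
}

# How the (transformed) field is compared with the rule's match string.
MATCH_TYPES = {
    "EXACTLY": lambda field, needle: field == needle,
    "STARTS_WITH": lambda field, needle: field.startswith(needle),
    "ENDS_WITH": lambda field, needle: field.endswith(needle),
    "CONTAINS": lambda field, needle: needle in field,
}


def parse_raw_headers(raw):
    """Header names are case-insensitive, so key the dict by lowercase name."""
    headers = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def evaluate(rule, headers):
    """Return the rule's action if it matches the request, else None."""
    field = headers.get(rule["header"].lower(), "")
    for name in rule.get("transforms", ["NONE"]):  # applied in listed order
        field = TRANSFORMS[name](field)
    if MATCH_TYPES[rule["match_type"]](field, rule["match"]):
        return rule["action"]
    return None


def decide(rules, raw_request, default="ALLOW"):
    """Evaluate ordered rules like a web ACL: first match wins, else default."""
    headers = parse_raw_headers(raw_request)
    for rule in rules:
        action = evaluate(rule, headers)
        if action is not None:
            return action
    return default


def request_with_ua(user_agent):
    """Constructed raw request headers modelled on the slides."""
    return (
        "Host: www.example.com\r\n"
        f"User-Agent: {user_agent}\r\n"
        "Accept: image/png,image/*;q=0.8,*/*;q=0.5\r\n"
        "Accept-Language: en-US,en;q=0.5\r\n"
        "Accept-Encoding: gzip, deflate\r\n"
        "Referer: http://www.example.com/\r\n"
        "Connection: keep-alive\r\n"
    )


UA_GOOD = "Mozilla/5.0 (Macintosh) Firefox"  # constructed browser UA

# Slide 12: literal match, no transform.
NAIVE_RULE = {"header": "User-Agent", "match_type": "CONTAINS",
              "match": "badbot", "action": "BLOCK"}
# Slide 13, plus URL decoding: normalise before matching.
HARDENED_RULE = dict(NAIVE_RULE, transforms=["URL_DECODE", "LOWERCASE"])
# Slide 11: ALLOW on a forgeable header.
REFERER_ALLOW = {"header": "Referer", "match_type": "CONTAINS",
                 "match": "example.com", "action": "ALLOW"}


def ordering_pitfall():
    """An ALLOW rule evaluated first lets the bot through on a forged Referer."""
    return decide([REFERER_ALLOW, NAIVE_RULE], request_with_ua("badbot"))


if __name__ == "__main__":
    for ua in ("badbot", "bAdBoT", "bad%62ot", UA_GOOD):
        print(f"{ua:>32}  naive={decide([NAIVE_RULE], request_with_ua(ua))}"
              f"  hardened={decide([HARDENED_RULE], request_with_ua(ua))}")
    print("ALLOW-before-BLOCK ordering:", ordering_pitfall())
```

The `bad%62ot` case is why transforms are chained: a lowercase-only rule would still be bypassed by percent-encoding one byte, since the decoded form is only visible after URL_DECODE. The ordering case shows that an ALLOW rule placed ahead of BLOCK rules in the web ACL is an easy bypass when it keys on a header the client controls.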
18. Two Users without CloudFront
[Sequence diagram: two users connecting directly to the Region. Each user's request starts with a full TCP handshake (SYN, SYN-ACK, ACK) before GET /index.jsp is sent; the diagram labels 90 ms for one leg and about 360 ms before each user's first byte arrives.]
19. Without Keep-Alive Connections
• Without keep-alive connections, every request pays for a new connection, and the extra load on your web server increases the time to first byte.
[Diagram: TTFB (Time to First Byte) broken down into DNS lookup, connection setup and content download.]
23. Access control: Restricting origin access
§Amazon S3
§Origin Access Identity (OAI)
• Prevents direct access to your Amazon S3 bucket
• Ensures the performance benefits reach all customers, because every request has to go through CloudFront
§Custom origin
§Block by IP address
• Whitelist only the Amazon CloudFront IP range
• Protects the origin from overload
• Ensures the performance benefits reach all customers
Caveat: an IP allowlist admits traffic from any CloudFront distribution, not just yours, so a custom origin should also check a secret custom header that only your distribution adds. (OAI applies to S3 origins only; AWS has since introduced Origin Access Control as its successor.)
24. Origin Access Identity (OAI)
• Ensures only Amazon CloudFront can access the Amazon S3 bucket
• We make it simple for you
[Diagram: Amazon CloudFront in front of an Amazon S3 bucket and a custom origin in a Region; the bucket policy grants read access to the OAI alone.]
26. Shield custom origin
• Shield your custom origin
• Whitelist the Amazon CloudFront IP range in the origin's security group
[Diagram: Amazon CloudFront in front of an Amazon S3 bucket and a custom origin in a Region; only CloudFront's IP range is allowed to reach the custom origin.]
28. Shield custom origin
• Subscribe to Amazon SNS notifications on changes to the AWS IP ranges
• Automatically update security groups
[Diagram: a change to the AWS IP ranges publishes an SNS message; an AWS Lambda function subscribed to the topic updates the security group in front of the web app servers so that only the current Amazon CloudFront IP range is allowed in.]
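The reconciliation step behind slides 23 and 28, written out as an added example. It is not the deck's code and not AWS's own sample Lambda: it assumes the AmazonIpSpaceChanged notification carries the file URL and its MD5 (keys "url" and "md5", as the real notification does), uses a constructed ip-ranges document with the shape of https://ip-ranges.amazonaws.com/ip-ranges.json, and stands in a recording object for the boto3 EC2 client so it runs offline. The security group is assumed to be dedicated to CloudFront ingress, because anything not in the published list is revoked.

```python
"""Reconcile a dedicated origin security group with CloudFront's IP ranges.

Added example, not the slides' code or AWS's sample Lambda. Assumptions: the
SNS message names the file and its MD5; the ip-ranges document below is a
constructed sample with the real file's structure; RecordingEc2 stands in for
a boto3 EC2 client and exposes only the two calls used here.
"""
import hashlib
import json

# Constructed sample; real prefixes change, which is the whole point of the slide.
IP_RANGES_JSON = json.dumps({
    "syncToken": "1700000000",
    "createDate": "2023-11-14-00-00-00",
    "prefixes": [
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "region": "GLOBAL", "service": "CLOUDFRONT"},
        {"ip_prefix": "13.32.0.0/15", "region": "GLOBAL", "service": "AMAZON"},
        {"ip_prefix": "3.5.140.0/22", "region": "ap-northeast-2", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2600:9000::/28", "region": "GLOBAL", "service": "CLOUDFRONT"},
    ],
})


def verify_notification(sns_message, body):
    """Refuse to act on a downloaded body whose digest differs from the one in
    the notification (stale cache, truncated download, tampering)."""
    msg = json.loads(sns_message)
    digest = hashlib.md5(body.encode()).hexdigest()  # MD5 is what AWS publishes
    if digest != msg["md5"]:
        raise ValueError(f"ip-ranges.json digest {digest} != notification {msg['md5']}")
    return json.loads(body)


def cloudfront_ranges(doc):
    """CIDRs tagged with service CLOUDFRONT; other services are ignored."""
    v4 = {p["ip_prefix"] for p in doc["prefixes"] if p["service"] == "CLOUDFRONT"}
    v6 = {p["ipv6_prefix"] for p in doc["ipv6_prefixes"] if p["service"] == "CLOUDFRONT"}
    return v4, v6


def current_ranges(sg, port):
    """CIDRs currently allowed on tcp/`port` in a DescribeSecurityGroups entry."""
    v4, v6 = set(), set()
    for perm in sg["IpPermissions"]:
        if perm["IpProtocol"] == "tcp" and perm["FromPort"] == port == perm["ToPort"]:
            v4.update(r["CidrIp"] for r in perm.get("IpRanges", []))
            v6.update(r["CidrIpv6"] for r in perm.get("Ipv6Ranges", []))
    return v4, v6


def plan(current, desired):
    """Diff as (to_authorize, to_revoke); the SG must be dedicated to CloudFront."""
    return sorted(desired - current), sorted(current - desired)


def ip_permission(port, v4, v6):
    """Build the IpPermissions entry shape boto3's EC2 client expects."""
    perm = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if v4:
        perm["IpRanges"] = [{"CidrIp": c} for c in v4]
    if v6:
        perm["Ipv6Ranges"] = [{"CidrIpv6": c} for c in v6]
    return perm


def reconcile(ec2, sg, port, doc):
    """Apply the diff to one SG; returns (authorized_count, revoked_count)."""
    want4, want6 = cloudfront_ranges(doc)
    have4, have6 = current_ranges(sg, port)
    add4, rm4 = plan(have4, want4)
    add6, rm6 = plan(have6, want6)
    if add4 or add6:
        ec2.authorize_security_group_ingress(
            GroupId=sg["GroupId"], IpPermissions=[ip_permission(port, add4, add6)])
    if rm4 or rm6:
        ec2.revoke_security_group_ingress(
            GroupId=sg["GroupId"], IpPermissions=[ip_permission(port, rm4, rm6)])
    return len(add4) + len(add6), len(rm4) + len(rm6)


class RecordingEc2:
    """Stand-in for a boto3 EC2 client; records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def authorize_security_group_ingress(self, **kw):
        self.calls.append(("authorize", kw))

    def revoke_security_group_ingress(self, **kw):
        self.calls.append(("revoke", kw))


# Constructed: a CloudFront-only SG that still allows a retired range.
STALE_SG = {
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                       "IpRanges": [{"CidrIp": "52.46.0.0/18"},
                                    {"CidrIp": "54.182.0.0/16"}]}],
}


def sns_message_for(body):
    """Constructed notification in the AmazonIpSpaceChanged shape."""
    return json.dumps({"url": "https://ip-ranges.amazonaws.com/ip-ranges.json",
                       "md5": hashlib.md5(body.encode()).hexdigest()})


def demo():
    doc = verify_notification(sns_message_for(IP_RANGES_JSON), IP_RANGES_JSON)
    ec2 = RecordingEc2()
    added, removed = reconcile(ec2, STALE_SG, 443, doc)
    return added, removed, ec2.calls


if __name__ == "__main__":
    added, removed, calls = demo()
    print(f"authorized {added} range(s), revoked {removed}")
    for action, kw in calls:
        print(action, json.dumps(kw["IpPermissions"]))
```

Two practical limits apply when this runs against real ranges: a security group has a default quota of 60 inbound rules, and CloudFront publishes well over that many IPv4 prefixes, so the list has to be split across several security groups attached to the same instances or load balancer (AWS has since added a managed prefix list for CloudFront origin-facing addresses that can be referenced from a single rule instead). And, as on slide 23, the allowlist only proves the request came through some CloudFront distribution; pairing it with a secret custom header from your own distribution is what ties it to yours.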