
ARC348: Protecting your web applications from common attack vectors

Heitor Vital, Solutions Architect, AWS
Lalit Grover, Solutions Builder, AWS

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Agenda

Overview of attack vectors and mitigating controls

Build a comprehensive rule set for WAF

Customize and extend the solution

Amazon SageMaker IP Insights algorithm

Hands-on exercises

AWS console

Mission: build mitigating AWS WAF rule set

Workshop Guide: bit.ly/ARC348 or bit.ly/ARC348PDF

Mitigating common vulnerabilities

Spectrum of attacks

(Diagram, built up over three slides: a spectrum running from DDoS on the left to targeted attacks on the right, the web application and AWS WAF placed across it, and the AWS services that address each part listed beneath.)

DDoS: reflection and amplification, layer 3 & 4 floods, HTTP floods, Slowloris, SSL abuse

Targeted attacks: XSS, SQL injection, CSRF, RFI/LFI, application exploits, bots and probes, spear phishing, certificate hijacking, authorization exploits

Web application, fronted by AWS WAF

Services: AWS Shield, Amazon GuardDuty, Amazon CloudFront, Amazon Macie, Elastic Load Balancing, AWS WAF, Amazon Inspector, Amazon Route 53, AWS Systems Manager, Amazon Certificate Manager, AWS Marketplace: IDS/IPS, Anti-

Using AWS WAF to mitigate flaws

A WAF does not fix the underlying flaws; it limits the ability to exploit them

The ability to derive a recognizable HTTP request pattern is key to effectiveness

The ability to quickly change the rule configuration to keep up with changing attacks

Implementing AWS WAF

(Diagram: the building blocks of an AWS WAF deployment, plus the AWS WAF Security Automations template that provisions them.)

Conditions: match sets

Rules: match sets as predicates

Web ACLs: ordered set of rules

Associations: Amazon ALB, API Gateway, CloudFront

+ AWS WAF Security Automations template

Getting Started with AWS WAF Security Automations Solution

Workshop Guide: Lab rule details (bit.ly/ARC348, bit.ly/ARC348PDF)

(Lab architecture diagram, built up over several slides and repeated on each; collapsed here into one description.)

Web application resources: requests from valid users and from attackers (X) pass through AWS WAF in front of the Application Load Balancer.

Web ACL rules: A Whitelist, B Blacklist, C SQL Injection, D XSS, E HTTP Flood, F Scanners & Probes, G IP Reputation Lists, H Bad Bot.

WAF logs: AWS WAF -> Amazon Kinesis Data Firehose -> Amazon S3 (Web ACL traffic information) -> AWS Lambda (WAF Log Parser), which updates the HTTP Flood rule.

App logs: Application Load Balancer -> Amazon S3 (access logs) -> Amazon Athena, whose query results feed the Scanners & Probes rule.

IP reputation lists: Amazon CloudWatch Event (hourly) -> AWS Lambda (IP Lists Parser), which refreshes the IP Reputation Lists rule.

Bad bot: Amazon API Gateway -> AWS Lambda (Access Handler), which updates the Bad Bot rule.

Customizing and extending the solution

Lab architecture (the same diagram as above, repeated)

Block suspicious IP addresses with Amazon SageMaker and AWS WAF

Detecting suspicious login attempts to a web application

(Slide: a mock "Suspicious Login Attempt" notification with callouts.)

Suspicious Login Attempt

We detected an unusual login attempt. Do you recognize the following suspicious login?

IP: 198.51.100.0, Dec 2, 10:45 AM, Las Vegas

[Yes]

Callouts: alert users; update AWS WAF to block those IP sources; how to minimize false positive events?

Fighting malicious activity with Amazon SageMaker

Build, Train, and Deploy ML Models at Scale

IP Insights algorithm

Capture associations between IP addresses and various entities (user IDs, account numbers, etc.).

AWS WAF logs format (excerpt; the token cookie carries the user's JWT):

  {
    "httpRequest": {
      "clientIp": "client_ip",
      "headers": [{ "name": "Cookie", "value": "token=token_value" }]
    }
  }

JWT Decode (payload of token_value):

  {
    "status": "success",
    "data": {
      "username": "[email protected]",
      "createdAt": "2019-12-02 00:00:00.000"
    },
    "exp": 1575030463
  }
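The two log-driven rules above, the HTTP Flood rule fed by the WAF Log Parser and the IP Insights rules fed by IP-to-user associations pulled from the same logs, both start from the same parsing step. The following is an added example, not code from the ARC348 deck or from the AWS WAF Security Automations solution: a small stand-in for the WAF Log Parser that reads WAF log records (one JSON object per line, as Kinesis Data Firehose delivers them to S3), counts requests per client IP inside a sliding window to flag flood sources, and decodes the JWT in the token cookie to produce the (username, IP) pairs IP Insights trains on. The field names follow the deck's excerpt (httpRequest.clientIp, httpRequest.headers, a cookie named token); the window, threshold, sample users and sample log lines are constructed for this example.

```python
"""Added example: minimal WAF-log parser for HTTP-flood counting and IP Insights pairs.
Not the deck's or the AWS WAF Security Automations solution's code."""
import base64
import json
from collections import Counter, defaultdict

FLOOD_WINDOW_SECONDS = 300   # constructed: 5-minute sliding window
FLOOD_THRESHOLD = 3          # constructed: tiny so the sample data trips it


def decode_jwt_payload(token):
    """Return the JWT payload claims as a dict, or None if the token is malformed.

    The signature is deliberately not verified here: log analysis only reads the
    claims the application already wrote into the token, and the application is
    the place where signatures are checked before the claims are trusted.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore stripped padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:          # bad base64, bad UTF-8 or bad JSON
        return None


def cookie_value(headers, name):
    """Find name=value inside the Cookie header(s) of one WAF log record."""
    for header in headers:
        if header.get("name", "").lower() != "cookie":
            continue
        for part in header.get("value", "").split(";"):
            key, _, value = part.strip().partition("=")
            if key == name:
                return value
    return None


def parse_waf_logs(lines):
    """Turn WAF log lines into (client_ip, epoch_seconds, username_or_None) tuples."""
    records = []
    for line in lines:
        try:
            entry = json.loads(line)
        except ValueError:      # skip truncated or garbled lines
            continue
        request = entry.get("httpRequest", {})
        ip = request.get("clientIp")
        if not ip:
            continue
        ts = entry.get("timestamp", 0) // 1000   # WAF logs use epoch milliseconds
        username = None
        token = cookie_value(request.get("headers", []), "token")
        claims = decode_jwt_payload(token) if token else None
        if claims:
            username = claims.get("data", {}).get("username")
        records.append((ip, ts, username))
    return records


def flood_sources(records, window=FLOOD_WINDOW_SECONDS, threshold=FLOOD_THRESHOLD):
    """IPs with more than `threshold` requests inside any `window` seconds.

    A per-IP sliding window catches a burst that straddles a fixed bucket edge."""
    by_ip = defaultdict(list)
    for ip, ts, _ in records:
        by_ip[ip].append(ts)
    flagged = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def ip_insights_pairs(records):
    """(username, ip) pairs with their observation counts; records without a
    decodable token have no entity and are left out of the training set."""
    return Counter((user, ip) for ip, _, user in records if user)


def _make_token(claims):
    """Constructed header.payload.signature token for the sample data (not signed)."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([b64({"alg": "HS256", "typ": "JWT"}), b64(claims), "sig"])


# Constructed sample log lines in the shape of the deck's excerpt.
_ALICE = _make_token({"status": "success", "exp": 1575030463,
                      "data": {"username": "alice@example.com",
                               "createdAt": "2019-12-02 00:00:00.000"}})
_BOB = _make_token({"status": "success", "exp": 1575030463,
                    "data": {"username": "bob@example.com"}})
SAMPLE_LOG_LINES = [
    json.dumps({"timestamp": 1575283500000 + i * 1000, "httpRequest": {
        "clientIp": "198.51.100.7", "uri": "/login",
        "headers": [{"name": "Cookie", "value": "token=" + _ALICE}]}})
    for i in range(5)                       # 5 requests in 5 s from one IP
] + [
    json.dumps({"timestamp": 1575283500000, "httpRequest": {
        "clientIp": "203.0.113.5",
        "headers": [{"name": "Cookie", "value": "session=abc; token=" + _BOB}]}}),
    json.dumps({"timestamp": 1575283600000, "httpRequest": {
        "clientIp": "203.0.113.9", "headers": []}}),   # no token: no entity
    "{not valid json",                                   # garbled line is skipped
]

if __name__ == "__main__":
    recs = parse_waf_logs(SAMPLE_LOG_LINES)
    print("flood sources:", flood_sources(recs))
    for (user, ip), n in ip_insights_pairs(recs).items():
        print(f"{user},{ip}  seen {n}x")
```

In the real pipeline the flagged IPs would be written into the HTTP Flood rule's IP set and the pair counts exported as the entity,ip CSV that IP Insights trains on; the threshold used here is far below anything a production rule would use and exists only so the constructed sample trips it.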

Lab architecture

(Diagram, shown on two consecutive slides: the SageMaker variant of the lab.)

Web application resources: requests from valid users and from attackers (X) pass through AWS WAF in front of the Application Load Balancer.

Web ACL rules: A IP Insights Count, B IP Insights Blacklist.

WAF logs: AWS WAF -> Amazon Kinesis Data Firehose -> Amazon S3 (Web ACL traffic information) -> AWS Lambda (WAF Log Parser).

Amazon SageMaker: Notebook (Train) -> IP Insights Model -> Inference; the WAF Log Parser sends the extracted IP/user data to the model for inference and updates the IP Insights rules in the Web ACL.

Key takeaways

Internet-based attacks affect everyone, whether specifically targeted or not

You can no longer rely just on the application to handle such attacks

AWS WAF, AWS Shield, Amazon CloudFront, Elastic Load Balancing can be used to build in-line attack mitigation controls

It’s all about reducing the exposure footprint and risk

Thank you!
