Page 1: Distributing content securely - Amazon S3 · A content delivery network (CDN) is a globally distributed network of proxy servers deployed in multiple data centers. The goal of a CDN

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Alessandro Esposito – Cloudfront Account Representative [email protected]

14th April 2016

Distributing content securely

Using Amazon CloudFront, AWS WAF and AWS Lambda

Page 2

Delivering Content – Challenges

• Multiple Users
• Static & Dynamic Contents
• Different Devices

Page 3

Delivering Content – Requirements

• Easy
• Cost Effective
• Secure

Page 4

Content Delivery

Page 5

What is a Content Delivery Network (CDN)?

A content delivery network (CDN) is a globally distributed network of proxy servers deployed in multiple data centers. The goal of a CDN is bringing content closer to end users, lowering latency when they download or stream the objects.

[Diagram: User A, User B and User C send requests to the CDN; Request A is forwarded from the CDN to the Origin]

Page 6

Amazon CloudFront - CDN

• Global content delivery network (CDN)
• Full feature caching – Dynamic & Static Content
• Integrated with other Amazon Web Services
• Easy way to distribute content to end users
• Pay as you go, no integration fee

Page 7

AWS Global Infrastructure

[Map legend: Region, Edge Location]

• 12 Regions
• 33 Availability Zones
• 54 Edge Locations

Page 8

AWS Edge Locations

• 54 Edge Locations
• 19 Countries
• 38 Cities
• 5 Continents

Page 9

Amazon.com - whole site delivery

[Diagram: dynamic, static and video content, user input and SSL traffic all delivered through CloudFront]

Page 10

Popular CloudFront Features and Use Cases

Video Streaming
• On-demand & Live Streaming
• RTMP (Flash) and HTTP(S)
• Adaptive Bitrate Live Streaming
• Microsoft Smooth Streaming

Whole Site Delivery
• Static & Dynamic Content
• Mobile Detect, CORS Support
• Multiple Cache Behaviors
• Multiple Origin Servers

Security
• Private Content (Signed URLs)
• Custom SSL (Dedicated IP & SNI)
• Geo Restriction
• HTTP to HTTPS Redirect

High Availability
• 99.9% SLA
• Automatic Origin Failover
• Custom Error Pages
• Serve Stale Content when Origin unavailable

High Performance
• Latency Based Routing
• TCP Optimization
• Persistent Connections
• EDNS Client Subnet

Low TCO
• Pay for use
• Commit-Based lower pricing
• Price Classes
• Preferential Pricing for AWS origins

Page 11

Page 12

Clementoni S.p.A. Clempad Project

Daniele Silenzi IT Manager Clempad Project

Page 13

Clementoni S.p.A.

• Clementoni is an all-Italian company with more than 500 employees, the first Italian company in educational games
• Games available in 16 languages and distributed in over 60 countries.
• 8 sales offices: Benelux, Germany, Spain, France, Portugal, UK, Poland, Turkey and Hong Kong.
• High quality toys with high educational content which help children grow up from their first months

Page 14

Clempad Project

Android Educational Tablet for Kids

Page 15

Clempad Project

• In 2012 Clementoni started development of the Clempad Project, the first educational tablet for kids
• In the first year, starting from a forecast of 5TB data transfer, by the end of the year Clementoni delivered 40TB of traffic.
• The forecast for 2013 was 250TB data transfer in 8 countries
• Now we have around 500TB every year, with around 3M HTTP requests per day managed by CloudFront (Clementoni market, catalogs, WhiteList, and others)

Page 16

Clempad Challenge

From:
• Few Devices
• Only Italy
• ~ 10 custom Apps
• no Video Channel
• no official Clementoni market

To:
• Many Devices
• All Europe
• ~ 110 custom Apps
• Video Channel
• Official Clementoni market
• Clementoni Books
• www.planetclemetoni.com
• Others

Page 17

Clementoni AWS architecture

AWS Architecture
• 5 EC2 Instances
• 1 RDS (MySQL)
• 3 S3 Buckets
• 2 CloudFront Instances
• All the contents are delivered only via CloudFront

Page 18

AWS Advantages

• High bandwidth Amazon CloudFront
  • each device can reach remote resources without latency or delay, around 500TB every year
• Great Scalability
  • we can scale without modifying the architecture during the “hot” months
• Increased reliability
  • Multi-AZ (Amazon RDS), backup...
  • Extended scalability and durability with Amazon S3
• Increased security

Page 19

More data

• More than 1 Billion HTTP requests every year
• 30/40 TB transferred every month (December, January and February more than 65TB)
• Application (app) size increase
• New Clementoni games take advantage of AWS
• New WebSite

Clementoni saved around 40% on data transfer cost

Page 20

Future developments

• New products will take advantage of AWS and CloudFront
• Traffic Management
• Web Application Firewall (AWS WAF)

Page 21

Page 22

Recent Security and Compliance Features

• Compliance
  • PCI DSS Compliance
  • ISO 9001, 27001, 27017, 27018
• Security Enhancements
  • Signed Cookies
  • Enforce HTTPS to origin
  • Support for TLSv1.1 and TLSv1.2 between edge and origin
  • Add/Modify Request Headers Forwarded From CloudFront to Origin
  • Integration with AWS WAF
  • Integration with AWS Certificate Manager (ACM)

Page 23

Web Application Firewall (WAF)

Page 24

What is a Web Application Firewall?

A Web Application Firewall (WAF) is an appliance, server plugin, or filter that applies a set of rules to HTTP traffic.

[Diagram: attackers send exploits and good users send normal requests to the web site; the WAF sits in between and filters the HTTP traffic]

Page 25

CloudFront without WAF

[Diagram: site scraping, SQL injection, XSS and other attacks pass through the Amazon CloudFront edge location together with legitimate traffic and reach the origin: EC2 behind an ELB and/or S3, or an on-premises environment with origin server and origin storage]

Page 26

Traditional WAF Deployment

[Diagram: same traffic mix through the Amazon CloudFront edge location; in AWS the WAF sits in an “ELB sandwich” (ELB → WAF → ELB → EC2), on premises it sits in front of the origin and origin storage, so attack traffic is filtered only after it has already reached the origin network]

Page 27

Traditional WAF

• Complex and slow setup
• Many False Positives
• Limited API for automation
• Expensive to set up and maintain

Page 28

AWS WAF - Web Application Firewall

• WAF protection at the Edge Location
• Customizable security
• Integrated with Amazon CloudFront
• Exploits, abuse, and application DDoS protection
• Easy to deploy and maintain
• Pay as you go

Page 29

AWS WAF - Web Application Firewall

Page 30

CloudFront with AWS WAF

[Diagram: the WAF runs at the Amazon CloudFront edge location, so site scraping, SQL injection, XSS and other attacks are filtered before they reach the origin (EC2 behind an ELB and/or S3, or an on-premises origin server and origin storage); legitimate traffic passes through]

Page 31

The AWS WAF

• Customizable and flexible
• Full featured API
• Easy and quick setup
• Pay as you go

Page 32

AWS WAF Components

Conditions → Rules → Web ACL → applied to a CloudFront distribution

Amazon CloudWatch: Report/Logs

Page 33

Automated Security

Page 34

AWS - Manage Content Your Way

API:

    POST /2012-07-01/distribution HTTP/1.1
    Host: cloudfront.amazonaws.com
    Authorization: AWS authentication string
    Date: time stamp
    Other required headers

    <?xml version="1.0" encoding="UTF-8"?>
    <DistributionConfig xmlns="http://cloudfront.amazonaws.com/doc/2012-07-01/">

Console management and reporting

Page 35

AWS Lambda - Run code without servers

Lambda automatically runs your code without requiring you to provision servers.

• “Server-less” scripting - event driven actions
• Integrated with other AWS services
• Use cases: scheduled events, provisioning services, and customer analysis

Page 36

Automated security – traditional data center

[Diagram: good users and attackers (exploits) hit the web site; its logs feed a threat analysis step, a rule updater turns the findings into new rules for the firewall]

Page 37

Automated security – AWS makes it easier

[Diagram: CloudFront access logs are processed by AWS Lambda, which updates AWS WAF in front of Amazon CloudFront; attacker exploits are blocked while good users are served]

Page 39

Resources

• Amazon CloudFront Product Page
  http://aws.amazon.com/cloudfront/
• AWS WAF Product Page
  https://aws.amazon.com/waf/
• Webinar | Introducing AWS WAF
  http://bit.ly/1N63GvO
• Webinar | Using AWS WAF and Lambda for Automatic Protection
  http://bit.ly/1qFLBe9
• Preconfigured Rules & Tutorials for AWS WAF
  http://aws.amazon.com/waf/preconfiguredrules/

Page 40

Thank You!