awsnotes

Multi-Layered Secured Application

Mrudul P.'s photo
Mrudul P.
·

3 min read

Table of contents

Making sense of AWS Shield, Firewall Manager, WAF, Cloudfront, ALB

Image Credit:https://youtu.be/0xlwLEccRe0

As can be seen in the image above one can configure Multilayered security using AWS Cloudfront, AWS WAF and AWS Shield.

CloudFront provides a way to not only accelerate access to resources but also has built-in security features that can help protect access to applications.

Security Options available on AWS Cloudfront are as follows (more information) --

  • TLS/SSL -- Use CloudFront certificate or bring your certificate

  • Restrictions using Signed URLs or Signed Cookies or Based on Geo Location

  • Restricting access to origin.

While CloudFront provides a way to accelerate access to resources, it also provides a layer of security. However, the options available are not enough against web application threats.

For this AWS WAF comes in handy.

AWS WAF helps you protect against common web exploits and bots that can affect availability, compromise security, or consume excessive resources. One can create security rules that control bot traffic and block common attack patterns such as SQL injection or cross-site scripting (XSS). If you do not want to write your own rules, there is a possibility to use managed rules to protect your web application. WAF also provides the ability to monitor incoming traffic.

WAF comes in handy for the following use cases --

  • Filter traffic

  • Prevent account takeover fraud

  • SQL Injection

  • Cross-Site Scripting (XSS)

  • Block or rate limit based on specific user agents, IP etc...

Now we restricted access to our application by first filtering traffic and then specific certificates. This ensures the attack surface is reduced but still an attacker can make your application inaccessible by employing Distributed Denial of Service (DDoS) attacks. To prevent this AWS provides AWS Shield and AWS Shield Advanced.

AWS Shield comes for free with AWS WAF. It prevents most of the DDoS attacks.

With AWS Shield Advanced you can get

  • Preconfigured mitigations, advanced mitigations or custom mitigations.

  • It can also detect volumetric layer 7 attacks

  • 24*7 access to DDoS response Team.

  • Cost protection against scaling.

Let's look at some special use cases where multilayered security is implemented not exactly as described in the previous section.

Case 1: I have a serverless architecture.

To protect serverless architecture one can put AWS WAF and AWS Shield (Advanced) to protect the application

Image Credit:https://youtu.be/0xlwLEccRe0

Case 2: I have TCP traffic (non-HTTP/non-HTTPS)

Customers typically use Network load balancers in such use cases and Global Accelerator to accelerate access to the resource. Protection for such cases can be done as shown below

Image Credit:https://youtu.be/0xlwLEccRe0

Case 3: I have a use case where I run a server for games over UDP

For these use cases as well, one can protect applications as shown below

Image Credit:https://youtu.be/0xlwLEccRe0

AWS Shieldaws-wafaws cloudfrontFirewall Manager