Cloudfront Flashcards
SSL
Cloudfront does not use SSL Certificate. It uses ACM for HTTPS.
*.cloudfront.net
Cloudfront TTL
- More frequent cache HITS = lower origin load
- Default TTL (behaviour) = 24 hours (validity period)
- You can set Minimum TTL and Maximum TTL values
Cloudfront will apply any of the two that occur first; Max TTL or Expiry date.
Headers
* Origin Header: Cache-Control max-age (seconds)
* Origin Header : Cache-Control s-maxage (seconds)
* Origin Header: Expires (Date & Time)
Custom Origin or S3 (Via object metadata)
Versioned FileNames vs Cache invalidation
Versioned filenames is more cost-effective because even if the file is cached in the user’s machine, only the specified version (in the application) will be returned.
Using customized Domain name with cloud front
Not using the xxxxxxxxxx.cloudfront.com requires an ssl certification if your Domain name is a Https or not
ACM
Importing an SSL certificate into cloudfront is done using ACM. Using US-EAST-1
Self-Signed vs Public Certificates
Cloudfront(as a Public service) does not work with self-signed certificates. therefor, for both Origin and viewer certificates must be a publicly valid certificate
Cloud front SSL
*cloudfront.com
Alternate Domain Name feature allows customized Domain name for cloudfront distribution. This has to be updated in the domain’s zone file, and an SSL certificate for the custom domain is required.
Cloudfront Custom Domain
Custom domain can be used with Cloudfront as Alternate domain name.
Route 53 has to be updated with the alternate Domain name.
Wether or not HTTPs is needed or not, a valid proof of ownership of the provided domain name has to be established. Hence, SSL certificate has to be generated or imported into ACM
This Certificate must be created or added in US-EAST-1
at what layer does https encryption happens
One of the most popular encryption schemes usually associated with the presentation layer is the Secure Socket Layer (SSL) protocol.” HTTPS is the application layer protocol using ssl at layer 6 for encryption purposes. SSL works on OSI layer 6.
HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL).
SNI
Server Name Indication, often abbreviated SNI, is an extension to TLS that allows multiple hostnames to be served over HTTPS from the same IP address.
by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.
SSL for S3
S3 inherently has its own Certificate that can neither be modified or created.
EC2 and ELB Certificates
Origins need to have certificates issued by a trusted authority (CA) - ALB can use
ACM, others need to use an external generated cert. NO SELF-SIGNED CERTS
EC2 and ELB origin have to also present publicly supported certificateEC2 and Load Balancer certificates, no matter the origin, has to be applied manually because **ACM does not automatically apply their certificates.
Certificates (Both Clients side and Origin side must match the domain name as the target website
True
Origin vs Viewer Protocol
Are Automatically matched at both sides.No user configuration is required
Lambda at Edge
Use Cases
A/B testing - Viewer Request
* Migration Between S3 Origins - Origin Request
* Different Objects Based on Device - Origin Request
* Content By Country - Origin Request
Throughput
128MB/5sec
OAC
Origin Access Control is basically denying all access to S3 except for a specific Cloudfront distribution.
On S3 origins, Helps to control allowed request source. It has three options
- Public
- Cloudfront
- Legacy Identities
Is not allowed in custom origin. However, path control is available for Custom
Securing Custom origin
This is the creation of a tunnel over HTTP between the source and destination.
This is established by requiring an additional header from Cloudfront, else the request will not be attended to. Meanwhile between the Edge and cloud, a HTTP tunnel is implemented. Alternatively, WAF can be used at the custom source to filter traffic only from the edge Location Sources. WAF knows all AWS edge Location IP Addresses.
CloudFront Geo Restriction
CloudFront Geo Restriction
1. 3rd Party Geolocation (Customizable)
2. CF - Whitelist or Blacklist - COUNTRY ONLY
CF - GeolP Database 99.8%+ Accurate
Signed URL
Provides access to one particular object. Used for Legacy RTMP because they cant use signed cookies.
For Legacy Apps that do not accept Signed cookies.
Shield Advance Pricing
$3,000 per month (per ORG), 1 year lock-in + data (OUT) /m
Signed URL vs Signed Cookies
Signed URLs:
URL-Based Approach: With signed URLs, access to a resource is granted by generating a special URL containing authentication information. This URL is typically short-lived and has an expiration time.
Time-Limited: Signed URLs often have a limited validity period, meaning they are only valid for a short duration. After the expiration time, the URL becomes invalid.
No Storage on the Client: Signed URLs do not require storage of any tokens or cookies on the client side. The authentication details are entirely contained within the URL.
Usage Examples: Signed URLs are commonly used in cloud storage services like Amazon S3, where you can generate a URL with temporary access to a specific file. Content delivery networks also use this approach.
Signed Cookies:
Cookie-Based Approach: With signed cookies, authentication information is stored as cookies on the client side. These cookies contain a signed token or session identifier.
Persistent Session: Cookies can be persistent, meaning the authentication state can be maintained across multiple visits by the same client, as long as the cookie is not expired.
Storage on the Client: Signed cookies require storage on the client side. This means that a client (e.g., a web browser) needs to maintain and send the cookie on each request.
Usage Examples: Signed cookies are commonly used in web applications to maintain user sessions, such as login state or session data.
Layer 7 Firewalls
Layer 7 Firewalls keeps all the features of Layers 3,4,5 features and still react to Layer 7 elements.
It understands the protocols and all the nuances of Layer 7.
Data at L7 can be inspected and blocked, replaced or tagged (adult, spam, off topic)
L7 FW can identify normal or abnormal requests
Protocol specific attacks
Able to identify, block & adjust specific applications e.g. Facebook
Layer 5 Firewalls
stateful Inspection: In the context of security, stateful inspection firewalls utilize the session layer’s ability to maintain session state. These firewalls examine not only individual packets but also the context and state of the entire session. This allows them to make more informed decisions about whether to allow or block traffic based on the established sessions.
Termination: When a session is completed, the session layer manages the graceful termination of the connection, ensuring that all resources are released correctly.
Stateful inspection firewalls, for example, use the information from the session layer to track the state of connections and apply security policies based on the context of the sessions. This allows them to better protect networks against various threats, as they can understand the state of connections and recognize legitimate responses to outbound requests.
AWS Shield - Standard
21211
Free for AWS customers
* Protection at the perimeter
* Region/VPC or the AWS edge
* Common Network (L3) or Transport (L4) layer attacks
* Best protection using R53, CloudFront, AWS Global Acceleration
Shield Advance Pricing
$36,000/year
Shield Response Team
WEB ACL
A configuration Tool used by WAF and other Security tools to filter access rules and patterns for Web applications access.
Features
- AWS Managed Rules
- ALLOW LIST
- DENY LIST
- SOLIniection
- Bot
- Attacker
- IP Reputation
- BOTS
WAF
Strictly for Web Application (Global or regional)
eg. Cloudfront, API Gateway, Appsynch, ALB
AWS Shield
Against Ddos attack.
Network Layer DDoS attacks.
DDoS attacks can also target this Network layer (layer 3) or the Transport Layer (Layer 4) of the OSI model, with the goal of consuming the target’s network bandwidth. Network layer DDoS attacks include attacks like ICMP (Internet Control Message Protocol) floods, ARP floods, and IP (Internet Protocol) fragmentation attacks.
Operates on Layers 3&4
Shield Advance features
- Protects CF, R53, Global Accelerator, anything associated with EIPs (i.e EC2), ALBs, CLBs, NLBs
- Not automatic - must be explicitly enabled in Shield
Advanced or AWS Firewall Manager Shield Advanced policy - Cost protection (ie EC2 scaling) for unmitigated attacks
- Proactive Engagement & AWS Shield Response Team (ST)
Shield Advanced Scope
- WAF Integration - includes basic AWS WAF fees for web
ACLs, rules, and web requests. - Application Layer (L7) DDOS protection (uses WAF)
- Real time visibility of DDOS events and attacks
- Health-based detection - application specific health checks, used by proactive engagement team
- Protection groups
Cloudfront TTL
Optionally, you can configure your origin server to add headers to the files, to indicate how long you want the files to stay in the cache in CloudFront edge locations. By default, each file stays in an edge location for 24 hours before it expires. The minimum expiration time is 0 seconds; there isn’t a maximum expiration time.
Cloudfront Preferred domain
As you develop your website or application, you use the domain name that CloudFront provides for your URLs. For example, if CloudFront returns d111111abcdef8.cloudfront.net as the domain name for your distribution, the URL for logo.jpg in your Amazon S3 bucket (or in the root directory on an HTTP server) is https://d111111abcdef8.cloudfront.net/logo.jpg.
Or you can set up CloudFront to use your own domain name with your distribution. In that case, the URL might be https://www.example.com/logo.jpg.
Cloudfront Field Level Encryption
With Amazon CloudFront, you can enforce secure end-to-end connections to origin servers by using HTTPS. Field-level encryption adds an additional layer of security that lets you protect specific data throughout system processing so that only certain applications can see it.
Field-level encryption allows you to enable your users to securely upload sensitive information to your web servers. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption ensures that only applications that need the data—and have the credentials to decrypt it—are able to do so.
Field Level Encryption Limits
To use field-level encryption, when you configure your CloudFront distribution, specify the set of fields in POST requests that you want to be encrypted, and the public key to use to encrypt them. You can encrypt up to 10 data fields in a request. (You can’t encrypt all of the data in a request with field-level encryption; you must specify individual fields to encrypt.)
To set up field-level encryption, you add a public key to CloudFront, and then specify the set of fields that you want to be encrypted with the key.
Cloudfront Security
The CloudFront managed prefix list contains the IP address ranges of all of CloudFront’s globally distributed origin-facing servers. If your origin is hosted on AWS and protected by an Amazon VPC security group, you can use the CloudFront managed prefix list to allow inbound traffic to your origin only from CloudFront’s origin-facing servers, preventing any non-CloudFront traffic from reaching your origin. CloudFront maintains the managed prefix list so it’s always up to date with the IP addresses of all of CloudFront’s global origin-facing servers. With the CloudFront managed prefix list, you don’t need to read or maintain a list of IP address ranges yourself.
If the instance is in a VPC, you can create a security group rule that allows inbound HTTPS access from the CloudFront managed prefix list. This allows all of CloudFront’s global origin-facing servers to reach the instance. If you remove all other inbound rules from the security group, you prevent any non-CloudFront traffic from reaching the instance.
