Cloudfront Flashcards
SSL
CloudFront does not use an SSL certificate of its own. It uses ACM for HTTPS.
*.cloudfront.net
CloudFront TTL
- More frequent cache HITs = lower origin load
- Default TTL (per behaviour) = 24 hours (validity period)
- You can set Minimum TTL and Maximum TTL values
CloudFront applies whichever of the two occurs first: Max TTL or Expiry date.
Headers
* Origin Header: Cache-Control max-age (seconds)
* Origin Header: Cache-Control s-maxage (seconds)
* Origin Header: Expires (Date & Time)
Custom Origin or S3 (via object metadata)
Versioned Filenames vs Cache Invalidation
Versioned filenames are more cost-effective because even if the file is cached on the user's machine, only the version specified in the application will be returned.
Using a customized domain name with CloudFront
Not using xxxxxxxxxx.cloudfront.com requires an SSL certificate, whether or not your domain name uses HTTPS.
ACM
Importing an SSL certificate into CloudFront is done using ACM, in US-EAST-1.
Self-Signed vs Public Certificates
CloudFront (as a public service) does not work with self-signed certificates. Therefore, both origin and viewer certificates must be publicly valid certificates.
CloudFront SSL
*cloudfront.com
The Alternate Domain Name feature allows a customized domain name for a CloudFront distribution. This has to be updated in the domain's zone file, and an SSL certificate for the custom domain is required.
CloudFront Custom Domain
A custom domain can be used with CloudFront as an Alternate Domain Name.
Route 53 has to be updated with the alternate domain name.
Whether or not HTTPS is needed, valid proof of ownership of the provided domain name has to be established. Hence, an SSL certificate has to be generated or imported into ACM.
This certificate must be created or added in US-EAST-1.
At what layer does HTTPS encryption happen?
One of the most popular encryption schemes usually associated with the presentation layer is the Secure Socket Layer (SSL) protocol. HTTPS is the application-layer protocol using SSL at layer 6 for encryption purposes. SSL works on OSI layer 6.
HTTPS uses an encryption protocol to encrypt communications. The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL).
SNI
Server Name Indication, often abbreviated SNI, is an extension to TLS that allows multiple hostnames to be served over HTTPS from the same IP address, by which a client indicates which hostname it is attempting to connect to at the start of the handshake process.
SSL for S3
S3 inherently has its own certificate that can be neither modified nor created by the user.
EC2 and ELB Certificates
Origins need to have certificates issued by a trusted certificate authority (CA). An ALB can use ACM; others need to use an externally generated cert. NO SELF-SIGNED CERTS.
EC2 and ELB origins also have to present publicly supported certificates. EC2 and load balancer certificates, no matter the origin, have to be applied manually because ACM does not automatically apply its certificates.
Certificates (both client side and origin side) must match the domain name of the target website.
True
Origin vs Viewer Protocol
These are automatically matched on both sides. No user configuration is required.
Lambda at Edge
Use Cases
* A/B Testing - Viewer Request
* Migration Between S3 Origins - Origin Request
* Different Objects Based on Device - Origin Request
* Content By Country - Origin Request
Throughput
128MB/5sec
OAC
Origin Access Control is basically denying all access to S3 except for a specific CloudFront distribution.
On S3 origins, it helps to control the allowed request source. It has three options:
- Public
- CloudFront
- Legacy Identities
It is not allowed on a custom origin. However, path control is available for custom origins.
Securing Custom Origin
This is the creation of a tunnel over HTTP between the source and destination.
This is established by requiring an additional header from CloudFront; otherwise the request will not be attended to. Meanwhile, between the edge and the cloud, an HTTP tunnel is implemented. Alternatively, WAF can be used at the custom origin to filter traffic to only the edge-location sources. WAF knows all AWS edge-location IP addresses.
CloudFront Geo Restriction
1. 3rd-Party Geolocation (customizable)
2. CF - Whitelist or Blacklist - COUNTRY ONLY
CF - GeoIP Database 99.8%+ Accurate
Signed URL
Provides access to one particular object. Used for legacy RTMP because it cannot use signed cookies.
For legacy apps that do not accept signed cookies.
Shield Advanced Pricing
$3,000 per month (per org), 1-year lock-in + data (out) per month
Signed URL vs Signed Cookies
Signed URLs:
URL-Based Approach: With signed URLs, access to a resource is granted by generating a special URL containing authentication information. This URL is typically short-lived and has an expiration time.
Time-Limited: Signed URLs often have a limited validity period, meaning they are only valid for a short duration. After the expiration time, the URL becomes invalid.
No Storage on the Client: Signed URLs do not require storage of any tokens or cookies on the client side. The authentication details are entirely contained within the URL.
Usage Examples: Signed URLs are commonly used in cloud storage services like Amazon S3, where you can generate a URL with temporary access to a specific file. Content delivery networks also use this approach.
Signed Cookies:
Cookie-Based Approach: With signed cookies, authentication information is stored as cookies on the client side. These cookies contain a signed token or session identifier.
Persistent Session: Cookies can be persistent, meaning the authentication state can be maintained across multiple visits by the same client, as long as the cookie is not expired.
Storage on the Client: Signed cookies require storage on the client side. This means that a client (e.g., a web browser) needs to maintain and send the cookie on each request.
Usage Examples: Signed cookies are commonly used in web applications to maintain user sessions, such as login state or session data.
Layer 7 Firewalls
Layer 7 firewalls keep all the features of layer 3, 4 and 5 firewalls and can still react to layer 7 elements.
They understand the protocols and all the nuances of layer 7.
Data at L7 can be inspected and blocked, replaced or tagged (adult, spam, off-topic).
An L7 FW can identify normal or abnormal requests.
Protocol-specific attacks.
Able to identify, block and adjust specific applications, e.g. Facebook.
Layer 5 Firewalls
Stateful Inspection: In the context of security, stateful inspection firewalls utilize the session layer's ability to maintain session state. These firewalls examine not only individual packets but also the context and state of the entire session. This allows them to make more informed decisions about whether to allow or block traffic based on the established sessions.
Termination: When a session is completed, the session layer manages the graceful termination of the connection, ensuring that all resources are released correctly.
Stateful inspection firewalls, for example, use the information from the session layer to track the state of connections and apply security policies based on the context of the sessions. This allows them to better protect networks against various threats, as they can understand the state of connections and recognize legitimate responses to outbound requests.
AWS Shield - Standard
Free for AWS customers
* Protection at the perimeter
* Region/VPC or the AWS edge
* Common Network (L3) or Transport (L4) layer attacks
* Best protection using R53, CloudFront, AWS Global Accelerator