1
00:00:06,930 --> 00:00:09,920
- Now let's talk about AWS Shield.

2
00:00:09,920 --> 00:00:12,870
With AWS Shield, we gain access to a

3
00:00:12,870 --> 00:00:15,920
Distributed Denial of Service protection service.

4
00:00:15,920 --> 00:00:19,640
And so, this service can help protect us against

5
00:00:19,640 --> 00:00:23,340
common attacks based on layers three and four,

6
00:00:23,340 --> 00:00:25,610
so networking level attacks.

7
00:00:25,610 --> 00:00:28,200
And some of these attacks might be things like

8
00:00:28,200 --> 00:00:33,200
UDP reflection attacks, DNS reflection, NTP reflection,

9
00:00:33,690 --> 00:00:38,690
other things like SSL renegotiation, Slowloris attacks.

10
00:00:38,740 --> 00:00:43,740
And so with AWS Shield, we gain a very powerful

11
00:00:44,390 --> 00:00:46,660
again DDoS protection service.

12
00:00:46,660 --> 00:00:49,960
And this is available for free to everyone

13
00:00:49,960 --> 00:00:54,200
or AWS Shield Standard is available for free to everyone,

14
00:00:54,200 --> 00:00:56,010
and there's nothing for us to do.

15
00:00:56,010 --> 00:00:58,690
We get the standard level of AWS Shield

16
00:00:58,690 --> 00:01:01,260
without really even having to opt into anything.

17
00:01:01,260 --> 00:01:05,230
It's already there when we use things like CloudFront,

18
00:01:05,230 --> 00:01:09,670
Elastic Load Balancing, VPCs and security groups,

19
00:01:09,670 --> 00:01:11,093
and Elastic IPs.

20
00:01:12,000 --> 00:01:16,280
And so, if we need an additional layer of mitigation

21
00:01:16,280 --> 00:01:20,710
and protection, we can subscribe to AWS Shield Advanced.

22
00:01:20,710 --> 00:01:24,250
Now with Advanced again, we get that additional detection

23
00:01:24,250 --> 00:01:27,410
and mitigation against more sophisticated

24
00:01:27,410 --> 00:01:29,170
and larger attacks.
25
00:01:29,170 --> 00:01:33,730
And we also get near real-time visibility into those attacks

26
00:01:33,730 --> 00:01:37,170
so that we can be up to speed as far as you know,

27
00:01:37,170 --> 00:01:38,673
the nature of the attack,

28
00:01:39,750 --> 00:01:43,270
what the progress is in helping to mitigate that attack,

29
00:01:43,270 --> 00:01:44,370
and so on.

30
00:01:44,370 --> 00:01:47,860
We also get DDoS cost protection.

31
00:01:47,860 --> 00:01:52,860
So when we apply AWS Shield Advanced to certain things

32
00:01:53,350 --> 00:01:58,350
like our load balancers, our Route 53 DNS zones.

33
00:01:59,380 --> 00:02:01,990
When we apply Shield Advanced to things like our

34
00:02:03,650 --> 00:02:06,090
Elastic IPs and our EC2 instances,

35
00:02:06,090 --> 00:02:09,070
our auto scaled fleet of instances.

36
00:02:09,070 --> 00:02:12,460
If any of those services were to scale

37
00:02:12,460 --> 00:02:15,300
as a result of that DDoS attack,

38
00:02:15,300 --> 00:02:18,510
then we could get service credits for that.

39
00:02:18,510 --> 00:02:20,860
Another nice feature of Shield Advanced

40
00:02:20,860 --> 00:02:24,700
is that it integrates with the Web Application Firewall.

41
00:02:24,700 --> 00:02:29,700
And so, we can get automatic rule creation based on

42
00:02:29,960 --> 00:02:33,610
you know, what's happening with that DDoS attack.

43
00:02:33,610 --> 00:02:38,610
We also gain access to a 24-hour a day, seven-day a week

44
00:02:39,250 --> 00:02:44,250
DDoS Response Team and so or what we might call the DRT.

45
00:02:45,280 --> 00:02:50,280
And so the DDoS Response Team can help us mitigate that,

46
00:02:50,940 --> 00:02:54,700
they can actively help us mitigate a DDoS attack.

47
00:02:54,700 --> 00:02:59,563
They can also write WAF firewall rules for us.

48
00:03:01,300 --> 00:03:03,870
Now it does require a subscription.
49
00:03:03,870 --> 00:03:07,070
So AWS Shield Standard is available for free to everyone,

50
00:03:07,070 --> 00:03:10,440
but Shield Advanced requires a subscription.

51
00:03:10,440 --> 00:03:13,540
And once you subscribe to that Shield Advanced,

52
00:03:13,540 --> 00:03:17,540
it will cover all of the accounts for that organization.

53
00:03:17,540 --> 00:03:19,630
You don't, you don't have to do it per account,

54
00:03:19,630 --> 00:03:21,320
you do it per organization.

55
00:03:21,320 --> 00:03:24,960
And so any account that is linked underneath that

56
00:03:24,960 --> 00:03:29,480
organization can be protected by Shield Advanced.

57
00:03:29,480 --> 00:03:31,280
So let's take a look at this diagram.

58
00:03:31,280 --> 00:03:34,670
And you can see here that we're using CloudFront.

59
00:03:34,670 --> 00:03:38,040
We're also using, we have an Elastic Load Balancer here,

60
00:03:38,040 --> 00:03:41,310
we have EC2 instances running our application.

61
00:03:41,310 --> 00:03:45,540
And we want ultimately, we want to prevent these instances

62
00:03:45,540 --> 00:03:50,140
from coming down as a result of an attack.

63
00:03:50,140 --> 00:03:52,260
And so you can see that all of these,

64
00:03:52,260 --> 00:03:54,730
we are leveraging Amazon CloudFront.

65
00:03:54,730 --> 00:03:56,250
We have all of those,

66
00:03:56,250 --> 00:03:59,850
you know edge locations all over the globe, right.

67
00:03:59,850 --> 00:04:04,850
And, AWS Shield is working alongside the AWS WAF,

68
00:04:05,240 --> 00:04:08,150
both of those are working at the edge location.

69
00:04:08,150 --> 00:04:12,250
So as this flood of attacks is coming in,

70
00:04:12,250 --> 00:04:14,610
some of the benefits here are that,

71
00:04:14,610 --> 00:04:18,760
one, because we do have those 100 edge locations,

72
00:04:18,760 --> 00:04:22,110
more than 100 edge locations, all over the globe,

73
00:04:22,110 --> 00:04:26,140
there's a much wider footprint to absorb that attack.
74
00:04:26,140 --> 00:04:30,120
The attack is not concentrated right here

75
00:04:30,120 --> 00:04:35,120
at the load balancer or on any one EC2 instance.

76
00:04:35,860 --> 00:04:40,430
The attack can be absorbed by many machines across those

77
00:04:40,430 --> 00:04:42,790
edge locations all over the globe.

78
00:04:42,790 --> 00:04:46,250
And so, like I say, a number of those attacks are already

79
00:04:46,250 --> 00:04:51,250
mitigated by AWS Shield working alongside CloudFront at the,

80
00:04:51,850 --> 00:04:53,490
at the edge location.

81
00:04:53,490 --> 00:04:57,180
And then of course, we can leverage

82
00:04:57,180 --> 00:05:00,540
AWS Web Application Firewall to help further mitigate

83
00:05:00,540 --> 00:05:05,540
and block requests based on IP and HTTP headers, and so on.

84
00:05:06,080 --> 00:05:08,623
And then of course, back here,

85
00:05:09,620 --> 00:05:11,690
on the load balancer, we would,

86
00:05:11,690 --> 00:05:14,490
we would of course have a security group

87
00:05:14,490 --> 00:05:15,840
on the load balancer.

88
00:05:15,840 --> 00:05:19,530
We would also have security groups around our EC2 instances.

89
00:05:19,530 --> 00:05:24,070
And we can use those tools to help mitigate different types

90
00:05:24,070 --> 00:05:27,593
of attacks as well, such as UDP reflections,

91
00:05:28,910 --> 00:05:31,543
and UDP flooding, SYN flooding, and so on.

92
00:05:33,020 --> 00:05:38,020
Now, CloudFront is really great for HTTP based applications,

93
00:05:40,040 --> 00:05:44,130
applications doing streaming such as RTMP and HLS.

94
00:05:44,130 --> 00:05:46,930
CloudFront also supports WebSockets,

95
00:05:46,930 --> 00:05:51,700
but it, but it is specifically for TCP based applications.

96
00:05:51,700 --> 00:05:55,840
If we have applications that are not based on TCP,

97
00:05:55,840 --> 00:06:00,140
if we have applications that are using things like UDP,

98
00:06:00,140 --> 00:06:04,330
or SIP, then we cannot use CloudFront.
99
00:06:04,330 --> 00:06:07,290
We also cannot use Elastic Load Balancing.

100
00:06:07,290 --> 00:06:10,760
So remember that CloudFront and Elastic Load Balancing

101
00:06:10,760 --> 00:06:14,770
are both specifically for TCP based applications.

102
00:06:14,770 --> 00:06:18,600
And so for non-TCP based applications,

103
00:06:18,600 --> 00:06:21,810
UDP, SIP, whatever the case may be,

104
00:06:21,810 --> 00:06:25,440
then we would need to run an EC2 instance

105
00:06:25,440 --> 00:06:28,230
that is directly available from the internet.

106
00:06:28,230 --> 00:06:29,930
So when in this example,

107
00:06:29,930 --> 00:06:32,360
you can see we have an EC2 instance.

108
00:06:32,360 --> 00:06:35,600
And we would also in this region, we would of course,

109
00:06:35,600 --> 00:06:38,400
have a VPC, we would have an Internet gateway.

110
00:06:38,400 --> 00:06:42,460
We would have routing tables that allow this instance to be

111
00:06:42,460 --> 00:06:44,830
directly reachable from the Internet.

112
00:06:44,830 --> 00:06:49,830
And so when we have that, AWS Shield Standard is already

113
00:06:50,050 --> 00:06:53,400
protecting this EC2 instance against those common

114
00:06:53,400 --> 00:06:57,400
infrastructure attacks on layers three and four.

115
00:06:57,400 --> 00:07:02,200
So we do get some protection, you know,

116
00:07:02,200 --> 00:07:05,810
certain types of UDP reflections and NTP reflections,

117
00:07:05,810 --> 00:07:08,530
DNS reflections, those kinds of things.

118
00:07:08,530 --> 00:07:10,940
Those common attacks are already mitigated

119
00:07:10,940 --> 00:07:14,630
by AWS Shield Standard for that instance.

120
00:07:14,630 --> 00:07:19,050
If we wanted to leverage AWS Shield Advanced,

121
00:07:19,050 --> 00:07:22,520
then we could enable Shield Advanced on

122
00:07:22,520 --> 00:07:24,130
an Elastic IP address.
123
00:07:24,130 --> 00:07:27,940
And of course, that Elastic IP address would be attached

124
00:07:27,940 --> 00:07:31,800
to the instance or associated with that instance.

125
00:07:31,800 --> 00:07:36,350
And so by attaching AWS Shield to the Elastic IP address,

126
00:07:36,350 --> 00:07:40,330
then we could, we could gain access to Shield Advanced,

127
00:07:40,330 --> 00:07:43,563
which would automatically, it would actually,

128
00:07:44,474 --> 00:07:47,470
AWS Shield Advanced would, will detect

129
00:07:47,470 --> 00:07:50,810
the size and type of that EC2 instance

130
00:07:50,810 --> 00:07:55,810
and automatically apply predefined mitigation profiles.

131
00:07:56,310 --> 00:08:00,700
And then we could also work with the

132
00:08:00,700 --> 00:08:05,700
DDoS Response Team to help create custom mitigation profiles

133
00:08:07,040 --> 00:08:09,370
for our particular scenario.

134
00:08:09,370 --> 00:08:11,450
So either way, if you're using you know,

135
00:08:11,450 --> 00:08:14,570
TCP based applications behind CloudFront,

136
00:08:14,570 --> 00:08:18,260
if you're using UDP or SIP based applications,

137
00:08:18,260 --> 00:08:22,270
you know, on an EC2 publicly available EC2 instance,

138
00:08:22,270 --> 00:08:27,270
then we can still get DDoS protection using AWS Shield.

139
00:08:28,140 --> 00:08:32,520
So, if your organization is concerned about some kind of

140
00:08:32,520 --> 00:08:37,010
DDoS attack, then one, you can rest assured knowing that

141
00:08:37,010 --> 00:08:40,910
you already get a notable level of protection

142
00:08:40,910 --> 00:08:44,320
with Shield Standard, without having to do anything.

143
00:08:44,320 --> 00:08:48,610
And then of course, if you want further protection,

144
00:08:48,610 --> 00:08:50,930
if you want that deeper protection,

145
00:08:50,930 --> 00:08:55,280
if you want access to some type of DDoS support team,

146
00:08:55,280 --> 00:08:57,833
then take a look at Shield Advanced.