AWS for Industries

CloudFront FSI Service Spotlight

In this edition of the Financial Services Industry (FSI) Services Spotlight monthly blog series, we highlight five key considerations for customers running workloads on Amazon CloudFront: achieving compliance, data protection, isolation of compute environments, audits with APIs, and access control/security. Across each area, we’ll examine specific guidance, suggested reference architectures, and technical code to help streamline the service approval of Amazon CloudFront. Amazon CloudFront is a content delivery network (CDN) service built for high performance, security, and developer convenience. Amazon CloudFront gives businesses and web application developers an easy and cost-effective way to distribute content with low-latency and high data transfer speeds. Like other AWS services, Amazon CloudFront is a self-service, pay-per-use offering, requiring no long-term commitments or minimum fees. Following diagram shows CloudFront architecture: aws shield Here are the key components in the architecture.

  • Edge Location: when a user requests content that you’re serving with CloudFront, the request is routed to the edge location or points of presence (POPs) that provides the lowest latency, so that content is delivered with the best possible performance.
  • Regional edge caches (RECs): located between your origin server and the POPs, with a larger cache than an individual POP, which helps keep more of your content closer to your viewers.
  • Lambda@Edge: offering a fully-programmable, serverless edge computing environment for implementing a wide variety of complex customizations and executed in RECs.
  • CloudFront Functions: serverless scripting platform that lets you run lightweight JavaScript code at the CloudFront edge locations at approximately 1/6th the price of Lambda@Edge.

By using Amazon CloudFront, the volume of application origin requests is automatically reduced. Content is stored in CloudFront’s edge and regional caches and only fetched from origins when needed. The load on application origins can be further reduced by using Origin Shield to enable a centralized caching layer. Origin Shield optimizes cache hit ratios and collapses requests across regions leading to as few as one origin request per object. This reduced traffic to your origins helps increase the availability of your applications. Today, numerous FSI customers are leveraging Amazon CloudFront for their use cases. AnandRathi implemented Amazon CloudFront for low-latency content delivery on its websites and mobile app, and feedback has been positive. Most of the firm’s clients interact with their portfolios via mobile phones, so creating a consistent user experience across platforms was important. Operations team members now experience up to 40% faster navigation on internal sites. This has dramatically improved their productivity and ability to respond to client requests. Sunday Insurance is a leading InsuranceTech company that uses technology to boost the efficiency of traditional insurance services. Sunday Insurance uses CloudFront (along with other AWS services) to maximize speeds across the AWS Cloud, resulting in a 30% month-on-month increase in revenue as they attract more customers due to the performance of its machine learning (ML) software running on AWS. Conflux Technologies developed Finflux, a software-as-a-service (SaaS) banking platform aimed at small-to-mid sized banks and non-banking financial companies (NBFCs). The Finflux Platform uses Amazon CloudFront to optimize page-loading times for FinFlux Web, thereby aiding in their processing of millions of daily transactions.

Achieving compliance

AWS leverages the AWS shared responsibility model, and customers are encouraged to make sure that workloads running in the AWS Cloud are using the appropriate security controls to meet their compliance needs and security posture. AWS customers are responsible for their security in the cloud. They control and manage the security of their content, applications, systems, and networks. AWS manages the security of the cloud, providing and maintaining proper operations of services and features, protecting AWS infrastructure and services, maintaining operational excellence, as well as meeting relevant legal and regulatory requirements. Customers can download third-party audit reports using AWS Artifact. Refer to the following documentation for how to download reports in AWS Artifact: Downloading reports in AWS Artifact. The security and compliance of Amazon CloudFront is assessed as part of multiple AWS compliance programs. Amazon CloudFront is compliant with:

  • SOC 1, 2, 3
  • PCI
  • ISMAP
  • FedRAMP Moderate (East/West)
  • DoD CC SRG IL2 (East/West)
  • HIPAA BAA
  • IRAP
  • MTCS
  • C5
  • K-ISMS
  • ENS High
  • OSPAR
  • HITRUST CSF
  • FINMA
  • GSMA
  • PiTuKri

Data protection

Encryption at rest

CloudFront automatically encrypts data at rest. CloudFront uses encrypted SSDs for edge location POPs, and encrypted EBS volumes for regional edge caches (RECs). CloudFront Functions code and configuration in CloudFront Functions is always stored in an encrypted format.

Encryption in transit

As to encryption in transit, you can configure end-to-end HTTPS connection from your client, then CloudFront, and finally your origin server. To encrypt your data during transit, you can configure CloudFront to accept HTTPS requests only so that connections are encrypted when CloudFront communicates with viewers. Furthermore, you can configure CloudFront to use HTTPS to get files from your origin, so that connections are encrypted when CloudFront communicates with your origin. For more information, see Using HTTPS with CloudFront. Financial services customers would require to use their own domain name and SSL/TLS certificate. You can provision a new certificate in AWS Certificate Manager (ACM) or import existing certificates to ACM. Note that CloudFront uses ACM certificates in the US East (N. Virginia) Region. See steps here on how to use alternate domain names and HTTPS between viewers and CloudFront. The CloudFront API endpoints and FIPS endpoints accept only HTTPS connections, and all of the FIPS endpoints only accept a minimum of TLS 1.2 connections. CloudFront field-level encryption helps secure sensitive data, such as a customer phone numbers by adding another security layer to CloudFront HTTPS. The sensitive information provided by your users is encrypted at the edge, close to the user, and remains encrypted throughout your entire application stack. This encryption makes sure that only applications that need the data—and have the credentials to decrypt it—can do so. You can find the post for details how you can enhance the security of sensitive data by using CloudFront field-level encryption.

Restricting access to content

If you want to restrict access for selected users – for example, users who have paid a fee – then you can provide CloudFront signed URLs or signed cookies to your authenticated users. As to geographically restricting content, you can leverage the CloudFront geographic restrictions feature or a third-party geolocation service to

  • Allow your users to access your content only if they’re in one of the approved countries on your allow list.
  • Prevent your users from accessing your content if they’re in one of the banned countries on your block list.

You can also use AWS Web Application Firewall (AWS WAF), a web application firewall service, to create a web access control list (web ACL) to restrict access to your content. AWS WAF web ACL can protect CloudFront from malicious cross-site scripting (XSS), access from anonymous IP or certain IP addresses, SQL injection, etc. This post shows an example of using AWS WAF to avoid your client directly accessing your origin server.

Isolation of compute environments

AWS operates the global cloud infrastructure that you use to provision various basic computing resources and services, such as compute and storage. The AWS global infrastructure is designed and managed according to security best practices, as well as various security compliance standards. As an AWS customer, be assured that you’re building web architectures on some of the most secure computing infrastructure in the world. Security is built into every layer of the AWS infrastructure and carries into each of the services that run within it. AWS services, including CloudFront, are architected to work efficiently and securely with all AWS networks and platforms. CloudFront Functions uses a highly secure isolation barrier between AWS accounts, making sure that customer environments are secure against side-channel attacks such as Spectre and Meltdown. Functions can’t access or modify data belonging to other customers. Functions run in a dedicated single-threaded process on a dedicated CPU without hyperthreading. In any given CloudFront edge location point of presence (POP), CloudFront Functions only serves one customer at a time, and all customer-specific data is cleared between function executions.

Automating audits with APIs

AWS Config monitors the configuration of resources and can send alerts in the case that resources fall into a non-compliant state. The service provides the ability to use predefined AWS-managed rules or define custom AWS Lambda-based rules to monitor access logs and different security configurations. Here are some examples of AWS-managed rules:

Besides managed rules in AWS Config, customers can build custom Config rules using API calls related to Amazon CloudFront recorded by AWS CloudTrail. CloudTrail is an AWS service that helps customers enable governance, compliance, and operational and risk auditing of their AWS accounts. CloudTrail provides an aggregated repository of AWS API calls and changes to many AWS services. CloudTrail records API calls made to the CloudFront service. For a complete list of CloudFront APIs, you can review the Amazon CloudFront API References. The following is an example of what a CloudTrail log looks like for the CreateDistribution API:

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "IAMUser", 
        "principalId": "AKIAIOSFODNN7EXAMPLE", 
        "arn": "arn:aws:iam::123456789012:user/johndoe", 
        "accountId": "123456789012", 
        "accessKeyId": "AKIAI44QH8DHBEXAMPLE", 
        "userName": "johndoe"
    },
    "eventTime": "2022-03-22T16:30:40Z",
    "eventSource": "cloudfront.amazonaws.com",
    "eventName": "CreateDistribution",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "192.0.2.0",
    "userAgent": "aws-cli/1.15.42 Python/3.6.1 Darwin/17.7.0 botocore/1.10.42",
    "requestParameters": {
        "distributionConfig": {
        ...
        }
    },
    "responseElements": {
        "location": "https://cloudfront.amazonaws.com/2020-05-31/distribution/E28TOBMOJ79M87",
        "eTag": "E38MVX9TT8EDXV",
        "distribution": {
        ...
        }
    },
    "requestID": "d357ddbd-7963-44fc-a64a-aa3f3358d2da",
    "eventID": "4c12256c-9908-49cb-b06b-47f7cb6e48c1",
    "readOnly": false,
    "eventType": "AwsApiCall",
    "apiVersion": "2020_05_31",
    "managementEvent": true,
    "recipientAccountId": "814764508357",
    "eventCategory": "Management",
    "sessionCredentialFromConsole": "false"
}

AWS Audit Manager helps FSI customers continuously audit their AWS usage and simplify how they assess risk and compliance with regulations and industry standards. Audit Manager collects and organizes the evidence by selected frameworks such as PCI-DSS, SOC 2, and GDPR from different sources (including CloudTrail) to compare the environment’s configurations against the compliance controls. Audit Manager saves time with an automated collection of evidence and provides audit-ready reports for customers to review. Moreover, these reports use cryptographic verification to make sure of their integrity. Customers also have the option to enable CloudFront access logs, which provide detailed records about requests that are made to distribution and are useful in security and access audits.

Operational access and security

Identity-based policy

You need an AWS Identity and Access Management (IAM) user or IAM role to create a CloudFront distribution or invalidate an object. Using identity-based policies (IAM policies), you can grant permissions to a person or group in their account to perform operations on CloudFront resources. CloudFront resources can be distributions, invalidations, origin access identities, and functions. You can find actions, resources, and conditions reference of CloudFront API permissions for reference. To help our customers avoid having to investigate which permissions are needed for some common use cases, AWS provides the following AWS Managed Policies:

  • CloudFrontFullAccess – Grants full access to CloudFront resources.
  • CloudFrontReadOnlyAccess – Grants read-only access to CloudFront resources.

When you use CloudFront with an Amazon Simple Storage Service (Amazon S3) bucket as the origin, you can configure Amazon S3 to only allow access to authenticated requests from CloudFront. CloudFront provides two ways to send authenticated requests to an Amazon S3 origin: origin access control (OAC) and origin access identity (OAI).

Logging in Amazon CloudFront

As to the audit of CloudFront API calls, such as creating or modifying resources, CloudTrail captures information about every API call, and periodically saves log files of these requests to an Amazon S3 bucket that you specify. The CloudFront CloudTrail log includes the source IP address from which each request was made, who made the request, when it was made, and so on. As to the logging of a request that’s made to a distribution, there are these two types of logs:

  • CloudFront standard logs, also known as access logs, provide detailed records about every request. These logs are useful for many scenarios, including security and access audits. You can specify Amazon S3 to store the access logs. The tab-separated access log entry uses the W3C extended log file format.
  • CloudFront real-time logs provide real-time information about requests and deliver to an Amazon Kinesis data stream. You can choose the sampling rate and log fields for your real-time logs to limit the volume. This post shows how you stream the real-time logs to the Amazon OpenSearch Service to monitor the performance of your content delivery and respond quickly to operational events.

Conclusion

In this post, we reviewed Amazon CloudFront, highlighting essential information that can help FSI customers accelerate the service’s approval within these five categories: achieving compliance, data protection, isolation of computing environments, automating audits with APIs, and operational access and security. Although it’s not a one-size-fits-all approach, the guidance can be adapted to meet the organization’s security and compliance requirements. Make sure to visit the FSI Service Spotlight Blog Series to learn how FSI customers are using other AWS services from a security lens. You may also find the following additional resources useful:

  • AWS Security Documentation The security documentation repository shows how to configure AWS services to help meet security and compliance objectives. Cloud security at AWS is the highest priority. AWS customers benefit from a data center and network architecture that are built to meet the requirements of the most security-sensitive organizations.
  • AWS Compliance Center The AWS Compliance Center is an interactive tool that provides customers with country-specific requirements and any special considerations for cloud use in the geographies in which they operate. The AWS Compliance Center has quick links to AWS resources to help with navigating cloud adoption in specific countries, and includes details about the compliance programs that are applicable in these jurisdictions. The AWS Compliance Center covers many countries, and more countries continue to be added as they update their regulatory requirements related to technology use.
  • AWS WAF and AWS Well-Architected Tool The AWS WAF helps customers understand the pros and cons of decisions that they make while building systems on AWS. The AWS Well-Architected Tool helps customers review the state of their workloads and compares them to the latest AWS architectural best practices. For more information about the AWS WAF and security, see the Security Pillar – AWS Well-Architected Framework whitepaper. For best practices for financial services, see the Financial Services Industry Lens – AWS Well-Architected Framework.
TAGS: , , , ,
Max Ivashchenko

Max Ivashchenko

Max Ivashchenko is a Solutions Architect with AWS Worldwide Commercial Sector. As a generalist, he works with DNB and ISV customers on their solutions in diversified technology domains. He also supports Financial Services and Real-Money Gaming communities, further promoting AWS best practices. Outside of work, Max enjoys studying new things, active sports and music concerts.

Jacky Wu

Jacky Wu

Jacky Wu is an FSI Solutions Architect at AWS with 13+ years in financial services industry. Right before AWS, he was with Adenza providing front-to-back cross-asset trading system to large financial institutions running on top of AWS. He is very passionate about how technology can solve business challenges and provide beneficial outcomes by AWS latest services and best practices. Outside of work, Jacky enjoys 10km run and traveling.

Rohit Talluri

Rohit Talluri

Rohit Talluri is an Enterprise Solutions Architect and the Global Solutions Lead for AWS Mergers & Acquisitions Advisory. His domains of expertise include enterprise transformation, corporate cloud strategy, and mergers & acquisitions technology strategy. Rohit is a cloud evangelist, and routinely publishes, speaks, and presents on cloud and M&A topics for global audiences. Outside of work, he enjoys golfing, fishing, and going on adventures with his Labrador Retriever Colt.