Category: Security, Identity, & Compliance
Introduction DNS name resolution is a fundamental part of all on-premises and cloud networks. For customers with hybrid networks, additional infrastructure and configuration are needed for private DNS resolution to work seamlessly across environments. However, building this type of DNS infrastructure in a multi-account environment is complex. In this post, we show how to automate […]
Update: We’ve updated this blog and the AWS Lambda function code to work with both “custom” and “s3” style origins in Amazon CloudFront. Previously, only “custom” types were covered. In August 2022, CloudFront launched OAC (Origin Access Control), providing native support for customers to use CloudFront to access S3 bucket encrypted with SSE-KMS. Depending on […]
Many Content Distribution Networks (CDNs) offer a feature to obfuscate the source origin through functionality commonly referred to as origin cloaking. Using AWS Global Accelerator with Client IP Address Preservation capability, similar functionally can be facilitated. Private Application Load Balancers (ALBs) and private EC2 instances can be accessed through Global Accelerator in a secure and simplified manner. AWS […]
As IT environments grow, they can become more complex, with additional accounts, VPCs, and the networking between them. AWS Transit Gateway is a service that addresses networking complexity by building a hub-and-spoke network to simplify your network routing and security. With Transit Gateway, you can connect your Virtual Private Clouds (VPCs) that span multiple accounts […]
AWS for WordPress WordPress is a technological marvel in the number of internet sites it powers and the momentum with which developers actively contribute to the community. Recent estimates put WordPress at powering more than 34% of internet sites, and more than 50,000 plugins are available through WordPress.org covering everything from security enhancements to SEO […]
Authorization@Edge using cookies: Protect your Amazon CloudFront content from being downloaded by unauthenticated users
Enterprise customers who host private web apps on Amazon CloudFront may struggle with a challenge: how to prevent unauthenticated users from downloading the web app’s source code (for example, React, Angular, or Vue). In a separate blog post, you can learn one way to provide that security using Amazon Lambda@Edge and Amazon Cognito, with an example […]
Last year, a colleague of mine wrote a blog post about new security measures that Amazon CloudFront was implementing to enhance the security of how domains are used on CloudFront distributions. This included mitigations to prevent the abusive use of domain fronting practices by not allowing SSL handshake requests and subsequent requests over the secured […]
Come read the 2018 version of the AWS Best Practices for DDoS Resiliency whitepaper. In this whitepaper, we provide you with prescriptive DDoS guidance to build applications that are resilient to DDoS attacks. We describe different attack types, such as volumetric attacks and application layer attacks, and explain which best practices are most effective to manage each attack type.
Drupal is a powerful content management system (CMS) that has powered has powered over a million websites. Drupal is flexible, scalable, and backed by a large open source community. Amazon CloudFront can accelerate the performance of your Drupal site while also improving your overall security posture. Read more about integrating Amazon CloudFront in front of a Drupal site with this step-by-step guide.
See how you can now use Amazon CloudFront to negotiate HTTPS connections to origins using Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA uses smaller keys that are faster, yet, just as secure, as the older RSA algorithm. The smaller keys will also increase the number of TLS handshakes that your origins can process per second, thereby saving compute cycles and reducing your cost of cryptography.