E-commerce has penetrated every aspect of daily life. As a business platform facing consumers directly, e-commerce platforms process large amounts of sensitive personal data, including names, addresses, phone numbers, bank card numbers, etc. At the same time, e-commerce platforms need to maintain 24-hour operations, and any business interruption for any reason may cause order losses and degraded user experience. Furthermore, since consumers on the platform usually come from different countries and regions, e-commerce platforms need to adapt to compliance requirements in different regions.
Security compliance for e-commerce platforms has industry-specific characteristics. For example, during the product design phase (such as clothing), special attention must be paid to information confidentiality. During promotional seasons and new product launch seasons, special attention should be paid to network DDoS protection. After-sales shipping should protect users' personal information.
Building a secure and compliant e-commerce platform is therefore urgent and of utmost importance. AWS provides corresponding solutions. Like other AWS cloud services, AWS security services are agile, scalable, and cost-effective. This is reflected mainly in the ability to scale the business securely, automated deployment, privacy protection and data security as the first priority, a rich partner network, and global compliance certifications.
AWS provides up to 38 security services and management tool services, and continues to innovate based on user needs and actual security incidents. Starting from identity authentication, to resource protection, then to threat intrusion detection, compliance detection, and finally correction based on system anomalies, AWS provides rich security services and management tools.

The following sections cover five scenarios: the environment external to the e-commerce platform, the internal environment, compliance, daily management, and anti-fraud, and show how AWS security services apply to each.
External System Security. For the environment outside the VPC, the security issues an e-commerce platform needs to pay attention to include DDoS attacks, unauthorized scanning, account theft, bucket intrusion, and similar threats.
In terms of DDoS protection, AWS provides two services: AWS Shield and AWS WAF.
Due to the impact of the pandemic, the time spent on and frequency of online activities have increased significantly. People prefer to game, socialize, work, and shop online, making online services more likely targets for DDoS attacks. The tables below summarize threat events detected by AWS Shield in Q1 2020 and compare them with Q4 2019 and Q1 2019, so the change in overall attack events can be viewed both quarter-over-quarter and year-over-year. Any network event that AWS Shield detects as a DDoS attack automatically triggers mitigation measures, usually tailored to the attack type and the resources being targeted.
| Parameter | Q4 2019 | Q1 2020 | Change |
|---|---|---|---|
| Total Attack Events | 282,582 | 310,954 | +10% |
| Volumetric Attack Peak (Tbps) | 0.6 | 2.3 | +283% |
| Packet Attack Peak (Mpps) | 282.2 | 293.1 | +4% |
| Request Attack Peak (rps) | 1,585,615 | 694,201 | -56% |

Table 1. Comparison of Q4 2019 and Q1 2020
| Parameter | Q1 2019 | Q1 2020 | Change |
|---|---|---|---|
| Total Attack Events | 253,231 | 310,954 | +23% |
| Volumetric Attack Peak (Tbps) | 0.8 | 2.3 | +188% |
| Packet Attack Peak (Mpps) | 260.1 | 293.1 | +13% |
| Request Attack Peak (rps) | 1,000,414 | 694,201 | -31% |

Table 2. Comparison of Q1 2019 and Q1 2020
In Q1 2020, AWS observed a previously unseen attack peak of 2.3 Tbps, achieved through a known UDP reflection attack - CLDAP reflection. This is nearly 44% higher than the historical attack peak previously detected on AWS. Such a large-scale CLDAP reflection attack occurred in the third week of February 2020. AWS responded at the highest level to this attack and successfully defended against it.
For application-layer attacks, AWS provides the WAF service together with easy-to-use automated deployment templates. Based on these templates, users can load the relevant rules and set up whitelists, blacklists, SQL injection protection rules, and so on. The service also provides honeypot functionality for anti-crawling and malicious bot detection. AWS Athena can also be used to analyze WAF logs and update rules based on the analysis results. It is worth mentioning that besides the AWS-provided managed rules and custom rules, users can also select third-party rules from the AWS Marketplace and load them onto WAF, combining rule sets from several vendors in one deployment.
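As an added example (not code from the AWS blog), the following Python parses a constructed batch of AWS WAF log records in the JSON-lines layout WAF delivers, counts BLOCK decisions per terminating rule and per client IP the way an Athena GROUP BY over the log table would, and produces the CIDR list a blocklist IP-set update expects. The honeypot rule name, addresses and request details are all made up.

```python
import json
from collections import Counter

# Constructed AWS WAF log records (one JSON object per line, as delivered to
# S3/Kinesis). Field names follow the WAF log format; every value is made up.
SAMPLE_WAF_LOGS = """\
{"timestamp":1591000000000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","httpRequest":{"clientIp":"198.51.100.7","country":"US","uri":"/search","args":"q=1'%20OR%201=1--","httpMethod":"GET"}}
{"timestamp":1591000001000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","httpRequest":{"clientIp":"198.51.100.7","country":"US","uri":"/product","args":"id=1%20UNION%20SELECT","httpMethod":"GET"}}
{"timestamp":1591000002000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","httpRequest":{"clientIp":"198.51.100.7","country":"US","uri":"/login","args":"","httpMethod":"POST"}}
{"timestamp":1591000003000,"action":"BLOCK","terminatingRuleId":"BadBotHoneypot","httpRequest":{"clientIp":"203.0.113.9","country":"DE","uri":"/.well-known/hidden-link","args":"","httpMethod":"GET"}}
{"timestamp":1591000004000,"action":"ALLOW","terminatingRuleId":"Default_Action","httpRequest":{"clientIp":"192.0.2.55","country":"FR","uri":"/cart","args":"","httpMethod":"GET"}}
{"timestamp":1591000005000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet","httpRequest":{"clientIp":"192.0.2.55","country":"FR","uri":"/search","args":"q=%27%20OR%20%271%27%3D%271","httpMethod":"GET"}}
"""


def parse_waf_logs(text):
    """Parse JSON-lines WAF log text, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated delivery chunk must not abort the whole run
    return records


def blocks_by_rule(records):
    """Count BLOCK decisions per terminating rule (which rules are doing the work)."""
    return Counter(r["terminatingRuleId"] for r in records if r.get("action") == "BLOCK")


def blocks_by_client(records):
    """Count BLOCK decisions per client IP (who keeps tripping the rules)."""
    return Counter(r["httpRequest"]["clientIp"] for r in records if r.get("action") == "BLOCK")


def candidate_blocklist(records, threshold):
    """IPs blocked at least `threshold` times, in the CIDR form a WAF IP set expects."""
    counts = blocks_by_client(records)
    return sorted(f"{ip}/128" if ":" in ip else f"{ip}/32"
                  for ip, n in counts.items() if n >= threshold)
```

The threshold keeps a single false positive from landing a legitimate customer on the blocklist; review the per-rule counts before feeding the list into an IP-set update.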

When responding to external security threats, e-commerce platform users can use Amazon GuardDuty threat detection functionality to continuously monitor and protect AWS accounts, workloads, and data stored in Amazon S3. Especially for S3 buckets storing user sensitive data, transaction information, and product design drafts, more attention should be paid to unauthorized access, unauthorized external sharing, malicious IP access, etc.

Internal System Security. Inside the VPC, security issues focus on access control, network and instance security, and data protection and backup. This year, data breaches and malicious data deletions have occurred frequently. E-commerce platforms process large amounts of concentrated data. Data security requires good practices in four dimensions: access control, auditing, encryption, and backup. AWS provides corresponding services in all four dimensions for users.

Taking access credential management as an example, day-to-day credential handling is prone to many oversights: credentials sent by email, developers able to see or share credentials, credentials managed haphazardly, no record of how credentials are used, no visibility, credential generation and distribution depending entirely on the security team (costing time and effort), and credential rotation destabilizing systems. AWS Secrets Manager addresses this by retrieving and rotating credentials on the application's behalf, removing plaintext credentials from code and configuration, enabling more frequent rotation, making the process programmatic so that manual involvement is reduced, and providing auditing and tracking of credential usage.
For internal network reachability and instance security, AWS provides the Inspector service. At the network level, it can detect which specific port is reachable over which path and which process is listening on it. At the instance level, it can detect CVE vulnerabilities and inform users of the potential impact and recommended remediation measures.
Data is the foundation of all security compliance, and classifying and protecting data is the basis of all compliance work. As the business grows, production data keeps increasing, the definition of sensitive data in various countries and regions keeps broadening, and data becomes more dispersed. All of this makes identifying and protecting sensitive data increasingly important, especially for e-commerce users. AWS Macie defines sensitive data types based on current GDPR, PCI, HIPAA and other compliance requirements, covering personal information, family information, and health information, and also supports user-defined sensitive data types. AWS Macie can classify and filter data according to these preset and custom rules and provide protection recommendations that differ by the type of data discovered.
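To show what a preset-plus-custom sensitive-data rule does in practice, here is an added example (not Macie's code or rules): a small scanner that flags Luhn-valid bank card numbers (the PCI case) and e-mail addresses (a PII case) in text, masks card numbers, and reports findings per object key the way a bucket-wide classification job would. The regexes, category names and sample records are this example's own constructions.

```python
import re

# Constructed detection rules in the spirit of managed and custom data identifiers;
# the regexes and category names are this example's own, not Macie's definitions.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")      # 13-19 digits, optional separators
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_ok(digits):
    """Luhn checksum; rejects most order IDs and timestamps that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _card_digits(match):
    return re.sub(r"[ -]", "", match.group())


def classify(text):
    """Return the sorted list of sensitive-data categories present in `text`."""
    found = set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(_card_digits(m)):
            found.add("PCI:CARD_NUMBER")
    if EMAIL_RE.search(text):
        found.add("PII:EMAIL")
    return sorted(found)


def mask_cards(text):
    """Replace Luhn-valid card numbers with their last four digits (a storage-side control)."""
    def repl(m):
        digits = _card_digits(m)
        return "*" * (len(digits) - 4) + digits[-4:] if luhn_ok(digits) else m.group()
    return CARD_RE.sub(repl, text)


def scan_objects(objects):
    """Classify each (key, text) pair and keep only objects that hold sensitive data,
    mirroring how a classification job reports findings per object."""
    findings = {}
    for key, text in objects:
        cats = classify(text)
        if cats:
            findings[key] = cats
    return findings
```

The Luhn step is what separates a card number from a 13-digit order number or millisecond timestamp; without it a regex-only rule floods the findings with false positives.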
For discovered sensitive data, AWS provides different encryption services, including ACM, KMS, CloudHSM to meet different encryption scenarios, such as transmission encryption, storage encryption, database encryption, and application encryption.

Security Compliance Risks. Security compliance should not only focus on specific compliance certification audits but also on continuous security compliance monitoring of the overall operating environment. Taking PCI-DSS as an example, if malicious attackers make abnormal configurations or operations to the overall environment after passing certification, it can also lead to PCI-DSS non-compliance. This requires introducing tools for continuous security compliance monitoring of the operating environment, alerting and correcting anomalies. AWS Security Hub meets this need exactly.
AWS Security Hub provides users with a comprehensive view of high-priority security alerts and compliance status in AWS accounts. With Security Hub, security alerts or findings from multiple AWS services (such as Amazon GuardDuty, Amazon Inspector, and Amazon Macie) and AWS partner solutions can be aggregated, organized, and prioritized. Relevant findings can be visually summarized on an integrated dashboard with actionable graphs and tables. Users can also use automated compliance checks to continuously monitor the operating environment. To improve usability and convenience, the service can score based on compliance check results, and users can improve directly based on scores.

AWS also provides PCI-DSS best practices, and users can obtain AWS's PCI-DSS certificate through AWS Artifact.
Improve Security Management Efficiency. Although all security matters are important, security management processes should still be simplified so that more energy and time can go to business innovation. Certificate management and app user management, for example, are time-consuming tasks. AWS ACM supports validation via email or DNS, issues certificates valid for 13 months, supports fully managed renewal and deployment, is trusted by the major browsers, and is completely free, which makes it very suitable for startups. Customers can also import third-party certificates into ACM for simplified management. For app user management, AWS provides Cognito, which supports registration and login through multiple social applications and comprehensive security checks for registered accounts, such as email and phone number uniqueness. Cognito can be combined with AWS Pinpoint to segment and analyze users and generate analysis reports, such as user regions, registration times, and consumption preferences.
Anti-Fraud. After the pandemic, the economy is gradually recovering, but various online fraud incidents have also appeared, including fake contracts, fake credit card payments, and more. The traditional approach to fraud is to organize manual teams that summarize and find patterns in fraud that has already occurred, and then formulate rules and update the system to protect against it. This approach usually lags behind and lacks real-time capability. In recent years, companies specializing in anti-fraud solutions have emerged, but because fraud occurs across different industries, such as e-commerce and gaming, such solutions are often insufficiently targeted. AWS Fraud Detector can be used for fraud identification. The service first builds a machine learning model, combines it with years of anti-fraud experience from AWS and Amazon.com, and finally lets users upload their own historical fraud transaction data. The combination of these three elements gives customers a solution for identifying fake accounts, fake transactions, and fake credit cards. The service also provides an API, so users can call it in real time for a fraud assessment whenever a transaction is in doubt.
This article is reprinted from AWS official blog "Building a Secure E-Commerce Platform on AWS"