EDF at the AWS Security Game Day
By Arina Bulantseva and Anwar Bouchra
At EDF, we’re always on the lookout for opportunities to enhance our knowledge and skills. Recently, we have had the opportunity of being part of an AWS Security Game Day — an immersive experience, encouraging hands-on learning and problem-solving using services like WAF and AWS Shield. The event drew in engineers with differing levels of experience, from beginners who have only recently come across AWS to more experienced professionals.
Two of our 2023 Data and Tech graduates took on the challenge and have offered to share their own perspective and advice from the day to fellow AWS enthusiasts!
Here is Arina’s story:
Last week I had the pleasure of experiencing my first AWS Game Day and I must say, it did not disappoint! After hearing praises about it from those who have participated in similar days before, I was excited, but did not have a clear idea of what to expect.
Nevertheless, I packed my rucksack and headed towards the AWS offices, braving the inferno heat of the central line during peak hours. Although I originally missed my stop, I still got some time before the start of the Game Day to chat to the lovely people around me, both those I work with daily and those I met for the first time that day. Making new connections or seeing people I otherwise only see as heads on Teams is always a highlight of any in-person events, especially when you get to race them in an arcade — but more on that later!
Soon, it was time to get down to business and focus on the first important task of the day — choosing our team name. While we were waiting for our other teammate, Rufus, Anwar and I wracked our brains trying to come up with security-related Kahoot-style team names. And, after going through some very unhelpful and some great suggestions from ChatGPT, we landed on “Phish and Chips”, which later earned us our one and only award (for the coolest team name!).
During the first part of the day, we were introduced to different cyber-security risks and levels, and some of the AWS services that help mitigate them, namely Web Application Firewall (WAF) and Shield. The former protects the application from DDoS, Web, and Bot attacks, while the latter focuses on protecting the underlying AWS infrastructure. The two can be integrated to configure custom protection rules, such as denial of access to specific IP addresses. Furthermore, the services offer several metrics for observability, as well as activity logs for analytics and monitoring.
After digesting all the new information over lunch, we were presented with a light-hearted introduction to the Game Day itself. In the scenario, we were cybersecurity teams competing for a contract with a Unicorn Rental company after the big boss fired our predecessors over the weekend. We were given our credentials and three challenges to solve using the previously showcased services among other AWS features. One of the issues we were presented with was that someone had hacked into our website and deleted the CSS file and our background image. However, using WAF custom rules, we were able to find the IP address of the perpetrator and block them from accessing our site again. It was also helpful to limit access to the S3 bucket to read-only, stopping unwanted changes from occurring.
The other challenges included unexpected bursts of traffic to our website, and odd requests to the application, potentially linked to some unexpected changes that were reported within user accounts. The former could be alleviated by blocking the inbound traffic to the database, and the latter could be addressed by adding a WAF to the application load balancer and configuring it to block common attacks like XSS and SQL injection.
Since I had not used the AWS console in depth, I found starting the exercises confusing, but I was helped by the support of the team and the morning session on WAF and Shield. And, after finding out that we could get extra points for getting the high score on the Deep Racer arcade machine, we all had to try to navigate a car around the virtual track, taking breaks from sitting around our screens. Even though I did not get the record, a few of us had a fun back-and-forth beating each other’s track times by milliseconds each time — a welcome break from all the learning.
We worked well together as a team — Rufus even drew us a very helpful diagram, and we did not lock anyone out of their accounts, which was a very definite possibility. And although we didn’t win, it was a great way to learn practically, rather than by simply staring at a lecturer explaining a topic for hours.
Next time I am sure I will be a little more prepared for the challenges and hopefully be able to help get my team get to the top 3. Either way, the experience was a great combination of fun and educational, and I will definitely be encouraging others to participate in the upcoming events :)
Here is Anwar’s story:
I’m Anwar and I’m in my first rotation as a software engineer. I’ve used AWS moderately in my limited time on this scheme so going into the Security game day I was very much still a beginner.
Overall, the day was very informative and fun! We started the day with a lecture which had relevance to the game challenge later in the day. So, it was important to be switched on from the start!
The event was really well organised, and we were assigned teams based on each individual’s ability / experience, so the teams were balanced, making the game-day very competitive.
We were given a brief meeting to outline the structure of the day but for specific preparation I’d say to have a familiarity with how to navigate each AWS service, and an idea of what each service does. There is a lot of support on the day so don’t worry! But this is just to be well prepared.
We learned quite a lot on how applications and websites are vulnerable to attacks, and steps we can take to prevent this (or be able to rectify it, if it has already happened), more specifically doing this using services like WAF or AWS Shield. The most common types of attacks were split into 2 main categories, DoS attacks and application attacks. DoS attacks usually consist of volumetric attacks sending unusual amounts of traffic to a target. Whereas application attacks were in the form of: SQL injections, Bot Attacks or credential abuse. WAF came in handy here as it blocked application attacks when we added it to our load balancer in the exercise.
The game-day has made me more mindful in my practices at EDF of the importance of cybersecurity for businesses and individuals.
EDF’s AWS Game Day offered engineers like Arina and Anwar a blend of enjoyment and learning, emphasising teamwork and hands-on experience. They highlighted the event’s importance in fostering continuous skill development, providing insights into cybersecurity measures using AWS tools, and showcasing EDF’s commitment to staying updated in the field.
