Our client is a leading Indian payment aggregator, empowering over 50K+ merchants across industries like e-commerce, education, and SaaS to collect payments seamlessly. The platform processes ~ 1 million daily transactions, supporting UPI, credit/debit cards, and net banking. With operations hosted in two multiple AWS regions in India, the client faced growing challenges in securing their platform while maintaining low latency and high availability for their merchants.
As the client’s business scaled rapidly, ensuring platform security, performance, and compliance became critical to maintaining merchant trust and user satisfaction.
Challenges
The client faced several critical challenges as they grew their operations:
- Security Threats:
- Regular attacks such as SQL injection (SQLi) and Cross-Site Scripting (XSS) targeting their payment gateway APIs.
- Over 15,000 credential stuffing attempts daily, putting merchant accounts at risk of compromise.
- Distributed Denial of Service (DDoS) attacks during high-traffic events caused service disruptions, impacting merchant operations.
- Performance Bottlenecks:
- Latency spikes during peak traffic periods (up to 300 TPS) caused response times to exceed 1.2 seconds, affecting the user experience for merchants and customers.
- Malicious bot traffic consumed nearly 40% of bandwidth, degrading system performance and increasing operational costs.
- Operational Inefficiencies:
- Manual updates to WAF rules took up to 3 hours per change, delaying threat mitigation during critical incidents.
- Managing security policies across two AWS regions (Mumbai and Hyderabad) created inconsistencies in protection levels.
- Compliance Risks:
- The client needed to comply with PCI DSS standards for secure handling of cardholder data but lacked robust application-layer protections.
Solution Implemented
To address these challenges, we implemented a comprehensive solution using AWS Web Application Firewall integrated with automation tools like Terraform and AWS Lambda. The solution was designed to handle the client’s scale of operations while ensuring consistent security policies across both AWS regions.
Key Features of the Solution
- Automated WAF Rule Deployment Using Terraform:
- All WAF rules were codified using Terraform for consistency across environments (development, staging, production) and regions (Mumbai and Hyderabad).
- Configurations included:
- Managed rule groups such as
AWSManagedRulesOWASPCoreRuleSetfor protection against OWASP Top 10 vulnerabilities. - Rate-based rules limiting requests to 1,500 requests per 5 minutes per IP.
- Custom rules for blocking SQL injection payloads (
(?i)(union.*select)). - Geo-restriction rules allowing traffic only from India and trusted international locations.
- Managed rule groups such as
- CI/CD pipelines were used to deploy rule updates seamlessly.
- Dynamic IP Blocklisting Using AWS Lambda:
- An AWS Lambda function was deployed to dynamically update IP blocklists every hour based on threat intelligence feeds.
- This ensured real-time blocking of malicious IPs without manual intervention.
- Custom Rules for Business-Specific Threats:
- Created custom rules tailored to the client’s payment APIs to block malicious patterns, rate-limit abusive traffic, and challenge suspicious bots with CAPTCHA.
- Geo-Restriction Rules:
- Restricted access from non-operational regions while allowing traffic only from India and trusted international locations like Singapore and the US.
- Real-Time Monitoring with CloudWatch:
- Integrated AWS WAF logs with Amazon CloudWatch for real-time monitoring of blocked requests.
- Configured alerts using Amazon SNS for immediate notification of critical security events.
- Centralized Governance Across Regions:
- Used AWS Firewall Manager to enforce consistent WAF policies across both AWS regions (Mumbai and Hyderabad), ensuring uniform protection for all merchant-facing applications.
Results
The deployment of AWS WAF, combined with automation and tailored configurations, resulted in transformative improvements for the client’s platform, addressing critical security, performance, and compliance challenges at scale
Security Enhancements
- Blocked over 2 million malicious requests per month, including SQL injection and XSS attempts.
- Reduced credential stuffing attempts by over 90%, safeguarding merchant accounts.
- Mitigated DDoS attacks effectively, ensuring uninterrupted service during high-traffic events like festive sales campaigns.
Performance Gains
- Reduced latency during peak hours from an average of 1.2 seconds to 400ms, enabling faster transaction processing even at 300 TPS.
- Lowered bandwidth consumption by filtering out bot traffic, resulting in annual cost savings of approximately ₹40 lakhs.
Operational Efficiency
- Automated rule deployment reduced update time from 3 hours (manual) to just 8 minutes, enabling faster response to emerging threats.
- Centralized governance ensured consistent security policies across both AWS regions.
Compliance Achieved
- Achieved PCI DSS compliance within four weeks by implementing robust application-layer protections.
- Regular audits confirmed adherence to industry standards for secure handling of cardholder data.
Key Metrics
| Metric | Before Implementation | After Implementation |
|---|---|---|
| Malicious Requests Blocked | ~500K/month | ~2M/month |
| Average Latency During Peak Hours | 1,200ms | 400ms |
| Bandwidth Consumed by Bot Traffic | ~40% | <5% |
| Rule Update Time | ~3 hours | ~8 minutes |
If your business is facing similar challenges with security or performance at scale, contact us today to learn how we can help you achieve your goals
