Upgrade to Pro — share decks privately, control downloads, hide ads and more …

The ~~Ten~~ Three Most Critical Security Risks ...

The ~~Ten~~ Three Most Critical Security Risks in Serverless Architectures

Ruby開発様の姫島オフィスにて発表した資料です

Koji Nakayama

April 26, 2018
Tweet

More Decks by Koji Nakayama

Other Decks in Technology

Transcript

  1. Function Event-Data Injection • ςЄϝЄϹφίϤϷξЄτϴЀ΅αϦЀϕϖϷϣЀ΁㳌ቘ͢ᤈΥ΢Ρ • ֺ: S3 -> Lambda

    -> DynamoDB • ͩ΄檭̵ڹྦྷ΄αϦЀϕ͡ΟჁͫ΢͵ఘ䁭Ψ͚Σ͚ΣےૡͭͼOutputͯ Ρ̵;͚͜΄͢ΞֵͥΥ΢ΡϞόЄЀ • ͵Ͷ̵ͭͩ΄ϔЄόΨͳ΄ΔΔֵ͹ͼͭΔ͜;ψκϲϷϓΰ΄㺔氂΁΀ Π஑Ρ • ᥝͯΡ΁̵فێ㮔Ψͭ͹͡ΠϝϷϔЄτϴЀͭΔͭΝ͜;͚͜扖 10
  2. S3 Event Notification΄ֺ { "Records": [ { ... "s3": {

    "s3SchemaVersion": "1.0", "configurationId": "testConfigRule", "bucket": { "name": "example-bucket", "ownerIdentity": { "principalId": "EXAMPLE" }, "arn": "arn:aws:s3:::example-bucket" }, "object": { "key": "example-object", "size": 1024, "eTag": "0123456789abcdef0123456789abcdef", "sequencer": "0A1B2C3D4E5F678901" } } } ] } 11