


Securing Serverless Apps with Infrastructure as Code Tools

V2 of the O'Reilly Velocity 2018 (San Jose, June 13) deck. Covers the differences between serverless and traditional apps from a security perspective, vulnerability examples, monitoring options, and using Prowler and CloudFormation to evaluate CIS rules and harden AWS accounts.


Luis Colon @ AWS

June 13, 2018



Transcript

  1. O’Reilly Velocity Conference, June 13 2018. Deploy Security Controls for Serverless Apps with Infrastructure as Code Tools
     Luis Colon ([email protected]), Senior Developer Advocate, AWS CloudFormation. Twitter: @luiscolon1
     © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved
  2. Agenda
     • Serverless security compared to traditional apps
     • Top security concerns for serverless, with examples
     • Monitoring
     • Tools to harden and automate controls
     • Additional advice
     #VelocityConf @luiscolon1
  3. Monitoring and Logging
     • AWS CloudWatch
     • AWS CloudTrail
     • AWS Config
     • AWS Config Rules
     • AWS X-Ray
     • Amazon Macie
     • Dashbird
     • …no need to write your own
  6. Automating Controls: CIS Rules
     • Prowler
       • Checks the CIS AWS Foundations Benchmark controls
       • Adds other rules beyond CIS
       • Run the checks per account and per region
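The slide only names Prowler, so the following is an added example rather than Prowler's own code: it evaluates a handful of CIS AWS Foundations Benchmark (v1.x) controls the way a per-account, per-region check would, but over a constructed, offline snapshot. The snapshot mirrors the field names returned by `aws iam get-account-password-policy` and `aws cloudtrail describe-trails`; the account ID, trail name and values are invented so that several controls fail and the report is worth reading.

```python
"""Evaluate a few CIS AWS Foundations Benchmark (v1.x) controls over one
account/region snapshot. Added example, not Prowler's code.

SNAPSHOT is constructed: its keys follow the shape of the IAM
get-account-password-policy and CloudTrail describe-trails API responses,
but every value here is invented for illustration.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Finding:
    control: str   # CIS control number, e.g. "1.9"
    title: str
    passed: bool
    region: str
    account: str


# Constructed snapshot for one account in one region.
SNAPSHOT = {
    "account": "123456789012",
    "region": "us-east-1",
    "password_policy": {
        "MinimumPasswordLength": 8,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": False,
        "RequireLowercaseCharacters": True,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 5,
    },
    "trails": [
        {
            "Name": "main-trail",
            "IsMultiRegionTrail": False,
            "LogFileValidationEnabled": True,
            "CloudWatchLogsLogGroupArn": None,
            "KmsKeyId": None,
        }
    ],
}


def _password_policy_checks(pp: dict) -> list:
    """CIS 1.5-1.11: IAM password policy requirements."""
    return [
        ("1.5", "Password policy requires at least one uppercase letter",
         pp.get("RequireUppercaseCharacters", False)),
        ("1.6", "Password policy requires at least one lowercase letter",
         pp.get("RequireLowercaseCharacters", False)),
        ("1.7", "Password policy requires at least one symbol",
         pp.get("RequireSymbols", False)),
        ("1.8", "Password policy requires at least one number",
         pp.get("RequireNumbers", False)),
        ("1.9", "Password policy requires minimum length of 14",
         pp.get("MinimumPasswordLength", 0) >= 14),
        ("1.10", "Password policy prevents reuse of the last 24 passwords",
         pp.get("PasswordReusePrevention", 0) >= 24),
        # MaxPasswordAge is absent from the API response when expiry is off.
        ("1.11", "Password policy expires passwords within 90 days",
         0 < pp.get("MaxPasswordAge", 0) <= 90),
    ]


def _cloudtrail_checks(trails: list) -> list:
    """CIS 2.1, 2.2, 2.4, 2.7: CloudTrail configuration."""
    multi_region = any(t.get("IsMultiRegionTrail") for t in trails)
    # Per-trail controls: every trail in the region must pass, and no trails at all fails.
    validation = bool(trails) and all(t.get("LogFileValidationEnabled") for t in trails)
    to_cwl = bool(trails) and all(t.get("CloudWatchLogsLogGroupArn") for t in trails)
    kms = bool(trails) and all(t.get("KmsKeyId") for t in trails)
    return [
        ("2.1", "CloudTrail is enabled in all regions", multi_region),
        ("2.2", "CloudTrail log file validation is enabled", validation),
        ("2.4", "CloudTrail trails are integrated with CloudWatch Logs", to_cwl),
        ("2.7", "CloudTrail logs are encrypted at rest using KMS CMKs", kms),
    ]


def evaluate(snapshot: dict) -> List[Finding]:
    acct, region = snapshot["account"], snapshot["region"]
    rows = _password_policy_checks(snapshot.get("password_policy", {}))
    rows += _cloudtrail_checks(snapshot.get("trails", []))
    return [Finding(c, t, bool(p), region, acct) for c, t, p in rows]


def failed_controls(snapshot: dict) -> List[str]:
    """Control numbers that fail, in benchmark order."""
    return [f.control for f in evaluate(snapshot) if not f.passed]


def report(snapshot: dict) -> str:
    lines = [f"Account {snapshot['account']} / {snapshot['region']}"]
    for f in evaluate(snapshot):
        lines.append(f"  [{'PASS' if f.passed else 'FAIL'}] {f.control:<5} {f.title}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SNAPSHOT))
```

To run this against a real account you would replace SNAPSHOT with the output of the two describe calls for each region you operate in, which is exactly the per-account, per-region loop the slide asks for; the account-level password policy is evaluated once, the trail checks once per region.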
  7. Authentication and Permissions
     • Reuse existing systems
       • Amazon Cognito
       • Auth0
       • JWT
     • Least privilege
       • No * in IAM policies
       • No individual permissions (use roles/groups)
       • One role per function
       • Single responsibility per function
     • Protect secrets
       • Don’t expose them in logs, code or alerts
       • Encryption
       • Rotate keys to limit the damage from a leak
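The two least-privilege rules above ("No * in IAM policies" and one role per function) are mechanically checkable in the template before anything is deployed. The lint below is an added example, not an AWS or Prowler tool; the template it inspects is constructed for illustration and given already parsed into a dict (in practice you would load the YAML with PyYAML or cfn-flip, where `!GetAtt Role.Arn` becomes `{"Fn::GetAtt": [...]}`). The resource names, account ID and bucket are invented.

```python
"""Least-privilege lint for Lambda execution roles in a CloudFormation template.

Added example, not an AWS tool. TEMPLATE is constructed: one role with a
service-wide wildcard shared by two functions (the anti-pattern) and one
scoped, single-purpose role (the hardened form).
"""
from collections import defaultdict
from typing import List

# Trust policy shared by both roles: only Lambda may assume them.
LAMBDA_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"Service": "lambda.amazonaws.com"}, "Action": "sts:AssumeRole"}]}


def _function(role_id: str) -> dict:
    """Minimal Lambda function resource pointing at the given role (constructed)."""
    return {"Type": "AWS::Lambda::Function", "Properties": {
        "Runtime": "python3.6", "Handler": "app.handler",
        "Code": {"S3Bucket": "example-deploy-bucket", "S3Key": "app.zip"},
        "Role": {"Fn::GetAtt": [role_id, "Arn"]}}}


TEMPLATE = {"Resources": {
    # Anti-pattern: wildcard action, wildcard resource, reused by two functions.
    "SharedRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": LAMBDA_TRUST,
        "Policies": [{"PolicyName": "too-broad", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}}]}},
    # Hardened: named actions on one table, used by exactly one function.
    "OrdersRole": {"Type": "AWS::IAM::Role", "Properties": {
        "AssumeRolePolicyDocument": LAMBDA_TRUST,
        "Policies": [{"PolicyName": "orders-read", "PolicyDocument": {
            "Version": "2012-10-17", "Statement": [
                {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
                 "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}}]}},
    "CreateOrder": _function("SharedRole"),
    "ListOrders": _function("SharedRole"),
    "GetOrder": _function("OrdersRole"),
}}


def _as_list(value) -> list:
    """IAM allows Action/Resource/Statement to be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _role_logical_id(role_prop) -> str:
    """Resolve a function's Role property to the role's logical ID."""
    if isinstance(role_prop, dict):
        if "Fn::GetAtt" in role_prop:
            target = role_prop["Fn::GetAtt"]
            return target.split(".")[0] if isinstance(target, str) else target[0]
        if "Ref" in role_prop:
            return role_prop["Ref"]
    return str(role_prop)  # hard-coded ARN: grouped by its literal value


def lint(template: dict) -> List[str]:
    findings: List[str] = []
    resources = template.get("Resources", {})
    # Rule 1: no wildcard actions and no bare "*" resource in Allow statements.
    for rid, res in resources.items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in _as_list(res.get("Properties", {}).get("Policies")):
            pname = policy.get("PolicyName", "?")
            for i, stmt in enumerate(_as_list(policy.get("PolicyDocument", {}).get("Statement"))):
                if stmt.get("Effect") != "Allow":
                    continue
                for action in _as_list(stmt.get("Action")):
                    if isinstance(action, str) and "*" in action:
                        findings.append(f"{rid}/{pname} statement {i}: wildcard action {action!r}")
                for resource in _as_list(stmt.get("Resource")):
                    if resource == "*":
                        findings.append(f"{rid}/{pname} statement {i}: Resource '*' (scope to specific ARNs)")
    # Rule 2: one execution role per function.
    users = defaultdict(list)
    for rid, res in resources.items():
        if res.get("Type") in ("AWS::Lambda::Function", "AWS::Serverless::Function"):
            users[_role_logical_id(res.get("Properties", {}).get("Role"))].append(rid)
    for role, fns in sorted(users.items()):
        if len(fns) > 1:
            findings.append(f"{role} is shared by {', '.join(fns)} (use one role per function)")
    return findings


if __name__ == "__main__":
    for finding in lint(TEMPLATE):
        print(finding)
```

Run as a pre-deploy gate (fail the pipeline when `lint()` returns anything) and the rules on the slide stop being advice and become a control. The resource rule is deliberately limited to the bare `*`; a trailing `:*` on a log-stream ARN is the normal shape of a scoped CloudWatch Logs permission and would be a false positive.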
  8. Assume the worst
     • Use the tools at your disposal
     • Your own audits
       • Log logins, failed logins, account changes (password changes, email changes), confirm DB transactions…
       • Have thresholds on logins from an address, DB connections, queries per second
     • DoW (denial of wallet: attacker-driven invocation volume that runs up your bill)
     • Chaos engineering
     • Rotate credentials
     • Separate credentials and policies for different functions
     • Remove unused functions
     • Harden accounts and environments
     • Automate your controls
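"Log failed logins" and "have thresholds on logins from an address" together make a small detection. The code below is an added example, not from the deck: a sliding-window check over CloudTrail-shaped ConsoleLogin records that alerts when one source address accumulates N failures within a window, and separately when a success follows a run of failures from that address (the shape of a password spray that landed). The records are constructed; the IP addresses, user names and times are invented, and the detector assumes the input is in time order, which is how CloudTrail delivers a single log file.

```python
"""Threshold detection over CloudTrail ConsoleLogin records.

Added example, not from the deck. SAMPLE_LOG is constructed: each line has
the fields a real CloudTrail ConsoleLogin record carries (eventTime,
sourceIPAddress, userIdentity.userName, responseElements.ConsoleLogin),
but the addresses, users and timestamps are invented.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Iterable, List


def _event(time: str, ip: str, user: str, outcome: str) -> str:
    """One CloudTrail-shaped ConsoleLogin record as a JSON line (constructed)."""
    rec = {
        "eventVersion": "1.05", "eventTime": time, "eventSource": "signin.amazonaws.com",
        "eventName": "ConsoleLogin", "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "userName": user},
        "responseElements": {"ConsoleLogin": outcome},
    }
    if outcome == "Failure":
        rec["errorMessage"] = "Failed authentication"
    return json.dumps(rec)


SAMPLE_LOG = "\n".join([
    # One address cycling through several users, then one success.
    _event("2018-06-13T10:00:00Z", "203.0.113.7", "alice", "Failure"),
    _event("2018-06-13T10:00:10Z", "203.0.113.7", "bob", "Failure"),
    _event("2018-06-13T10:00:20Z", "203.0.113.7", "carol", "Failure"),
    _event("2018-06-13T10:00:30Z", "203.0.113.7", "alice", "Failure"),
    _event("2018-06-13T10:00:40Z", "203.0.113.7", "bob", "Failure"),
    _event("2018-06-13T10:01:00Z", "203.0.113.7", "alice", "Success"),
    # A normal user mistyping once and then getting in.
    _event("2018-06-13T10:02:00Z", "198.51.100.5", "dave", "Failure"),
    _event("2018-06-13T10:03:00Z", "198.51.100.5", "dave", "Success"),
])


def detect(lines: Iterable[str], threshold: int = 5,
           window: timedelta = timedelta(minutes=5), success_after: int = 3) -> List[dict]:
    """Return alerts for login bursts and successes after repeated failures.

    Records must be in time order. `recent[ip]` holds the failure timestamps
    from that address still inside `window`.
    """
    recent = defaultdict(deque)
    alerts: List[dict] = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("eventName") != "ConsoleLogin":
            continue
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        ip = ev.get("sourceIPAddress", "?")
        user = ev.get("userIdentity", {}).get("userName", "?")
        failures = recent[ip]
        while failures and ts - failures[0] > window:   # drop failures outside the window
            failures.popleft()
        outcome = ev.get("responseElements", {}).get("ConsoleLogin")
        if outcome == "Failure":
            failures.append(ts)
            if len(failures) == threshold:                # fire once per burst
                alerts.append({"type": "failed_login_burst", "ip": ip,
                               "count": len(failures), "at": ev["eventTime"]})
        elif outcome == "Success" and len(failures) >= success_after:
            alerts.append({"type": "success_after_failures", "ip": ip, "user": user,
                           "failures": len(failures), "at": ev["eventTime"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

The same loop runs unchanged as a CloudWatch Logs subscription consumer or over the gzipped CloudTrail objects in S3; the thresholds are the tuning knobs the slide mentions and should be set from a baseline of your own login traffic rather than the values used here.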
  9. Summary
     • With serverless, you have a few fewer things to worry about, but still plenty of things…
     • Many standard best practices apply
     • Improve controls, logging, monitoring, etc. incrementally and on an ongoing basis
     • Automate your controls
     • Leverage the many tools available
  10. Further Reading
     • Securing Serverless - a Newbie's Guide: https://www.jeremydaly.com/securing-serverless-a-newbies-guide/
     • Yan Cui’s “Many-faced threats to Serverless security” – October 25, 2017
     • Hacking Serverless Runtimes whitepaper - Andrew Krug and Graham Jones – July 15, 2017
     • Serverless Security implications—from infra to OWASP - Guy Podjarny – April 19, 2017
     • The Ten Most Critical Security Risks in Serverless Architectures - PureSec – January 17, 2018
     • AWS Doc: Lambda Best Practices: https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
  11. Links
     • Detect vulnerabilities in your dependencies: https://snyk.io/
     • Prowler for CLI checks: https://github.com/toniblyx/prowler
     • https://hackernoon.com/many-faced-threats-to-serverless-security-519e94d19dba
     • CIS Hardening Guidelines: https://aws.amazon.com/blogs/security/announcing-industry-best-practices-for-securing-aws-resources/
     • https://github.com/awslabs/aws-security-benchmark
     • https://medium.com/dashbird/is-your-serverless-as-good-as-you-think-it-is-2baa3d36b1de
     • https://medium.com/@fastup/aws-iam-for-serverless-development-ba24be03cd2