Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Serverless Apps with Infrastructure as...

Securing Serverless Apps with Infrastructure as Code Tools

V2 Oreilly Velocity 2018 San Jose June 13 - Differences between Serverless and traditional apps from a security perspective; vulnerability examples; monitoring options; using Prowler and CloudFormation to evaluate CIS rules and harden AWS accounts.

Luis Colon @ AWS

June 13, 2018
Tweet

More Decks by Luis Colon @ AWS

Other Decks in Technology

Transcript

  1. O’Reilly Velocity Conference June 13 2018 Deploy Security Controls for

    Serverless Apps with Infrastructure as Code Tools Luis Colon ([email protected]) Senior Developer Advocate, AWS CloudFormation Twitter: @luiscolon1 © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved
  2. Agenda • Serverless security compared to traditional apps • Top

    security concerns for serverless, with examples • Monitoring • Tools to harden and automate controls • Additional advice #VelocityConf @luiscolon1
  3. Monitoring and Logging • AWS CloudWatch • AWS CloudTrail •

    AWS Config • AWS ConfigRules • AWS X-Ray • Amazon Macie • Dashbird • …no need to write your own #VelocityConf @luiscolon1 4p
  4. Monitoring and Logging • AWS CloudWatch • AWS CloudTrail •

    AWS Config • AWS ConfigRules • AWS X-Ray • Amazon Macie • Dashbird • …no need to write your own #VelocityConf @luiscolon1
  5. Monitoring and Logging • AWS CloudWatch • AWS CloudTrail •

    AWS Config • AWS ConfigRules • AWS X-Ray • Amazon Macie • Dashbird • …no need to write your own #VelocityConf @luiscolon1
  6. Automating Controls: CIS Rules • Prowler • Checks CIS •

    Adds other rules • Check per account/region #VelocityConf @luiscolon1
  7. Authentication and Permissions • Reuse existing systems • AWS Cognito

    • Auth0 • JWT • Least Privilege • No * in IAM policies • No individual permissions (use roles/groups) • Per function • Single responsibility • Protect secrets • Don’t expose in logs, code or alerts • Encryption • Rotate keys to mitigate events #VelocityConf @luiscolon1
  8. Assume the worst • Use the tools at your disposal

    • Your own audits • Log logins, failed logins, account changes (password changes, email changes), confirm db transactions… • have thresholds on logins from an address, db connections, queries per second • DoW • Chaos engineering • Rotate credentials • Separate credentials and policies for different functions • Remove unused functions • Harden accounts and environments • Automate your controls #VelocityConf @luiscolon1
  9. Summary • With serverless, you have a few less things

    to worry about, but still plenty of things… • Many standard best practices apply • Improve controls, logging, monitoring, etc. incrementally and on an ongoing basis • Automate your controls • Leverage the many tools available #VelocityConf @luiscolon1
  10. Further Reading • Securing Serverless - a Newbie's Guide •

    https://www.jeremydaly.com/securing-serverless-a-newbies-guide/ • Yan Cui’s “Many-faced threats to Serverless security” – October 25, 2017 • Hacking Severless Runtimes whitepaper - Andrew Krug and Graham Jones – July 15, 2017 • Serverless Security implications—from infra to OWASP - Guy Podjarny – April 19, 2017 • The Ten Most Critical Security Risks in Serverless Architectures - PureSec – January 17, 2018 • AWS Doc: Lambda Best Practices • https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html #VelocityConf @luiscolon1
  11. Links • Detect vulnerabilities on your dependencies https://snyk.io/ • Prowler

    for CLI checks: https://github.com/toniblyx/prowler • https://hackernoon.com/many-faced-threats-to-serverless-security-519e94d19dba • CIS Hardening Guidelines: https://aws.amazon.com/blogs/security/announcing-industry- best-practices-for-securing-aws-resources/ • https://github.com/awslabs/aws-security-benchmark • https://medium.com/dashbird/is-your-serverless-as-good-as-you-think-it- is-2baa3d36b1de • https://medium.com/@fastup/aws-iam-for-serverless-development-ba24be03cd2 #VelocityConf @luiscolon1