Slide 1

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Serverless Security Workshop
ServerlessDays London, 2019.07.12

Danilo Poccia, Principal Evangelist, @danilop
James Beswick, Senior Developer Advocate, @jbesw
Heitor Lessa, Specialist Solutions Architect, @heitor_lessa
Simon Thulbourn, Specialist Solutions Architect, @sthulb

Slide 2

Agenda
• Serverless security – is it different?
• Security domains for serverless applications
• Workshop scenario
• How to secure serverless applications
• Hands-on

Slide 3

Sample architecture for serverless API endpoint
(diagram; components: Users, Amazon Cognito, Amazon API Gateway, AWS Lambda, Amazon DynamoDB, Amazon RDS)

Slide 4

Sample architecture for serverless web app
(diagram; components: Users, Amazon CloudFront, Amazon S3, Amazon Cognito, Amazon API Gateway, AWS Lambda, Amazon DynamoDB, Amazon RDS)

Slide 5

How is serverless security different?

Different:
• Reduced scope (no servers or OS to patch)
• Ephemeral environment
• More event sources can trigger your AWS Lambda functions
• Old techniques might not be relevant

But still…
• Need to secure databases, S3 buckets, etc.
• Need to secure your code
• Need to use least-privilege access
• Need to monitor usage and data flow

https://www.protego.io/ebook/

Slide 6


Slide 7

Domains of security for (serverless) applications
• Infrastructure
• Data
• Code
• Identity & Access
• Logging & Monitoring

Slide 8

OWASP 2017 Top 10 Web Application Security Risks (https://www.owasp.org)

Rank  Security risk
1     Injection
2     Broken Authentication
3     Sensitive Data Exposure
4     XML External Entities (XXE)
5     Broken Access Control
6     Security Misconfiguration
7     Cross-Site Scripting (XSS)
8     Insecure Deserialization
9     Using Components with Known Vulnerabilities
10    Insufficient Logging & Monitoring

Ranking factors: exploitability, prevalence, detectability, technical impact.

Slide 9

OWASP Top 10 mapped to security domains

Identity & Access
• Broken Authentication (#2)
• Broken Access Control (#5)

Code
• Injection (#1)
• XXE (#4)
• XSS (#7)
• Insecure Deserialization (#8)
• Using Components with Known Vulnerabilities (#9)

Data
• Sensitive Data Exposure (#3)

Infrastructure
• Using Components with Known Vulnerabilities (#9)
• Security Misconfiguration (#6)

Logging & Monitoring
• Insufficient Logging & Monitoring (#10)

Slide 10


Slide 11

Scenario: Wild Rydes (www.wildrydes.com)

Slide 12

3rd party functionality – unicorn customization
Visit beautiful Unicornpolis!
(Sock image credit: Freepik from www.flaticon.com)

Slide 13

3rd party API: Unicorn customization

List customization options and prices:
GET /capes
GET /glasses
GET /horns
GET /socks

(Image credit: Smashicons, Freepik from www.flaticon.com; johnny_automatic from www.openclipart.org)

Slide 14

3rd party API: Unicorn customization

Create and manage customizations:
POST /customizations
GET /customizations
GET /customizations/{id}
DELETE /customizations/{id}

Slide 15

Admin API: register 3rd party partners

Register new partners:
POST /partners

Slide 16

Workshop architecture – starting point
(diagram: 3rd party → Amazon API Gateway → AWS Lambda → Amazon RDS)
Not secure!

Slide 17

Your task: secure the application against attackers!
(Image credit: pongsakornred, Freepik from www.flaticon.com)

Slide 18

Workshop

Link to the workshop: https://amzn.to/serverless-security

Module 0 is mandatory. Modules 1-8: pick your own battle!

Identity & Access
• Module 1: auth

Code
• Module 2: secrets
• Module 3: input validation
• Module 7: dependency vulnerability

Data
• Module 4: encryption in transit

Infrastructure
• Module 5: usage plans
• Module 6: WAF

Logging & Monitoring
• Module 8: X-Ray

Slide 19


Slide 20

Identity and access management for serverless applications
• Authenticate and authorize end-users/clients
• Access between backend services (e.g. AWS Lambda to DynamoDB tables)

Slide 21

Identity and access management for serverless applications
• Authenticate & authorize end-users/clients
• Access control between services

Slide 22

Workshop module 1: OAuth 2.0 Client Credentials Flow

Parties: Client, Authorization server, Resource server.
1. Client → Authorization server: client credentials (Client ID + Client Secret)
2. Authorization server → Client: access token
3. Client → Resource server: call protected resource with access token
4. Resource server → Client: protected resource response

Slide 23

Workshop module 1: add authentication

(diagram: 3rd party → Amazon API Gateway → AWS Lambda → Amazon RDS (Aurora MySQL))
• Amazon Cognito: client authentication (issues the access token)
• AWS Lambda (custom authorizer): verifies access token and scope; downloads the public key from Cognito to validate the token
• Amazon DynamoDB: mapping ClientID -> backend companyID

Addresses OWASP #2: Broken Authentication and OWASP #5: Broken Access Control.

Slide 24

Workshop module 1: add authentication

Amazon Cognito app clients:
• Admin app client: Client ID ZZZ + Client Secret
• Company bar app client: Client ID YYY + Client Secret
• Company foo app client: Client ID XXX + Client Secret

Amazon Aurora, Company table:
ID  Name
1   Foo
2   Bar
…

Amazon DynamoDB, Mapping table:
ClientID  BackendID
XXX       1
YYY       2

Slide 25

Securing code for serverless applications
• Input validation
• Dependency vulnerabilities
• Secrets in source code

Slide 26

Securing code for serverless applications

Input validation
• AWS WAF: XSS rules, SQL injection rules

Storing secrets
• AWS Secrets Manager
• AWS Systems Manager Parameter Store

Dependency vulnerabilities

Slide 27

Module 2: Secrets Manager

(diagram: 3rd party → Amazon API Gateway → AWS Lambda → Amazon RDS (Aurora MySQL); AWS Secrets Manager holds the database credentials, created via CloudFormation, with secret rotation)

Addresses OWASP #3: Sensitive Data Exposure.

Slide 28

Module 3: Input Validation

(diagram: 3rd party → Amazon API Gateway → AWS Lambda, POST /customizations)

Expected request body:
    {
      "name": "AwesomeUnicorn",
      "imageUrl": "http://this.jpg",
      "sock": "1",
      "horn": "1",
      "glasses": "1",
      "cape": "1"
    }

Request body to reject (attribute the API does not define):
    {
      "unexpectedAttr": "1"
    }

Addresses OWASP #1: Injection and OWASP #8: Insecure Deserialization.
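A request model for POST /customizations and a validator that enforces it, added here as an example and not taken from the workshop. API Gateway request validation uses JSON Schema draft 4 models, so the model object below can be pasted into the API as-is; the validator implements only the keywords the model uses (object/string types, required, additionalProperties, pattern, length limits) so the rejection behaviour can be exercised offline and repeated inside the Lambda function. The field patterns and length limits are assumptions for illustration.

```javascript
// Added example: API Gateway request model for POST /customizations plus a minimal validator.
const CUSTOMIZATION_MODEL = {
  $schema: 'http://json-schema.org/draft-04/schema#',
  title: 'CustomizationRequest',
  type: 'object',
  additionalProperties: false, // unknown attributes such as unexpectedAttr are rejected
  required: ['name', 'imageUrl', 'sock', 'horn', 'glasses', 'cape'],
  properties: {
    // Limits and patterns are assumptions: tighten them to what the backend actually accepts.
    name:     { type: 'string', minLength: 1, maxLength: 64, pattern: '^[A-Za-z0-9 _-]+$' },
    imageUrl: { type: 'string', maxLength: 2048, pattern: '^https?://[^\\s]+$' },
    sock:     { type: 'string', pattern: '^[0-9]{1,3}$' },
    horn:     { type: 'string', pattern: '^[0-9]{1,3}$' },
    glasses:  { type: 'string', pattern: '^[0-9]{1,3}$' },
    cape:     { type: 'string', pattern: '^[0-9]{1,3}$' },
  },
};

// Validate `value` against the subset of JSON Schema used above.
// Returns an array of error strings; an empty array means the value is valid.
function validate(schema, value, path = '$') {
  const errors = [];
  if (schema.type === 'object') {
    if (value === null || typeof value !== 'object' || Array.isArray(value)) {
      return [`${path}: expected object`];
    }
    for (const key of schema.required || []) {
      if (!(key in value)) errors.push(`${path}.${key}: required`);
    }
    for (const [key, v] of Object.entries(value)) {
      const sub = (schema.properties || {})[key];
      if (!sub) {
        if (schema.additionalProperties === false) errors.push(`${path}.${key}: unexpected property`);
        continue;
      }
      errors.push(...validate(sub, v, `${path}.${key}`));
    }
  } else if (schema.type === 'string') {
    if (typeof value !== 'string') return [`${path}: expected string`];
    if (schema.minLength !== undefined && value.length < schema.minLength) errors.push(`${path}: too short`);
    if (schema.maxLength !== undefined && value.length > schema.maxLength) errors.push(`${path}: too long`);
    if (schema.pattern && !new RegExp(schema.pattern).test(value)) {
      errors.push(`${path}: does not match ${schema.pattern}`);
    }
  }
  return errors;
}

// What the Lambda behind POST /customizations should do even when API Gateway validates:
// parse defensively and validate again, so the function stays safe if invoked another way
// (test event, another trigger, a misconfigured stage without the validator).
function parseCustomizationRequest(body) {
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return { ok: false, errors: ['$: body is not valid JSON'] };
  }
  const errors = validate(CUSTOMIZATION_MODEL, parsed);
  return errors.length ? { ok: false, errors } : { ok: true, value: parsed };
}

module.exports = { CUSTOMIZATION_MODEL, validate, parseCustomizationRequest };
```

Rejecting the numeric option fields unless they match `^[0-9]{1,3}$` is what turns a value such as `1' OR '1'='1` into a 400 before it reaches the SQL layer; parameterised queries in the function remain the primary defence, and the schema is the cheap first gate. The same model also caps field lengths, which keeps oversized bodies from reaching the database.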

Slide 29

Module 7: Dependency Vulnerability
• Check for vulnerabilities in our dependencies
  • OWASP Dependency Check: https://www.owasp.org/index.php/OWASP_Dependency_Check
  • Third party tools
• Remove unused dependencies
  • depcheck: https://www.npmjs.com/package/depcheck
• Dependency graph example: http://npm.anvaka.com/#/view/2d/request

Addresses OWASP #9: Using Components with Known Vulnerabilities.

Slide 30

Securing data for serverless applications

Your responsibility:
• Data classification and data flow
• Tokenization
• Encryption at rest
• Encryption in transit
• Data backup/replication/recovery

Managed services provide managed backups and encryption.

Slide 31

Securing data for serverless applications
• Data classification
• Data flow
• Data tokenization
• Data encryption at rest
• Data encryption in transit
• Data backup/replication

Slide 32

Module 4: encryption in transit

(diagram: 3rd party → Amazon API Gateway → AWS Lambda → Amazon RDS (Aurora MySQL))

Before: database connection without TLS
    {
      host: "database.host.com",
      user: "admin",
      password: "xxxxxxxxx",
      database: "unicorn_customization"
    }

After: TLS enabled with the driver's Amazon RDS CA profile
    {
      host: "database.host.com",
      user: "admin",
      password: "xxxxxxx",
      database: "unicorn_customization",
      ssl: "Amazon RDS"
    }

Addresses OWASP #3: Sensitive Data Exposure.
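Modules 2 and 4 together, as an added example that is not the workshop's code: the function builds the MySQL driver configuration from a Secrets Manager secret instead of from literals in source, and refuses to produce a configuration without TLS. The secret field names (`username`, `password`, `host`, `port`, `dbname`) are the ones Secrets Manager writes for RDS database secrets; the secret name, the `ssl` values for the `mysql`/`mysql2` drivers, and the `getSecretValue` call shape (AWS SDK for JavaScript v2) are stated assumptions. The secret value used in the checks below is constructed.

```javascript
// Added example: database config from AWS Secrets Manager with TLS enforced.
const SECRET_ID = 'wildrydes/unicorn-customization/db'; // assumed secret name

// Fields Secrets Manager populates for an RDS secret (other fields such as engine are ignored).
const REQUIRED_FIELDS = ['host', 'port', 'username', 'password', 'dbname'];

// Convert a SecretString into a mysql/mysql2 connection config.
// Throws if a field is missing; always sets `ssl`, so a plaintext config cannot be produced.
function buildDbConfig(secretString, { caBundle } = {}) {
  const secret = JSON.parse(secretString);
  for (const field of REQUIRED_FIELDS) {
    if (secret[field] === undefined || secret[field] === '') throw new Error(`secret missing ${field}`);
  }
  return {
    host: secret.host,
    port: Number(secret.port),
    user: secret.username,
    password: secret.password,
    database: secret.dbname,
    // 'Amazon RDS' selects the CA profile bundled with the driver. When the caller ships the
    // current RDS CA bundle (caBundle), use it and verify the server certificate against it.
    ssl: caBundle ? { ca: caBundle, rejectUnauthorized: true } : 'Amazon RDS',
  };
}

// Cache the config across warm invocations; a caller that sees an auth failure after a
// rotation calls with { refresh: true } to pick up the new password.
let cachedConfig = null;
async function loadDbConfig(secretsManager, { refresh = false } = {}) {
  if (cachedConfig && !refresh) return cachedConfig;
  // AWS SDK v2 shape (assumed): new AWS.SecretsManager().getSecretValue({...}).promise()
  const res = await secretsManager.getSecretValue({ SecretId: SECRET_ID }).promise();
  cachedConfig = buildDbConfig(res.SecretString);
  return cachedConfig;
}

// Log-safe view: never log the raw config, which carries the password.
function redact(config) {
  return { ...config, password: '***' };
}

// True when the config will only talk to the database over TLS.
function enforcesTls(config) {
  return config.ssl === 'Amazon RDS' ||
    (typeof config.ssl === 'object' && config.ssl !== null && config.ssl.rejectUnauthorized !== false);
}

module.exports = { SECRET_ID, buildDbConfig, loadDbConfig, redact, enforcesTls };
```

Two caveats a reviewer would raise. First, a driver-side `ssl` setting protects this client only; if the engine version supports it, set `require_secure_transport=ON` in the cluster parameter group so that any other client (a migration script, a developer's laptop) cannot connect in plaintext. Second, the bundled `'Amazon RDS'` profile is only as current as the driver version you deploy, so after an RDS CA rotation either upgrade the driver or download the current RDS CA bundle and pass it as `caBundle`.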

Slide 33

Securing infrastructure for serverless applications

Your responsibility:
• DDoS protection
• Throttling / rate limiting
• Network boundaries

Slide 34

Securing infrastructure for serverless applications

DDoS protection + throttling / rate limiting
• AWS WAF: geoblocking, IP reputation lists, rate-based rules, size constraints

Network boundaries

Slide 35

Module 5: Usage Plans

(diagram: 3rd party → Amazon API Gateway, with AWS Lambda custom authorizer → AWS Lambda → Amazon RDS; both the authorizer and the API are annotated "+ API key")

Slide 36

Module 6: WAF

(diagram: 3rd party → AWS WAF → Amazon API Gateway → AWS Lambda → Amazon RDS)

Slide 37

Logging & monitoring for serverless applications
• Application logs
• Access logs
• Control plane audit logs
• Metrics
• Alarms
• Compliance validation

Slide 38

Logging & monitoring for serverless applications
• Logging and tracing
• Metrics
• Compliance validation

Slide 39

Module 8: X-Ray

Addresses OWASP #10: Insufficient Logging & Monitoring.

Slide 40

Workshop

Link to the workshop: https://amzn.to/serverless-security

Module 0 is mandatory. Modules 1-8: pick your own battle!
(Module-to-domain mapping as on slide 18.)

Slide 41

Thank you!
@danilop