Slide 1

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. S U M M I T

Serverless best practices for configuration management and cost optimization
Alex Casalboni, Technical Evangelist, AWS

Slide 2

About me
• Software Engineer & Web Developer
• Startupper for 4.5 years
• Serverless Lover & AI Enthusiast
• ServerlessDays Organizer
• AWS Customer since 2013

Slide 3

Agenda
1. Serverless security & configuration management
2. Serverless cost optimization


Slide 5

Lambda permission model
Fine-grained security controls for both execution and invocation

Execution policies
• Define which AWS resources/API calls this function can access, via AWS Identity and Access Management (IAM)
• Used in streaming invocations
• For example, "Lambda function A can read from DynamoDB table users"

Function policies
• Used for sync and async invocations
• For example, "Actions on bucket X can invoke Lambda function Z"
• Resource policies allow for cross-account access

Slide 6

Action: "s3:*"
Action: "dynamodb:*"
Action: "sns:*"
… make puppies cry!
Photo by Matthew Henry on Unsplash

Slide 7

Fine-grained IAM policy with AWS SAM

```yaml
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    Handler: index.handler
    Runtime: python2.7
    Policies:
      - AWSLambdaExecute  # Managed Policy
      - Version: '2012-10-17'  # inline policy scoped to one action on one table
        Statement:
          - Effect: Allow
            Action:
              - dynamodb:GetItem
            Resource: !GetAtt MyDynamoDBTable.Arn
```
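One way to catch the "s3:*" style policies from the previous slide before they ship, as an added example that is not part of the talk or of AWS SAM: a small checker that walks an IAM policy document and reports wildcard actions and resources in Allow statements. The two policies are constructed for the example (placeholder account id and region); the scoped one mirrors the SAM snippet above.

```python
import json

# Constructed sample policies for this example: one overly broad (the
# "s3:*" style from slide 6), one scoped like the SAM snippet above.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sns:*", "Resource": "*"},
    ],
}
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:GetItem"],
        # placeholder account id and region, constructed for the example
        "Resource": "arn:aws:dynamodb:eu-west-1:123456789012:table/MyDynamoDBTable",
    }],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def find_wildcards(policy):
    """Return (statement index, field, value) for each wildcard in an Allow statement.

    Flags a bare "*" action, a service-wide "service:*" action, and Resource "*".
    Deny statements are skipped because they only narrow access; NotAction and
    NotResource are not handled by this simplified checker.
    """
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "Resource", resource))
    return findings


if __name__ == "__main__":
    for name, policy in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(find_wildcards(policy)))
```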

Slide 8

Hardcoded secrets make fish cry!
Photo by Julieann Ragojo on Unsplash

Slide 9

AWS Lambda environment variables
• Key-value pairs that you can dynamically pass to your function
• Available via standard environment variable APIs (based on runtime)
• Can optionally be encrypted via AWS Key Management Service (AWS KMS)
  • Allows you to specify in IAM which roles have access to the keys to decrypt the information
• Useful for creating environments per stage (such as dev, test, prod)

Slide 10

AWS Systems Manager Parameter Store
• Centralized store to manage your configuration data
• Supports hierarchies
• Plaintext or encrypted with AWS KMS
• Can send notifications of changes to Amazon SNS or Lambda
• Can be secured with IAM
• Calls recorded in AWS CloudTrail
• Can be tagged
• Available via API/SDK
• Useful for centralized environment variables, secrets control, feature flags

Slide 11

Parameter Store access via SDK

```python
import boto3

ssm = boto3.client('ssm')

def get_parameter():
    # WithDecryption=True returns the plaintext of a SecureString parameter
    response = ssm.get_parameter(
        Name='LambdaSecureString',
        WithDecryption=True
    )
    return response['Parameter']['Value']

def lambda_handler(event, context):
    value = get_parameter()
    print("value = %s" % value)
```

Slide 12

Parameter Store access via SDK with ssm_cache

Plain SDK call (one API request per invocation):

```python
import boto3

ssm = boto3.client('ssm')

def get_parameter():
    response = ssm.get_parameter(
        Name='my_param',
        WithDecryption=True
    )
    return response['Parameter']['Value']

def lambda_handler(event, context):
    value = get_parameter()
    print("value = %s" % value)
```

Same thing with ssm_cache (fetched once, cached in the container):

```python
from ssm_cache import SSMParameter

param = SSMParameter('my_param')

def lambda_handler(event, context):
    value = param.value
    print("value = %s" % value)
```

github.com/alexcasalboni/ssm-cache-python

Slide 13

AWS Secrets Manager
• Allows you to manage, retrieve, and rotate credentials
• Helps you rotate secrets regularly without breaking stuff
• Keeps track of different password versions
• Implements security controls associated with credential management
• Built-in support for Amazon RDS

Slide 14

AWS Secrets Manager + Parameter Store
• Uniform and consistent access to both services
• You can reference Secrets Manager secrets with Parameter Store APIs
• Rotation & refresh delegated to the client
• As simple as using a prefix: /aws/reference/secretsmanager/

Slide 15

Secrets access via Parameter Store

```python
import boto3

ssm = boto3.client('ssm')
prefix = '/aws/reference/secretsmanager'

def get_secret():
    # get_parameter takes a single Name; the prefix routes the lookup to Secrets Manager
    response = ssm.get_parameter(
        Name='%s/my_secret' % prefix,
        WithDecryption=True
    )
    return response['Parameter']['Value']

def lambda_handler(event, context):
    value = get_secret()
    print("value = %s" % value)
```

Slide 16

Secrets access via Parameter Store with ssm_cache

Plain SDK call:

```python
import boto3

ssm = boto3.client('ssm')
prefix = '/aws/reference/secretsmanager'

def get_secret():
    response = ssm.get_parameter(
        Name='%s/my_secret' % prefix,
        WithDecryption=True
    )
    return response['Parameter']['Value']

def lambda_handler(event, context):
    value = get_secret()
    print("value = %s" % value)
```

Same thing with ssm_cache (the prefix is added for you):

```python
from ssm_cache import SecretsManagerParameter

secret = SecretsManagerParameter('my_secret')

def lambda_handler(event, context):
    value = secret.value
    print("value = %s" % value)
```

github.com/alexcasalboni/ssm-cache-python

Slide 17

Parameters & secrets grouping with ssm_cache

```python
from ssm_cache import SSMParameterGroup

group1 = SSMParameterGroup(max_age=300)  # 5min cache
param1 = group1.parameter('param_1')
param2 = group1.parameter('param_2')

group2 = SSMParameterGroup(base_path="/Foo")  # common prefix
foo_bar = group2.parameter('/Bar')  # will fetch /Foo/Bar
baz_params = group2.parameters('/Baz')  # will fetch /Foo/Baz/1 and /Foo/Baz/2
secret = group2.secret('my_secret')  # will fetch /aws/reference/secretsmanager/my_secret

group1.refresh()  # invalidate the cached values of a whole group at once
group2.refresh()
```
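To make the caching idea behind slides 12 to 17 concrete, here is an added example that is not ssm_cache's own code and not from the talk: a minimal time-bounded parameter cache that addresses a secret through the /aws/reference/secretsmanager prefix, run against a constructed stand-in for boto3's SSM client so it works offline and the API round trips can be counted. The class and function names, the fake clock and the sample secret value are all assumptions made for this example.

```python
import time

# Prefix that makes Parameter Store resolve a Secrets Manager secret (slide 14).
SECRETS_PREFIX = "/aws/reference/secretsmanager"


class FakeSSM:
    """Offline stand-in for boto3.client('ssm'), constructed for this example.

    It records every call so the test can count the API round trips that the
    cache saves across warm invocations of the same container.
    """
    def __init__(self, values):
        self.values, self.calls = values, []

    def get_parameter(self, Name, WithDecryption=False):
        self.calls.append(Name)
        return {"Parameter": {"Name": Name, "Value": self.values[Name]}}


class CachedParameter:
    """Fetch a parameter once, then serve it from memory for max_age seconds."""
    def __init__(self, name, ssm, max_age=300, clock=time.monotonic):
        self.name, self.ssm, self.max_age, self.clock = name, ssm, max_age, clock
        self._value, self._fetched_at = None, None

    @property
    def value(self):
        now = self.clock()
        if self._fetched_at is None or now - self._fetched_at > self.max_age:
            resp = self.ssm.get_parameter(Name=self.name, WithDecryption=True)
            self._value, self._fetched_at = resp["Parameter"]["Value"], now
        return self._value

    def refresh(self):
        self._fetched_at = None  # force a fetch on the next access


def simulate_warm_invocations(n, max_age, step):
    """Read a secret n times, `step` seconds apart; return (values, SSM calls made)."""
    name = "%s/db_password" % SECRETS_PREFIX  # addressed through the prefix
    ssm = FakeSSM({name: "s3cr3t"})  # constructed sample value
    now = [0.0]  # fake clock so the run is deterministic
    secret = CachedParameter(name, ssm, max_age=max_age, clock=lambda: now[0])
    seen = []
    for _ in range(n):  # module-level objects survive across warm invocations
        seen.append(secret.value)
        now[0] += step
    return seen, len(ssm.calls)
```

With a 5-minute max_age and one invocation per minute, ten invocations cost two SSM calls instead of ten, and a rotated secret is picked up within max_age without a redeploy.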

Slide 18

amzn.to/serverless-security


Slide 20

Anatomy of a function
• Your function
• Language runtime
• Function container
• Compute substrate

Slide 21

The request lifecycle
• Cold start: download your code, start new container, bootstrap the runtime, start your code
• Warm start: start your code
• AWS optimization: downloading your code and starting the container
• Your optimization: bootstrapping the runtime and starting your code

Slide 22

Same view in AWS X-Ray

Slide 23

Efficient function code
• Avoid "fat"/monolithic functions
• Control the dependencies in your function's deployment package
• Optimize for your language
  • Node: Browserify, Minify

Slide 24

Ephemeral function environment
• Lambda processes a single event per container
  • No need for non-blocking execution on the frontend
• REMEMBER: containers are reused
  • Lazily load variables in global scope
  • Don't load it if you don't need it

Slide 25

Ephemeral function environment

```python
import boto3

client = None  # module scope survives across invocations of a warm container

def my_handler(event, context):
    global client  # assign the module-level variable, not a local one
    if not client:
        client = boto3.client("s3")  # created on the first call, reused afterwards
    # process
```

Slide 26

Concise function logic
• Separate Lambda handler from core logic
• Use functions to TRANSFORM, not TRANSPORT
• Read only what you need
  • Query filters in Amazon Aurora
  • Use Amazon S3 Select

Slide 27

Concise function logic (example)

```python
from mylib import MyLibClass

def lambda_handler(event, context):
    # the handler only routes the event; the work lives in mylib
    operation = event['Operation']
    myobj = MyLibClass()
    if operation == 'do_this':
        myobj.do_this()
    elif operation == 'do_that':
        myobj.do_that()
    else:
        raise ValueError('Invalid op')
```

Slide 28

Concise function logic (example)

mylib.py (core logic, testable without Lambda):

```python
import boto3

ddb = boto3.client('dynamodb')  # shared client, created once per container

class MyLibClass(object):
    MY_CONSTANT = 'blabla'

    def __init__(self):
        pass  # constructor

    def do_this(self):
        pass  # use ddb to do this

    def do_that(self):
        pass  # use ddb to do that
```

Handler:

```python
from mylib import MyLibClass

def lambda_handler(event, context):
    operation = event['Operation']
    myobj = MyLibClass()
    if operation == 'do_this':
        myobj.do_this()
    elif operation == 'do_that':
        myobj.do_that()
    else:
        raise ValueError('Invalid op')
```

Slide 29

Small changes, big difference

Before (200s, $0.112): download and process all keys

```python
for key in src_keys:
    response = s3_client.get_object(…)
    contents = response['Body'].read()
    for line in contents.split('\n')[:-1]:
        line_count += 1
        try:
            data = line.split(',')
            srcIp = data[0][:8]
            …
```

After (95s, $0.028): let S3 Select return only the IP address prefix and the key

```python
for key in src_keys:
    response = s3_client.select_object_content(
        …,
        ExpressionType='SQL',
        Expression="SELECT SUBSTR(obj._1, 1, 8), obj._2 FROM s3object AS obj")
    # the response is an event stream; selected rows arrive in 'Records' events
    for event in response['Payload']:
        if 'Records' in event:
            for line in event['Records']['Payload'].decode().split('\n')[:-1]:
                line_count += 1
                try:
                    …
```

https://github.com/awslabs/lambda-refarch-mapreduce

Slide 30

SMART RESOURCE ALLOCATION
Match resource allocation (up to 3 GB!) to logic

Stats for a Lambda function that calculates 1000 times all prime numbers <= 1000000:

Memory   | Duration | Cost
128 MB   | 11.722s  | $0.024628
256 MB   | 6.6789s  | $0.028035
512 MB   | 3.1949s  | $0.026830
1024 MB  | 1.4659s  | $0.024638

Slide 31

"AWS Lambda Power Tuning"
Data-driven cost & performance optimization for AWS Lambda
github.com/alexcasalboni/aws-lambda-power-tuning
Don't guesstimate!
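The reasoning behind the table on the previous slide, as an added example that is not part of the talk or of the aws-lambda-power-tuning project: given measured duration per memory size, compute the cost of the 1000-run workload and pick a configuration by cost, by speed, or by cheapest under a time budget. The per-GB-second and per-request prices are assumed (2019 public Lambda pricing, not stated on the slide) and the stats are copied from the table.

```python
# Assumed 2019 public Lambda pricing (not stated on the slide): $0.00001667
# per GB-second of duration plus $0.0000002 per request.
PRICE_PER_GB_SECOND = 0.00001667
PRICE_PER_REQUEST = 0.0000002

# From the slide's table: memory size (MB) -> duration (s) of one run of
# "all primes <= 1,000,000"; the workload repeats it 1000 times.
SLIDE_STATS = {128: 11.722, 256: 6.6789, 512: 3.1949, 1024: 1.4659}


def invocation_cost(memory_mb, duration_s, invocations=1):
    """Cost in USD of `invocations` runs at this memory/duration pair."""
    gb_seconds = (memory_mb / 1024.0) * duration_s * invocations
    return gb_seconds * PRICE_PER_GB_SECOND + invocations * PRICE_PER_REQUEST


def power_tuning_report(stats, invocations=1000):
    """Return {memory: (duration, cost)} for every measured configuration."""
    return {mb: (d, invocation_cost(mb, d, invocations)) for mb, d in stats.items()}


def best_memory(stats, strategy="cost", max_duration_s=None, invocations=1000):
    """Pick a memory size: cheapest ("cost"), fastest ("speed"), optionally
    restricted to configurations that finish within max_duration_s."""
    report = power_tuning_report(stats, invocations)
    if max_duration_s is not None:
        report = {mb: v for mb, v in report.items() if v[0] <= max_duration_s}
    # v = (duration, cost): index 1 ranks by cost, index 0 by duration
    field = 1 if strategy == "cost" else 0
    return min(report.items(), key=lambda item: item[1][field])[0]


if __name__ == "__main__":
    for mb, (duration, cost) in sorted(power_tuning_report(SLIDE_STATS).items()):
        print("%4d MB  %8.4fs  $%.6f" % (mb, duration, cost))
    print("cheapest:", best_memory(SLIDE_STATS, "cost"), "fastest:", best_memory(SLIDE_STATS, "speed"))
```

The numbers reproduce the slide to within rounding: 128 MB and 1024 MB cost almost the same, but 1024 MB is 8 times faster, which is exactly the kind of trade-off the power-tuning tool surfaces.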

Slide 32

No orchestration in code
Diagram: a caller polls a job over HTTP POST (START JOB / JOB #X STARTED / ARE WE THERE YET? / NOPE! / WE'RE DONE!), sleeping in between (ZzZz, or time.sleep(10))

Slide 33

No orchestration in code

Slide 34

Gateways & routers
• Choose a suitable entry point for client applications
  • Single, custom client? Use the AWS SDK
  • Not end-user facing? Use regional endpoints on API Gateway
• Discard uninteresting events ASAP
  • S3: event prefix
  • SNS: message filtering

Slide 35

Resilient: retry policies
• Understand retry policies
  • Sync: never retried
  • Async: retried 2 times
  • Streams: retried all the time
• Leverage Dead Letter Queues (DLQ)
  • SQS or SNS for replays
• REMEMBER: retries count as invokes

Slide 36

Concurrency controls
• Concurrency is a shared pool by default
• Separate using per-function concurrency settings
  • Acts as a reservation
  • Also acts as max concurrency per function
• Especially critical for data sources like RDS
• "Kill switch": set per-function concurrency to zero

Slide 37

Should my Lambda function be in a VPC?

Do I need a VPC?
• Does my function need to access any specific resources in a VPC?
  • No: don't put the function in a VPC
  • Yes: does it also need to access resources or services on the public internet?
    • No: put the function in a private subnet
    • Yes: put the function in a subnet with a NAT'd route to the internet
