Slide 1

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Securing serverless services
Walid Benabderrahmane – Solutions Architect, Amazon Web Services

Slide 2

Foundations: Shared Responsibility - Infrastructure

Diagram layers, listed from the customer side down to the AWS side:
• Customer Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption | Server-side Data Encryption (optional) | Network Traffic Protection
• AWS IAM (Federation) | Customer IAM
• API Endpoints | Mgmt. Protocols | API Calls
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Legend: Customer's responsibility (upper layers); AWS takes over responsibility from customers (lower layers).

Slide 3

Foundations: Shared Responsibility - Container

Same diagram, with the responsibility boundary drawn for container services:
• Customer Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption | Server-side Data Encryption (optional) | Network Traffic Protection
• AWS IAM (Federation) | Customer IAM
• API Endpoints | Mgmt. Protocols | API Calls
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Legend: Customer's responsibility (upper layers); AWS takes over responsibility from customers (lower layers).

Slide 4

Foundations: Shared Responsibility - Abstracted

Same diagram, with the responsibility boundary drawn for abstracted services (note that the Customer IAM and Mgmt. Protocols labels no longer appear):
• Customer Content
• Platform, Applications, Identity & Access Management
• Operating System, Network & Firewall Configuration
• Client-side Data Encryption | Server-side Data Encryption (optional) | Network Traffic Protection
• AWS IAM (Federation)
• API Endpoints | API Calls
• AWS Foundation Services: Compute, Storage, Database, Networking
• AWS Global Infrastructure: Regions, Availability Zones, Edge Locations

Legend: Customer's responsibility (upper layers); AWS takes over responsibility from customers (lower layers).

Slide 5

AWS Security: A Very High Bar

Compliance – Programs and certifications

Slide 7

What is serverless?

• No infrastructure provisioning, no management
• Automatic scaling
• Pay for value
• Highly available and secure

Slide 8

Serverless services by category

Compute: AWS Lambda, AWS Fargate
Data stores: Amazon Aurora Serverless, Amazon S3, Amazon DynamoDB
Integration: Amazon API Gateway, Amazon SNS, Amazon SQS, AWS Step Functions, AWS AppSync

Slide 9

Let's focus on the compute layer

Amazon ECS
• Elastic container services
• Container orchestration
• Deploy in a VPC
• Docker-oriented

Amazon EKS
• Elastic container service for Kubernetes
• No control plane to manage
• Deploy worker nodes
• Kubernetes-certified

Slide 10

Let's focus on the compute layer

AWS Fargate
• Serverless compute engine for containers
• Long-running
• Bring existing code
• Fully managed orchestration

AWS Lambda
• Serverless event-driven code execution
• Short-lived
• All language runtimes
• Data source integrations

Slide 11

Comparison of operational responsibility (from more opinionated to less opinionated)

Lambda - Serverless functions
  AWS manages:
  • Data source integrations
  • Physical hardware, software, networking, and facilities
  • Provisioning
  Customer manages:
  • Application code

Fargate - Serverless containers
  AWS manages:
  • Container orchestration, provisioning
  • Cluster scaling
  • Physical hardware, host OS/kernel, networking, and facilities
  Customer manages:
  • Application code
  • Data source integrations
  • Security config and updates, network config, management tasks

Amazon ECS / Amazon EKS - Container management as a service
  AWS manages:
  • Container orchestration control plane
  • Physical hardware, software, networking, and facilities
  Customer manages:
  • Application code
  • Data source integrations
  • Worker clusters
  • Security config and updates, network config, firewall, management tasks

Amazon EC2 - Infrastructure as a service
  AWS manages:
  • Physical hardware, software, networking, and facilities
  Customer manages:
  • Application code
  • Data source integrations
  • Scaling
  • Security config and updates, network config, management tasks
  • Provisioning, managing scaling and patching of servers

Slide 12

Pure serverless can be straightforward

Mobile app → API Gateway (https://api.myapp.com) → Lambda functions (core business logic, RESTful microservices) → DynamoDB, all within the AWS Cloud

Slide 13

Some infrastructure is still there

Web browser → Amazon CloudFront distribution (www.example.com)
  → Amazon S3: static website content (HTML/JS/CSS)
  → API Gateway (https://api.example.com) → Lambda functions: dynamic website content
      → DynamoDB, Amazon S3
      → Amazon RDS, ElastiCache (inside a VPC)
All within the AWS Cloud.

Slide 15

Lambda worker architecture

Stack, bottom to top: Hardware, Host OS, Hypervisor, Guest OS, Sandbox, Lambda runtime, Your code

Slide 16

Lambda isolation: keeping workloads safe and separate

Stack, bottom to top: Hardware, Host OS, Hypervisor, Guest OS, Sandbox, Lambda runtime, Your code
Isolation boundaries shown on the stack: one function, one account, many accounts

Slide 17

Lambda execution environments

• Upon invocation, the Lambda data plane creates an execution environment (or chooses an existing one) in a microVM
• Execution environments are never shared across functions, and microVMs are never shared across AWS accounts

Slide 18

Isolation between microVMs

Two models: EC2 instances and Firecracker (open source hypervisor)

Slide 19

Firecracker microVMs

Security by design: minimal device model reduces memory footprint and attack surface area
Speed: user-space code in <125ms, 150 microVMs per second per host
Scale and efficiency: low memory overhead with high density (thousands) of microVMs on each server

Slide 20

Lambda isolation using Firecracker

Stack, bottom to top: Hardware (Amazon EC2 bare metal), Host OS, Hypervisor (Firecracker), Guest OS, Sandbox, Lambda runtime, Your code

Slide 21

Lambda isolation using Firecracker: keeping workloads safe and separate

Stack, bottom to top: Hardware, Host OS, Hypervisor, Guest OS, Sandbox, Lambda runtime, Your code
Isolation boundaries shown on the stack: one account and one function, many accounts

Slide 23

Domains of security for (serverless) applications

• Infrastructure
• Data
• Code
• Identity & Access
• Logging & Monitoring

Slide 24

OWASP 2017 - Top 10 Web Application Security Risks (https://www.owasp.org)

Rank  Security risk
 1    Injection
 2    Broken Authentication
 3    Sensitive Data Exposure
 4    XML External Entities (XXE)
 5    Broken Access Control
 6    Security Misconfiguration
 7    Cross-Site Scripting (XSS)
 8    Insecure Deserialization
 9    Using Components with Known Vulnerabilities
10    Insufficient Logging & Monitoring

Ranking factors: • Exploitability • Prevalence • Detectability • Technical impact

Slide 25

OWASP Top 10 mapped to security domains

Identity & Access
• Broken Authentication (#2)
• Broken Access Control (#5)

Code
• Injection (#1)
• XXE (#4)
• XSS (#7)
• Insecure Deserialization (#8)
• Using Components with Known Vulnerabilities (#9)

Data
• Sensitive Data Exposure (#3)

Infrastructure
• Using Components with Known Vulnerabilities (#9)
• Security Misconfiguration (#6)

Logging & Monitoring
• Insufficient Logging & Monitoring (#10)

Slide 26

Identity and access management for serverless applications (domain: Identity & Access)

• Authenticate and authorize end-users/clients
• Access between backend services (e.g. AWS Lambda to DynamoDB tables)

Slide 27

Identity and Access Management

• Using AWS IAM
• Using Amazon Cognito

Slide 28

Reference architecture

Mobile app authenticates with Amazon Cognito; API Gateway → Lambda functions → DynamoDB

Slide 29

Security in the access management and identity layer

• Access control between services
• Authenticate and authorize end users/clients

Slide 30

Identity and Access Management - Lambda

Broad policy (every DynamoDB action on every resource):

  . . .
  {
    "Effect": "Allow",
    "Action": "dynamodb:*",
    "Resource": "*"
  }

Scoped policy (two read actions on one table):

  . . .
  {
    "Effect": "Allow",
    "Action": [
      "dynamodb:BatchGetItem",
      "dynamodb:GetItem"
    ],
    "Resource": "arn:aws:dynamodb:us-east-1:*:table/session"
  }

Slide 31

Securing code for serverless applications (domain: Code)

• Input validation
• Dependency vulnerabilities
• Secrets in source code

Slide 32

Security in the compute layer

Input validation
• AWS WAF:
  • XSS rules
  • SQL injection rules

Dependency vulnerabilities
• Use Lambda layers

Storing secrets
• Secrets Manager
• AWS Systems Manager
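WAF rules in front of API Gateway filter known-bad patterns, but the function still has to validate what it accepts. The handler below is an added example, not code from the deck: allowlist validation of an API Gateway proxy event in Python, with the session schema, field names and size limit constructed for illustration.

```python
"""Input validation inside a Lambda handler (added example, not from the deck).
Validates the JSON body of an API Gateway proxy event against a strict
allowlist schema before anything reaches a data store. The schema, field
names and limits below are constructed for illustration."""
import json
import re

# Allowlist schema: field -> (required, validator). Unknown fields are rejected.
SESSION_SCHEMA = {
    "user_id": (True, re.compile(r"^[a-f0-9]{32}$").fullmatch),
    "device": (True, lambda v: isinstance(v, str) and 1 <= len(v) <= 64),
    "ttl_seconds": (False, lambda v: isinstance(v, int) and 60 <= v <= 86400),
}
MAX_BODY_BYTES = 4096  # reject oversized payloads before parsing them


def validate(body, schema=SESSION_SCHEMA):
    """Return a list of validation errors (empty when the body is acceptable)."""
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    errors = [f"unexpected field: {key}" for key in body if key not in schema]
    for key, (required, check) in schema.items():
        if key not in body:
            if required:
                errors.append(f"missing field: {key}")
            continue
        try:
            ok = bool(check(body[key]))
        except TypeError:  # e.g. the regex applied to a non-string value
            ok = False
        if not ok:
            errors.append(f"invalid value for field: {key}")
    return errors


def handler(event, context=None):
    """API Gateway proxy integration entry point."""
    raw = event.get("body") or ""
    if len(raw.encode("utf-8")) > MAX_BODY_BYTES:
        return {"statusCode": 413, "body": json.dumps({"error": "payload too large"})}
    try:
        body = json.loads(raw)
    except ValueError:
        return {"statusCode": 400, "body": json.dumps({"error": "malformed JSON"})}
    errors = validate(body)
    if errors:
        # Full detail goes to CloudWatch Logs; the client only sees a generic message.
        print(json.dumps({"level": "WARN", "validation_errors": errors}))
        return {"statusCode": 400, "body": json.dumps({"error": "invalid request"})}
    return {"statusCode": 200, "body": json.dumps({"accepted": sorted(body)})}
```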

Slide 33

Lambda layers

Lets functions easily share code: upload a layer once, reference it within any function
Promotes separation of responsibilities; lets developers iterate faster on writing business logic
Built-in support for secure sharing by the ecosystem

Slide 34

Securing data for serverless applications (domain: Data)

Your responsibility:
• Data classification and data flow
• Tokenization
• Encryption at rest
• Encryption in transit
• Data backup/replication/recovery

AWS platform takes care of:
• Automatic replication of data across availability zones for high durability
• Managed backups/encryption

Slide 35

Security in the data layer

• Data classification
• Data flow
• Data tokenization
• Data encryption at rest
• Data encryption in transit
• Data backup/replication

Slide 36

Securing infrastructure for serverless applications (domain: Infrastructure)

Your responsibility:
• DDoS protection
• Throttling/rate limiting
• Network boundaries

Serverless platform takes care of:
• Physical security
• Virtualization
• OS security & patching
• Scaling & HA

Slide 37

Securing infrastructure for serverless applications

DDoS protection + Throttling/rate limiting
• AWS Shield Standard
• AWS Shield Advanced
• AWS WAF:
  • Geoblocking
  • IP reputation lists
  • Rate-based rules
  • Size constraint
  • …
• API Gateway:
  • Account level throttling
  • API Stage level throttling
  • Usage Plan:
    • Method level throttling
    • Metered by API key
    • Request rate and quota limits
• AWS Lambda:
  • Concurrency limits

Network boundaries
• API Gateway:
  • Private VPC endpoints
• AWS Lambda:
  • Access resources in VPC
  • Security groups
  • NACLs
  • Proxy-based egress filtering

Slide 38

Logging & monitoring for serverless applications (domain: Logging & Monitoring)

• Application logs
• Access logs
• Control plane audit logs
• Metrics
• Alarms
• Compliance validation

Slide 39

Security in the system monitoring layer

• Logging and tracing (X-Ray)
• Metrics
• Compliance validation
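As an added example covering the control-plane audit logs of slides 38 and 39 (not code from the deck), this Python snippet classifies constructed CloudTrail records for Lambda and raises findings when function code, configuration or invoke permissions change outside an assumed CI/CD role:

```python
"""Detection over CloudTrail control-plane events for Lambda (added example).
Flags changes to a function's code, configuration or invoke permissions made
outside an assumed CI/CD role. Event names are matched by prefix because
CloudTrail appends API version suffixes (e.g. UpdateFunctionCode20150331v2)."""
import json

# Control-plane actions that change what a function runs or who can invoke it.
SENSITIVE_PREFIXES = ("UpdateFunctionCode", "UpdateFunctionConfiguration",
                      "AddPermission", "CreateEventSourceMapping",
                      "PutFunctionEventInvokeConfig", "AddLayerVersionPermission")
# Hypothetical deployment role expected to make such changes (assumption).
ALLOWED_DEPLOYER_ARNS = {"arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"}

SAMPLE_TRAIL = [  # constructed records, trimmed to the fields used here
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/pipeline"},
     "requestParameters": {"functionName": "session-api"}, "sourceIPAddress": "10.0.0.5"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"functionName": "session-api", "principal": "*"},
     "sourceIPAddress": "198.51.100.7"},
    {"eventSource": "lambda.amazonaws.com", "eventName": "GetFunction20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/alice"},
     "requestParameters": {"functionName": "session-api"}, "sourceIPAddress": "198.51.100.7"},
]


def classify(record):
    """Return None for benign records, else a finding dict with a severity."""
    if record.get("eventSource") != "lambda.amazonaws.com":
        return None
    name = record.get("eventName", "")
    if not name.startswith(SENSITIVE_PREFIXES):
        return None
    actor = record.get("userIdentity", {}).get("arn", "unknown")
    params = record.get("requestParameters") or {}
    severity = "info" if actor in ALLOWED_DEPLOYER_ARNS else "high"
    # A resource policy that lets any principal invoke the function is critical.
    if name.startswith("AddPermission") and params.get("principal") == "*":
        severity = "critical"
    return {"severity": severity, "event": name, "actor": actor,
            "function": params.get("functionName"),
            "source_ip": record.get("sourceIPAddress")}


def scan(records):
    """Run classify over CloudTrail records and keep only the findings."""
    return [f for f in map(classify, records) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_TRAIL):
        print(json.dumps(finding))
```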

Slide 40

Cloud adoption framework – Security perspective

Services shown: CloudWatch, CloudTrail, AWS Trusted Advisor, Amazon Cognito, Amazon GuardDuty, AWS Certificate Manager, IAM, AWS KMS, AWS Security Hub, AWS Secrets Manager, AWS Shield, AWS WAF, Amazon VPC PrivateLink, Lambda functions, X-Ray

Slide 41

Serverless Security Partners

Slide 42

Serverless Monitoring Partners

Slide 43

Thank you!

Walid Benabderrahmane
[email protected]