Slide 1

Slide 1 text

Pune

Slide 2

Slide 2 text

Let’s secure our Serverless applications
Jones Zachariah Noel N

Slide 3

Slide 3 text

👋 I’m Jones Zachariah Noel N (zachjonesnoel)
🥑 Senior Developer Advocate @ Freshworks
☁ AWS Serverless Hero
⚡ Serverless architect
🚀 AWS UG Bengaluru co-organizer
Runs newsletter / blog on The Serverless Terminal
▶ Co-run The Zacs’ Show Talking AWS podcast

Slide 4

Slide 4 text


Slide 5

Slide 5 text


Slide 6

Slide 6 text

https://docs.aws.amazon.com/whitepapers/latest/security-overview-aws-lambda/the-shared-responsibility-model.html

Slide 7

Slide 7 text

https://docs.aws.amazon.com/whitepapers/latest/security-overview-aws-lambda/the-shared-responsibility-model.html

Slide 8

Slide 8 text

Security in Serverless
Identity and access
Code
Data
Infrastructure

Slide 9

Slide 9 text

Identity and access

Slide 10

Slide 10 text

Identity and access
Least privileges
Unique privileges

Slide 11

Slide 11 text

Code: Request validations with Model
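Request validation in API Gateway works by attaching a model (a JSON Schema document) to the method and turning on body validation; requests that do not satisfy the model are rejected with a 400 before the Lambda integration runs. The following is an added example, not code from the talk: a constructed model for a hypothetical "create order" endpoint, together with a small stdlib-only validator that applies the same keywords (type, required, additionalProperties, length, range, pattern, enum, item counts) so the rejection behaviour can be exercised offline.

```python
"""Added example (not from the slides): an API Gateway request model written as
JSON Schema plus a minimal validator that mirrors the checks the gateway's
request validator applies before invoking the Lambda integration.
The ORDER_MODEL schema and all sample bodies are constructed for this example.
"""
import json
import re

# Constructed model for a hypothetical "create order" endpoint.
ORDER_MODEL = {
    "$schema": "http://json-schema.org/draft-04/schema#",
    "title": "CreateOrder",
    "type": "object",
    "required": ["customerId", "items"],
    "additionalProperties": False,          # unexpected fields (e.g. "role") are rejected
    "properties": {
        "customerId": {"type": "string", "pattern": "^[A-Za-z0-9-]{8,36}$"},
        "items": {
            "type": "array",
            "minItems": 1,
            "maxItems": 50,
            "items": {
                "type": "object",
                "required": ["sku", "qty"],
                "additionalProperties": False,
                "properties": {
                    "sku": {"type": "string", "maxLength": 32},
                    "qty": {"type": "integer", "minimum": 1, "maximum": 100},
                },
            },
        },
        "note": {"type": "string", "maxLength": 200},
    },
}

_TYPES = {
    "object": dict, "array": list, "string": str,
    "integer": int, "number": (int, float), "boolean": bool,
}


def _check_type(value, expected):
    # bool is a subclass of int in Python; JSON Schema treats it as a distinct type
    if expected in ("integer", "number") and isinstance(value, bool):
        return False
    return isinstance(value, _TYPES[expected])


def validate(instance, schema, path="$"):
    """Return a list of error strings; empty when the instance satisfies the schema."""
    errors = []
    t = schema.get("type")
    if t and not _check_type(instance, t):
        return [f"{path}: expected {t}"]
    if t == "object":
        for key in schema.get("required", []):
            if key not in instance:
                errors.append(f"{path}.{key}: required")
        props = schema.get("properties", {})
        if schema.get("additionalProperties") is False:
            for key in instance:
                if key not in props:
                    errors.append(f"{path}.{key}: additional property not allowed")
        for key, sub in props.items():
            if key in instance:
                errors += validate(instance[key], sub, f"{path}.{key}")
    elif t == "array":
        if "minItems" in schema and len(instance) < schema["minItems"]:
            errors.append(f"{path}: fewer than {schema['minItems']} items")
        if "maxItems" in schema and len(instance) > schema["maxItems"]:
            errors.append(f"{path}: more than {schema['maxItems']} items")
        for i, item in enumerate(instance):
            errors += validate(item, schema.get("items", {}), f"{path}[{i}]")
    elif t == "string":
        if "minLength" in schema and len(instance) < schema["minLength"]:
            errors.append(f"{path}: shorter than {schema['minLength']}")
        if "maxLength" in schema and len(instance) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
        # JSON Schema patterns are not implicitly anchored, hence re.search
        if "pattern" in schema and not re.search(schema["pattern"], instance):
            errors.append(f"{path}: does not match pattern")
    elif t in ("integer", "number"):
        if "minimum" in schema and instance < schema["minimum"]:
            errors.append(f"{path}: below minimum {schema['minimum']}")
        if "maximum" in schema and instance > schema["maximum"]:
            errors.append(f"{path}: above maximum {schema['maximum']}")
    if "enum" in schema and instance not in schema["enum"]:
        errors.append(f"{path}: not one of {schema['enum']}")
    return errors


def gateway_validate(raw_body, model=ORDER_MODEL):
    """Emulate the gateway step: parse, validate, return (status, errors).
    A 400 here means the Lambda function is never invoked."""
    try:
        body = json.loads(raw_body)
    except ValueError:
        return 400, ["$: body is not valid JSON"]
    errors = validate(body, model)
    return (200, []) if not errors else (400, errors)


if __name__ == "__main__":
    good = '{"customerId": "cust-0001-abcd", "items": [{"sku": "A-1", "qty": 2}]}'
    bad = '{"customerId": "x", "items": [], "role": "admin"}'
    print(gateway_validate(good))
    print(gateway_validate(bad))
```

The `additionalProperties: false` line is the part most often left out of real models; without it a client can smuggle extra fields (the constructed `"role": "admin"` above) through to the function, where a careless handler may pass the whole body on to a database or downstream API.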

Slide 12

Slide 12 text

Code: Using secrets in Lambda functions
AWS Secrets Manager
AWS Systems Manager Parameter Store
AWS Lambda Functions Environment Variables

Slide 13

Slide 13 text

Code: Audits to check vulnerability
Amazon Inspector: Scan for vulnerability in your Lambda function and Lambda layer code

Slide 14

Slide 14 text

Data: Encryption at Rest

Slide 15

Slide 15 text

Data: Encryption in Transit
SNS and SQS: Supports encryption in transit by default
Lambda functions: Uses Transport Layer Security (TLS)
Lambda functions and API Gateway: Using HTTPS protocol for all HTTP APIs via Function URLs and API Gateway endpoints

Slide 16

Slide 16 text

Infrastructure: Protection against attacks
AWS WAF
Amazon S3 and Amazon CloudFront: Web hosting and distributions enabled with WAF
AWS API Gateway and AWS AppSync: Endpoints with WAF enabled
SQL Injections
Cross-site scripting
IP restrictions
Geo restrictions
HTTPS rules

Slide 17

Slide 17 text

Infrastructure: Protection against attacks
AWS API Gateway: Enabling throttling
Rate Limits
Burst Limits
To protect from abusive requests
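API Gateway throttling is a token bucket: the rate limit is the steady-state number of tokens added per second, the burst limit is the bucket's capacity, and a request that arrives when the bucket is empty is answered with HTTP 429 instead of reaching the backend. The following is an added example, not code from the talk, that implements that bucket and replays a constructed arrival pattern so the two limits can be seen acting separately (a burst is absorbed up to the capacity, then sustained traffic is admitted only at the rate).

```python
"""Added example (not from the slides): a token-bucket throttle modelling API
Gateway's rate limit (refill per second) and burst limit (bucket capacity).
The arrival pattern in the demo is constructed for illustration.
"""
import threading
import time


class TokenBucket:
    def __init__(self, rate, burst, clock=time.monotonic):
        self.rate = float(rate)      # tokens added per second (rate limit)
        self.burst = float(burst)    # maximum tokens held (burst limit)
        self.tokens = float(burst)   # a fresh bucket starts full
        self.clock = clock           # injectable clock so the demo is deterministic
        self.last = clock()
        self.lock = threading.Lock()

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def allow(self):
        """Consume one token if available; False means the request is throttled."""
        with self.lock:
            self._refill()
            if self.tokens >= 1.0:
                self.tokens -= 1.0
                return True
            return False


def gateway_status(bucket):
    """The status the gateway would return for one request: 200 or 429."""
    return 200 if bucket.allow() else 429


def simulate(rate, burst, arrivals):
    """Replay request arrival times (seconds) against one bucket.
    Returns (accepted, rejected) counts."""
    now = [0.0]
    bucket = TokenBucket(rate, burst, clock=lambda: now[0])
    accepted = rejected = 0
    for t in arrivals:
        now[0] = t
        if bucket.allow():
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


if __name__ == "__main__":
    # Constructed pattern: 8 requests at once, 3 one second later, 6 after a long gap.
    # With rate=2/s and burst=5: 5+2+5 accepted, 3+1+1 throttled.
    arrivals = [0.0] * 8 + [1.0] * 3 + [10.0] * 6
    print(simulate(rate=2, burst=5, arrivals=arrivals))  # (12, 5)
```

Throttling of this kind bounds the cost and load an abusive client can impose, but it is not an authentication control; the per-client (usage plan / API key) limits and the authorizers in the later slides are what distinguish one caller from another.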

Slide 18

Slide 18 text


Slide 19

Slide 19 text

Best practices for secure Serverless applications
AWS API Gateway: Using authentication methods for APIs
IAM policies: Using least privileges, unique for each resource and execution role
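"Least privileges" and "unique privileges" (slide 10 and the IAM bullet above) translate into two concrete checks on execution roles: each function's role policy names only the actions and resources that function needs, and no role is shared between functions. The following is an added example, not code from the talk: it builds such a scoped policy for a hypothetical function that reads one DynamoDB table, and lints policy documents and role assignments for the patterns that violate the two rules. The account id, ARNs and function names are constructed placeholders.

```python
"""Added example (not from the slides): a least-privilege execution-role policy
for one Lambda function, plus linters for wildcard grants and for execution
roles shared across functions. All ARNs and names are constructed placeholders.
"""
import json

# Constructed placeholder identifiers.
TABLE_ARN = "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"
LOG_GROUP_ARN = "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-fn"


def scoped_execution_policy(table_arn, log_group_arn):
    """Policy for a function that only reads one table and writes its own log group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOrdersTable",
                "Effect": "Allow",
                "Action": ["dynamodb:GetItem", "dynamodb:Query"],   # no PutItem, no Scan
                "Resource": table_arn,                             # this table only
            },
            {
                "Sid": "WriteOwnLogs",
                "Effect": "Allow",
                "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
                "Resource": f"{log_group_arn}:*",                  # its own log streams
            },
        ],
    }


def _as_list(value):
    # IAM accepts a single string or a list for Action/Resource/Statement
    return value if isinstance(value, list) else [value]


def lint_policy(policy):
    """Return findings for Allow statements broader than least privilege."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:                      # "*", "dynamodb:*", "s3:Get*"
                findings.append(f"{sid}: wildcard action '{action}'")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"{sid}: wildcard resource '*'")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource allows everything not listed")
    return findings


def lint_role_sharing(function_roles):
    """function_roles maps function name -> role ARN.
    One role per function is the 'unique privileges' rule; flag reuse."""
    by_role = {}
    for fn, role in function_roles.items():
        by_role.setdefault(role, []).append(fn)
    return [f"{role} shared by {sorted(fns)}"
            for role, fns in by_role.items() if len(fns) > 1]


if __name__ == "__main__":
    policy = scoped_execution_policy(TABLE_ARN, LOG_GROUP_ARN)
    print(json.dumps(policy, indent=2))
    print("scoped policy findings:", lint_policy(policy))
    broad = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"}}
    print("broad policy findings:", lint_policy(broad))
    print(lint_role_sharing({"orders-fn": "arn:aws:iam::123456789012:role/shared",
                             "billing-fn": "arn:aws:iam::123456789012:role/shared",
                             "reports-fn": "arn:aws:iam::123456789012:role/reports"}))
```

Running the linter over the policy documents exported from an account (or over the templates in a repository before deployment) turns the two slide bullets into a repeatable audit step, which is also what the later "security audits" slide calls for.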

Slide 20

Slide 20 text

Best practices for secure Serverless applications
Security at layers: Enabling security at different levels of the architecture
Security audits: Frequent and recurring security audits of infrastructure and code

Slide 21

Slide 21 text

Best practices for secure Serverless applications
Secure credentials and configs: Using Secrets Manager and Systems Manager Parameter Store
Resources in VPC: Lambda functions or Aurora in a VPC with public endpoints of API Gateway
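Slide 12 lists Secrets Manager, Parameter Store and environment variables as the places a function can take its secrets from, and the bullet above recommends the two managed stores. The following is an added example, not code from the talk, of the pattern that makes that work in a Lambda handler: the environment variable carries only the secret's name, the value is fetched at runtime through the Secrets Manager client, and the result is cached across warm invocations with a TTL so rotated values are picked up without calling the API on every request. The client is passed in as a parameter; in production that is `boto3.client("secretsmanager")`, here a fake with the same `get_secret_value` call shape so the example runs offline. Secret names and values are constructed placeholders.

```python
"""Added example (not from the slides): reading a database credential in a
Lambda function from AWS Secrets Manager at runtime, with a TTL cache that
survives warm invocations. The client is injected; FakeSecretsClient stands in
for boto3's Secrets Manager client so this runs offline. All names and values
are constructed placeholders.
"""
import json
import os
import time

CACHE_TTL_SECONDS = 300
_cache = {}  # secret_id -> (expires_at, parsed_value); module scope persists across warm invocations


def get_secret(client, secret_id, now=time.time):
    """Return the secret as a dict, using the cache while it is fresh."""
    entry = _cache.get(secret_id)
    if entry and entry[0] > now():
        return entry[1]
    # Same call shape as boto3: client.get_secret_value(SecretId=...)["SecretString"]
    resp = client.get_secret_value(SecretId=secret_id)
    value = json.loads(resp["SecretString"])
    _cache[secret_id] = (now() + CACHE_TTL_SECONDS, value)
    return value


def build_db_config(secret):
    """Map the secret's fields into connection settings."""
    return {"host": secret["host"], "user": secret["username"], "password": secret["password"]}


def handler(event, context, client, now=time.time):
    # The environment variable holds only the secret's name/ARN, never the credential.
    secret_id = os.environ["DB_SECRET_ID"]
    cfg = build_db_config(get_secret(client, secret_id, now))
    # A real handler would open the DB connection here; the response must not echo the credential.
    return {"statusCode": 200, "body": json.dumps({"db_host": cfg["host"]})}


class FakeSecretsClient:
    """Stand-in for boto3's Secrets Manager client (constructed for this example)."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.calls = 0

    def get_secret_value(self, SecretId):
        self.calls += 1
        return {"SecretString": json.dumps(self.secrets[SecretId])}


def demo():
    """Three invocations on a fake clock: cold fetch, warm cache hit, refetch after TTL.
    Returns (api_calls, first_response, third_response)."""
    _cache.clear()
    os.environ["DB_SECRET_ID"] = "prod/orders/db"  # constructed secret name
    client = FakeSecretsClient({"prod/orders/db": {
        "host": "db.internal", "username": "app", "password": "placeholder-password"}})
    clock = [1000.0]
    now = lambda: clock[0]
    r1 = handler({}, None, client, now)           # cold start: 1 API call
    handler({}, None, client, now)                # warm: served from cache
    clock[0] += CACHE_TTL_SECONDS + 1             # TTL elapsed: refetched (rotation picked up)
    r3 = handler({}, None, client, now)
    return client.calls, r1, r3


if __name__ == "__main__":
    print(demo())  # (2, {...}, {...})
```

To wire this into a real function, the deployed entry point is `lambda event, context: handler(event, context, boto3.client("secretsmanager"))`, and the execution role needs `secretsmanager:GetSecretValue` on that one secret's ARN only, which is the same least-privilege rule from the IAM slides. Parameter Store works the same way with `ssm.get_parameter(Name=..., WithDecryption=True)`.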

Slide 22

Slide 22 text

Thank you
Jones Zachariah Noel N
https://zachjonesnoel.com
https://theserverlessterminal.com
jones-zachariah-noel-n