Slide 1

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS UG Novi Sad – Part 2: Securing serverless architectures
Marek Kuczynski, Serverless Specialist SA, [email protected], marekq@

Slide 2

Agenda
• Tools and services to create secure architectures
• What happens when you run a Lambda invocation
• How to leverage serverless computing for security processes
• Some practical tips for serverless security
• Q&A

Slide 3

Pure serverless can be straightforward
Diagram: a mobile app calls https://api.myapp.com; in the AWS Cloud, API Gateway fronts Lambda functions that hold the core business logic as RESTful microservices, backed by DynamoDB.

Slide 4

Serverless architectural patterns are easily scalable
Diagram: a microservices environment in the AWS Cloud with 1-n API Gateways in front of 1-n Lambda function sets, serving various clients (a mobile client, potentially other microservices) and using various data tier components as needed (DynamoDB, Amazon ElastiCache, Amazon S3).

Slide 5

Some infrastructure is still there
Diagram: a web browser loads www.example.com through an Amazon CloudFront distribution that serves the static website content (HTML/JS/CSS) from Amazon S3, and calls https://api.example.com through API Gateway to Lambda functions that produce the dynamic website content; the data tier (DynamoDB, Amazon RDS, ElastiCache, Amazon S3) includes components inside a VPC.

Slide 6

Core business logic elements can be code or containers
Diagram: a mobile app calls https://api.myapp.com; API Gateway fronts a mobile backend whose core business logic runs as Lambda functions or on Amazon ECS, user identity management uses Amazon Cognito and AWS Security Token Service (AWS STS), and the data tier (DynamoDB, Amazon RDS, ElastiCache, Amazon S3) sits partly inside a VPC.

Slide 7

Common security approach
• Serverless and containers share a common pattern: microservices
• Core business logic can be modeled as code or containers
• We can reuse the same thought model for both serverless and containers to design secure architectures

Slide 8

Using both serverless and containers
Entry points shown: AWS AppSync, API Gateway, Application Load Balancer (ALB)

Slide 9

Lambda security best practices

Slide 10

Well-Architected Framework for Serverless
https://aws.amazon.com/blogs/aws/new-serverless-lens-in-aws-well-architected-tool/

Slide 11

You can run self-assessments on workloads. Check the AWS Console under "Well-Architected" for more info.

Slide 12

CHMOD 777

Slide 13

CHMOD 777

Slide 14

Security principles: Least privilege
"Granting only those privileges which are essential to perform the intended function"

Too broad:
    { "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*" }

Least privilege:
    { "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "arn:…/ContactsTable" }
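Added example, not part of the deck: a small check that flags the over-broad grant pattern contrasted on this slide, of the kind that can run against a function's execution-role policy in a pipeline. The two statements are the slide's own; the function names are this example's.

```python
# The two statements from slide 14 (the table ARN is elided on the slide as "arn:…/ContactsTable").
BROAD_STATEMENT = {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}
NARROW_STATEMENT = {"Effect": "Allow", "Action": "dynamodb:PutItem",
                    "Resource": "arn:…/ContactsTable"}

def _as_list(value):
    """IAM lets Action/Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def policy_from_statements(*statements):
    """Wrap statements in a policy document, as a Lambda execution role would carry them."""
    return {"Version": "2012-10-17", "Statement": list(statements)}

def least_privilege_findings(policy):
    """Return one (statement index, problem, value) tuple per over-broad grant.

    Only Allow statements widen access (a Deny with wildcards narrows it), and
    NotAction / NotResource grant everything except the listed items, so they count too."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            _service, _, name = action.partition(":")
            if action == "*" or name == "*":
                findings.append((idx, "wildcard action", action))
            elif "*" in name:
                findings.append((idx, "partial wildcard action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "wildcard resource", resource))
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append((idx, "negated grant", key))
    return findings

def is_least_privilege(policy):
    """True when a policy (e.g. read from a SAM/CloudFormation template in CI) has no findings."""
    return not least_privilege_findings(policy)
```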

Slide 15

Security principles: Defense in depth (layers)
"Using multiple, redundant measures at every system in case a security control fails"
Diagram: user traffic enters the AWS Cloud through Amazon CloudFront and Amazon API Gateway to AWS Lambda, with Amazon S3, Amazon DynamoDB and Amazon RDS behind it.

Slide 16

Security principles: Defense in depth (layers)
Diagram: the same architecture (CloudFront, API Gateway, Lambda, Amazon S3, DynamoDB, Amazon RDS) with a control added at each layer: AWS WAF, Amazon Cognito, Identity and Access Management (IAM) and an AWS KMS key.

Slide 17

Security principles: Clean code
No secrets in code
• IAM keys → use STS AssumeRole
• Database usernames/passwords → use AWS Secrets Manager or encrypted environment variables
Keep it simple
• Lambda functions should be small
• Group them based on type of access

Slide 18

Security principles: Clean code
Monolithic: Amazon API Gateway routes ANY /{proxy+} to one monolithic function that touches the queue, the orders table and the customers table.
✓ Single responsibility: Amazon API Gateway routes POST, GET and DELETE separately, each handled by its own function against the queue, the orders table or the customers table.

Slide 19

Serverless architectures and security patterns

Slide 20

Serverless security patterns: Web app vulnerabilities
Diagram: user traffic enters the AWS Cloud through CloudFront and API Gateway to Lambda, with Amazon S3, DynamoDB and Amazon RDS behind it.

Slide 21

Serverless security patterns: Web app vulnerabilities
Diagram: the same architecture (CloudFront, API Gateway, Lambda, Amazon S3, DynamoDB, Amazon RDS) with AWS WAF filtering rules added at the entry points.

Slide 22

Serverless security patterns: Web app vulnerabilities
(title only; the rest of the slide is an image)

Slide 23

Serverless security patterns: Web app auth
Diagram: the same architecture (CloudFront, API Gateway, Lambda, Amazon S3, DynamoDB, Amazon RDS) with an identity provider (Amazon Cognito, OIDC) issuing a JWT that the client presents with its requests.

Slide 24

JSON web token (JWT)

Token as shown on the slide (wrapped across lines):
eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVBO
VNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJzdW
IiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYzYzM
4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2ajAx
MiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91c2UiO
iJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNzIjoiaH
R0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25
hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5IiwiY29nbml0
bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0Nzg0NTI2N
jAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0IjoxNDc4NDQ5MD
YwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFpbCI6InRyYW5
qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6t
YonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9
K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8ym
jH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMHtj
dfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ18_
yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs4Cuk
moYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87P
e6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ

Header
    {
      "kid":"9errtDKltq8YwaJy2GZtObykRDEA9SB4iDT6vWmTeQE=",
      "alg":"RS256"
    }

Payload
    {
      "sub":"6f557368-a884-484e-b662-9fc69f3c3802",
      "aud":"6lkfs70rovkubirh1qtntvj012",
      "email_verified":true,
      "token_use":"id",
      "auth_time":1478449060,
      "iss":"https:\/\/cognito-idp.us-east-1.amazonaws.com\/us-east-1_XMlUW9sUy",
      "cognito:username":"test123",
      "exp":1478452660,
      "given_name":"Test",
      "iat":1478449060,
      "family_name":"Test",
      "email":"[email protected]"
    }

Signature
    HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), {secret});

(This is the HS256 form of the signature. The token above declares "alg":"RS256", so Cognito signs it with an RSA private key and a verifier checks it against the user pool's published public key rather than a shared secret.)

Slide 25

Serverless security patterns: Web app auth
Diagram: the same architecture (CloudFront, API Gateway, Lambda, Amazon S3, DynamoDB, Amazon RDS) with the JWT token travelling with the user traffic.

Slide 26

Serverless security patterns: Web app auth
Diagram: the same architecture (CloudFront, API Gateway, Lambda, Amazon S3, DynamoDB, Amazon RDS) with an Authorizer added to validate the token before requests reach the business logic.
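Added example, not from the deck: the checks an authorizer performs on a token like the one on slide 24, using the HS256 form of the signature formula shown there so that it runs offline. The issuer and audience values are the slide's; the secret, the claims and the helper names are constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import time

# Issuer and audience come from the decoded payload on slide 24; the HMAC secret is constructed
# (the slide's token is RS256-signed by Cognito and would be checked with the issuer's public key).
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_XMlUW9sUy"
AUDIENCE = "6lkfs70rovkubirh1qtntvj012"
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(claims, secret, alg="HS256"):
    """Build header.payload.signature as the formula on slide 24 describes."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = ("%s.%s" % (header, payload)).encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest() if alg == "HS256" else b""
    return "%s.%s.%s" % (header, payload, b64url_encode(sig))

def verify_hs256_token(token, secret, now=None):
    """Return (claims, "ok") or (None, reason): pin the algorithm and check the signature
    before trusting anything in the payload."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None, "unexpected alg"          # the token does not get to choose
        expected = hmac.new(secret, ("%s.%s" % (header_b64, payload_b64)).encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return None, "bad signature"
        claims = json.loads(b64url_decode(payload_b64))
    except ValueError:                             # wrong part count, bad base64 or bad JSON
        return None, "malformed token"
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    if claims.get("aud") != AUDIENCE:
        return None, "wrong audience"
    if now >= int(claims.get("exp", 0)):           # an authorizer must enforce expiry itself
        return None, "expired"
    return claims, "ok"
```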

Slide 27

What about insecure code?

Slide 28

Lambda execution environments
• Upon invocation, the Lambda data plane creates an execution environment (or chooses an existing one) in a microVM, including:
  • The function code
  • Any Lambda layers selected for your function
  • The function runtime, either built-in (Java 8, NodeJS 8, Python 3.7, etc.) or a custom runtime
  • A minimal Linux userland based on Amazon Linux
• Execution environments are never shared across functions, and microVMs are never shared across AWS accounts

Slide 29

Firecracker Architecture and Benefits
Diagram: Host → KVM → Firecracker → MicroVM (Guest OS & Container Workload); Firecracker exposes a RESTful API and manages networks, storage, rate limiting and a metadata service.
• Firecracker microVMs have the same security as KVM VMs
• Designed for low overhead, high density, and fast start times
• Built-in fair sharing
Source: https://github.com/firecracker-microvm/firecracker

Slide 30

Lambda design considerations
• The first invocation of a Lambda function requires "bootstrapping", which adds some latency.
• Execution environments can be reused by subsequent invocations, with no memory scrub.
• Execution environments include a writable file system, available at /tmp, that remains for the lifetime of the execution environment.
• Lambda provides patching and updates for supported runtimes. Maintenance of custom runtimes is the customer's responsibility.
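Added example, not from the deck, showing what "no memory scrub" and a persistent /tmp mean in practice: a handler that parks caller data in module state or in a fixed scratch file hands it to the next invocation of the same warm environment, while a handler that keeps request data local and cleans up does not. The handler names and the scratch directory (standing in for /tmp) are this example's assumptions.

```python
import hashlib
import os
import shutil
import tempfile

# Module scope runs once per execution environment (cold start) and survives warm
# invocations: the right place for SDK clients, the wrong place for caller data.
# tempfile.gettempdir() stands in for the function's /tmp so the example runs anywhere.
SCRATCH_DIR = os.path.join(tempfile.gettempdir(), "lambda-reuse-demo")
_last_request = {}   # deliberately wrong: per-request data held in module state

def reset_scratch():
    """Simulates a fresh execution environment (cold start): empty /tmp, empty globals."""
    shutil.rmtree(SCRATCH_DIR, ignore_errors=True)
    _last_request.clear()

def leaky_handler(event, context=None):
    """Parks the caller's document in a global and in a fixed /tmp file and never clears
    either, so the next invocation in this environment sees what the previous caller sent."""
    os.makedirs(SCRATCH_DIR, exist_ok=True)
    if "document" in event:
        _last_request["document"] = event["document"]
        with open(os.path.join(SCRATCH_DIR, "upload.txt"), "w") as fh:
            fh.write(event["document"])
    # falls back to whatever the previous invocation left behind
    return {"digest": hashlib.sha256(_last_request.get("document", "").encode()).hexdigest()}

def safe_handler(event, context=None):
    """Keeps request data local, uses a unique scratch file and removes it before returning."""
    document = event.get("document")
    if document is None:
        return {"digest": None}
    os.makedirs(SCRATCH_DIR, exist_ok=True)
    fd, path = tempfile.mkstemp(dir=SCRATCH_DIR)
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(document)
        with open(path) as fh:                  # the work that actually needed the scratch file
            digest = hashlib.sha256(fh.read().encode()).hexdigest()
    finally:
        os.remove(path)                         # /tmp is not scrubbed between invocations
    return {"digest": digest}

def scratch_leftovers():
    """What the next invocation in the same environment would find in /tmp."""
    return sorted(os.listdir(SCRATCH_DIR)) if os.path.isdir(SCRATCH_DIR) else []
```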

Slide 31

Lambda best practices
• Plan for cold start to optimize microVM reuse
• Minimize package size to necessities
• ENIs for VPC support are attached during cold start
• Instantiate AWS clients and database clients outside the scope of the Lambda handler
• Avoid code that reads or writes to /tmp if not needed
• Leverage AWS-supported runtimes to avoid the heavy lifting of custom runtimes

Code from the slide, completed so that it runs (the slide cuts off after pymysql.connect( and logger.error("ERROR:; the rds_config fields other than db_name and the handler body are assumed):

    import sys
    import logging
    import rds_config   # local settings module; keep credentials out of the code itself
    import pymysql

    # --- Executes during cold start (once per execution environment) ---
    rds_host = "rds-instance"
    db_name = rds_config.db_name
    logger = logging.getLogger()

    try:
        conn = pymysql.connect(host=rds_host, user=rds_config.db_username,
                               passwd=rds_config.db_password, db=db_name,
                               connect_timeout=5)
    except pymysql.MySQLError as e:
        logger.error("ERROR: could not connect to the MySQL instance: %s", e)
        sys.exit(1)

    # --- Executes with each invocation ---
    def handler(event, context):
        with conn.cursor() as cur:
            cur.execute("SELECT 1")
            return cur.fetchone()

Slide 32

(no text on this slide)

Slide 33

Integrate security controls in CI/CD pipelines
Diagram: Developer → CodeCommit → CodePipeline → CodeBuild; a Security stage runs cfn-nag against the templates before AWS CloudFormation creates the stacks (pre-create → create stacks → post-create) in the deploy region and in further regions; Amazon SNS and an S3 bucket also appear in the pipeline.

Slide 34

CodeDeploy and Lambda canary deployments
• Direct a portion of traffic to a new version
• Monitor stability with CloudWatch
• Initiate rollback if needed
• Incorporate into your AWS SAM templates

Slide 35

(no text on this slide)

Slide 36

AWS account maintenance
Scheduled Lambda to shut down unused resources
Diagram: an Amazon CloudWatch schedule triggers AWS Lambda, which calls the Amazon EC2 control plane to start, stop or tag instances, all within the AWS Cloud.

Slide 37

AWS account management
Lambda + Step Functions workflow to create AWS accounts and set up projects
Diagram: a CLI utility starts a Step Functions workflow with multiple functions that create the account (AWS Organizations), set permissions (an AWS Identity and Access Management (IAM) permissions role) and configure monitoring (AWS CloudTrail).

Slide 38

Create dedicated, locked down accounts per project
• Use AWS Organizations
• Use the third-party org-formation solution: https://github.com/OlafConijn/AwsOrganizationFormation

Slide 39

Security and compliance
Rules engine in Lambda consumes logs and checks for breaches
Diagram: CloudWatch Logs and CloudTrail Logs from Account A and Account B are ingested through Kinesis Firehose into a raw archive (raw storage) in the compliance team's AWS account, where an AWS Lambda rules engine function evaluates them and raises an alarm.
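Added example, not from the deck: a minimal version of the rules-engine function in this diagram, running three rules over newline-delimited CloudTrail records and returning one alarm per hit. The records are constructed for the example (real CloudTrail field names, but made-up account IDs and user names), and the rule and function names are this example's.

```python
import json

# Constructed, trimmed CloudTrail-style records (not real log data); field names follow the
# CloudTrail record format that CloudWatch Logs or Kinesis Firehose would hand to the function.
SAMPLE_LOG_LINES = [
    json.dumps({"eventName": "ConsoleLogin", "recipientAccountId": "111111111111",
                "userIdentity": {"type": "Root"}, "additionalEventData": {"MFAUsed": "No"}}),
    json.dumps({"eventName": "AuthorizeSecurityGroupIngress", "recipientAccountId": "222222222222",
                "userIdentity": {"type": "IAMUser", "userName": "dev1"},
                "requestParameters": {"ipPermissions": {"items": [{"fromPort": 22, "toPort": 22,
                    "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}}),
    json.dumps({"eventName": "StopLogging", "recipientAccountId": "222222222222",
                "userIdentity": {"type": "IAMUser", "userName": "dev2"}}),
    json.dumps({"eventName": "PutItem", "recipientAccountId": "111111111111", "userIdentity": {"type": "AssumedRole"}}),
    "not json at all",                                 # delivery noise the engine must survive
]

def root_login_without_mfa(ev):
    if (ev.get("eventName") == "ConsoleLogin" and ev.get("userIdentity", {}).get("type") == "Root"
            and ev.get("additionalEventData", {}).get("MFAUsed") != "Yes"):
        return "root console login without MFA"

def world_open_ingress(ev):
    if ev.get("eventName") == "AuthorizeSecurityGroupIngress":
        for perm in ev.get("requestParameters", {}).get("ipPermissions", {}).get("items", []):
            for rng in perm.get("ipRanges", {}).get("items", []):
                if rng.get("cidrIp") == "0.0.0.0/0":
                    return "ingress from 0.0.0.0/0 on ports %s-%s" % (perm.get("fromPort"), perm.get("toPort"))

def trail_logging_disabled(ev):
    if ev.get("eventName") in ("StopLogging", "DeleteTrail"):
        return "CloudTrail %s by %s" % (ev["eventName"], ev.get("userIdentity", {}).get("userName", "?"))

RULES = [root_login_without_mfa, world_open_ingress, trail_logging_disabled]

def evaluate_log_lines(lines):
    """Run every rule over every parsable record; each hit is one alarm for the compliance team."""
    findings = []
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            ev = None
        if not isinstance(ev, dict):
            continue                                   # skip malformed lines instead of crashing
        for rule in RULES:
            detail = rule(ev)
            if detail:
                findings.append({"account": ev.get("recipientAccountId"),
                                 "rule": rule.__name__, "detail": detail})
    return findings
```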

Slide 40

Thank you!
Marek Kuczynski, Serverless Specialist SA, [email protected], marekq@