© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS UG Novi Sad – Part 2 Securing serverless architectures Marek Kuczynski Serverless Specialist SA marekku@amazon.nl marekq@

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda • Tools and services to create secure architectures • What happens when you run a Lambda invocation • How to leverage serverless computing for security processes • Some practical tips for serverless security • Q&A

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda functions API Gateway Core business logic RESTful microservices DynamoDB https://api.myapp.com AWS Cloud Mobile app Pure serverless can be straightforward

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. 1-n Lambda function sets 1-n API Gateways Microservices environment . . . . . . Various clients, potentially including other microservices Various data tier components, as needed AWS Cloud DynamoDB Mobile client Amazon ElastiCache Amazon S3 Serverless architectural patterns are easily scalable

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda functions Amazon S3 API Gateway Dynamic website content Web application Amazon CloudFront distribution Static website content (HTML/JS/CSS) DynamoDB Amazon RDS ElastiCache Amazon S3 https://api.example.com www.example.com VPC AWS Cloud Web browser Some infrastructure is still there

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda functions Amazon Cognito API Gateway AWS Security Token Service (AWS STS) Core business logic Mobile backend User identity management DynamoDB Amazon RDS ElastiCache Amazon S3 https://api.myapp.com AWS Cloud VPC Mobile app Core business logic elements can be code or containers Amazon ECS

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Common security approach • Serverless and containers share a common pattern: microservices • Core business logic can be modeled as code or containers • We can reuse the same thought model for both serverless and containers to design secure architectures

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Using both serverless and containers AWS AppSync API Gateway Application Load Balancer (ALB)

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda security best practices

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Well Architected Framework for Serverless https://aws.amazon.com/blogs/aws/new-serverless-lens-in-aws-well-architected-tool/

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. You can run a self assessments on workloads Check the AWS Console under ”well architected” for more info

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. CHMOD 777

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. CHMOD 777

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security principles: Least privilege “Granting only those privileges which are essential to perform the intended function” { "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*" } { "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": ”arn:…/ContactsTable" }

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security principles: Defense in depth (layers) “Using multiple, redundant measures at every system in case a security control fails” AWS Cloud AWS Lambda User traffic Amazon S3 Amazon API Gateway Amazon DynamoDB Amazon RDS Amazon CloudFront

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security principles: Defense in depth (layers) AWS Cloud Lambda User traffic Amazon S3 API Gateway DynamoDB Amazon RDS CloudFront AWS WAF Amazon Cognito Identity and Access Management (IAM) AWS KMS key

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security principles: Clean code No secrets in code • IAM keys • à Use STS AssumeRole • Database usernames/passwords • à Use AWS Secrets Manager/encrypted env. variables Keep it simple • Lambda functions should be small • Group them based on type of access

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon API Gateway queue orders table customers table POST GET DELETE Amazon API Gateway queue orders table customers table monolithic function ANY /{proxy+} Monolithic ü Single responsibility Security principles: Clean code

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless architectures and security patterns

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless security patterns: Web app vulnerabilities AWS Cloud Lambda User traffic Amazon S3 API Gateway DynamoDB Amazon RDS CloudFront

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless security patterns: Web app vulnerabilities AWS Cloud Lambda User traffic Amazon S3 API Gateway DynamoDB Amazon RDS CloudFront AWS WAF filtering rule AWS WAF filtering rule

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless security patterns: Web app vulnerabilities

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless security patterns: Web app auth AWS Cloud Lambda User traffic Amazon S3 API Gateway DynamoDB Amazon RDS CloudFront Identity provider (Amazon Cognito, OIDC) JWT JWT

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. JSON web token (JWT) eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVBO VNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJzdW IiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYzYzM 4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2ajAx MiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91c2UiO iJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNzIjoiaH R0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25 hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5IiwiY29nbml0 bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0Nzg0NTI2N jAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0IjoxNDc4NDQ5MD YwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFpbCI6InRyYW5 qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6t YonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9 K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8ym jH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMHtj dfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ18_ yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs4Cuk moYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87P e6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ { "kid":"9errtDKltq8YwaJy2GZtObykRDEA9SB4iDT6vWmTeQE=", "alg":"RS256” } Header { "sub":"6f557368-a884-484e-b662-9fc69f3c3802", "aud":"6lkfs70rovkubirh1qtntvj012", "email_verified":true, "token_use":"id", "auth_time":1478449060, "iss":"https:\/\/cognito-idp.us-east-1.amazonaws.com \/us-east-1_XMlUW9sUy", "cognito:username":"test123", "exp":1478452660, "given_name”:"Test", "iat":1478449060, "family_name":"Test", "email":”test@example.com" } Payload Signature HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), {secret});

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless security patterns: Web app auth AWS Cloud Lambda User traffic Amazon S3 API Gateway DynamoDB Amazon RDS CloudFront JWT token

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless security patterns: Web app auth AWS Cloud Lambda User traffic Amazon S3 API Gateway DynamoDB Amazon RDS CloudFront Authorizer

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. What about insecure code?

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda execution environments • Upon invocation, Lambda data plane creates execution environment (or chooses an existing one) in a microVM including: • The function code • Any Lambda layers selected for your function • The function runtime, either built-in (Java 8, NodeJS 8, Python 3.7, etc.) or custom runtime • A minimal Linux userland based on Amazon Linux • Execution environments are never shared across functions, and microVMs are never shared across AWS accounts

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Host KVM MicroVM (Guest OS & Container Workload) Firecracker RESTful API Networks Storage Rate Limiting Metadata Service • Firecracker microVMs have the same security as KVM VMs • Designed for low overhead, high density, and fast start times • Built-in fair sharing Firecracker Architecture and Benefits Source; https://github.com/firecracker-microvm/firecracker

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda design considerations • First invocation of a Lambda function requires “bootstrapping”, which adds some latency. • Execution environments can be reused by subsequent invocations, with no memory scrub. • Execution environments includes a writeable file system, available at /tmp. that remains for the lifetime of the execution environment. • Lambda provides patching and updates for supported runtimes. Maintenance of custom runtimes is customer responsibility.

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda best practices • Plan for cold start to optimize microVM reuse • Minimize package size to necessities • ENIs for VPC support are attached during cold start • Instantiate AWS clients and database clients outside the scope of the Lambda handler • Avoid code to read or write to /tmp if not needed • Leverage AWS-supported runtimes to avoid heavy lifting of custom runtimes import sys import logging import rds_config import pymysql rds_host = "rds-instance" db_name = rds_config.db_name try: conn = pymysql.connect( except: logger.error("ERROR: def handler(event, context): with conn.cursor() as cur: Executes with each invocation Executes during cold start

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Integrate security controls in CI/CD pipelines Developer CodeBuild Amazon SNS S3 bucket 6 5 6 5 Stack Stack Pre-create Create stacks Post-create Deploy region Region Region cfn-nag AWS CloudFormation CodeCommit CodePipeline Security

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. CodeDeploy and Lambda canary deployments • Direct a portion of traffic to a new version • Monitor stability with CloudWatch • Initiate rollback if needed • Incorporate into your AWS SAM templates

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS account maintenance Scheduled Lambda to shut down unused resources Amazon CloudWatch Schedule AWS Lambda EC2 start/stop/tag Amazon EC2 control plane AWS Cloud

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS account management Lambda + Step Functions workflow to create AWS accounts and setup projects CLI utility Step Functions workflow Multiple functions to: Create account Set permissions Configure monitoring AWS Organizations AWS Account AWS Identity and Access Management (IAM) Permissions Role AWS CloudTrail

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Create dedicated, locked down accounts per project Use AWS Organizations Use the third party org-formation solution https://github.com/OlafConijn/AwsO rganizationFormation

© 2020, Amazon Web Services, Inc. or its affiliates. All rights reserved. Security and compliance Rules engine in Lambda consumes logs and checks for breaches AWS Lambda Rules engine function CloudWatch Logs CloudTrail Logs Account A CloudWatch Logs CloudTrail Logs Account B Ingestion Kinesis Firehose raw storage Raw archive Alarm Compliance team AWS account

Thank you! © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Marek Kuczynski Serverless Specialist SA marekku@amazon.nl marekq@