Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Veliswa Boya

Veliswa Boya
November 05, 2020
Technology
0
86

Veliswa Boya

How to secure a serverless web application on AWS

Veliswa Boya

November 05, 2020
Tweet

More Decks by Veliswa Boya

See All by Veliswa Boya
Tools for building your MVP on AWS
veliswaboya
0
120
Chaos Engineering on AWS
veliswaboya
1
280

Other Decks in Technology

See All in Technology
20240717_イケコパ代表Copilot_in_Teams会社でこう使ってます
ponponmikankan
2
430
たくさん本を読んだけど 1年後には綺麗サッパリ!を乗り越えて 学習の鬼になるぞ👹
yum3
0
160
AIエージェントを現場に導入する目線とは
masahiro_nishimi
1
1.5k
クラウド利用者の「責任」をどう果たす?AWSセキュリティ対策のススメ #AWSSummit
hiashisan
0
270
ペパボのオブザーバビリティ研修2024 説明資料
kesompochy
0
1.1k
データ分析を支える技術 生成AI再入門
ishikawa_satoru
0
380
プレイドにおけるDatadog APMの活用方法
plaidtech
PRO
2
120
Azure AI ことはじめ
tsubakimoto_s
0
130
RAGのサービスをリリースして1年3ヶ月が経ちました
segavvy
4
900
Classmethod Odyssey 登壇資料
yamahiro
0
390
LLMアプリケーションの評価の実践と課題 ~PharmaXにおける今後の展望~
pharma_x_tech
2
160
ギークの理想が7つ集まるエムスリーで夢を叶えよう - エムスリー株式会社
m3_engineering
1
260

Featured

See All Featured
Rails Girls Zürich Keynote
gr2m
93
13k
A better future with KSS
kneath
231
17k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
17
1.5k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
245
1.2M
Gamification - CAS2011
davidbonilla
78
4.9k
The Illustrated Children's Guide to Kubernetes
chrisshort
39
47k
Happy Clients
brianwarren
94
6.5k
Building Your Own Lightsaber
phodgson
101
5.9k
Fontdeck: Realign not Redesign
paulrobertlloyd
79
5.1k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
105
6.8k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
24
1.8k
VelocityConf: Rendering Performance Case Studies
addyosmani
321
23k

Transcript

  1. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Veliswa Boya 04 November 2020 Securing a serverless web app on AWS

  2. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Agenda • The case for serverless • Security principles in the serverless context • Serverless architectures and security patterns

  3. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. The case for serverless The Shared Responsibility Model

  4. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved.

  5. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Security Principles in the serverless context

  6. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Security Principles in the serverless context ❑ Keep security simple ❑ The Principle of Least Privilege ❑ Defence in depth (defence at every layer) https://blog.threatpress.com/security-design-principles-owasp/

  7. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ❶Keep security simple Client Amazon Cognito Amazon API Gateway AWS Lambda Amazon DynamoDB AWS WAF AWS IAM AWS KMS AWS Secrets Manager AWS Firewall Manager AWS Shield

  8. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ❷The Principle of Least Privilege - Only assign what’s needed to perform the task at hand { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "arn:aws:dynamodb:eu-west-1:084642048058:table/Flowers" } }

  9. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ❸Defence in depth (defence at every layer) Client Amazon Cognito Amazon API Gateway AWS Lambda Amazon DynamoDB AWS WAF AWS IAM AWS KMS AWS Secrets Manager AWS Firewall Manager AWS Shield

  10. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Security Patterns for Serverless architectures

  11. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Security Patterns for Serverless architectures ❑ Protect against web attacks ❑ Authenticate access to web application ❑ Control access to APIs ❑ Secure storage of credentials ❑ Control access to AWS resources ❑ Protect against data loss

  12. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Client AWS WAF DDoS XSS SQLi AWS Firewall Manager Layer 3 Network, 4 Transport and 7 of OSI Model. Does your app have high visibility? Prone to frequent DDoS attacks? Simplifies admin and management across accounts. Using your WAF across accounts and need to accelerate your AWS WAF configurations? Application Layer 7 of OSI Model. Granular control over the protection that is added to your resources? Protect against web attacks or ALB or API Gateway Which to choose?

  13. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved.

  14. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Client JWT JWT Authenticate access to web application • For user pools >> scalable user directories that provide sign-up and sign- in options for the app users • For identity pools >> provide temporary credentials to grant users access to AWS services (guest or signed in) >> federated identities for social sign- in (Facebook, Google, Amazon, Apple)

  15. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved.

  16. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to APIs √

  17. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to APIs

  18. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to APIs

  19. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to APIs

  20. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Secrets Manager for securing credentials AWS Secrets Manager Amazon RDS OR Automatic rotation very 30 days

  21. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Secrets Manager for securing credentials

  22. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Secrets Manager for securing credentials

  23. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to AWS resources AWS IAM ❑ Granular permissions ❑ Integrated with many AWS services ❑ Free to use

  24. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to AWS resources

  25. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to AWS resources – Lambda Execution Role { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] }

  26. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to AWS resources – DynamoDB table Inline Policy

  27. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Protect against data loss ❑ AWS Key Management Service (KMS) is a managed service that makes it easy for you to create encryption keys ❑ Manage keys ❑ Control the use of encryption across a wide range of AWS services. ❑ KMS is secure ❑ KMS is a resilient service

  28. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Protect against data loss

  29. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Conclusion Privacy regulations e.g. GDPR places an imperative upon us to invest to limit information loss https://www.accenture.com/us-en/insights/security/cost-cybercrime-study

  30. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Thank You!

  31. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Q&A

  32. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Contact me @vel12171 https://dev.to/vel12171 https://aws-community.africa/ https://veliswaboya.africa