Let’s secure our Serverless applications

Transcript

1. Pune

2. Let’s secure our Serverless applications Jones Zachariah Noel N Pune

3. Pune 👋 I’m Jones Zachariah Noel N (zachjonesnoel) 🥑 Senior

   Developer Advocate @ Freshworks ☁ AWS Serverless Hero ⚡ Serverless architect 🚀 AWS UG Bengaluru co-organizer 󰞵 Runs newsletter / blog on The Serverless Terminal ▶ Co-run The Zacs’ Show Talking AWS podcast

4. Pune

5. Pune

6. Pune https://docs.aws.amazon.com/whitepapers/latest/security-overview-aws-lambda/the-shared-responsibility-model.html

7. Pune https://docs.aws.amazon.com/whitepapers/latest/security-overview-aws-lambda/the-shared-responsibility-model.html

8. Pune Security in Serverless Identity and access Code Data Infrastructure

9. Identity and access Pune

10. Identity and access Pune Least privileges Unique privileges

11. Code: Request validations with Model Pune

12. Code: Using secrets in Lambda functions Pune AWS Secrets Manager

    AWS Systems Manager Parameter Store AWS Lambda Functions Environment Variables

13. Code: Audits to check vulnerability Pune Amazon Inspector Scan for

    vulnerability in your Lambda function and Lambda layer code

14. Data: Encryption at Rest Pune

15. Data: Encryption in Transit Pune SNS and SQS Supports encryption

    in transit by default Lambda functions Uses Transport Layer Security (TLS) Lambda functions and API Gateway Using HTTPS protocol for all HTTP APIs via Function URLs and API Gateway endpoints

16. Infrastructure: Protection to attacks Pune AWS WAF Amazon S3 and

    Amazon CloudFront Web hosting and distributions enabled with WAF AWS API Gateway and AWS AppSync Endpoints with WAF enabled SQL Injections Cross-site scripting IP restrictions Geo restrictions HTTPs rules

17. Infrastructure: Protection to attacks Pune AWS API Gateway Enabling throttling

    Rate Limits Burst Limits To protect from abusive requests

18. Pune

19. Pune Best practices for secure Serverless applications AWS API Gateway

    Using authentication methods for APIs IAM policies Using least privileges and unique for each resource and execution roles

20. Pune Best practices for secure Serverless applications Security at layers

    Enabling security in different levels of architecture Security audits Frequent and recurring security audits of infrastructure and code

21. Pune Best practices for secure Serverless applications Secure credentials and

    configs Using Secrets Managers and System Manager Parameter Stores Resources in VPC Lambda functions or Aurora in VPC with public endpoints of API Gateway

22. Thank you Jones Zachariah Noel N Pune https://zachjonesnoel.com https://theserverlessterminal.com jones-zachariah-noel-n