Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Let’s secure our Serverless applications

Let’s secure our Serverless applications

Presented about AWS Serverless Security at AWS Community Day DevSecOps Edition Pune on Jan 6th, 2024.

Jones Zachariah Noel N

January 06, 2024

More Decks by Jones Zachariah Noel N

Other Decks in Technology


  1. Pune 👋 I’m Jones Zachariah Noel N (zachjonesnoel) 🥑 Senior

    Developer Advocate @ Freshworks ☁ AWS Serverless Hero ⚡ Serverless architect 🚀 AWS UG Bengaluru co-organizer 󰞵 Runs newsletter / blog on The Serverless Terminal ▶ Co-run The Zacs’ Show Talking AWS podcast
  2. Code: Using secrets in Lambda functions Pune AWS Secrets Manager

    AWS Systems Manager Parameter Store AWS Lambda Functions Environment Variables
  3. Code: Audits to check vulnerability Pune Amazon Inspector Scan for

    vulnerability in your Lambda function and Lambda layer code
  4. Data: Encryption in Transit Pune SNS and SQS Supports encryption

    in transit by default Lambda functions Uses Transport Layer Security (TLS) Lambda functions and API Gateway Using HTTPS protocol for all HTTP APIs via Function URLs and API Gateway endpoints
  5. Infrastructure: Protection to attacks Pune AWS WAF Amazon S3 and

    Amazon CloudFront Web hosting and distributions enabled with WAF AWS API Gateway and AWS AppSync Endpoints with WAF enabled SQL Injections Cross-site scripting IP restrictions Geo restrictions HTTPs rules
  6. Infrastructure: Protection to attacks Pune AWS API Gateway Enabling throttling

    Rate Limits Burst Limits To protect from abusive requests
  7. Pune Best practices for secure Serverless applications AWS API Gateway

    Using authentication methods for APIs IAM policies Using least privileges and unique for each resource and execution roles
  8. Pune Best practices for secure Serverless applications Security at layers

    Enabling security in different levels of architecture Security audits Frequent and recurring security audits of infrastructure and code
  9. Pune Best practices for secure Serverless applications Secure credentials and

    configs Using Secrets Managers and System Manager Parameter Stores Resources in VPC Lambda functions or Aurora in VPC with public endpoints of API Gateway