    Serverless Security Workshop - 24 September - 13:00

    Published: October 13, 2019

    AWS Loft Istanbul 2019 Serverless Security Workshop - 24 September - 13:00

    • 1. Building secure serverless applications with AWS Lambda
    • 2. © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda: 1. Serverless Tips; 2. Workshop background; 3. Hands-on on AWS!
    • 3. Serverless Tips
    • 4. Serverless Computing in a nutshell: no servers to provision or manage; scales with usage; never pay for idle; built-in availability and fault tolerance.
    • 5. Domains of security for (serverless) applications: Infrastructure, Data, Code, Identity & Access, Logging & Monitoring.
    • 6. OWASP 2017 Top 10 Web Application Security Risks (https://www.owasp.org). Each risk is rated on exploitability, prevalence, detectability and technical impact.
    • 7. OWASP Top 10 mapped to security domains:
      Identity & Access: Broken Authentication (#2), Broken Access Control (#5).
      Code: Injection (#1), XXE (#4), XSS (#7), Insecure Deserialization (#8), Using Components with Known Vulnerabilities (#9).
      Data: Sensitive Data Exposure (#3).
      Infrastructure: Using Components with Known Vulnerabilities (#9), Security Misconfiguration (#6).
      Logging & Monitoring: Insufficient Logging & Monitoring (#10).
    • 8. AWS Lambda fine-grained pricing: buy compute time in 100-ms increments; low request charge; no hourly, daily or monthly minimums; no per-device fees; never pay for idle. Free Tier: 1M requests and 400,000 GB-s of compute, every month, every customer.
    • 9. AWS Lambda execution model, three invocation types:
      Synchronous (push): Amazon API Gateway receives requests (e.g. /order) and invokes the AWS Lambda function directly; the function can then call Amazon DynamoDB.
      Asynchronous (event): Amazon SNS and Amazon S3 hand the event to the AWS Lambda service, which queues it and invokes the function.
      Stream-based: the AWS Lambda service polls Amazon Kinesis streams and DynamoDB change streams and invokes the function with batches of records.
    • 10. Permissions model: fine-grained security controls for both execution and invocation.
      Execution (role) policies: define, via IAM, which AWS resources and API calls the function itself may use; in stream-based invocations the Lambda service polls the stream under this role, so the role also needs read access to the stream. Example: "Lambda function A can read from DynamoDB table users".
      Function (resource-based) policies: define who may invoke the function; used for sync and async invocations, where the event source calls Lambda. Example: "Actions on bucket X can invoke Lambda function Z". Resource policies are also how cross-account invocation is granted.
    • 11. Workshop Background
    • 12. wildrydes.com
    • 13. (image slide, no text extracted)
    • 14. 3rd party functionality: unicorn customization. "Visit beautiful Unicornpolis!" (Sock image credit: Freepik from www.flaticon.com)
    • 15. 3rd party API: Unicorn customization. List customization options and prices: GET /capes, GET /glasses, GET /horns, GET /socks. (Image credit: Smashicons, Freepik from www.flaticon.com; johnny_automatic from www.openclipart.org)
    • 16. 3rd party API: Unicorn customization. Create and manage customizations: POST /customizations, GET /customizations, GET /customizations/{id}, DELETE /customizations/{id}
    • 17. Admin API: register 3rd party partners: POST /partners
    • 18. Workshop architecture, starting point: 3rd parties call Amazon API Gateway, which invokes AWS Lambda, which talks to Amazon RDS. Not secure! Deployed using SAM (Serverless Application Model).
    • 19. Your task: secure the application against attackers, both outside "bad guys" and the partners themselves. (Image credit: pongsakornred, Freepik from www.flaticon.com)
    • 20. Hands-on!
    • 21. amzn.to/serverless-security
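The two policy types on the permissions-model slide (slide 10), written out as policy documents, together with a small least-privilege check of the kind you would run over a SAM template's policies before deploying. This is an added example and not code from the workshop or from AWS; the account id, region, table, bucket and function ARNs are placeholders that only echo the slide's "table users", "bucket X" and "function Z".

```python
"""Lambda permissions model as policy documents.

Execution-role policy: what the function may call (read DynamoDB table "users").
Function (resource-based) policy: who may invoke the function (S3 bucket X,
pinned to one account).  All identifiers below are constructed placeholders.
"""
import json

# Constructed placeholder identifiers (not workshop values).
ACCOUNT_ID = "123456789012"
REGION = "eu-west-1"
USERS_TABLE_ARN = f"arn:aws:dynamodb:{REGION}:{ACCOUNT_ID}:table/users"
FUNCTION_ARN = f"arn:aws:lambda:{REGION}:{ACCOUNT_ID}:function:Z"
BUCKET_ARN = "arn:aws:s3:::X"

# Read-only DynamoDB actions: enough for "can read from table users", no writes.
READ_ACTIONS = ["dynamodb:GetItem", "dynamodb:BatchGetItem",
                "dynamodb:Query", "dynamodb:Scan"]


def execution_policy(table_arn: str) -> dict:
    """Identity policy for the function's execution role:
    "Lambda function A can read from DynamoDB table users"."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadUsersTable",
            "Effect": "Allow",
            "Action": READ_ACTIONS,
            "Resource": table_arn,   # exactly one table, never "*"
        }],
    }


def function_policy(function_arn: str, bucket_arn: str, account_id: str) -> dict:
    """Resource-based policy attached to the function itself:
    "Actions on bucket X can invoke Lambda function Z".
    SourceArn alone is not enough: bucket names are global, so SourceAccount
    stops a same-named bucket in another account from invoking the function."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowBucketXToInvoke",
            "Effect": "Allow",
            "Principal": {"Service": "s3.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            "Condition": {
                "ArnLike": {"AWS:SourceArn": bucket_arn},
                "StringEquals": {"AWS:SourceAccount": account_id},
            },
        }],
    }


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def overbroad_statements(policy: dict) -> list:
    """Return (Sid, reason) for every Allow statement that grants a wildcard
    action ("*" or "service:*"), a wildcard resource, or an unconditional
    anonymous principal.  Run this over every policy in the SAM template."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        sid = st.get("Sid", f"Statement[{i}]")
        for action in _as_list(st.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((sid, f"wildcard action {action}"))
        for resource in _as_list(st.get("Resource", [])):
            if resource == "*":
                findings.append((sid, "wildcard resource *"))
        principal = st.get("Principal")
        if principal in ("*", {"AWS": "*"}) and "Condition" not in st:
            findings.append((sid, "anonymous principal without condition"))
    return findings


if __name__ == "__main__":
    print(json.dumps(execution_policy(USERS_TABLE_ARN), indent=2))
    print(json.dumps(function_policy(FUNCTION_ARN, BUCKET_ARN, ACCOUNT_ID), indent=2))
    print("findings:", overbroad_statements(execution_policy(USERS_TABLE_ARN)))
```

The check is deliberately simple: it flags the patterns that most often creep into workshop-style templates (`Action: "*"`, `dynamodb:*`, `Resource: "*"`, `Principal: "*"` with no condition) and nothing else, so it produces no noise on the two policies the slide describes.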
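To make the OWASP mapping on slide 7 concrete for the application on slides 16 and 18 (partners calling API Gateway, a Lambda function, an RDS database), here is an added example of a handler for GET /customizations/{id} in a vulnerable and a hardened form. It is not the workshop's code, and the page does not say which specific flaws the starting-point application contains; an in-memory SQLite table stands in for RDS, and the partner names and rows are constructed.

```python
"""GET /customizations/{id}, vulnerable and hardened.

Illustrates Injection (#1) and Broken Access Control (#5) from the OWASP
Top 10 in a Lambda-style handler.  SQLite is a stand-in for Amazon RDS;
all rows and partner ids are constructed sample data.
"""
import sqlite3

# Constructed sample data: two partners, two customizations each.
ROWS = [
    (1, "partner-a", "cape-red", 5),
    (2, "partner-a", "horn-gold", 9),
    (3, "partner-b", "socks-striped", 3),
    (4, "partner-b", "glasses-round", 7),
]


def make_db() -> sqlite3.Connection:
    """Build the in-memory customizations table (stand-in for RDS)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customizations "
                 "(id INTEGER, partner_id TEXT, item TEXT, price INTEGER)")
    conn.executemany("INSERT INTO customizations VALUES (?, ?, ?, ?)", ROWS)
    return conn


def get_customization_vulnerable(conn, customization_id: str) -> list:
    """Two OWASP items in one query: the {id} path parameter is pasted
    straight into SQL (Injection, #1) and the calling partner is never
    checked, so any partner can read any row (Broken Access Control, #5)."""
    sql = ("SELECT id, partner_id, item, price FROM customizations "
           f"WHERE id = {customization_id}")
    return conn.execute(sql).fetchall()


def get_customization_safe(conn, customization_id: str, partner_id: str) -> list:
    """Hardened: the id is validated and bound as a parameter rather than
    concatenated, and the row must belong to the authenticated partner
    (partner_id comes from the authorizer, not from the request body)."""
    try:
        cid = int(customization_id)   # reject non-numeric ids before any SQL
    except ValueError:
        return []
    sql = ("SELECT id, partner_id, item, price FROM customizations "
           "WHERE id = ? AND partner_id = ?")
    return conn.execute(sql, (cid, partner_id)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    # Honest request: one row.
    print(get_customization_vulnerable(conn, "1"))
    # Attacker-controlled path parameter dumps every partner's rows.
    print(get_customization_vulnerable(conn, "0 OR 1=1"))
    # Hardened handler: same payload yields nothing, and partner-a
    # cannot read partner-b's customization 3.
    print(get_customization_safe(conn, "0 OR 1=1", "partner-a"))
    print(get_customization_safe(conn, "3", "partner-a"))
    print(get_customization_safe(conn, "3", "partner-b"))
```

The tenant check in the hardened version is the part people forget: parameterising the query alone fixes #1 but still lets partner-a DELETE or GET partner-b's customization by guessing an id, which is exactly the "partners" threat on the task slide.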