UPLOAD

    952

    Serverless Security Workshop - 24 September - 13:00

    Published: October 13, 2019

    AWS Loft Istanbul 2019 Serverless Security Workshop - 24 September - 13:00

    Comments

    Serverless Security Workshop - 24 September - 13:00

    • 1. Slide1 Building secure serverless applications with AWS Lambda
    • 2. Slide120 © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Agenda 1.Serverless Tips 2.Workshop background 3.Hands-on on AWS!
    • 3. Slide121 © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless Tips
    • 4. Serverless Computing in a nutshell Serverless Computing in a nutshell No servers to provision or manage Scales with usage Never pay for idle Built-in availability and fault tolerance
    • 5. Domains of security for (serverless) applications Domains of security for (serverless) applications Infrastructure Data Code Identity & Access Logging & Monitoring
    • 6. OWASP 2017- Top 10 Web Application Security Risks  OWASP 2017- Top 10 Web Application Security Risks https://www.owasp.org •Exploitability •Prevalence •Detectability •Technical impact
    • 7. OWASP Top 10 mapped to security domains OWASP Top 10 mapped to security domains Infrastructure Data Code Identity & Access Logging & Monitoring Broken Authentication(#2) Broken Access Control (#5) Injection (#1) XXE (#4) XSS (#7) Insecure Deserialization (#8) Using Components with Known Vulnerabilities (#9) Sensitive Data Exposure (#3) Using Components with Known Vulnerabilities (#9) Security Misconfiguration (#6) Insufficient Logging & Monitoring (#10)
    • 8. AWS Lambda Fine-grained pricing AWS Lambda Fine-grained pricing Buy compute time in 100-ms increments Low request charge No hourly, daily, or monthly minimums No per-device fees Never pay for idle Free Tier 1 M requests and 400,000 GB-s of compute Every month, every customer © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
    • 9. AWS Lambda execution model AWS Lambda execution model Synchronous (push) Asynchronous (event) Stream-based Amazon SNS Amazon S3 reqs Amazon Kinesis changes AWS Lambda service function © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Amazon API Gateway AWS Lambda function Amazon DynamoDB /order AWS Lambda function
    • 10. Permissions model Permissions model Fine-grained security controls for both execution and invocation Execution policies: •Define what AWS resources/API calls this function can access via IAM •Used in streaming invocations •For example, "Lambda function A can read from DynamoDB table users" Function policies: •Used for sync and async invocations •For example, "Actions on bucket X can invoke Lambda function Z" •Resource policies allow for cross-account access © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
    • 11. Slide211 © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Workshop Background
    • 12. Slide213 © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. wildrydes.com
    • 13. Slide215 © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved.
    • 14. 3rd party functionality– unicorn customization  © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. 3rd party functionality– unicorn customization Sock image Credit: Freepik from www.flaticon.com Visit beautiful Unicornpolis!
    • 15. 3rd party API: Unicorn customization 3rd party API: Unicorn customization List customization options and prices: GET /capes GET /glasses GET /horns GET /socks Image Credit: Smashicons, Freepik from www.flaticon.com johnny_automatic from www.openclipart.org
    • 16. 3rd party API: Unicorn customization 3rd party API: Unicorn customization Create and manage customizations POST /customizations GET /customizations GET /customizations/{id} DELETE /customizations/{id}
    • 17. Admin API: register 3rd party partners Admin API: register 3rd party partners Register new partners POST /partners
    • 18. Workshop architecture – starting point  Workshop architecture – starting point Amazon API Gateway AWS Lambda Amazon RDS 3rd party Not secure! Deployed using SAM (Serverless Application Model )
    • 19. Your task: secure the application against attackers!  Your task: secure the application against attackers! Image Credit: pongsakornred, Freepik from www.flaticon.com Bad guys Partners
    • 20. Slide212 © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. Hands-on!
    • 21. Slide210 © 2018 Amazon Web Services, Inc. or its Affiliates. All rights reserved. amzn.to/serverless-security