Page 1
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dave Walker
Specialist Solutions Architect, Security and Compliance
23/06/16
Securing Serverless Architectures
Page 2
With Thanks To:
Page 3
Agenda
• Serverless Architectures: What they Are
• “Caveat Emptor”?
• Constraining Access and Permissions
• Wrapping AWS Lambda Functions
• Amazon API Gateway and AWS Service API Endpoints
• Generalising Across Serverless Functions
• Conclusions
Page 4
Serverless Architectures: What They Are
Page 5
Serverless Architectures: What they Are
• “The shiny new thing”
• …though Amazon S3 has been around for 10 years, now
• “Object stores, object transmission and aggregation pipelines, object format transformers, standalone code execution systems”
• Abstract (and sometimes, Container) Services
• AWS looks after the underlying OS, High Availability, Scaling and often the Application, transparently
• Often event-driven (Lambda triggers etc.)
• “Customers only need to worry about their functionality”
Page 6
Serverless Services
Page 7
For Example…
Diagram of an example serverless architecture (component labels only): Internet, Website, Activity Indicator, Chat Service, Activity Messages, Search Service, Dynamo Streams, Elasticsearch Service, Web Hosting, Twilio, Slack Chat, API Gateway, IoT, Backend Logic
Page 8
“Caveat Emptor”?
Page 9
“Everything Starts with a Threat Model”
• STRIDE, DREAD, others
• Identify:
• Actors
• Vectors
• “Bad stuff that could happen, when bad people get creative”
• Probabilities and consequences of bad stuff happening
• Apply technical and procedural mitigations
• …all the way up the OSI stack, from Network to Application
Page 10
Attack Vectors
• Application-level and API-level attacks
• “If it takes input, it likely has an in-band attack vector”
• “If it has a control point, it likely has an out-of-band attack vector”
• “Even if it doesn’t itself have a useful compromise, it might be a useful propagation vector”
• A successful attack = disruption or corruption of service output, or reduction in responsiveness to future service calls, or being a conduit of “bad content” to vulnerable consumers of the service.
• Consider the OWASP Top 10 and other application-level attacks…
Page 11
Control Points and Out-of-band Attacks
• (Almost) everything in our list has an API Endpoint.
• API Endpoints are exposed to the Internet over https, using TLS 1.2 and unidirectional trust via s2n
• API Endpoints are scaled, rate-managed and connection-monitored
• API Endpoint calls need Sigv4
• SHA256 HMAC with Secret Access Key (240-bit entropic) over REST request
• REST calls are checked for formation correctness
• Looking pretty well-covered…
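The Sigv4 step in the list above, written out as an added example in Python (not AWS or SDK code, and deliberately minimal: no session token, no query-string signing). The signing key is derived from the Secret Access Key through four chained HMAC-SHA256 steps, the canonical request is hashed and signed, and the endpoint recomputes the same value and compares it in constant time. The credentials, hostname and request body are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import quote

# Added example: a minimal Signature Version 4 signer plus the verification an
# endpoint performs. Follows the documented SigV4 derivation; not AWS's code.
ALGORITHM = "AWS4-HMAC-SHA256"


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def derive_signing_key(secret_access_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Four chained HMAC-SHA256 steps (date, region, service, terminator): the
    long-term secret never signs a request directly, and the derived key is
    only usable for one day, one region and one service."""
    k_date = _hmac_sha256(("AWS4" + secret_access_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload: bytes) -> tuple:
    """Canonical form of the request, so client and endpoint hash identical bytes.
    Header names are lower-cased and sorted; values are trimmed."""
    lower = {name.lower(): value.strip() for name, value in headers.items()}
    signed_headers = ";".join(sorted(lower))
    canonical_headers = "".join(f"{name}:{lower[name]}\n" for name in sorted(lower))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    payload_hash = hashlib.sha256(payload).hexdigest()
    creq = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return creq, signed_headers


def sign_request(access_key_id, secret_access_key, region, service,
                 method, path, query, headers, payload) -> str:
    """Return the Authorization header value. `headers` uses lower-case keys and
    must already contain host and x-amz-date (the date scope comes from it)."""
    amz_date = headers["x-amz-date"]
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, payload)
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                hashlib.sha256(creq.encode("utf-8")).hexdigest()])
    signing_key = derive_signing_key(secret_access_key, date_stamp, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    return (f"{ALGORITHM} Credential={access_key_id}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def endpoint_verifies(authorization, secret_access_key, region, service,
                      method, path, query, headers, payload) -> bool:
    """What the endpoint does: look up the secret for the presented access key,
    recompute the signature over the request it actually received and compare in
    constant time. Any change to a signed element yields a different signature."""
    access_key_id = authorization.split("Credential=")[1].split("/")[0]
    expected = sign_request(access_key_id, secret_access_key, region, service,
                            method, path, query, headers, payload)
    return hmac.compare_digest(expected, authorization)


# Constructed sample request; the credentials are placeholders, not real keys.
SAMPLE = dict(
    access_key_id="AKIAEXAMPLEEXAMPLE",
    secret_access_key="placeholder/secret/access/key/EXAMPLE",
    region="eu-west-1", service="lambda",
    method="POST", path="/2015-03-31/functions/placeholder-function/invocations",
    query={},
    headers={"host": "lambda.eu-west-1.amazonaws.com",
             "x-amz-date": "20160623T120000Z",
             "content-type": "application/json"},
    payload=b'{"hello": "world"}',
)
```

`sign_request(**SAMPLE)` produces the header a client would send; the endpoint side only ever sees the access key id in the clear and fetches the matching secret itself, which is why a leaked request log does not reveal the key and why an altered body, path or signed header fails verification.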
Page 12
In-band Attacks
• There are more variables here – consider access methods and content sizes:
Page 13
Constraining Access and Permissions
Page 14
IAM is your First Port of Call
• Quickest and highly effective way to reduce risk of serverless “misbehaviour” at sub-data level
• All API access should be Role-based
• Roles can be given to EC2 Instances and Lambda functions
• Roles use ephemeral STS tokens rather than static keys
• Reduces consequences of static key mishandling, no motivation to hard-wire into code
• Cross-account access gets close to Mandatory Access Control
• See video of presentation from UK Security Roadshow (Coming Soon)
Page 15
IAM is your First Port of Call
• API calls can be constrained in IAM by Source IP address
• Get the AWS range from https://ip-ranges.amazonaws.com/ip-ranges.json
• We could use this to ensure that only our wrapper functions can call our main Lambda functions or the real API endpoints
• Recent development: verify when permissions were last used
• See https://blogs.aws.amazon.com/security/post/Tx280RX2WH6WUD7/Remove-Unnecessary-Permissions-in-Your-IAM-Policies-by-Using-Service-Last-Access
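The source-IP constraint above, worked through as an added Python example (not code from the deck): pick the prefixes published for the AMAZON service in one Region out of ip-ranges.json, emit an IAM policy statement whose IpAddress condition is limited to them, and evaluate that condition locally so the policy can be unit-tested before it is attached. The JSON is a constructed excerpt in the shape of the real file, using documentation address ranges rather than real AWS ranges; the function ARN is a placeholder, and where the statement is attached (the wrapper's role, as the deck later suggests, or a resource policy) is left as a deployment choice.

```python
import ipaddress
import json

# Added example (not the deck's code): select a Region's AMAZON prefixes from
# ip-ranges.json and build an IAM policy statement restricted to them.
# Constructed excerpt in the file's shape; prefixes are RFC 5737 / RFC 3849
# documentation ranges, not real AWS ranges.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2016-06-23-00-00-00",
    "prefixes": [
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "AMAZON"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "eu-west-1", "service": "AMAZON"},
    ],
})


def region_prefixes(ip_ranges_json: str, region: str, service: str = "AMAZON") -> list:
    """CIDRs published for `service` in `region`, IPv4 and IPv6, de-duplicated and
    sorted. Networks of different IP versions cannot be compared, so the sort key
    carries the version first."""
    data = json.loads(ip_ranges_json)
    found = set()
    for list_key, field in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in data.get(list_key, []):
            if entry.get("region") == region and entry.get("service") == service:
                found.add(entry[field])
    return sorted(found, key=lambda c: (ipaddress.ip_network(c).version, ipaddress.ip_network(c)))


def invoke_policy(function_arn: str, ip_ranges_json: str, region: str) -> dict:
    """Policy document allowing lambda:InvokeFunction on `function_arn` only when
    aws:SourceIp falls inside the Region's AMAZON range. Refuses to emit a
    statement with an empty list, which would otherwise silently match nothing
    or, if someone later edited the condition away, everything."""
    cidrs = region_prefixes(ip_ranges_json, region)
    if not cidrs:
        raise ValueError(f"no AMAZON prefixes published for {region}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InvokeOnlyFromAmazonRange",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
        }],
    }


def source_ip_allowed(policy: dict, source_ip: str) -> bool:
    """Local evaluation of the IpAddress condition, for tests and policy review."""
    addr = ipaddress.ip_address(source_ip)
    for statement in policy["Statement"]:
        cidrs = statement.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", [])
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return True
    return False
```

Two caveats a reviewer would raise on this policy. The AMAZON range for a Region is shared by every customer whose traffic leaves AWS from that Region, so the condition narrows the caller population rather than identifying the wrapper; that is why the deck also suggests a shared secret. And the published ranges change, so the policy should be regenerated whenever the file's syncToken changes rather than copied once.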
Page 16
Wrapping Lambda Functions
Page 17
Let’s start with Lambda…
• Why?
• It’s a great test case, as:
• It can take input from (almost) anywhere
• It can do (almost) anything with that input, given appropriate permissions
• It can output (almost) anything to (almost) anywhere
• Customers have control over what happens between input and output
• Risk: “you can write insecure code in any language (including Node.js, Java, Python and anything you can call from them…)”
Page 18
Let’s start with Lambda…
• Already good info on developing Lambda functions: https://aws.amazon.com/blogs/compute/continuous-integration-deployment-for-aws-lambda-functions-with-jenkins-and-grunt-part-1/ , https://aws.amazon.com/blogs/compute/continuous-integration-deployment-for-aws-lambda-functions-with-jenkins-and-grunt-part-2/
• Lambda functions run in an IAM role
• Consider cross-account function calls (see https://aws.amazon.com/blogs/compute/easy-authorization-of-aws-lambda-functions/ )
• Now let’s add a front-end wrapper / filter and back-end / side API checker…
Page 19–20
Wrapping Lambda Functions
Diagram (component labels only): bucket, AWS Lambda ×3, Amazon API Gateway, API endpoint; annotated “Front end”, “Back end”, “Our original function” and “Trigger event source”
Page 21–25
Wrapping Lambda Functions
Same diagram (bucket, AWS Lambda ×3, Amazon API Gateway, API endpoint), built up over five slides with the numbered flow:
1. Event triggers wrapper
2. Wrapper passes trigger data to analyser
3. Analyser reads data
4. Wrapper invokes Function
5. Function reads data and processes as normal
Page 26
Wrapping Lambda Functions
• First function, configured to trigger on the Lambda event, is a front-end wrapper
• Passes copy of trigger event input and context to analysis engine (hello, Alert Logic)
• Optionally, waits for “content OK” response from analysis engine (in-band checking) to determine whether main Lambda function should be invoked
• …or calls main Lambda function immediately, if performance is more critical (out-of-band checking)
• Has the same IAM Read / Get permissions in its role as the main Lambda function, plus what’s needed to send trigger info and invoke the main Lambda function
Page 27
Wrapping Lambda Functions
• Analysis Engine
• Needs IAM permissions to be able to read from the trigger source
• Needs to be configurable to respond to the calling Lambda function after checks are complete (in-band checking, IPS-style) and / or raise alerts – eg via SNS – if “badness” is found (out-of-band checking, IDS-style)
• In discussion with Alert Logic (co-inventors), but concept and invocation mechanisms are non-exclusive
Page 28
Wrapping Lambda Functions
• Second function, invoked by the first, is our main Lambda function
• Modify the permission conditions in the IAM role so that this function can only be called from IP addresses in the AMAZON range in the same Region
• ie our wrapping Lambda function
• Consider passing and verifying a shared secret
• With the front-end wrapped, now let’s look at the back…
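The three slides above (front-end wrapper, analysis engine, main function with a shared secret), put together as one added Python example. This is not code from the deck, from AWS or from Alert Logic: the analysis engine is a stand-in that applies the deck's own in-band concerns (access method and content size) to S3-style trigger records, the analyser call, the invoke of the main function and the SNS alert are injected as callables so the flow runs offline, and the shared secret is presented as an HMAC over the forwarded event rather than as a bare password, so a valid token is bound to one specific trigger. SHARED_SECRET, MAX_OBJECT_BYTES and the sample event are constructed placeholders.

```python
import hashlib
import hmac
import json
from typing import Callable

# Added example: front-end wrapper, stand-in analyser and main function with a
# shared-secret check. Not the deck's code. SHARED_SECRET and MAX_OBJECT_BYTES are
# placeholders that a deployment would supply through configuration, never source.
SHARED_SECRET = "placeholder-shared-secret-from-configuration"
MAX_OBJECT_BYTES = 10 * 1024 * 1024  # assumed in-band content-size limit


def invocation_token(secret: str, event: dict) -> str:
    """HMAC-SHA256 of the canonicalised event under the shared secret: the main
    function learns both that the caller knew the secret and that the event was
    not altered between wrapper and function."""
    canonical = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hmac.new(secret.encode("utf-8"), canonical.encode("utf-8"), hashlib.sha256).hexdigest()


def sample_analyser(event: dict, ctx: dict) -> bool:
    """Stand-in for the analysis engine: True when the trigger data looks OK.
    Checks access method (only S3 records expected) and content size/shape."""
    for record in event.get("Records", []):
        if record.get("eventSource") != "aws:s3":
            return False
        obj = record.get("s3", {}).get("object", {})
        key = obj.get("key", "")
        if ".." in key or key.startswith("/"):
            return False  # traversal-style object key
        if int(obj.get("size", 0)) > MAX_OBJECT_BYTES:
            return False
    return True


def front_end_wrapper(event, context, *, analyse: Callable[[dict, dict], bool],
                      invoke_main: Callable[[dict], dict],
                      alert: Callable[[str], None], in_band: bool = True) -> dict:
    """First function, triggered by the event. In AWS `analyse` would call the
    analysis engine, `invoke_main` lambda:InvokeFunction and `alert` an SNS publish."""
    ctx = {"function_name": getattr(context, "function_name", "unknown"),
           "aws_request_id": getattr(context, "aws_request_id", "unknown")}
    forwarded = {"event": event, "token": invocation_token(SHARED_SECRET, event)}
    if in_band:
        # IPS-style: wait for the verdict, invoke only if the content is OK
        if not analyse(event, ctx):
            alert(f"blocked trigger {ctx['aws_request_id']} for {ctx['function_name']}")
            return {"status": "blocked"}
        return {"status": "invoked", "result": invoke_main(forwarded)}
    # IDS-style: invoke immediately, analyse afterwards, alert on badness
    result = invoke_main(forwarded)
    if not analyse(event, ctx):
        alert(f"suspicious trigger {ctx['aws_request_id']} already passed to {ctx['function_name']}")
    return {"status": "invoked", "result": result}


def main_function(forwarded: dict, context=None) -> dict:
    """Second function: refuses any invocation without a valid token, on top of
    the source-IP condition in its IAM role."""
    event = forwarded.get("event", {})
    expected = invocation_token(SHARED_SECRET, event)
    if not hmac.compare_digest(expected, str(forwarded.get("token", ""))):
        raise PermissionError("invocation did not carry a valid shared-secret token")
    # The original processing would go here; this stand-in just counts records.
    return {"processed": len(event.get("Records", []))}


# Constructed sample trigger in the S3 ObjectCreated shape (example names only)
SAMPLE_EVENT = {"Records": [{"eventSource": "aws:s3", "eventName": "ObjectCreated:Put",
                             "s3": {"bucket": {"name": "example-bucket"},
                                    "object": {"key": "uploads/report.csv", "size": 2048}}}]}
```

Running `front_end_wrapper(SAMPLE_EVENT, None, analyse=sample_analyser, invoke_main=main_function, alert=print)` exercises the in-band path; `in_band=False` gives the out-of-band path, where the main function has already run by the time the alert is raised, which is the trade-off the deck describes. Because the token covers the event, a replay of a captured token with a different event fails the compare_digest check.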
Page 29
API Gateway and API Endpoints
Page 30
API Gateway and API Endpoints
Same wrapping diagram (bucket, AWS Lambda ×3, Amazon API Gateway, API endpoint), with the “Back end” annotation
Page 31
API Gateway and API Endpoints
• Consider API Gateway as a protective front-end onto the main AWS API Endpoints
• Can rate-limit calling frequency
• Can have back-end Lambda functions on each of REST GET, PUT, POST, PATCH, DELETE, HEAD, OPTIONS to check call content
• Supports Sigv4 – and generates logs
• So, we have a back-end wrapper function
• …But we need to make API Gateway the target(s) for calls to API Endpoints, in our main Lambda function…
• Easy!
Page 32
Endpoint mappings in boto and Java SDK:
{
"autoscaling": {
"ap-northeast-1": "autoscaling.ap-northeast-1.amazonaws.com",
"ap-northeast-2": "autoscaling.ap-northeast-2.amazonaws.com",
"ap-southeast-1": "autoscaling.ap-southeast-1.amazonaws.com",
"ap-southeast-2": "autoscaling.ap-southeast-2.amazonaws.com",
"cn-north-1": "autoscaling.cn-north-1.amazonaws.com.cn",
"eu-central-1": "autoscaling.eu-central-1.amazonaws.com",
"eu-west-1": "autoscaling.eu-west-1.amazonaws.com",
"sa-east-1": "autoscaling.sa-east-1.amazonaws.com",
"us-east-1": "autoscaling.us-east-1.amazonaws.com",
"us-gov-west-1": "autoscaling.us-gov-west-1.amazonaws.com",
"us-west-1": "autoscaling.us-west-1.amazonaws.com",
"us-west-2": "autoscaling.us-west-2.amazonaws.com"
},
• boto/boto/endpoints.json and aws-java-sdk-core/src/main/resources/com/amazonaws/partitions/endpoints.json
Page 33
Wrapping Lambda Functions
• Hack the in-environment SDK for your own main Lambda function!
• 2-stage function needed, in the execution context:
• 1. Verify that the endpoints as defined in the SDK are your own API Gateway endpoints; set them if not
• 2. Invoke the actual “doing stuff” function
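The two-stage function above as an added Python example (not code from the deck or from any SDK). Stage 1 takes a mapping in the shape of the endpoints.json excerpt shown two slides earlier, checks each service we front in the current Region against our own API Gateway hostname by exact match, and rewrites any entry that does not point there; stage 2 runs the real function with the verified mapping. SDK_ENDPOINTS is a constructed subset, OUR_GATEWAYS holds assumed gateway URLs with placeholder API ids, and `do_work` stands in for the “doing stuff” function.

```python
from urllib.parse import urlparse

# Added example (not the deck's or an SDK's code). SDK_ENDPOINTS mirrors the
# shape of the endpoints.json excerpt (constructed subset); OUR_GATEWAYS holds
# assumed API Gateway front-ends whose API ids are placeholders.
SDK_ENDPOINTS = {
    "autoscaling": {
        "eu-west-1": "autoscaling.eu-west-1.amazonaws.com",
        "us-east-1": "autoscaling.us-east-1.amazonaws.com",
    },
    "sqs": {"eu-west-1": "sqs.eu-west-1.amazonaws.com"},
}
OUR_GATEWAYS = {
    ("autoscaling", "eu-west-1"): "https://a1b2c3d4e5.execute-api.eu-west-1.amazonaws.com/prod",
    ("sqs", "eu-west-1"): "https://f6g7h8i9j0.execute-api.eu-west-1.amazonaws.com/prod",
}


def is_our_gateway(endpoint: str, gateway_url: str) -> bool:
    """Exact hostname match. A substring or endswith test would accept look-alike
    hosts that merely contain the gateway name."""
    if not endpoint:
        return False
    host = urlparse(endpoint if "://" in endpoint else "https://" + endpoint).hostname
    return host is not None and host == urlparse(gateway_url).hostname


def verify_endpoints(sdk_endpoints: dict, our_gateways: dict, region: str):
    """Stage 1: for every service we front in `region`, make sure the mapping
    points at our gateway and record which services had to be corrected.
    Returns (corrected mapping, sorted list of corrected services); the input
    mapping is left untouched so the check is repeatable."""
    fixed = {service: dict(regions) for service, regions in sdk_endpoints.items()}
    corrected = []
    for (service, gw_region), gateway_url in our_gateways.items():
        if gw_region != region:
            continue
        current = fixed.setdefault(service, {}).get(region, "")
        if not is_our_gateway(current, gateway_url):
            fixed[service][region] = gateway_url
            corrected.append(service)
    return fixed, sorted(corrected)


def handler(event, context, *, do_work, region: str = "eu-west-1") -> dict:
    """Two-stage entry point: verify/set the endpoints, then run the real
    function with the verified mapping. Reporting which entries were corrected
    is itself a useful signal: in a healthy deployment the list stays empty."""
    endpoints, corrected = verify_endpoints(SDK_ENDPOINTS, OUR_GATEWAYS, region)
    if corrected:
        print(f"endpoint mapping corrected for: {', '.join(corrected)}")
    return {"corrected": corrected, "result": do_work(event, endpoints)}
```

With boto3 the verified value is what you would hand to `boto3.client(service, region_name=region, endpoint_url=endpoints[service][region])` inside `do_work`, so the SDK never resolves the default endpoint itself. Note that services without an entry in OUR_GATEWAYS are passed through unchanged here; a stricter variant would refuse to run if the main function's role can reach any service that is not fronted by a gateway.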
Page 34
Generalising Across Serverless Functions
Page 35
Filtering API Calls
Diagram (component labels only): AWS Lambda, Amazon API Gateway, API endpoint
Page 36
Filtering Kinesis (and some other) Streams
Diagram (component labels only): AWS Lambda, Amazon ElastiCache, Amazon Kinesis, Amazon Kinesis, Amazon DynamoDB
Page 37
Offloading Encryption in Transit
Diagram (component labels only): Amazon API Gateway, AWS KMS, data encryption key, AWS Lambda, role, API Endpoints, Amazon SQS, instance, Amazon Kinesis, role
Page 38
Services with Lambda Trigger Support
• Config
• CloudWatch
• S3
• DynamoDB
• Kinesis
• SNS
• SES
• Cognito
• CloudFormation
Page 39
Conclusions
Page 40
Threats and Mitigations
• IAM is your first port of call, for limiting API calls and their scope
• Cross-account access can also be useful here
• API Endpoints are well-protected, but API Gateways can add hooks for further protection at Layer 7 to any service
• …though they’re most applicable to serverless ones
• Lambda functions can provide useful tap / inspection / filter hook points for queues and pipelines
• Lambda functions can themselves be used as wrap and filter hook points on the input to Lambda functions
Page 41
Further Food for Thought…?
• Using Serverless Capabilities to Add Security Functionality to More Traditional Services
• Config Rules already does this
• GitHub repo at https://github.com/awslabs/aws-config-rules
• CI / CD: Add a final post-deploy Lambda step onto CodePipeline, and API Gateway as a front-end to pentest infrastructure, to automatically call a pentest down onto the newly-deployed components
• Let’s discuss…
Page 42–51
Extra: “Serverless” Management of Arbitrary Secrets
Diagram built up over ten slides (component labels only): instances, instance, long-term security credential, AWS KMS, data encryption key, bucket, VPC Private Endpoint, role ×2, and Instance UserData carrying the ARN of the encrypted https key in the S3 bucket and the ARN of the data encryption key in KMS
Page 52
Industry Best Practices for Securing AWS Resources
CIS Amazon Web Services Foundations
Architecture-agnostic set of security configuration best practices
Provides step-by-step implementation and assessment procedures
Page 53
Helpful Resources
Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Centre Website: https://aws.amazon.com/compliance
Security Centre: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
AWS Audit Training: [email protected]
Page 54
Helpful Resources: New Videos
The AWS Shared Security Responsibility Model in Practice: https://youtu.be/RwUSPklR24M
IAM Recommended Practices: https://youtu.be/R-PyVnhxx-U
Encryption Options on AWS: https://youtu.be/9bn7p2tdym0
Compliance, Logging, Analysis and Alerting: https://youtu.be/42-1xpT-s6U
Page 55