Talk "Security Boundaries and Functions of Services for Serverless Architectures on AWS" by Bertram Dorn at the AWS Serverless Web Day. All videos and presentations are available here: http://amzn.to/28QIaxM
Security Boundaries and Functions of Services for Serverless Architectures on AWS - AWS Serverless Web Day
1. Security Aspects on Services for
Serverless Architectures
Bertram Dorn
EMEA Specialized Solutions Architect
Security and Compliance
2. Agenda:
• Security in General
• Services in Scope
• Aspects of Services for Serverless Architectures
• API Endpoint Concept
• API Calls
• Some Service Details
3. What is AWS?
AWS Global Infrastructure
Application Services
Networking
Deployment & Administration
Database / Storage / Compute
4. Service in Scope I
• Architect should not care about AZ setup
• Architect should not care about scaling
• Architect should not care about availability
• Architect should not care about sizing
• Architect should not care about service side communication
• Architect should not need to take action on service side security
5. [Slide: AWS platform service map]
Enterprise Apps: Virtual Desktops; Sharing & Collaboration; Corporate Email; Backup
Development & Operations: One-click App Deployment; DevOps Resource Management; Application Lifecycle Management; Containers; Triggers; Resource Templates
Mobile Services: Identity; Sync; Single Integrated Console; Push Notifications
App Services: Queuing & Notifications; Workflow; Search; Email; Transcoding
Analytics: Data Warehousing; Hadoop/Spark; Streaming Data Collection; Machine Learning; Elastic Search; Streaming Data Analysis; Business Intelligence; Mobile Analytics
Technical & Business Support: Account Management; Support; Professional Services; Training & Certification; Security & Pricing Reports; Partner Ecosystem; Solutions Architects
Marketplace: Business Apps; Business Intelligence; Databases; DevOps Tools; Networking; Security; Storage
Infrastructure: Regions; Availability Zones; Points of Presence
Core Services: Compute (VMs, Auto-scaling & Load Balancing); Storage (Object, Blocks, Archival, Import/Export); Databases (Relational, NoSQL, Caching, Migration); Networking (VPC, DX, DNS, CDN)
Security & Compliance: Access Control; Identity Management; Key Management & Storage; Monitoring & Logs; Assessment and Reporting; Resource & Usage Auditing; Configuration Compliance; Web Application Firewall
Hybrid Architecture: Data Backups; Integrated App Deployments; Direct Connect; Identity Federation; Integrated Resource Management; Integrated Networking
API Gateway
IoT: Rules Engine; Device Shadows; Device SDKs; Registry; Device Gateway
6. [Slide: the same AWS platform service map as on slide 5]
7. AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Korea (Seoul)
Region
An independent collection of AWS
resources in a defined geography
A solid foundation for meeting location-
dependent privacy and compliance
requirements
8. AWS Global Footprint
Availability Zone
Designed as independent failure zones
Physically separated within a typical
metropolitan region
9. Shared Responsibility
Cross-service Controls / Service-specific Controls
Managed by AWS: Security of the Cloud (Cloud Service Provider Controls)
Managed by Customer: Security in the Cloud (Optimized Network/OS/App Controls)
Request reports at: aws.amazon.com/compliance/#contact
ISO 27000, ISO 9001
10. Service in Scope II
• Architect needs to care about IAM
• Architect must secure their access keys
• Architect should be aware of service features
• Architect should cross-check the service against the compliance setup
• Architect must take care of encryption
• Knowledge of the service features
• Know how to work their own encryption into the architecture
11. [Slide: the same AWS platform service map as on slide 5]
12. API
• WebInterface
• CLI
• SDK
• API
[Slide diagram: Architect → WebInterface / CLI / SDK / API → AWS IAM → Resource / Application; User → Application → Amazon S3, Amazon DynamoDB, Amazon API Gateway, Amazon SES, Amazon SQS]
API Features
• DDoS Protected
• MultiAZ
• Available
• Encryption in Transport
• Authenticated
• Logging
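The "Authenticated" feature above means every API call, whether it comes from the console, the CLI or an SDK, carries an AWS Signature Version 4 over the request. The SDKs hide this, so the following added example (not code from the talk or from AWS) writes the signing out for an S3 request to make the security properties visible: the long-term secret is only ever fed into an HMAC chain, the derived signing key is scoped to one day, region and service, and the signed headers and payload hash are bound to the signature, so tampering in transit invalidates it. The access key and secret are AWS's published example values, not real credentials; host, path and date are constructed inputs.

```python
"""Constructed example: AWS Signature Version 4 for an S3 request.
The credentials below are AWS's documented example values, not real keys."""
import datetime
import hashlib
import hmac
from urllib.parse import quote

ALGORITHM = "AWS4-HMAC-SHA256"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request").
    The derived key is only valid for one day/region/service, so a leaked signing
    key is far less valuable than the long-term secret it was derived from."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_request(method: str, path: str, query: dict, headers: dict, payload_hash: str):
    """Canonical form per the SigV4 spec: lowercased header names sorted, header
    values trimmed with internal whitespace collapsed, query parameters sorted
    and URI-encoded. Returns (canonical_request, signed_headers)."""
    lowered = {k.lower(): " ".join(v.strip().split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canonical_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    creq = "\n".join([method, quote(path, safe="/-_.~"), canonical_query,
                      canonical_headers, signed_headers, payload_hash])
    return creq, signed_headers


def sign_s3_request(access_key: str, secret_key: str, region: str, method: str, host: str,
                    path: str, query: dict = None, headers: dict = None,
                    payload: bytes = b"", amz_date: str = None) -> dict:
    """Return the headers to send, including Authorization. amz_date is injectable
    so results are reproducible; real callers use the current UTC time."""
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = sha256_hex(payload)
    hdrs = dict(headers or {})
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    hdrs["x-amz-content-sha256"] = payload_hash  # S3 requires the payload hash as a header
    creq, signed_headers = canonical_request(method, path, query or {}, hdrs, payload_hash)
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope, sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, "s3"),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["Authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed_headers}, Signature={signature}")
    return hdrs


if __name__ == "__main__":
    # Constructed request: ranged GET of /test.txt, fixed date for reproducibility.
    signed = sign_s3_request("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                             "us-east-1", "GET", "examplebucket.s3.amazonaws.com", "/test.txt",
                             headers={"Range": "bytes=0-9"}, amz_date="20130524T000000Z")
    for name, value in signed.items():
        print(f"{name}: {value}")
```

Two practical consequences follow from the construction: a clock skew of more than a few minutes makes the service reject the signature (the date is part of the scope), and because the secret is only used as HMAC key material, the right way to "secure your access keys" is to never embed them in code at all but to obtain short-lived credentials from a role (for Lambda, the execution role; the SDK then signs with those).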
15. Amazon S3
• Secure Transport
• Server Side Encryption
• Individual initialization vector for each object
• Re-encryption through copy and versioning
• KMS Integration
• Customer Managed Keys
• IAM integration
• Versioning
• MFA Delete
• Storage Class
• S3 Logging
Security related features which need to be instrumented by the Architect
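"Instrumented by the Architect" means S3 offers secure transport and server-side encryption but does not force them; the bucket policy is where the architect turns them from options into invariants. The added example below (not from the talk or from AWS) builds such a policy for a constructed bucket name and KMS key ARN, and includes a small evaluator for its explicit-Deny statements so the condition semantics can be checked offline. The evaluator is a teaching aid, not AWS's policy engine: it models only Effect=Deny, the three condition operators used here, and "*" wildcards in Action/Resource, and it ignores IAM user policies, ACLs and Allow statements entirely.

```python
"""Constructed example: S3 bucket policy that forces TLS and SSE-KMS,
with a minimal evaluator for its Deny statements.
Not AWS's policy engine: models Effect=Deny, Bool / StringNotEquals / Null
conditions and '*' wildcards only. Bucket name and key ARN are placeholders."""
import fnmatch
import json


def tls_and_sse_kms_bucket_policy(bucket: str, kms_key_arn: str) -> dict:
    """Deny plaintext transport for everything, and deny PUTs that are not
    SSE-KMS with the expected customer managed key."""
    bucket_arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # aws:SecureTransport is "false" on plain-HTTP requests
                "Sid": "DenyInsecureTransport",
                "Effect": "Deny", "Principal": "*", "Action": "s3:*",
                "Resource": [bucket_arn, f"{bucket_arn}/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
            {   # StringNotEquals also matches when the header is absent,
                # which is what turns this into a "header required" check
                "Sid": "DenyNonKmsPut",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption": "aws:kms"}},
            },
            {   # pin the key so a caller cannot pick one you do not control
                "Sid": "DenyWrongKmsKey",
                "Effect": "Deny", "Principal": "*", "Action": "s3:PutObject",
                "Resource": f"{bucket_arn}/*",
                "Condition": {"StringNotEquals": {
                    "s3:x-amz-server-side-encryption-aws-kms-key-id": kms_key_arn}},
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(operator: str, key: str, expected: str, context: dict) -> bool:
    """Semantics of the three operators, including absent-key behaviour."""
    present = key in context
    actual = context.get(key)
    if operator == "Bool":
        return present and actual.lower() == expected.lower()
    if operator == "StringNotEquals":
        return (not present) or actual != expected
    if operator == "Null":
        return (not present) if expected == "true" else present
    raise ValueError(f"operator not modelled: {operator}")


def denied_by(policy: dict, action: str, resource: str, context: dict) -> list:
    """Return the Sids of Deny statements that match the request.
    `context` holds the request condition keys (aws:SecureTransport, headers...)."""
    hits = []
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        conditions = st.get("Condition", {})
        if all(_condition_matches(op, k, v, context)
               for op, pairs in conditions.items() for k, v in pairs.items()):
            hits.append(st["Sid"])
    return hits


if __name__ == "__main__":
    key_arn = "arn:aws:kms:eu-central-1:123456789012:key/example"  # placeholder
    policy = tls_and_sse_kms_bucket_policy("example-bucket", key_arn)
    print(json.dumps(policy, indent=2))
    # A PUT over plain HTTP without an SSE header trips all three statements.
    print(denied_by(policy, "s3:PutObject", "arn:aws:s3:::example-bucket/report.csv",
                    {"aws:SecureTransport": "false"}))
```

Two caveats a practitioner should keep in mind: an explicit Deny in the bucket policy wins over any Allow in a user policy, which is exactly why it is the right place for these invariants; and the policy only governs new writes, so objects uploaded before it was attached stay as they are until they are re-encrypted through a copy (the "re-encryption through copy and versioning" item above).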
16. A view on S3
[Slide diagram: Admin (for instrumentation) → WebInterface / CLI / SDK / API → command path → AWS IAM → S3 endpoints → data path over HTTP(S) → Amazon S3 in a Region, buckets with objects. Controls shown: Bucket Policy, Object Policy, User Policy, S3 Logging]
17. Amazon API Gateway
• Secure Transport
• Setup of Paths
• Secure coding inside the Lambda functions
• Client Certificates
• CloudWatch Logs Logging
Security related features which need to be instrumented by the Architect
18. A view on API Gateway
[Slide diagram: AWS Region; Admin (for instrumentation) → WebInterface / CLI / SDK / API → command path → AWS IAM → API Gateway endpoints → data path over HTTP(S) → Amazon API Gateway (mock-ups, proxy); logging to CloudWatch Logs]
19. AWS Lambda
Possibilities which need to be instrumented by the Architect
• IAM Role needs to be tightly focused
• Secure Coding
• CloudWatch Logs Logging
• Well chosen triggers
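The four items above are what the architect, not AWS, controls for a function. The added example below (not from the talk or from AWS) shows them together for a function behind API Gateway: an execution-role policy scoped to one DynamoDB table and the function's own log group, a check that flags wildcard grants in such a policy, and a handler that rejects events from any other trigger, validates its input before touching state, and logs a structured line (request id, method, path, source IP) without ever logging the body or headers, which may carry tokens. Region, account id, table and function names are placeholders, and the in-memory STORE stands in for the DynamoDB table so the code runs offline.

```python
"""Constructed example: least-privilege role policy plus a defensive
API Gateway proxy handler. Names are placeholders; STORE replaces DynamoDB."""
import json
import logging
import re

log = logging.getLogger("orders")  # the Lambda runtime forwards stdlib logging to CloudWatch Logs
log.setLevel(logging.INFO)

ORDER_ID = re.compile(r"^[A-Za-z0-9-]{1,36}$")  # allow-list, not a deny-list
MAX_BODY = 4096
STORE = {}  # stand-in for the DynamoDB table


def execution_role_policy(region: str, account: str, table: str, function: str) -> dict:
    """Role policy limited to the one table and the function's own log group."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
             "Resource": f"arn:aws:dynamodb:{region}:{account}:table/{table}"},
            {"Effect": "Allow",
             "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
             "Resource": f"arn:aws:logs:{region}:{account}:log-group:/aws/lambda/{function}:*"},
        ],
    }


def wildcard_grants(policy: dict) -> list:
    """(action, resource) pairs where an Allow uses '*' for the resource or
    a full or service-wide ('s3:*') wildcard for the action."""
    hits = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        for action in actions:
            for resource in resources:
                if action == "*" or action.endswith(":*") or resource == "*":
                    hits.append((action, resource))
    return hits


def _response(status: int, body: dict) -> dict:
    return {"statusCode": status,
            "headers": {"Content-Type": "application/json"},
            "body": json.dumps(body)}


def handler(event: dict, context=None) -> dict:
    """Accept only POST /orders with a small JSON body; reject everything
    else before any state is touched."""
    request_context = event.get("requestContext", {})
    request_id = getattr(context, "aws_request_id", None) or request_context.get("requestId", "-")
    # Structured log line: who/what/where, never the body or headers.
    log.info(json.dumps({"request_id": request_id,
                         "method": event.get("httpMethod"),
                         "path": event.get("path"),
                         "source_ip": request_context.get("identity", {}).get("sourceIp")}))
    if "httpMethod" not in event:  # not an API Gateway proxy event: wrong trigger
        return _response(400, {"error": "unsupported event source"})
    if event["httpMethod"] != "POST" or event.get("path") != "/orders":
        return _response(405, {"error": "method not allowed"})
    if event.get("isBase64Encoded"):
        return _response(415, {"error": "binary bodies are not accepted"})
    body = event.get("body") or ""
    if len(body) > MAX_BODY:
        return _response(413, {"error": "body too large"})
    try:
        data = json.loads(body)
    except ValueError:
        return _response(400, {"error": "body is not valid JSON"})
    order_id = data.get("order_id") if isinstance(data, dict) else None
    qty = data.get("qty") if isinstance(data, dict) else None
    if not (isinstance(order_id, str) and ORDER_ID.match(order_id)):
        return _response(400, {"error": "invalid order_id"})
    if not (isinstance(qty, int) and not isinstance(qty, bool) and 1 <= qty <= 100):
        return _response(400, {"error": "qty must be an integer in 1..100"})
    STORE[order_id] = {"order_id": order_id, "qty": qty}  # DynamoDB PutItem in real life
    return _response(201, {"order_id": order_id, "qty": qty})


if __name__ == "__main__":
    print(wildcard_grants(execution_role_policy("eu-central-1", "123456789012", "orders", "orders-api")))
    print(handler({"httpMethod": "POST", "path": "/orders",
                   "body": '{"order_id": "A-100", "qty": 3}',
                   "requestContext": {"requestId": "r-1", "identity": {"sourceIp": "203.0.113.7"}}}))
```

The trigger check matters because the same function could be wired to S3, SQS or a schedule later; code that assumes the API Gateway event shape and then reads `event["body"]` from an S3 notification fails in surprising ways, and a handler that refuses unknown shapes up front is easier to reason about. The role policy is deliberately per function: one shared "lambda-admin" role is the serverless equivalent of running everything as root.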
20. A view on Lambda
[Slide diagram: AWS Region; Admin (for instrumentation) → WebInterface / CLI / SDK / API → command path → AWS IAM → API Gateway endpoints → data path over HTTP(S) → AWS Lambda → other services; logging to CloudWatch Logs]
22. A view on Messaging
[Slide diagram: AWS Region; Admin (for instrumentation) → WebInterface / CLI / SDK / API → command path → AWS IAM → API Gateway endpoints → data path over HTTP(S) → Amazon SES, Amazon SQS → other services; API calls recorded in CloudTrail]