© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Building Secure APIs in the cloud
SDD403-R
Xiang Shen, Solutions Architect, Amazon Web Services
Kevin Mccandless, Solutions Architect, Amazon Web Services
Related breakouts
• SDD401 Securing enterprise-grade serverless applications: Wednesday, Jun 26, 3:30 PM–4:30 PM | Level 0, Hall B2, Yellow
• SDD405-R1 Serverless identity management, authentication, and authorization: Wednesday, Jun 26, 10:30 AM–12:30 PM | Level 2, Room 210B
• SDD311 Using AWS WAF to protect against bots and scrapers: Wednesday, Jun 26, 1:45 PM–3:45 PM | Level 1, Room 104A
Agenda
Security risks for web applications
Amazon API Gateway
Hands-on labs
Q & A
OWASP top 10 security risks (https://www.owasp.org)

Rank  Security risk
1     Injection
2     Broken authentication
3     Sensitive data exposure
4     XML external entities (XXE)
5     Broken access control
6     Security misconfiguration
7     Cross-site scripting (XSS)
8     Insecure deserialization
9     Using components with known vulnerabilities
10    Insufficient logging and monitoring

Risk factors used in the ranking:
• Exploitability
• Prevalence
• Detectability
• Technical impact
OWASP top 10 mapped to security domains

Infrastructure
• Using components with known vulnerabilities (#9)
• Security misconfiguration (#6)

Data
• Sensitive data exposure (#3)

Code
• Injection (#1)
• XXE (#4)
• XSS (#7)
• Insecure deserialization (#8)
• Using components with known vulnerabilities (#9)

Identity and access
• Broken authentication (#2)
• Broken access control (#5)

Logging and monitoring
• Insufficient logging and monitoring (#10)
Manage APIs with Amazon API Gateway
[Figure: API Gateway reference architecture. Clients: Mobile apps, Websites, Services. Request path: Internet, Amazon CloudFront, API Gateway (with cache), Amazon CloudWatch monitoring. Regional or Private API Endpoints integrate with: AWS Lambda functions, Any other AWS service, All publicly accessible endpoints, and Endpoints in your VPC (AWS Lambda functions, Endpoints on Amazon EC2). Boundaries: Your VPC, AWS Cloud.]

The same diagram, annotated with the security controls API Gateway provides along that path:
• Resource Policy
• Input Validation
• WAF
• Usage Plan
• CORS
• AuthN/Z
• Private Integrations
• SSL Client Authentication
• AWS X-Ray
API Gateway: Three types of authorization

Identity sources: Amazon Cognito user pools, Amazon Cognito federated identities, custom identity providers.

Authorizer types:
• AWS Identity and Access Management (IAM) authorization
• Lambda authorizers (also called custom authorizers)
• User pools authorizers
API Gateway + Amazon Cognito: user pools authorizers
[Figure: Mobile app, API Gateway, Amazon Cognito user pools, Backend, Database. The user pool issues three tokens to the mobile app: identity, access, refresh. Labelled steps that survive in the extracted text: 4. Validate identity token; 5. Call backend.]
IAM-based authorization
[Figure: Mobile app, API Gateway, Amazon Cognito user pools, Amazon Cognito federated identities, IAM, Backend. Labelled steps that survive in the extracted text: 3. Request AWS credentials; 4. Validate ID token; 5. Temp AWS credentials; 8. Call backend.]
IAM policy detail
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Effect": "Allow",
      "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*"
    },
    {
      "Action": "execute-api:Invoke",
      "Effect": "Deny",
      "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*"
    }
  ]
}
The first statement allows invoking every method of API ff5h9tpwfh in any stage; the second is an explicit deny for POST on /locations/*, which overrides that allow because an explicit deny always wins in IAM evaluation.
Lambda authorizers
[Figure: Mobile app, API Gateway, Lambda authorizer, IAM, Backend. Labelled steps that survive in the extracted text: 4. Check policy cache; 5. Validate token; 6. Generate and return user IAM policy; 8. Call backend.]
Lambda authorizers: sample code
// AuthPolicy is the helper class from the AWS Lambda authorizer blueprint:
// new AuthPolicy(principalId, awsAccountId, apiOptions), where apiOptions
// carries the region, REST API id and stage used to build resource ARNs.
var testPolicy = new AuthPolicy("userIdentifier", "XXXXXXXXXXXX", apiOptions);
testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*");
testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*");
// Return the generated execute-api:Invoke policy to API Gateway.
callback(null, testPolicy.getPolicy());
Workshop labs – Starting point
[Figure: AWS Cloud, VPC spanning Availability Zone 1 and Availability Zone 2; Public subnet1 and Public subnet2, each with a NAT Gateway; Private subnet1 and Private subnet2 hosting lab-backend; Internet gateway; AWS Cloud9.]

Lab project architecture
[Figure: the starting-point VPC above, plus Network Load Balancing, API Gateway, Amazon Cognito, AWS X-Ray and CloudWatch.]
Hands-on labs
http://bit.ly/2WFWKiD
http://workshop.reinforce.awsdemo.me/
Thank you!
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Building secure APIs in the cloud - SDD403-R - AWS re:Inforce 2019

  • 7. Manage APIs with Amazon API Gateway. Mobile apps, Websites, Services; Internet; Amazon CloudFront; Amazon CloudWatch monitoring; API Gateway cache; Any other AWS service; All publicly accessible endpoints; AWS Lambda functions; Endpoints in your VPC; Regional or Private API Endpoints; AWS Lambda functions; Endpoints on Amazon EC2; Your VPC; AWS Cloud. Controls shown on the path: Resource Policy, Input Validation, WAF, Usage Plan, CORS, AuthN/Z, Private Integrations, SSL Client Authentication, AWS X-Ray.
  • 8. API Gateway: Three types of authorization. Identity sources: Amazon Cognito user pools, Amazon Cognito federated identities, Custom identity providers. Authorization types: AWS Identity and Access Management (IAM) authorization, Lambda authorizers, User pools authorizers.
  • 9. API Gateway: Three types of authorization. Amazon Cognito user pools, Amazon Cognito federated identities, Custom identity providers. IAM, Custom authorizers, User pools authorizers.
  • 10. API Gateway + Amazon Cognito. Mobile app, API Gateway, Amazon Cognito user pools, Database, Backend.
  • 11. User pools authorizers. Mobile app, API Gateway, Amazon Cognito user pools, Backend.
  • 12. User pools authorizers. Mobile app, API Gateway, Amazon Cognito user pools (tokens: Identity, Access, Refresh), Backend.
  • 13. User pools authorizers. Mobile app, API Gateway, Amazon Cognito user pools, Backend.
  • 14. User pools authorizers. Mobile app, API Gateway, Amazon Cognito user pools, Backend. Step 4: Validate identity token.
  • 15. User pools authorizers. Mobile app, API Gateway, Amazon Cognito user pools, Backend. Step 5: Call backend.
  • 16. API Gateway: Three types of authorization. Amazon Cognito user pools, Amazon Cognito federated identities, Custom identity providers. IAM authorization, Custom authorizers, User pools authorizers.
  • 17. IAM-based authorization. Mobile app, API Gateway, Amazon Cognito federated identities, Amazon Cognito user pools, IAM, Backend.
  • 18. IAM-based authorization. Mobile app, Amazon Cognito user pools, API Gateway, Amazon Cognito federated identities, IAM, Backend.
  • 19. IAM-based authorization. Mobile app, API Gateway, Amazon Cognito user pools, Amazon Cognito federated identities, IAM, Backend.
  • 20. IAM-based authorization. Mobile app, API Gateway, Amazon Cognito user pools, Amazon Cognito federated identities, IAM, Backend. Step 3: Request AWS credentials.
  • 21. IAM-based authorization. Mobile app, API Gateway, Amazon Cognito user pools, Amazon Cognito federated identities, IAM, Backend. Step 4: Validate ID token.
  • 22. IAM-based authorization. Mobile app, API Gateway, Amazon Cognito user pools, Amazon Cognito federated identities, IAM, Backend. Step 5: Temp AWS credentials.
  • 23. IAM-based authorization. Mobile app, Amazon API Gateway, Amazon Cognito user pools, Amazon Cognito federated identities, Backend, IAM.
  • 24. IAM-based authorization. Mobile app, API Gateway, Amazon Cognito user pools, Amazon Cognito federated identities, IAM, Backend.
  • 25. IAM-based authorization. Mobile app, API Gateway, Amazon Cognito user pools, Amazon Cognito federated identities, IAM, Backend. Step 8: Call backend.
  • 26. IAM policy detail:
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Action": "execute-api:Invoke",
            "Effect": "Allow",
            "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*"
          },
          {
            "Action": "execute-api:Invoke",
            "Effect": "Deny",
            "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*"
          }
        ]
      }
  • 27. API Gateway: Three types of authorization. Amazon Cognito user pools, Amazon Cognito federated identities, Custom identity providers. IAM authorization, Custom authorizers, User pools authorizers.
  • 28. Lambda authorizers. Lambda authorizer, Mobile app, API Gateway, IAM, Backend.
  • 29. Lambda authorizers. Mobile app, API Gateway, Lambda authorizer, Backend, IAM.
  • 30. Lambda authorizers. Mobile app, API Gateway, Lambda authorizer, Backend, IAM.
  • 31. Lambda authorizers. Mobile app, API Gateway, Lambda authorizer, Backend, IAM.
  • 32. Lambda authorizers. Mobile app, API Gateway, Lambda authorizer, Backend, IAM. Step 4: Check policy cache.
  • 33. Lambda authorizers. Mobile app, API Gateway, Lambda authorizer, Backend, IAM. Step 5: Validate token.
  • 34. Lambda authorizers. Lambda authorizer, Mobile app, API Gateway, Backend, IAM. Step 6: Generate and return user IAM policy.
  • 35. Lambda authorizers. Mobile app, API Gateway, Lambda authorizer, Backend, IAM.
  • 36. Lambda authorizers. Mobile app, API Gateway, Lambda authorizer, Backend, IAM. Step 8: Call backend.
  • 37. Lambda authorizers, sample code:
      var testPolicy = new AuthPolicy("userIdentifier", "XXXXXXXXXXXX", apiOptions);
      testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*");
      testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*");
      callback(null, testPolicy.getPolicy());
  • 38. Workshop labs – Starting point. AWS Cloud, VPC, Availability Zone 1, Availability Zone 2, Public subnet1, Public subnet2, Private subnet1, Private subnet2, NAT Gateway, NAT Gateway, Internet gateway, AWS Cloud9, lab-backend.
  • 39. Lab project architecture. AWS Cloud, VPC, Availability Zone 1, Availability Zone 2, Public subnet1, Public subnet2, Private subnet1, Private subnet2, NAT Gateway, NAT Gateway, Internet gateway, AWS Cloud9, lab-backend, Network Load Balancing, API Gateway, Amazon Cognito, AWS X-Ray, CloudWatch.
  • 40. Hands-on labs: http://bit.ly/2WFWKiD and http://workshop.reinforce.awsdemo.me/
  • 41. Thank you!