Securing serverless and container services - SDD306 - AWS re:Inforce 2019

1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Securing serverless and container services Tomas Clemente Sanchez Senior Security Consultant AWS ProServe Global Financial Services Amazon Web Services S D D 3 0 6

3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Related breakouts Tuesday, June 25 GRC340 – Container runtime security and automation 4:00 PM–5:00 PM | Level 1, Room 151B, Table 4 Wednesday, June 26 SEP309 – Containers and mission-critical applications 2:00 PM–3:00 PM | Level 2, Room 258B Wednesday, June 26 SDD401 – Securing enterprise-grade serverless applications 3:30 PM–4:30 PM | Level 0, Hall B2, Yellow

6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is serverless? No infrastructure provisioning, no management Automatic scaling Pay for value Highly available and secure

7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Lambda AWS Fargate Amazon API Gateway Amazon SNS Amazon SQS AWS Step Functions Compute Data stores Integration Amazon Aurora Serverless Amazon S3 Amazon DynamoDB AWS AppSync

8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda functions API Gateway Core business logic RESTful microservices DynamoDB https://api.myapp.com AWS Cloud Mobile app Pure serverless can be straightforward

9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. 1-n Lambda function sets 1-n API Gateways Microservices environment ... ... Various clients, potentially including other microservices Various data tier components, as needed AWS Cloud DynamoDBMobile client Amazon ElastiCache Amazon S3 Serverless architectural patterns are easily scalable

10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda functions Amazon S3 API Gateway Dynamic website content Web application Amazon CloudFront distribution Static website content (HTML/JS/CSS) DynamoDB Amazon RDS ElastiCache Amazon S3 https://api.example.com VPC AWS Cloud Web browser Some infrastructure is still there

11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda functions Amazon Cognito API Gateway AWS Security Token Service (AWS STS) Core business logic Mobile backend User identity management DynamoDB Amazon RDS ElastiCache Amazon S3 https://api.myapp.com AWS Cloud VPC Mobile app Core business logic elements can be code or containers Amazon ECS Lambda functions

12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Common security approach • Serverless and containers share a common pattern: microservices • Core business logic can be modeled as code or containers • We can reuse the same thought model for both serverless and containers to design secure architectures

14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security domains Communications (messaging, networking, and streaming) Data Compute Access management and identity Edge Lambda functions API Gateway Step Functions Amazon ECS Amazon EKSAWS Fargate DynamoDB Amazon RDS ElastiCache Amazon S3 AWS AppSync Amazon SNS Amazon Kinesis Amazon VPC Amazon Cognito AWS Identity and Access Management (IAM) Amazon CloudWatch AWS X-Ray Amazon CloudFront Systems Monitoring & Deployment AWS CloudTrail AWS SAM No infra More infra

15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud adoption framework – Security perspective CloudWatch CloudTrailAWS Trusted Advisor Amazon Cognito Amazon GuardDuty AWS Certificate Manager IAM AWS KMS AWS Security Hub AWS Secrets Manager AWS ShieldAWS WAF Amazon VPC PrivateLink Lambda functions CloudWatch X-Ray

16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless compute engine for containers Long-running Bring existing code Fully managed orchestration AWS Fargate Let’s focus on the compute layer Serverless event-driven code execution Short-lived All language runtimes Data source integrations AWS Lambda Elastic container service For Kubernetes No control plane to manage Deploy worker nodes Amazon EKS Kubernetes- certified Amazon EKS Elastic container services Container orchestration Deploy in a VPC Docker-oriented Amazon ECS

17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Comparison of operational responsibility Lambda Serverless functions Fargate Serverless containers Amazon ECS/ Amazon EKS Container management as a service Amazon EC2 Infrastructure as a service More opinionated Less opinionated AWS manages Customer manages • Data source integrations • Physical hardware, software, networking, and facilities • Provisioning • Application code • Container orchestration, provisioning • Cluster scaling • Physical hardware, host OS/kernel, networking, and facilities • Application code • Data source integrations • Security config and updates, network config, management tasks • Container orchestration control plane • Physical hardware software, networking, and facilities • Application code • Data source integrations • Work clusters • Security config and updates, network config, firewall, management tasks • Physical hardware software, networking, and facilities • Application code • Data source integrations • Scaling • Security config and updates, network config, management tasks • Provisioning, managing scaling and patching of servers

18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security in compute Layer Input validation • AWS WAF: • XSS rules • SQL injection rules • Use Lambda layers • Secrets Manager • AWS Systems Manager Dependency vulnerabilities Storing secrets

19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda layers Lets functions easily share code: Upload layer once, reference within any function Promote separation of responsibilities, lets developers iterate faster on writing business logic Built-in support for secure sharing by ecosystem

21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda execution environments • Upon invocation, Lambda data plane creates execution environment (or chooses an existing one) in a microVM including: • The function code • Any Lambda layers selected for your function • The function runtime, either built-in (Java 8, NodeJS 8, Python 3.7, etc.) or custom runtime • A minimal Linux userland based on Amazon Linux • Execution environments are never shared across functions, and microVMs are never shared across AWS accounts

23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda design considerations • First invocation of a Lambda function requires “bootstrapping,” which adds some latency. • Execution environments can be reused by subsequent invocations, with no memory scrub. • Execution environments includes a writeable file system, available at /tmp. that remains for the lifetime of the execution environment. • Lambda provides patching and updates for supported runtimes. Maintenance of custom runtimes is customer responsibility.

24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda best practices • Plan for cold start to optimize microVM reuse • Minimize package size to necessities • ENIs for VPC support are attached during cold start • Instantiate AWS clients and database clients outside the scope of the Lambda handler • Avoid code to read or write to /tmp if not needed • Leverage AWS-supported runtimes to avoid heavy lifting of custom runtimes import sys import logging import rds_config import pymysql rds_host = "rds-instance" db_name = rds_config.db_name try: conn = pymysql.connect( except: logger.error("ERROR: def handler(event, context): with conn.cursor() as cur: Executes with each invocation Executes during cold start

25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon ECS and AWS Fargate ECS agent Docker agent OS EC2 instance ECS agent Docker agent OS EC2 instance VPC Auto Scaling group AWS Fargate Amazon ECS Task Task 1 Service Cluster Task Service VPC CPU and memory Task 2 Task 1 Task 2 Task 1 Task 2

26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon ECS and AWS Fargate Networking • ECS uses instance ENI by default, and awsvpc (task ENI) as an option • Can use existing VPC SG and NACL IAM • Granular Amazon ECS services role and task roles Host • Customer provisioning, patching, and scaling • Direct access to the underlying infra • Privileged access is allowed Networking • Fargate requires awsvpc, all traffic uses the task ENI • Private and public IP setup for inbound traffic, outbound is allowed IAM • Granular Amazon ECS services role and task roles Host • AWS patches the platform version • No direct access to the underlying infra • Privileged access is forbidden AWS FargateAmazon ECS

27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security in data layer Data classification Data backup/replicationData encryption at rest Data flow Data encryption in transit Data tokenization

28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security in access management and identity layer Access control between services Authenticate and authorize end users/clients

30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Dive deep on X-Ray Analyze and debug issues quickly End-to-end view of individual services Identify customer impact Support for serverless and container

31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. X-Ray integration with serverless • Lambda instruments incoming requests for all supported languages • Lambda runs the X-Ray daemon on all languages with an SDK var AWSXRay = require(‘aws-xray-sdk-core‘); AWSXRay.middleware.setSamplingRules(‘sampling-rules.json’); var AWS = AWSXRay.captureAWS(require(‘aws-sdk’)); S3Client = AWS.S3();

32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. X-Ray integration with containers • Build your application • Deploy a X-Ray docker/pod on each worker node • EC2Plugin and ECSPlugin can be used to send extra information about the underlying infra (except when using AWS Fargate)

36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS developer tools for CI/CD Source Build Test Deploy Monitor AWS CodeBuild + third-party tools AWS CodeCommit AWS CodeDeploy AWS CodePipeline AWS CodeBuild X-Ray

37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How can we ensure security in the deployment? CodeBuild Amazon SNS S3 bucket Stack Stack Pre-create Create stacks Post-create Deploy region Region Region cfn-nag AWS CloudFormationCodeCommit CodePipeline Developer

38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Integrate security controls in CI/CD pipelines Developer CodeBuild Amazon SNS S3 bucket 65 65 Stack Stack Pre-create Create stacks Post-create Deploy region Region Region cfn-nag AWS CloudFormationCodeCommit CodePipeline Security

39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Delivery via CodePipeline 1. Commit your code to a source code repository 2. Package/test in CodeBuild, including container packaging and security controls 3. Use AWS CloudFormation actions in CodePipeline to create or update stacks via AWS SAM templates • Optional: Make use of ChangeSets 4. Test your application and increase control severity between stages/environments • Optional: Make use of manual approvals

40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. CodeDeploy and Lambda canary deployments • Direct a portion of traffic to a new version • Monitor stability with CloudWatch • Initiate rollback if needed • Incorporate into your AWS SAM templates

44. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Pattern architecture Developer AWS CodeCommitCode Code Analysis Test Production Security Source Code Validation Master Pipeline CloudFormation Template CloudFormation Repo CFNCompliance Validation Service Test Controls Security and Compliance Controls Code Code CFNSecurity Validation App Testing Validation App Deployment Pipeline