SlideShare a Scribd company logo

Securing serverless and container services - SDD306 - AWS re:Inforce 2019

Most customers are uncertain of how to secure their serverless services because these services deviate from traditional perimeter security. Additionally, many security stakeholders do not have as much insight into serverless architectures as developer communities. In this session, we provide best practices, patterns, and demos on securing serverless services using a combination of secure coding practices with partner code libraries, DevOps principles, code/container version control using code, and a deep understanding of serverless services such as AWS Lambda, AWS Fargate, and Amazon EKS. We aim to provide some baselining mechanisms and patterns to build full serverless and secure service architectures.

1 of 45
Download to read offline
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing serverless and container
services
Tomas Clemente Sanchez
Senior Security Consultant
AWS ProServe Global Financial Services
Amazon Web Services
S D D 3 0 6
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
• Serverless and containers
• Security of serverless and containers
• Security and deployment
• Demo
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakouts
Tuesday, June 25
GRC340 – Container runtime security and automation
4:00 PM–5:00 PM | Level 1, Room 151B, Table 4
Wednesday, June 26
SEP309 – Containers and mission-critical applications
2:00 PM–3:00 PM | Level 2, Room 258B
Wednesday, June 26
SDD401 – Securing enterprise-grade serverless applications
3:30 PM–4:30 PM | Level 0, Hall B2, Yellow
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
“No server is easier to manage than
no server.”
Werner Vogels
Amazon CTO
© 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
What is serverless?
No infrastructure provisioning,
no management
Automatic scaling
Pay for value Highly available and secure

Recommended

Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Amazon Web Services
 
Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Architecting security and governance through policy guardrails in Amazon EKS ...
Architecting security and governance through policy guardrails in Amazon EKS ...Amazon Web Services
 
Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Scale permissions management in AWS with attribute-based access control - SDD...
Scale permissions management in AWS with attribute-based access control - SDD...Amazon Web Services
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Amazon Web Services
 
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...
Pop the hood: Using AWS resources to attest to security of the cloud - GRC310...Amazon Web Services
 
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019
Securing your block storage on AWS - GRC207 - AWS re:Inforce 2019 Amazon Web Services
 
Building a well-engaged and secure AWS account access management - FND207-R ...
 Building a well-engaged and secure AWS account access management - FND207-R ... Building a well-engaged and secure AWS account access management - FND207-R ...
Building a well-engaged and secure AWS account access management - FND207-R ...Amazon Web Services
 
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019 Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019
Containers and mission-critical applications - SEP309-R - AWS re:Inforce 2019 Amazon Web Services
 

More Related Content

What's hot

Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Amazon Web Services
 
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...Amazon Web Services
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Amazon Web Services
 
New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...Amazon Web Services
 
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Amazon Web Services
 
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...Amazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Amazon Web Services
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...Amazon Web Services
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Amazon Web Services
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Amazon Web Services
 
Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Amazon Web Services
 
Innovating FIPS crypto validation in the Cloud - SEP321 - AWS re:Inforce 2019
Innovating FIPS crypto validation in the Cloud - SEP321 - AWS re:Inforce 2019 Innovating FIPS crypto validation in the Cloud - SEP321 - AWS re:Inforce 2019
Innovating FIPS crypto validation in the Cloud - SEP321 - AWS re:Inforce 2019 Amazon Web Services
 
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Amazon Web Services
 
Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Amazon Web Services
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Amazon Web Services
 
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Amazon Web Services
 
Design for compliance: Practical patterns for meeting your IT compliance requ...
Design for compliance: Practical patterns for meeting your IT compliance requ...Design for compliance: Practical patterns for meeting your IT compliance requ...
Design for compliance: Practical patterns for meeting your IT compliance requ...Amazon Web Services
 
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Amazon Web Services
 
Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
 Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019  Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019 Amazon Web Services
 

What's hot (20)

Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
Build end-to-end IT lifecycle management on AWS - FND301-R - AWS re:Inforce 2...
 
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
Don’t be a haven for attackers: Mitigate misconfigurations with AWS Service C...
 
Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...Evolving perimeters with guardrails, not gates: Improving developer agility -...
Evolving perimeters with guardrails, not gates: Improving developer agility -...
 
New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...New ways to automate compliance verification on AWS using provable security -...
New ways to automate compliance verification on AWS using provable security -...
 
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
Enforcing security invariants with AWS Organizations - SDD314 - AWS re:Inforc...
 
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
How to secure your Active Directory deployment on AWS - FND306-R - AWS re:Inf...
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWS
 
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
Cross-account encryption with AWS KMS and Slack Enterprise Key Management - S...
 
How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...How encryption works in AWS: What assurances do you have that unauthorized us...
How encryption works in AWS: What assurances do you have that unauthorized us...
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
 
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019 Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
Cloud auditing workshop - GRC323 - AWS re:Inforce 2019
 
Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...Capital One case study: Addressing compliance and security within AWS - FND21...
Capital One case study: Addressing compliance and security within AWS - FND21...
 
Innovating FIPS crypto validation in the Cloud - SEP321 - AWS re:Inforce 2019
Innovating FIPS crypto validation in the Cloud - SEP321 - AWS re:Inforce 2019 Innovating FIPS crypto validation in the Cloud - SEP321 - AWS re:Inforce 2019
Innovating FIPS crypto validation in the Cloud - SEP321 - AWS re:Inforce 2019
 
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019 Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
Audibility in Kubernetes with Amazon EKS - GRC302 - AWS re:Inforce 2019
 
Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...Integrating security testing into your container build pipeline - SDD308 - AW...
Integrating security testing into your container build pipeline - SDD308 - AW...
 
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019 Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
Security best practices the well-architected way - SDD318 - AWS re:Inforce 2019
 
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
Permissions boundaries: how to truly delegate permissions on AWS - SDD406-R -...
 
Design for compliance: Practical patterns for meeting your IT compliance requ...
Design for compliance: Practical patterns for meeting your IT compliance requ...Design for compliance: Practical patterns for meeting your IT compliance requ...
Design for compliance: Practical patterns for meeting your IT compliance requ...
 
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019 Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
Build security into your golden AMI pipeline - DEM08 - AWS reInforce 2019
 
Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
 Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019  Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
 

Similar to Securing serverless and container services - SDD306 - AWS re:Inforce 2019

Serverless use cases with AWS Lambda
Serverless use cases with AWS Lambda Serverless use cases with AWS Lambda
Serverless use cases with AWS Lambda Boaz Ziniman
 
Architecting-for-the-cloud-Best-Practices
Architecting-for-the-cloud-Best-PracticesArchitecting-for-the-cloud-Best-Practices
Architecting-for-the-cloud-Best-PracticesAmazon Web Services
 
Java Developer on AWS 在AWS上開發Java應用
Java Developer on AWS 在AWS上開發Java應用Java Developer on AWS 在AWS上開發Java應用
Java Developer on AWS 在AWS上開發Java應用Amazon Web Services
 
AWS SSA Webinar 7 - Getting Started on AWS
AWS SSA Webinar 7 - Getting Started on AWSAWS SSA Webinar 7 - Getting Started on AWS
AWS SSA Webinar 7 - Getting Started on AWSCobus Bernard
 
AWSomeDay Zurich 2018 - How to go serverless
AWSomeDay Zurich 2018 - How to go serverless AWSomeDay Zurich 2018 - How to go serverless
AWSomeDay Zurich 2018 - How to go serverless Roman Plessl
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 
Twelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
Twelve-factor serverless applications - MAD302 - Santa Clara AWS SummitTwelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
Twelve-factor serverless applications - MAD302 - Santa Clara AWS SummitAmazon Web Services
 
Simplifying Microsoft Architectures with AWS Services
Simplifying Microsoft Architectures with AWS Services Simplifying Microsoft Architectures with AWS Services
Simplifying Microsoft Architectures with AWS Services Amazon Web Services
 
Cloud computing-Practical Example
Cloud computing-Practical ExampleCloud computing-Practical Example
Cloud computing-Practical ExampleTasawar Gulzar
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineAmazon Web Services
 
Introduction to Serverless Computing - OOP Munich
 Introduction to Serverless Computing - OOP Munich Introduction to Serverless Computing - OOP Munich
Introduction to Serverless Computing - OOP MunichBoaz Ziniman
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...Chris Munns
 
SRV203 Getting Started with AWS Lambda and the Serverless Cloud
SRV203 Getting Started with AWS Lambda and the Serverless CloudSRV203 Getting Started with AWS Lambda and the Serverless Cloud
SRV203 Getting Started with AWS Lambda and the Serverless CloudAmazon Web Services
 
Fast-Track Your Application Modernisation Journey with Containers - AWS Summi...
Fast-Track Your Application Modernisation Journey with Containers - AWS Summi...Fast-Track Your Application Modernisation Journey with Containers - AWS Summi...
Fast-Track Your Application Modernisation Journey with Containers - AWS Summi...Amazon Web Services
 
Getting Started with Serverless Architectures
Getting Started with Serverless ArchitecturesGetting Started with Serverless Architectures
Getting Started with Serverless ArchitecturesAmazon Web Services
 
Getting started building your first serverless web application on AWS
Getting started building  your first serverless web application on AWSGetting started building  your first serverless web application on AWS
Getting started building your first serverless web application on AWSIoannis Polyzos
 

Similar to Securing serverless and container services - SDD306 - AWS re:Inforce 2019 (20)

Serverless use cases with AWS Lambda
Serverless use cases with AWS Lambda Serverless use cases with AWS Lambda
Serverless use cases with AWS Lambda
 
Architecting-for-the-cloud-Best-Practices
Architecting-for-the-cloud-Best-PracticesArchitecting-for-the-cloud-Best-Practices
Architecting-for-the-cloud-Best-Practices
 
Java Developer on AWS 在AWS上開發Java應用
Java Developer on AWS 在AWS上開發Java應用Java Developer on AWS 在AWS上開發Java應用
Java Developer on AWS 在AWS上開發Java應用
 
Java-Developer-on-AWS
Java-Developer-on-AWSJava-Developer-on-AWS
Java-Developer-on-AWS
 
AWS SSA Webinar 7 - Getting Started on AWS
AWS SSA Webinar 7 - Getting Started on AWSAWS SSA Webinar 7 - Getting Started on AWS
AWS SSA Webinar 7 - Getting Started on AWS
 
AWSomeDay Zurich 2018 - How to go serverless
AWSomeDay Zurich 2018 - How to go serverless AWSomeDay Zurich 2018 - How to go serverless
AWSomeDay Zurich 2018 - How to go serverless
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 
Twelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
Twelve-factor serverless applications - MAD302 - Santa Clara AWS SummitTwelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
Twelve-factor serverless applications - MAD302 - Santa Clara AWS Summit
 
AWS 101
AWS 101AWS 101
AWS 101
 
Simplifying Microsoft Architectures with AWS Services
Simplifying Microsoft Architectures with AWS Services Simplifying Microsoft Architectures with AWS Services
Simplifying Microsoft Architectures with AWS Services
 
Cloud computing-Practical Example
Cloud computing-Practical ExampleCloud computing-Practical Example
Cloud computing-Practical Example
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
Introduction to Serverless Computing - OOP Munich
 Introduction to Serverless Computing - OOP Munich Introduction to Serverless Computing - OOP Munich
Introduction to Serverless Computing - OOP Munich
 
Introduction to Serverless
Introduction to ServerlessIntroduction to Serverless
Introduction to Serverless
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
 
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
 
SRV203 Getting Started with AWS Lambda and the Serverless Cloud
SRV203 Getting Started with AWS Lambda and the Serverless CloudSRV203 Getting Started with AWS Lambda and the Serverless Cloud
SRV203 Getting Started with AWS Lambda and the Serverless Cloud
 
Fast-Track Your Application Modernisation Journey with Containers - AWS Summi...
Fast-Track Your Application Modernisation Journey with Containers - AWS Summi...Fast-Track Your Application Modernisation Journey with Containers - AWS Summi...
Fast-Track Your Application Modernisation Journey with Containers - AWS Summi...
 
Getting Started with Serverless Architectures
Getting Started with Serverless ArchitecturesGetting Started with Serverless Architectures
Getting Started with Serverless Architectures
 
Getting started building your first serverless web application on AWS
Getting started building  your first serverless web application on AWSGetting started building  your first serverless web application on AWS
Getting started building your first serverless web application on AWS
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Come costruire un'architettura Serverless nel Cloud AWS
Come costruire un'architettura Serverless nel Cloud AWSCome costruire un'architettura Serverless nel Cloud AWS
Come costruire un'architettura Serverless nel Cloud AWSAmazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Come costruire un'architettura Serverless nel Cloud AWS
Come costruire un'architettura Serverless nel Cloud AWSCome costruire un'architettura Serverless nel Cloud AWS
Come costruire un'architettura Serverless nel Cloud AWS
 

Securing serverless and container services - SDD306 - AWS re:Inforce 2019

  • 1. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Securing serverless and container services Tomas Clemente Sanchez Senior Security Consultant AWS ProServe Global Financial Services Amazon Web Services S D D 3 0 6
  • 2. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Agenda • Serverless and containers • Security of serverless and containers • Security and deployment • Demo
  • 3. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Related breakouts Tuesday, June 25 GRC340 – Container runtime security and automation 4:00 PM–5:00 PM | Level 1, Room 151B, Table 4 Wednesday, June 26 SEP309 – Containers and mission-critical applications 2:00 PM–3:00 PM | Level 2, Room 258B Wednesday, June 26 SDD401 – Securing enterprise-grade serverless applications 3:30 PM–4:30 PM | Level 0, Hall B2, Yellow
  • 4. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 5. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. “No server is easier to manage than no server.” Werner Vogels Amazon CTO
  • 6. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What is serverless? No infrastructure provisioning, no management Automatic scaling Pay for value Highly available and secure
  • 7. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Lambda AWS Fargate Amazon API Gateway Amazon SNS Amazon SQS AWS Step Functions Compute Data stores Integration Amazon Aurora Serverless Amazon S3 Amazon DynamoDB AWS AppSync
  • 8. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda functions API Gateway Core business logic RESTful microservices DynamoDB https://api.myapp.com AWS Cloud Mobile app Pure serverless can be straightforward
  • 9. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. 1-n Lambda function sets 1-n API Gateways Microservices environment ... ... Various clients, potentially including other microservices Various data tier components, as needed AWS Cloud DynamoDBMobile client Amazon ElastiCache Amazon S3 Serverless architectural patterns are easily scalable
  • 10. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda functions Amazon S3 API Gateway Dynamic website content Web application Amazon CloudFront distribution Static website content (HTML/JS/CSS) DynamoDB Amazon RDS ElastiCache Amazon S3 https://api.example.com VPC AWS Cloud Web browser Some infrastructure is still there
  • 11. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda functions Amazon Cognito API Gateway AWS Security Token Service (AWS STS) Core business logic Mobile backend User identity management DynamoDB Amazon RDS ElastiCache Amazon S3 https://api.myapp.com AWS Cloud VPC Mobile app Core business logic elements can be code or containers Amazon ECS Lambda functions
  • 12. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Common security approach • Serverless and containers share a common pattern: microservices • Core business logic can be modeled as code or containers • We can reuse the same thought model for both serverless and containers to design secure architectures
  • 13. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 14. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security domains Communications (messaging, networking, and streaming) Data Compute Access management and identity Edge Lambda functions API Gateway Step Functions Amazon ECS Amazon EKSAWS Fargate DynamoDB Amazon RDS ElastiCache Amazon S3 AWS AppSync Amazon SNS Amazon Kinesis Amazon VPC Amazon Cognito AWS Identity and Access Management (IAM) Amazon CloudWatch AWS X-Ray Amazon CloudFront Systems Monitoring & Deployment AWS CloudTrail AWS SAM No infra More infra
  • 15. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Cloud adoption framework – Security perspective CloudWatch CloudTrailAWS Trusted Advisor Amazon Cognito Amazon GuardDuty AWS Certificate Manager IAM AWS KMS AWS Security Hub AWS Secrets Manager AWS ShieldAWS WAF Amazon VPC PrivateLink Lambda functions CloudWatch X-Ray
  • 16. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Serverless compute engine for containers Long-running Bring existing code Fully managed orchestration AWS Fargate Let’s focus on the compute layer Serverless event-driven code execution Short-lived All language runtimes Data source integrations AWS Lambda Elastic container service For Kubernetes No control plane to manage Deploy worker nodes Amazon EKS Kubernetes- certified Amazon EKS Elastic container services Container orchestration Deploy in a VPC Docker-oriented Amazon ECS
  • 17. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Comparison of operational responsibility Lambda Serverless functions Fargate Serverless containers Amazon ECS/ Amazon EKS Container management as a service Amazon EC2 Infrastructure as a service More opinionated Less opinionated AWS manages Customer manages • Data source integrations • Physical hardware, software, networking, and facilities • Provisioning • Application code • Container orchestration, provisioning • Cluster scaling • Physical hardware, host OS/kernel, networking, and facilities • Application code • Data source integrations • Security config and updates, network config, management tasks • Container orchestration control plane • Physical hardware software, networking, and facilities • Application code • Data source integrations • Work clusters • Security config and updates, network config, firewall, management tasks • Physical hardware software, networking, and facilities • Application code • Data source integrations • Scaling • Security config and updates, network config, management tasks • Provisioning, managing scaling and patching of servers
  • 18. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security in compute Layer Input validation • AWS WAF: • XSS rules • SQL injection rules • Use Lambda layers • Secrets Manager • AWS Systems Manager Dependency vulnerabilities Storing secrets
  • 19. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda layers Lets functions easily share code: Upload layer once, reference within any function Promote separation of responsibilities, lets developers iterate faster on writing business logic Built-in support for secure sharing by ecosystem
  • 20. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. What about insecure code?
  • 21. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda execution environments • Upon invocation, Lambda data plane creates execution environment (or chooses an existing one) in a microVM including: • The function code • Any Lambda layers selected for your function • The function runtime, either built-in (Java 8, NodeJS 8, Python 3.7, etc.) or custom runtime • A minimal Linux userland based on Amazon Linux • Execution environments are never shared across functions, and microVMs are never shared across AWS accounts
  • 22. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Isolation between MicroVMs Two models: EC2 instances and Firecracker (open source hypervisor)
  • 23. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda design considerations • First invocation of a Lambda function requires “bootstrapping,” which adds some latency. • Execution environments can be reused by subsequent invocations, with no memory scrub. • Execution environments includes a writeable file system, available at /tmp. that remains for the lifetime of the execution environment. • Lambda provides patching and updates for supported runtimes. Maintenance of custom runtimes is customer responsibility.
  • 24. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Lambda best practices • Plan for cold start to optimize microVM reuse • Minimize package size to necessities • ENIs for VPC support are attached during cold start • Instantiate AWS clients and database clients outside the scope of the Lambda handler • Avoid code to read or write to /tmp if not needed • Leverage AWS-supported runtimes to avoid heavy lifting of custom runtimes import sys import logging import rds_config import pymysql rds_host = "rds-instance" db_name = rds_config.db_name try: conn = pymysql.connect( except: logger.error("ERROR: def handler(event, context): with conn.cursor() as cur: Executes with each invocation Executes during cold start
  • 25. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon ECS and AWS Fargate ECS agent Docker agent OS EC2 instance ECS agent Docker agent OS EC2 instance VPC Auto Scaling group AWS Fargate Amazon ECS Task Task 1 Service Cluster Task Service VPC CPU and memory Task 2 Task 1 Task 2 Task 1 Task 2
  • 26. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Amazon ECS and AWS Fargate Networking • ECS uses instance ENI by default, and awsvpc (task ENI) as an option • Can use existing VPC SG and NACL IAM • Granular Amazon ECS services role and task roles Host • Customer provisioning, patching, and scaling • Direct access to the underlying infra • Privileged access is allowed Networking • Fargate requires awsvpc, all traffic uses the task ENI • Private and public IP setup for inbound traffic, outbound is allowed IAM • Granular Amazon ECS services role and task roles Host • AWS patches the platform version • No direct access to the underlying infra • Privileged access is forbidden AWS FargateAmazon ECS
  • 27. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security in data layer Data classification Data backup/replicationData encryption at rest Data flow Data encryption in transit Data tokenization
  • 28. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security in access management and identity layer Access control between services Authenticate and authorize end users/clients
  • 29. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. X-Ray Security in system monitoring layer Logging and tracing Metrics Compliance validation
  • 30. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Dive deep on X-Ray Analyze and debug issues quickly End-to-end view of individual services Identify customer impact Support for serverless and container
  • 31. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. X-Ray integration with serverless • Lambda instruments incoming requests for all supported languages • Lambda runs the X-Ray daemon on all languages with an SDK var AWSXRay = require(‘aws-xray-sdk-core‘); AWSXRay.middleware.setSamplingRules(‘sampling-rules.json’); var AWS = AWSXRay.captureAWS(require(‘aws-sdk’)); S3Client = AWS.S3();
  • 32. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. X-Ray integration with containers • Build your application • Deploy a X-Ray docker/pod on each worker node • EC2Plugin and ECSPlugin can be used to send extra information about the underlying infra (except when using AWS Fargate)
  • 33. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. X-Ray view example
  • 34. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. X-Ray trace example
  • 35. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 36. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS developer tools for CI/CD Source Build Test Deploy Monitor AWS CodeBuild + third-party tools AWS CodeCommit AWS CodeDeploy AWS CodePipeline AWS CodeBuild X-Ray
  • 37. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. How can we ensure security in the deployment? CodeBuild Amazon SNS S3 bucket Stack Stack Pre-create Create stacks Post-create Deploy region Region Region cfn-nag AWS CloudFormationCodeCommit CodePipeline Developer
  • 38. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Integrate security controls in CI/CD pipelines Developer CodeBuild Amazon SNS S3 bucket 65 65 Stack Stack Pre-create Create stacks Post-create Deploy region Region Region cfn-nag AWS CloudFormationCodeCommit CodePipeline Security
  • 39. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Delivery via CodePipeline 1. Commit your code to a source code repository 2. Package/test in CodeBuild, including container packaging and security controls 3. Use AWS CloudFormation actions in CodePipeline to create or update stacks via AWS SAM templates • Optional: Make use of ChangeSets 4. Test your application and increase control severity between stages/environments • Optional: Make use of manual approvals
  • 40. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. CodeDeploy and Lambda canary deployments • Direct a portion of traffic to a new version • Monitor stability with CloudWatch • Initiate rollback if needed • Incorporate into your AWS SAM templates
  • 41. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Security in deployment layer Code quality StrategiesVersion control
  • 42. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved.
  • 43. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Pipeline pattern Developer Code CloudFormation template Ingest Code Analysis Test Deployment Prod DeploymentSecurity
  • 44. © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Pattern architecture Developer AWS CodeCommitCode Code Analysis Test Production Security Source Code Validation Master Pipeline CloudFormation Template CloudFormation Repo CFNCompliance Validation Service Test Controls Security and Compliance Controls Code Code CFNSecurity Validation App Testing Validation App Deployment Pipeline
  • 45. Thank you! © 2019,Amazon Web Services, Inc. or its affiliates. All rights reserved. Tomas Clemente Sanchez tomascle@amazon.com