
Securing serverless and container services - SDD306 - AWS re:Inforce 2019


Most customers are uncertain of how to secure their serverless services because these services deviate from traditional perimeter security. Additionally, many security stakeholders do not have as much insight into serverless architectures as developer communities. In this session, we provide best practices, patterns, and demos on securing serverless services using a combination of secure coding practices with partner code libraries, DevOps principles, code/container version control using code, and a deep understanding of serverless services such as AWS Lambda, AWS Fargate, and Amazon EKS. We aim to provide some baselining mechanisms and patterns to build full serverless and secure service architectures.


  1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved. Securing serverless and container services. Tomas Clemente Sanchez, Senior Security Consultant, AWS ProServe Global Financial Services, Amazon Web Services. SDD306
  2. Agenda • Serverless and containers • Security of serverless and containers • Security and deployment • Demo
  3. Related breakouts • Tuesday, June 25: GRC340 – Container runtime security and automation, 4:00 PM–5:00 PM, Level 1, Room 151B, Table 4 • Wednesday, June 26: SEP309 – Containers and mission-critical applications, 2:00 PM–3:00 PM, Level 2, Room 258B • Wednesday, June 26: SDD401 – Securing enterprise-grade serverless applications, 3:30 PM–4:30 PM, Level 0, Hall B2, Yellow
  4. (no text on slide)
  5. “No server is easier to manage than no server.” Werner Vogels, Amazon CTO
  6. What is serverless? • No infrastructure provisioning, no management • Automatic scaling • Pay for value • Highly available and secure
  7. Serverless services, grouped on the slide as Compute, Data stores and Integration: AWS Lambda, AWS Fargate, Amazon API Gateway, Amazon SNS, Amazon SQS, AWS Step Functions, Amazon Aurora Serverless, Amazon S3, Amazon DynamoDB, AWS AppSync
  8. Pure serverless can be straightforward (diagram: a mobile app calling https://api.myapp.com on API Gateway, Lambda functions holding the core business logic as RESTful microservices, DynamoDB as the data store; all within the AWS Cloud)
  9. Serverless architectural patterns are easily scalable (diagram: a microservices environment with 1-n API Gateways in front of 1-n Lambda function sets; various clients, potentially including other microservices, such as a mobile client; various data tier components as needed: DynamoDB, Amazon ElastiCache, Amazon S3; AWS Cloud)
  10. Some infrastructure is still there (diagram: a web browser reaching an Amazon CloudFront distribution; static website content (HTML/JS/CSS) served from Amazon S3; dynamic website content via https://api.example.com on API Gateway and Lambda functions; data tier of DynamoDB, Amazon RDS, ElastiCache and Amazon S3; a VPC; AWS Cloud)
  11. Core business logic elements can be code or containers (diagram: a mobile app calling https://api.myapp.com on API Gateway; user identity management with Amazon Cognito and AWS Security Token Service (AWS STS); core business logic running as Lambda functions or on Amazon ECS; mobile backend data tier of DynamoDB, Amazon RDS, ElastiCache and Amazon S3; a VPC; AWS Cloud)
  12. Common security approach • Serverless and containers share a common pattern: microservices • Core business logic can be modeled as code or containers • We can reuse the same thought model for both serverless and containers to design secure architectures
  13. (no text on slide)
  14. Security domains (diagram, ordered from “no infra” to “more infra”) • Compute: Lambda functions, API Gateway, Step Functions, Amazon ECS, Amazon EKS, AWS Fargate • Data: DynamoDB, Amazon RDS, ElastiCache, Amazon S3 • Communications (messaging, networking, and streaming): AWS AppSync, Amazon SNS, Amazon Kinesis, Amazon VPC • Access management and identity: Amazon Cognito, AWS Identity and Access Management (IAM) • Systems monitoring & deployment: Amazon CloudWatch, AWS X-Ray, AWS CloudTrail, AWS SAM • Edge: Amazon CloudFront
  15. Cloud adoption framework – Security perspective (diagram of services): CloudWatch, CloudTrail, AWS Trusted Advisor, Amazon Cognito, Amazon GuardDuty, AWS Certificate Manager, IAM, AWS KMS, AWS Security Hub, AWS Secrets Manager, AWS Shield, AWS WAF, Amazon VPC, PrivateLink, Lambda functions, X-Ray
  16. Let’s focus on the compute layer • AWS Lambda: serverless event-driven code execution, short-lived, all language runtimes, data source integrations • AWS Fargate: serverless compute engine for containers, long-running, bring existing code, fully managed orchestration • Amazon ECS: elastic container service, container orchestration, deploy in a VPC, Docker-oriented • Amazon EKS: elastic container service for Kubernetes, Kubernetes-certified, no control plane to manage, deploy worker nodes
  17. Comparison of operational responsibility (from more opinionated to less opinionated; AWS manages the lower layers, the customer manages the rest)
     • Lambda (serverless functions) – AWS manages: data source integrations; physical hardware, software, networking, and facilities; provisioning. Customer manages: application code.
     • Fargate (serverless containers) – AWS manages: container orchestration, provisioning; cluster scaling; physical hardware, host OS/kernel, networking, and facilities. Customer manages: application code; data source integrations; security config and updates, network config, management tasks.
     • Amazon ECS/Amazon EKS (container management as a service) – AWS manages: container orchestration control plane; physical hardware, software, networking, and facilities. Customer manages: application code; data source integrations; worker clusters; security config and updates, network config, firewall, management tasks.
     • Amazon EC2 (infrastructure as a service) – AWS manages: physical hardware, software, networking, and facilities. Customer manages: application code; data source integrations; scaling; security config and updates, network config, management tasks; provisioning, managing, scaling and patching of servers.
  18. Security in compute layer • Input validation: AWS WAF (XSS rules, SQL injection rules) • Dependency vulnerabilities: use Lambda layers • Storing secrets: Secrets Manager, AWS Systems Manager
  19. Lambda layers • Lets functions easily share code: upload a layer once, reference it within any function • Promotes separation of responsibilities and lets developers iterate faster on writing business logic • Built-in support for secure sharing by ecosystem
  20. What about insecure code?
  21. Lambda execution environments • Upon invocation, the Lambda data plane creates an execution environment (or chooses an existing one) in a microVM including: the function code; any Lambda layers selected for your function; the function runtime, either built-in (Java 8, NodeJS 8, Python 3.7, etc.) or custom; a minimal Linux userland based on Amazon Linux • Execution environments are never shared across functions, and microVMs are never shared across AWS accounts
  22. Isolation between microVMs • Two models: EC2 instances and Firecracker (open source hypervisor)
  23. Lambda design considerations • First invocation of a Lambda function requires “bootstrapping,” which adds some latency • Execution environments can be reused by subsequent invocations, with no memory scrub • Execution environments include a writeable file system, available at /tmp, that remains for the lifetime of the execution environment • Lambda provides patching and updates for supported runtimes; maintenance of custom runtimes is the customer's responsibility
  24. Lambda best practices • Plan for cold start to optimize microVM reuse • Minimize package size to necessities • ENIs for VPC support are attached during cold start • Instantiate AWS clients and database clients outside the scope of the Lambda handler • Avoid code to read or write to /tmp if not needed • Leverage AWS-supported runtimes to avoid heavy lifting of custom runtimes
     Code on the slide (Python; the slide shows only the first line of each statement, completed here):
     import sys
     import logging
     import rds_config
     import pymysql

     # Executes during cold start: module scope runs once per execution environment,
     # so the connection is reused by later invocations. The db_username and
     # db_password attributes of rds_config are assumed names, not shown on the slide.
     rds_host = "rds-instance"
     db_name = rds_config.db_name
     logger = logging.getLogger()
     logger.setLevel(logging.INFO)
     try:
         conn = pymysql.connect(host=rds_host, user=rds_config.db_username,
                                passwd=rds_config.db_password, db=db_name,
                                connect_timeout=5)
     except pymysql.MySQLError as e:
         logger.error("ERROR: could not connect to the MySQL instance: %s", e)
         sys.exit()

     # Executes with each invocation
     def handler(event, context):
         with conn.cursor() as cur:
             cur.execute("SELECT 1")  # the slide elides the query; placeholder statement
             return cur.fetchone()
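The reuse described on the two slides above (execution environments reused with no memory scrub, /tmp kept for the environment's lifetime), as an added example that is not from the deck: a constructed stand-in for a warm environment, with a handler that leaves request data in /tmp and module state beside one that removes it before returning. The directory, handler and event field names are assumptions.

```python
import os
import shutil
import tempfile

# Constructed stand-in for the function's /tmp; module scope plays the part of a
# warm execution environment that Lambda reuses without a memory scrub.
TMP_DIR = os.path.join(tempfile.gettempdir(), "lambda-warm-demo")
CACHE = {}  # module-level state survives between invocations just like /tmp


def leaky_handler(event, context=None):
    """Stages request data in /tmp and in module state, and cleans up neither."""
    os.makedirs(TMP_DIR, exist_ok=True)
    leftovers = sorted(os.listdir(TMP_DIR))  # files written by earlier invocations
    with open(os.path.join(TMP_DIR, event["request_id"]), "w") as fh:
        fh.write(event["payload"])
    CACHE[event["user"]] = event["payload"]
    return {"files_from_earlier_invocations": leftovers,
            "users_cached": sorted(CACHE)}


def hardened_handler(event, context=None):
    """Same work, but nothing request-specific outlives the invocation."""
    os.makedirs(TMP_DIR, exist_ok=True)
    leftovers = sorted(os.listdir(TMP_DIR))
    work_dir = tempfile.mkdtemp(dir=TMP_DIR)  # private scratch area for this request
    try:
        with open(os.path.join(work_dir, "payload"), "w") as fh:
            fh.write(event["payload"])
        result = len(event["payload"])  # stands in for the real processing
    finally:
        shutil.rmtree(work_dir, ignore_errors=True)  # always removed, even on error
    return {"files_from_earlier_invocations": leftovers, "result": result}


def simulate_warm_invocations(handler, events):
    """Call a handler several times in one process, as a reused environment would."""
    return [handler(e) for e in events]


def cold_start():
    """Equivalent of a fresh execution environment: empty /tmp and empty module state."""
    shutil.rmtree(TMP_DIR, ignore_errors=True)
    CACHE.clear()
```

The second warm invocation of leaky_handler can already list the first request's file and cached user; the hardened handler leaves the second invocation nothing to find.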
  25. Amazon ECS and AWS Fargate (diagram) • Amazon ECS: a cluster of EC2 instances in a VPC Auto Scaling group, each running the OS, Docker agent and ECS agent and hosting tasks (Task 1, Task 2) grouped into services • AWS Fargate: tasks (Task 1, Task 2) grouped into services in a VPC, sized by CPU and memory
  26. Amazon ECS and AWS Fargate
     • Amazon ECS – Networking: ECS uses the instance ENI by default, and awsvpc (task ENI) as an option; can use existing VPC SGs and NACLs. IAM: granular Amazon ECS service roles and task roles. Host: customer provisioning, patching, and scaling; direct access to the underlying infra; privileged access is allowed.
     • AWS Fargate – Networking: Fargate requires awsvpc, all traffic uses the task ENI; private and public IP setup for inbound traffic, outbound is allowed. IAM: granular Amazon ECS service roles and task roles. Host: AWS patches the platform version; no direct access to the underlying infra; privileged access is forbidden.
  27. Security in data layer • Data classification • Data flow • Data encryption at rest • Data encryption in transit • Data backup/replication • Data tokenization
  28. Security in access management and identity layer • Access control between services • Authenticate and authorize end users/clients
  29. Security in system monitoring layer • Logging and tracing (X-Ray) • Metrics • Compliance validation
  30. Dive deep on X-Ray • Analyze and debug issues quickly • End-to-end view of individual services • Identify customer impact • Support for serverless and containers
  31. X-Ray integration with serverless • Lambda instruments incoming requests for all supported languages • Lambda runs the X-Ray daemon on all languages with an SDK
     Code on the slide (Node.js):
     // Load the X-Ray SDK and apply the sampling rules from the JSON file
     var AWSXRay = require('aws-xray-sdk-core');
     AWSXRay.middleware.setSamplingRules('sampling-rules.json');
     // Wrap the AWS SDK so every AWS call made through it is recorded as a subsegment
     var AWS = AWSXRay.captureAWS(require('aws-sdk'));
     var S3Client = new AWS.S3();
  32. X-Ray integration with containers • Build your application • Deploy an X-Ray docker/pod on each worker node • EC2Plugin and ECSPlugin can be used to send extra information about the underlying infra (except when using AWS Fargate)
  33. X-Ray view example (screenshot)
  34. X-Ray trace example (screenshot)
  35. (no text on slide)
  36. AWS developer tools for CI/CD • Source: AWS CodeCommit • Build: AWS CodeBuild • Test: AWS CodeBuild + third-party tools • Deploy: AWS CodeDeploy • Monitor: X-Ray • AWS CodePipeline across the stages
  37. How can we ensure security in the deployment? (pipeline diagram: Developer → CodeCommit → CodePipeline → CodeBuild running cfn-nag → S3 bucket → AWS CloudFormation stacks, with pre-create, create stacks, post-create and deploy stages per region, and Amazon SNS)
  38. Integrate security controls in CI/CD pipelines (the same pipeline diagram, with a Security role shown alongside the Developer)
  39. Delivery via CodePipeline
     1. Commit your code to a source code repository
     2. Package/test in CodeBuild, including container packaging and security controls
     3. Use AWS CloudFormation actions in CodePipeline to create or update stacks via AWS SAM templates • Optional: make use of ChangeSets
     4. Test your application and increase control severity between stages/environments • Optional: make use of manual approvals
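A build-stage security control of the kind step 2 describes, written here as an added example rather than anything from the deck: it checks an ECS/Fargate task definition against the constraints listed on the Amazon ECS and AWS Fargate slide (awsvpc on Fargate, no privileged containers, a granular task role, secrets kept out of plaintext environment variables) and the deck's call for version control of containers. The sample task definition, account id, image names and function names are constructed.

```python
import re

# Constructed sample task definition carrying each mistake the check looks for;
# the account id and image names are placeholders, not real resources.
SAMPLE_TASK_DEF = {
    "family": "payments-api",
    "requiresCompatibilities": ["FARGATE"],
    "networkMode": "bridge",
    "executionRoleArn": "arn:aws:iam::123456789012:role/ecsTaskExecutionRole",
    "containerDefinitions": [
        {"name": "api", "image": "example/api:latest", "privileged": True,
         "environment": [{"name": "DB_PASSWORD", "value": "plaintext-here"}]}
    ],
}

SECRET_LIKE = re.compile(r"PASSWORD|SECRET|TOKEN|API_KEY", re.IGNORECASE)


def image_is_pinned(image):
    """Accept a digest, or an explicit tag other than the mutable 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]  # ignore a registry host such as host:5000
    return ":" in last and not last.endswith(":latest")


def check_task_definition(task_def):
    """Return findings for one task definition; an empty list lets the build proceed."""
    findings = []
    fargate = "FARGATE" in task_def.get("requiresCompatibilities", [])
    if fargate and task_def.get("networkMode") != "awsvpc":
        findings.append("networkMode must be awsvpc on Fargate: all traffic uses the task ENI")
    if not task_def.get("taskRoleArn"):
        findings.append("taskRoleArn missing: give the task its own granular IAM role")
    for c in task_def.get("containerDefinitions", []):
        name = c.get("name", "?")
        if c.get("privileged"):
            findings.append(f"{name}: privileged is forbidden on Fargate" if fargate
                            else f"{name}: privileged container on a shared ECS host")
        if not image_is_pinned(c.get("image", "")):
            findings.append(f"{name}: pin the image to a version tag or digest, not latest")
        for env in c.get("environment", []):
            if SECRET_LIKE.search(env.get("name", "")):
                findings.append(f"{name}: {env['name']} is a plaintext environment variable; "
                                "move it to 'secrets' with valueFrom (Secrets Manager or SSM)")
    return findings
```

In a CodeBuild step the same function would run over the JSON registered as the task definition and fail the build on any finding, which is how control severity can be raised between stages.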
  40. CodeDeploy and Lambda canary deployments • Direct a portion of traffic to a new version • Monitor stability with CloudWatch • Initiate rollback if needed • Incorporate into your AWS SAM templates
  41. Security in deployment layer • Code quality • Version control • Strategies
  42. (no text on slide)
  43. Pipeline pattern (diagram): Developer → Code and CloudFormation template → Ingest → Code Analysis → Test → Deployment → Prod Deployment, with Security as a participant
  44. Pattern architecture (diagram labels: Developer, AWS CodeCommit, Code, CloudFormation Template, CloudFormation Repo, Master Pipeline, Source Code Validation, CFN Compliance Validation, CFN Security Validation, App Testing Validation, App Deployment Pipeline, Code Analysis, Test, Production, Security, Security and Compliance Controls, Test Controls, Validation Service)
  45. Thank you! Tomas Clemente Sanchez, tomascle@amazon.com
