Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Securing Serverless Applications
Part 1
Karthi Thyagarajan
Enterprise Solutions Architect
Using Amazon API Gateway, AWS La...
Imagine for a minute…
Being able to develop a mobile backend API that:
• Requires no infrastructure
• Scales automatically...
The services we are going to use
Amazon API GatewayAWS Lambda Amazon Cognito Amazon DynamoDB
Host the API and
route API ca...
What to Expect from the Session
1. Start with a basic 3-tier web app
• Pure serverless
2. Add authentication with Amazon C...
Key takeaways
AWS Lambda + Amazon API Gateway means no
infrastructure to manage – we scale for you
Security is important, ...
First building block:
AWS Lambda
High performance at any scale;
Cost-effective and efficient
No Infrastructure to manage
Pay only for what you use: Lambda
...
AWS Lambda Console
Develop, test and
publish your Lambda
functions either by the
AWS Management
Console, AWS CLI or
our SD...
Second building block:
Amazon API Gateway
Amazon API Gateway overview
Manage deployments to
multiple versions and
environments
Define and host APIs
Leverage Identit...
Your Feedback
Managing multiple versions and stages of an API is difficult
Monitoring 3rd party developers’ access is time...
Host multiple versions and stages of your APIs
Create and distribute API Keys to developers
Authenticate and authorise API...
Introducing Amazon API Gateway
Managed cache to store API responses
Reduced latency and DDoS protection through CloudFront...
Serverless 3-tier Web Architecture
Amazon API
Gateway
AWS
Lambda
Amazon
DynamoDB
Data tier App tier Presentation
tier
Amaz...
Demo – notes app
Third building block:
Amazon Cognito
Amazon Cognito overview
Manage authenticated and
guest users across identity
providers
Identity management
Synchronize use...
The notes API
Unauthenticated
API call flows
Clients AWS Lambda lambdaHandler
Register
Login
API Gateway
Authenticated
Clients AWS Lambd...
Retrieving AWS credentials
The API definition
• POST
• Receives a user name and password
• Encrypts the password and creates the user
account in Dyna...
Retrieving temporary AWS credentials
Call Login API,
no auth required
Client API Gateway Backend
/login
Login
action
User
...
Demo – login with Cognito
Authorizing API calls
The Pets resources require authorization
• POST
• Receives a Pet model
• Saves it in DynamoDB
• Returns the new Pet ID
• G...
Using the caller credentials
credentials:
arn:aws:iam::*:user/*
Using the console Using Swagger
The IAM role defines access permissions
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamo...
One step further: Fine-grained access permissions
Internet
Client
API
Gateway
AWS Lambda
functions
Amazon
CloudFront
Dynam...
Authenticated flow in depth
Clients AWS Lambda lambdaHandler
API Gateway
Sigv4
Invoke with
caller credentials
Service call...
Demo – Authorization
Benefits of using AWS auth & IAM
• Separation of concerns – our authorization strategy is
delegated to a dedicated service...
AWS credentials on the client
1-click SDK generation from the console
The client SDK declares all methods
The AWSCredentialsProvider
We implement the AWSCredentialsProvider interface
The refresh() method is called whenever the S...
Generated SDK benefits
The generated client SDK knows how to:
• Sign API calls using AWS signature version 4
• Handle-thro...
Options for authentication and
authorization
Options
• Cognito facilitates BYOI
• Google, FB, etc…
• Roll your own
• Cognito User Pools
• Authorization options – facil...
Manage authenticated
and guest users’
access to your AWS
resources
Federated Identities
Add sign-up and sign-
in with a fu...
What have we learned?
AWS Lambda + Amazon API Gateway means no
infrastructure to manage – we scale for you
Security is imp...
Questions?
Upcoming SlideShare
Loading in …5
×

Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Security Day

13,919 views

Published on

In this talk, we’ll describe ways in which you can secure your server-less architectures on AWS.

Published in: Technology

Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Security Day

  1. 1. Securing Serverless Applications Part 1 Karthi Thyagarajan Enterprise Solutions Architect Using Amazon API Gateway, AWS Lambda and Amazon Cognito
  2. 2. Imagine for a minute… Being able to develop a mobile backend API that: • Requires no infrastructure • Scales automatically to meet demand • Has granular costs that grow with usage
  3. 3. The services we are going to use Amazon API GatewayAWS Lambda Amazon Cognito Amazon DynamoDB Host the API and route API calls Execute our app’s business logic Generate temporary AWS credentials Data store
  4. 4. What to Expect from the Session 1. Start with a basic 3-tier web app • Pure serverless 2. Add authentication with Amazon Cognito • Integrate with Cognito • Login by leveraging BYOI (bring your own identity) 3. Authorization with AWS IAM 4. Segue to part 2
  5. 5. Key takeaways AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you Security is important, and complex – make the most of AWS Identity and Access Management by leveraging Cognito Flexibility – API Gateway, Lambda and Cognito give you choices for authentication and authorization
  6. 6. First building block: AWS Lambda
  7. 7. High performance at any scale; Cost-effective and efficient No Infrastructure to manage Pay only for what you use: Lambda automatically matches capacity to your request rate. Purchase compute in 100ms increments. Bring Your Own Code Lambda functions: Stateless, trigger-based code execution Run code in a choice of standard languages. Use threads, processes, files, and shell scripts normally. Focus on business logic, not infrastructure. You upload code; AWS Lambda handles everything else. AWS Lambda Overview
  8. 8. AWS Lambda Console Develop, test and publish your Lambda functions either by the AWS Management Console, AWS CLI or our SDKs. Or use community frameworks such as serverless.com, gosparta.io and more…
  9. 9. Second building block: Amazon API Gateway
  10. 10. Amazon API Gateway overview Manage deployments to multiple versions and environments Define and host APIs Leverage Identity and Access Management to authorize access to your cloud resources Leverage AWS Auth DDoS protection and request throttling to safeguard your back end Manage network traffic
  11. 11. Your Feedback Managing multiple versions and stages of an API is difficult Monitoring 3rd party developers’ access is time consuming Access authorization is a challenge Traffic spikes create operational burden What if I don’t want servers at all?
  12. 12. Host multiple versions and stages of your APIs Create and distribute API Keys to developers Authenticate and authorise API consumers Throttle and monitor requests to protect your backend Utilizes AWS Lambda Introducing Amazon API Gateway
  13. 13. Introducing Amazon API Gateway Managed cache to store API responses Reduced latency and DDoS protection through CloudFront SDK Generation for iOS, Android and JavaScript Swagger import and export support Request / Response data transformation and API mocking
  14. 14. Serverless 3-tier Web Architecture Amazon API Gateway AWS Lambda Amazon DynamoDB Data tier App tier Presentation tier Amazon S3 Amazon CloudFront
  15. 15. Demo – notes app
  16. 16. Third building block: Amazon Cognito
  17. 17. Amazon Cognito overview Manage authenticated and guest users across identity providers Identity management Synchronize users’ data across devices and platforms via the cloud Data synchronization Securely access AWS services from mobile devices and platforms Secure AWS access
  18. 18. The notes API
  19. 19. Unauthenticated API call flows Clients AWS Lambda lambdaHandler Register Login API Gateway Authenticated Clients AWS Lambda lambdaHandler ListNotes CreateNote API Gateway Assume Role Etc.. Sigv4 Invoke with caller credentials Authorized by IAM
  20. 20. Retrieving AWS credentials
  21. 21. The API definition • POST • Receives a user name and password • Encrypts the password and creates the user account in DynamoDB • Calls Amazon Cognito to generate credentials • Returns the user + its credentials /users • POST • Receives a user name and password • Authenticates the user against the DynamoDB database • Calls Amazon Cognito to generate credentials • Returns a set of temporary credentials /login
  22. 22. Retrieving temporary AWS credentials Call Login API, no auth required Client API Gateway Backend /login Login action User accounts database Credentials verified Get OpenID token for developer identity Receives credentials to sign API calls Identity ID + token Get credentials for identity Access key + secret key + session token /login 1. 2. 3.
  23. 23. Demo – login with Cognito
  24. 24. Authorizing API calls
  25. 25. The Pets resources require authorization • POST • Receives a Pet model • Saves it in DynamoDB • Returns the new Pet ID • GET • Returns the list of Pets stored in DynamoDB /pets • GET • Receives a Pet ID from the path • Uses mapping templates to pass the path parameter to the Lambda function • Loads the Pet from DynamoDB • Returns a Pet model /pets/{petId}
  26. 26. Using the caller credentials credentials: arn:aws:iam::*:user/* Using the console Using Swagger
  27. 27. The IAM role defines access permissions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "lambda:InvokeFunction", "execute-api:invoke" ], "Resource": [ "arn:aws:dynamodb:us-east-1:xxxxxx:table/notes", "arn:aws:lambda:us-east-1:xxxxx:function:NotesGet”, "arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/notes" ] } ] } The role allows calls to: • DynamoDB • API Gateway • Lambda The role can access specific resources in these services
  28. 28. One step further: Fine-grained access permissions Internet Client API Gateway AWS Lambda functions Amazon CloudFront DynamoDB CognitoId2 … "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [”${cognito- identity.amazonaws.com:sub}"], "dynamodb:Attributes": [ "UserId","GameTitle","Wins","Losses", "TopScore","TopScoreDateTime” ] }, "StringEqualsIfExists": { "dynamodb:Select": "SPECIFIC_ATTRIBUTES” } } … Executes with this role UserID Wins Losses cognitoId1 3 2 cognitoId2 5 8 cognitoId3 2 3 The credentials and context (Cognito ID) are passed along Both AWS Lambda & DynamoDB will follow the access policy
  29. 29. Authenticated flow in depth Clients AWS Lambda lambdaHandler API Gateway Sigv4 Invoke with caller credentials Service calls are authorized using the IAM role Learn more about fine-grained access permissions http://amzn.to/1YkxcjR DynamoDB
  30. 30. Demo – Authorization
  31. 31. Benefits of using AWS auth & IAM • Separation of concerns – our authorization strategy is delegated to a dedicated service • We have centralized access management to a single set of policies • Roles and credentials can be disabled with a single API call
  32. 32. AWS credentials on the client
  33. 33. 1-click SDK generation from the console
  34. 34. The client SDK declares all methods
  35. 35. The AWSCredentialsProvider We implement the AWSCredentialsProvider interface The refresh() method is called whenever the SDK needs new credentials
  36. 36. Generated SDK benefits The generated client SDK knows how to: • Sign API calls using AWS signature version 4 • Handle-throttled responses with exponential back-off • Marshal and unmarshal requests and responses to model objects
  37. 37. Options for authentication and authorization
  38. 38. Options • Cognito facilitates BYOI • Google, FB, etc… • Roll your own • Cognito User Pools • Authorization options – facilitated by API Gateway • AWS IAM • Custom Authorizer
  39. 39. Manage authenticated and guest users’ access to your AWS resources Federated Identities Add sign-up and sign- in with a fully managed user directory Your User Pool GuestYour own auth Amazon Cognito Identity Amazon Cognito Identity
  40. 40. What have we learned? AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you Security is important, and complex – make the most of AWS Identity and Access Management by leveraging Cognito Flexibility – API Gateway, Lambda and Cognito give you choices for authentication and authorization
  41. 41. Questions?

×