
Security Best Practices for Serverless Applications - July 2017 AWS Online Tech Talks


Learning Objectives:
- Learn security best practices for AWS Lambda and Amazon API Gateway
- Understand how to use Amazon Cognito to build identity and authentication features into serverless applications
- Learn identity and access management best practices for serverless applications

Securely building and deploying serverless applications requires cloud-native security best practices. In this talk, you will learn how to use AWS Lambda permissions and how to easily set up authentication and authorization for Amazon API Gateway. We will also cover how you can use Amazon Cognito for end user authentication and authorization. You'll also learn how to securely store your application secrets with AWS. This talk also discusses how to implement identity and access management best practices.

Published in: Technology


  1. © 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Justin Pirtle, AWS Solutions Architect 07/25/17 Security Best Practices for Serverless Applications
  2. Agenda • What is Serverless? • Overview of AWS Lambda, API Gateway, and Cognito • Securing Serverless microservices • Auditing and logging • Summary
  3. Serverless means… No servers to provision or manage; Scales with usage; Never pay for idle; Availability and fault tolerance built in
  4. Serverless is real
  5. Microservices AWS Lambda + Amazon API Gateway is the easiest way to create microservices • Event handlers: one function per event type • Serverless backends: one function per API / path • Data processing: one function per data type
  6. Serverless Microservice Internet Mobile apps Websites Partner Services AWS Lambda
  7. AWS Lambda Programming Model Bring your own code • Node.js, Java, Python, C# • Bring your own libraries (even native ones) Simple resource model • Select power rating from 128 MB to 1.5 GB • CPU and network allocated proportionately • Pay only for the compute you consume Programming model • AWS SDK built in (Python and Node.js) • Lambda is the “webserver” • Use processes, threads, /tmp, sockets normally Stateless • Persist data using Amazon DynamoDB, S3, or ElastiCache • No affinity to infrastructure (can’t “log in to the box”)
  8. Serverless Microservice Internet Mobile apps Websites Partner Services AWS Lambda API Gateway Amazon DynamoDB
  9. Introduction to Amazon API Gateway Create a unified API frontend for multiple microservices Authenticate and authorize requests to a backend DDoS protection and throttling for your backend Throttle, meter, and monetize API usage by third-party developers
  10. Amazon API Gateway: Serverless APIs Internet Mobile apps Websites Partner Services AWS Lambda functions API Gateway response cache Endpoints on Amazon EC2 Any publicly accessible endpoint Amazon CloudWatch Amazon CloudFront API Gateway
  11. Serverless Microservice Internet Mobile apps Websites Partner Services AWS Lambda API Gateway Amazon DynamoDB
  12. Identity is mission critical for your applications Security Revenue Generation Application Backbone  Know your users  Monitor engagement with your application  Store and manage user data  Personalize your users’ experiences  Protect sensitive data  Secure business-critical processes User Identity
  13. Developing Auth Infrastructure is Difficult • Need to develop a reliable user directory to manage identities • Handling user data and passwords and protecting privacy • Prioritizing scalability of your infrastructure upfront • Implementing token-based authentication • Support for multiple social identity providers • Federation with corporate directories for B2E applications
  14. Amazon Cognito Identity Facebook Corporate OIDC Sign in with Your User Pools You can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully managed service that scales to support hundreds of millions of users. Federated Identities Your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app. SAML Sign in Username Password Submit
  15. Comprehensive Support for Identity Use Cases
  16. Serverless Microservice Internet Mobile apps Websites Partner Services AWS Lambda API Gateway Amazon DynamoDB Amazon Cognito
  17. Securing Serverless microservices
  18. Securing AWS Lambda
  19. Lambda execution models Synchronous (push) Asynchronous (event) Stream-based Amazon API Gateway AWS Lambda function Amazon DynamoDB Amazon SNS /order AWS Lambda function Amazon S3 reqs Amazon Kinesis changes AWS Lambda service function
  20. The push model and resource policies Function (resource) policy • Permissions you grant to your Lambda function determine which service or event source can invoke your function • Resource policies make it easy to grant cross-account permissions to invoke your Lambda function
  21. The pull model and IAM roles IAM execution role • Permissions you grant to this role determine what your AWS Lambda function can do at runtime • If the event source is Amazon DynamoDB or Amazon Kinesis, then add read permissions in the IAM role
  22. Lambda function security – best practices Application security best practices still apply (mandatory code review, static analysis, etc.) Use an IAM role per function and don’t be too permissive – apply the principle of least privilege Encrypt environment variables and sensitive data via KMS and Lambda’s encryption helpers Leverage EC2 SSM Parameter Store for secrets and configuration management at scale
  23. Lambda vulnerabilities and security scan Automate security analysis as part of your CI/CD pipeline Input validation/sanitization, SQLi, etc. still apply in Serverless architectures Continuously scan for vulnerabilities in the dependencies you use; this can be a step in your CI/CD pipeline
  24. Securing API Gateway
  25. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  26. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  27. Throttling Cache Logging Monitoring Auth Mobile app Amazon API Gateway User Pools Authorizers Amazon Cognito User Pools Amazon DynamoDB Lambda function
  28. Throttling Cache Logging Monitoring Auth Mobile app User Pools Authorizers Amazon API Gateway Amazon Cognito User Pools Amazon DynamoDB Lambda function
  29. Throttling Cache Logging Monitoring Auth Mobile app User Pools Authorizers Amazon API Gateway Amazon Cognito User Pools Amazon DynamoDB Lambda function • Identity • Access • Refresh
  30. Throttling Cache Logging Monitoring Auth Mobile app User Pools Authorizers Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
  31. Throttling Cache Logging Monitoring Auth Mobile app User Pools Authorizers 4. Validate identity token Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
  32. Throttling Cache Logging Monitoring Auth Mobile app User Pools Authorizers 5. Invoke API call Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
  33. Throttling Cache Logging Monitoring Auth Mobile app User Pools Authorizers 6. Access AWS resources Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito User Pools
  34. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  35. IAM-based authorization Throttling Cache Logging Monitoring Auth Mobile app Amazon DynamoDB Lambda function Amazon API Gateway Amazon Cognito Federated Identities Amazon Cognito User Pools AWS Identity & Access Management
  36. Throttling Cache Logging Monitoring Auth Mobile app Amazon Cognito User Pools Amazon DynamoDB Lambda function Amazon API Gateway IAM-based authorization Amazon Cognito Federated Identities AWS Identity & Access Management
  37. Throttling Cache Logging Monitoring Auth Mobile app Amazon DynamoDB Lambda function Amazon API Gateway IAM-based authorization Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
  38. Throttling Cache Logging Monitoring Auth Mobile app 3. Request AWS credentials Amazon DynamoDB Lambda function Amazon API Gateway IAM-based authorization Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
  39. Throttling Cache Monitoring Auth Mobile app 4. Validate ID token Amazon DynamoDB Lambda function Amazon API Gateway IAM-based authorization Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
  40. Throttling Cache Logging Monitoring Auth Mobile app 5. Temporary AWS credentials Amazon DynamoDB Lambda function Amazon API Gateway IAM-based authorization Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
  41. Throttling Cache Logging Monitoring Mobile app Amazon DynamoDB Lambda function Amazon API Gateway IAM-based authorization Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
  42. Throttling Cache Logging Monitoring Mobile app Amazon DynamoDB Lambda function Amazon API Gateway IAM-based authorization Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management
  43. Throttling Cache Logging Monitoring Mobile app 8. Invoke Lambda Lambda function Amazon API Gateway IAM-based authorization Amazon Cognito User Pools Amazon Cognito Federated Identities AWS Identity & Access Management Amazon DynamoDB
  44. IAM Policy Detail { "Version": "2012-10-17", "Statement": [ { "Action": "execute-api:Invoke", "Effect": "Allow", "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*" }, { "Action": "execute-api:Invoke", "Effect": "Deny", "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*" } ] }
  45. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  46. Custom Authorizer Lambda function Auth Mobile app Lambda function Amazon API Gateway Amazon DynamoDB AWS Identity & Access Management Custom Authorizers
  47. Custom Authorizer Lambda function Mobile app Lambda function Amazon API Gateway Amazon DynamoDB AWS Identity & Access Management Custom Authorizers
  48. Custom Authorizer Lambda function Auth Mobile app Lambda function Amazon API Gateway Amazon DynamoDB AWS Identity & Access Management Custom Authorizers
  49. Custom Authorizer Lambda function Auth Mobile app Lambda function Amazon API Gateway Amazon DynamoDB AWS Identity & Access Management Custom Authorizers
  50. Auth Mobile app Lambda function Amazon API Gateway Custom Authorizers Amazon DynamoDB 4. Check policy cache AWS Identity & Access Management Custom Authorizer Lambda function
  51. Auth Mobile app Lambda function Amazon API Gateway Custom Authorizers Amazon DynamoDB 5. Validate token AWS Identity & Access Management Custom Authorizer Lambda function
  52. Custom Authorizer Lambda function Auth Mobile app Lambda function Amazon API Gateway Custom Authorizers Amazon DynamoDB 6. Generate and return user IAM policy AWS Identity & Access Management
  53. Custom Authorizer Lambda function Auth Mobile app Lambda function Amazon API Gateway Custom Authorizers Amazon DynamoDB AWS Identity & Access Management
  54. Custom Authorizer Lambda function Auth Mobile app Lambda function Amazon API Gateway Custom Authorizers Amazon DynamoDB 8. Invoke Lambda AWS Identity & Access Management
  55. Custom Authorizer Lambda – Sample Code var testPolicy = new AuthPolicy("userIdentifier", "XXXXXXXXXXXX", apiOptions); testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*"); testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*"); callback(null, testPolicy.getPolicy());
  56. API Gateway: three types of authorization Amazon Cognito User Pools Amazon Cognito Federated Identities Custom Identity Providers AWS IAM authorization Custom Authorizers User Pools Authorizers
  57. Throttle Usage Plans: Throttle specific consumers Internet Mobile apps Websites Partner Services AWS Lambda functions API Gateway response cache Endpoints on Amazon EC2 Any publicly accessible endpoint Amazon CloudWatch Amazon CloudFront API Gateway
  58. Usage Plans: Quotas and Throttling • Prevents one customer from consuming all of your backend system’s capacity • Lets you decide how to allocate capacity among your API consumers. Sample plan: • Professional plan users: 10 TPS, up to 100 calls / day • Premium plan users: 100 TPS, up to 1000 calls / day • Enterprise plan users: 500 TPS, no limit on calls / day
  59. Set daily quota Usage Plans: Enforce per-consumer quotas Internet Mobile apps Websites Partner Services AWS Lambda functions API Gateway response cache Endpoints on Amazon EC2 Any publicly accessible endpoint Amazon CloudWatch Amazon CloudFront API Gateway
  60. Example Serverless Architecture
  61. Amazon API Gateway AWS Lambda Amazon DynamoDB Amazon S3 Amazon CloudFront • Bucket Policies • ACLs • Geo-Restriction • Private Content • DDoS AuthZ Serverless app security • Throttling • Caching • Usage Plans Browser • Invocation Policies • Execution Roles • Secure Parameters • IAM Fine-grained Access Control
  62. Audit and log your Serverless application
  63. CloudWatch – Log streaming and metrics Leverage built-in metrics and alarm on aggregates (throttling) Create custom metrics via metric filters over logs Captures Lambda invocation details and all logging statement output Stream and centralize logs from multiple accounts to Amazon Elasticsearch for near real-time analysis
  64. Different log categories AWS infrastructure logs  AWS CloudTrail  Amazon VPC Flow Logs AWS service logs  AWS Lambda  Amazon API Gateway  Amazon S3  Amazon CloudFront  Amazon Kinesis  …
  65. Different log categories AWS infrastructure logs  AWS CloudTrail  Amazon VPC Flow Logs AWS service logs  AWS Lambda  Amazon API Gateway  Amazon S3  Amazon CloudFront  Amazon Kinesis  … Security-related events
  66. AWS CloudTrail Records AWS API calls for your account
  67. What can you answer using a CloudTrail event?  Who made the API call?  What was the API call?  When was the API call made?  Where was the API call made from and made to?  Which resources were acted upon in the API call? Supported services: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html
  68. AWS Config • Get an inventory of AWS resources • Discover new and deleted resources • Record configuration changes continuously • Get notified when configurations change
  69. Summary • What is Serverless? • Overview of AWS Lambda, API Gateway, and Cognito • Securing Serverless microservices • Auditing and logging • Summary
  70. Additional Resources - Serverless on AWS - Serverless Computing on AWS - re:Invent Talks and Webinars - Serverless Auth: Identity Management - Add User Sign-in, Management, and Security with Cognito - Deep Dive on AWS Lambda - Reference Projects - Serverless Auth Reference App - Cognito Angular 2 Quickstart - Cognito API Gateway Auth Reference
  71. Thank you!
