Serverless applications are a hot topic today. By now, many are well versed in the benefits and uses of serverless, but many misconceptions about serverless security remain.
Serverless applications bring numerous benefits, and they also change the way you think about building applications, because they change how data and customer requests move in and around them. As developers adopt fully managed services, the shared responsibility model between developers and cloud providers changes, and we argue that it changes for the better.
In this session we’ll cover how to think about security end to end in your serverless applications, from your code to AWS services such as Amazon API Gateway and Amazon S3. We’ll talk about the importance of automated governance and how best to organize your own processes for security-first development.
30. Bonus round: project/repo scoping
Two rules:
1. If functions share an event source they can go in the same repo; if not, they go in their own repo as separate “applications”
• Simplifies permissions: each application gets only the IAM rights its own event source needs
2. If functions share an event source but require different imported packages, make them their own function files/jars/etc.
• Keeps dependency bloat minimized per function (smaller deployment packages, smaller attack surface)
Use language-native dependency tools and put shared logic in sub-packages
Monorepo == anti-pattern for FaaS
33. AWS Systems Manager – Parameter Store
Centralized store to manage your configuration data
• supports hierarchies
• plain-text or encrypted with KMS (SecureString)
• can send notifications of changes to Amazon SNS / AWS Lambda
• can be secured with IAM
• calls recorded in CloudTrail
• can be tagged
• available via API/SDK
Useful for: centralized environment variables, secrets control, feature flags
```python
from __future__ import print_function
import boto3

ssm = boto3.client('ssm', 'us-east-1')


def get_parameters():
    # WithDecryption=True returns the plaintext of a SecureString; the
    # function's role needs ssm:GetParameters on the parameter and
    # kms:Decrypt on the key it was encrypted with.
    response = ssm.get_parameters(
        Names=['LambdaSecureString'],
        WithDecryption=True
    )
    # A name that does not exist is not an API error: it is listed under
    # 'InvalidParameters' and 'Parameters' is simply shorter. Fail loudly
    # instead of returning None.
    if response.get('InvalidParameters'):
        raise KeyError(response['InvalidParameters'])
    for parameter in response['Parameters']:
        return parameter['Value']


def lambda_handler(event, context):
    value = get_parameters()
    print("value1 = " + value)  # demo only: this writes the decrypted value to CloudWatch Logs
    return value  # Echo back the first key value
```
34. AWS Systems Manager – Parameter Store
#somuchawesome
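The demo above calls SSM (and, for a SecureString, KMS) on every invocation and reads one named parameter. As an added example that is not code from the deck, the module below uses the hierarchy feature from the slide instead: it loads everything under one path such as `/myapp/prod/` with `get_parameters_by_path`, follows `NextToken` pages, caches the result at module scope so warm invocations do not hit SSM again, and reloads after a TTL so a rotated secret is picked up. It goes beyond the slide in two ways: `describe()` masks SecureString values so the configuration can be logged safely, and the per-stage path keeps a prod function from ever seeing dev parameters. Assumptions: the function's role is allowed `ssm:GetParametersByPath` on that path and `kms:Decrypt` on the key; `ParameterCache`, `FakeSsmClient`, `SAMPLE_PARAMETERS` and the `APP_PARAM_PATH` variable are names chosen here, and the fake client and its parameters are constructed sample data so the code runs offline (pass `boto3.client('ssm')` for real AWS).

```python
import os
import time


class ParameterCache:
    """Load every parameter under one Parameter Store path, then serve lookups
    from memory until a TTL expires. Created once per container, the cache is
    reused across warm Lambda invocations."""

    def __init__(self, ssm_client, path, ttl_seconds=300, clock=time.monotonic):
        if not (path.startswith('/') and path.endswith('/')):
            raise ValueError("path must look like /app/stage/")
        self._ssm = ssm_client
        self._path = path
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so TTL expiry can be tested
        self._values, self._types = {}, {}
        self._loaded_at = None

    def _expired(self):
        return self._loaded_at is None or self._clock() - self._loaded_at >= self._ttl

    def refresh(self):
        """Fetch all parameters below the path, following NextToken pages."""
        values, types = {}, {}
        kwargs = {'Path': self._path, 'Recursive': True, 'WithDecryption': True}
        while True:
            resp = self._ssm.get_parameters_by_path(**kwargs)
            for p in resp['Parameters']:
                rel = p['Name'][len(self._path):]   # '/myapp/prod/db/host' -> 'db/host'
                values[rel], types[rel] = p['Value'], p['Type']
            if not resp.get('NextToken'):
                break
            kwargs['NextToken'] = resp['NextToken']
        self._values, self._types = values, types
        self._loaded_at = self._clock()

    def get(self, name):
        """Value of a parameter named relative to the path; KeyError if absent."""
        if self._expired():
            self.refresh()
        if name not in self._values:
            raise KeyError(self._path + name)
        return self._values[name]

    def describe(self):
        """Names and values with every SecureString masked: safe to log."""
        if self._expired():
            self.refresh()
        return {n: '***' if self._types[n] == 'SecureString' else v
                for n, v in self._values.items()}


class FakeSsmClient:
    """Constructed stand-in for boto3.client('ssm'), offline only. It mimics the
    real API's paging and returns ciphertext for a SecureString unless
    WithDecryption=True, which is what you see when kms:Decrypt is forgotten."""

    def __init__(self, parameters, page_size=2):
        self._params = parameters
        self._page_size = page_size
        self.calls = 0

    def get_parameters_by_path(self, Path, Recursive=False, WithDecryption=False, NextToken=None):
        self.calls += 1
        hits = [p for p in self._params if p['Name'].startswith(Path)]
        if not Recursive:
            hits = [p for p in hits if '/' not in p['Name'][len(Path):]]
        start = int(NextToken or 0)
        page = []
        for p in hits[start:start + self._page_size]:
            value = p['Value']
            if p['Type'] == 'SecureString' and not WithDecryption:
                value = 'AQICAHg...'              # constructed ciphertext placeholder
            page.append({'Name': p['Name'], 'Type': p['Type'], 'Value': value})
        resp = {'Parameters': page}
        if start + self._page_size < len(hits):
            resp['NextToken'] = str(start + self._page_size)
        return resp


SAMPLE_PARAMETERS = [  # constructed sample data
    {'Name': '/myapp/prod/db/host', 'Type': 'String', 'Value': 'db.prod.internal'},
    {'Name': '/myapp/prod/db/password', 'Type': 'SecureString', 'Value': 'correct horse battery staple'},
    {'Name': '/myapp/prod/feature/new_checkout', 'Type': 'String', 'Value': 'true'},
    {'Name': '/myapp/dev/db/password', 'Type': 'SecureString', 'Value': 'dev-only'},
]

_CACHE = None


def lambda_handler(event, context):
    """Only the first invocation in a container (or a TTL expiry) calls SSM."""
    global _CACHE
    if _CACHE is None:
        import boto3  # imported lazily so this module also loads without boto3
        _CACHE = ParameterCache(boto3.client('ssm'), os.environ['APP_PARAM_PATH'])
    enabled = _CACHE.get('feature/new_checkout') == 'true'
    return {'new_checkout': enabled, 'config': _CACHE.describe()}
```

Pick the TTL to match how fast you need a rotated secret to propagate; between refreshes every invocation is served from memory, so the function neither pays the SSM/KMS latency nor risks throttling under load.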
43. AWS Serverless Application Model (SAM)
CloudFormation extension optimized for serverless
New serverless resource types: functions, APIs, and tables
Supports anything CloudFormation supports
Open specification (Apache 2.0)
- SAM Translator recently open sourced!
https://github.com/awslabs/serverless-application-model
45. SAM Policy Templates
```yaml
MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    ...
    Policies:
      # Give just CRUD permissions to one table
      - DynamoDBCrudPolicy:
          TableName: !Ref MyTable
...
MyTable:
  Type: AWS::Serverless::SimpleTable
```
36 predefined policies, all found here:
https://bit.ly/2LM6qml
50. I will turn on CloudTrail, Config, and CloudTrail Data Events