Your system is composed of highly decoupled, independent, fast, and modular microservices. But how can they share common configurations, dynamic endpoints, database references, and properly rotate secrets? Based on the size and complexity of your serverless system, you may use AWS Lambda environment variables, AWS Systems Manager's Parameter Store, and the recently announced AWS Secrets Manager. In this session, we showcase the best use cases for each solution, as well as corresponding best practices to achieve the highest standards for security and performance.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Configuration Management and
Service Discovery with AWS Lambda
Alex Casalboni
Technical Evangelist
Amazon Web Services
S R V 3 3 8 - R
Ben Kehoe
Cloud Robotics Research Scientist @ iRobot
AWS Serverless Hero

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Introduction
Serverless security background
Serverless service mesh at iRobot
Whiteboard discussion

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Chalk Talk repeats
Friday, Nov 28th
9.15 – 10:15 | Mirage

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Related breakouts
Thursday, November 29
Leadership Session: Using DevOps, Microservices, and Serverless
to Accelerate Innovation (SRV325)
12:15 – 1:15 PM | Venetian Theatre (Level 2)

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Lambda permission model
Fine-grained security controls for both execution and invocation
Execution policies
Define what AWS resources/API calls can this function access via AWS Identity and Access
Management (IAM)
Used in streaming invocations
For example, “Lambda function A can read from DynamoDB table users”
Function policies
Used for sync and async invocations
For example, “Actions on bucket X can invoke Lambda function Z"
Resource policies allow for cross account access

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Action: “s3:*”
… make puppies cry!Action: “dynamodb:*"
Action: “sns:*“
Photo by Matthew Henry on Unsplash

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Fine-grained IAM policy with AWS SAM
MyFunction:
Type: AWS::Serverless::Function
Properties:
Handler: index.handler
Runtime: python2.7
Policies:
- AWSLambdaExecute # Managed Policy
- Version: '2012-10-17'
Statement:
- Effect: Allow
Action:
- dynamodb:GetItem
Resource: !GetAtt MyDynamoDBTable.Arn

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Hardcoded secrets make fish cry!
Photo by Julieann Ragojo on Unsplash

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Lambda environment variables
Key-value pairs that you can dynamically pass to your function
Available via standard environment variable APIs (based on runtime)
Can optionally be encrypted via AWS Key Management Service (AWS KMS)
Allows you to specify in IAM what roles have access to the keys to decrypt the information
Useful for creating environments per stage (such as dev, test, prod)

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Systems Manager―Parameter Store
Centralized store to manage your configuration data
Supports hierarchies
Plaintext or encrypted with AWS KMS
Can send notifications of changes to Amazon Simple Notification Service (Amazon SNS) or Lambda
Can be secured with IAM
Calls recorded in AWS CloudTrail
Can be tagged
Available via API/SDK
Useful for centralized environment variables, secrets control, feature flags

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Parameter Store access via SDK
import json, boto3
ssm = boto3.client('ssm')
def get_parameter():
response = ssm.get_parameter(
Name='LambdaSecureString’,
WithDecryption=True
)
return response['Parameter']['Value']
def lambda_handler(event, context):
value = get_parameter()
print(”value = %s" % value)

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Parameter Store access via SDK with ssm_cache
import json, boto3
ssm = boto3.client('ssm')
def get_parameter():
response = ssm.get_parameter(
Name='LambdaSecureString’,
WithDecryption=True
)
return response['Parameter']['Value']
def lambda_handler(event, context):
value = get_parameter()
print(”value = %s" % value)
from ssm_cache import SSMParameter
param = SSMParameter(‘LambdaSecureString’)
def lambda_handler(event, context):
value = param.value
print(”value = %s" % value)

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Secrets Manager
Allows you to manage, retrieve, and rotate credentials
Helps you rotate secrets regularly without breaking stuff
Keeps track of different password versions
Implements security controls associated with credential management
Built-in support for Amazon Relational Database Service (Amazon RDS)

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Secrets Manager + Parameter Store
Uniform and consistent access to both services
You can reference Secrets Manager secrets with PS APIs
Rotation & Refresh delegated to the client
As simple as using a prefix: /aws/reference/secretsmanager/

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secrets access via Parameter Store
import json, boto3
ssm = boto3.client('ssm’)
prefix = ‘/aws/reference/secretsmanager’
def get_secret():
response = ssm.get_parameter(
Names=[‘%s/my_secret’ % prefix],
WithDecryption=True
)
return response['Parameter']['Value']
def lambda_handler(event, context):
value = get_secret()
print(”value = %s" % value)

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Secrets access via Parameter Store with ssm_cache
import json, boto3
ssm = boto3.client('ssm’)
prefix = ‘/aws/reference/secretsmanager’
def get_secret():
response = ssm.get_parameter(
Names=[‘%s/my_secret’ % prefix],
WithDecryption=True
)
return response['Parameter']['Value']
def lambda_handler(event, context):
value = get_secret()
print(”value = %s" % value)
from ssm_cache import SecretsManagerParameter
secret = SecretsManagerParameter(‘my_secret’)
def lambda_handler(event, context):
value = secret.value
print(”value = %s" % value)
github.com/alexcasalboni/ssm-cache-python

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Parameters & secrets grouping with ssm_cache
from ssm_cache import SSMParameterGroup
group1 = SSMParameterGroup(max_age=300) # 5min cache
param1 = group.parameter('param_1’)
param2 = group.parameter('param_2’)
group2 = SSMParameterGroup(base_path="/Foo") # common prefix
foo_bar = group2.parameter('/Bar') # will fetch /Foo/Bar
baz_params = group2.parameters('/Baz') # will fetch /Foo/Baz/1 and /Foo/Baz/2
secret = group2.secret(‘my_secret’) # will fetch /aws/reference/secretsmanager/my_secret
group1.refresh()
group2.refresh()

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deployment

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Deployment: Blue-green or red-black?

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Red/black deployments
• An entirely new copy of the
whole system
• Including a new endpoint
• Pay-per-use means this has little cost
• No platform support required
• Clients must use some
mechanism to switch over
• DNS
• HTTP service
• Challenge: obstinate clients

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Blue-green deployments
• Keep the same endpoint, roll
out behind
• Requires platform support
• Does not involve clients
• Challenge: blue-green
deployments of complete
infrastructure graphs, not
just individual components

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Authentication and authorization

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Policy
Resource
Authorization: A role links a principal to a resource
Different directions are possible

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Policy
Resource
Challenges:
• Cross-account
• # of policies attached
Traditional:
Attach policy to principal

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Policy
Resource
Challenges:
• Deployment to add
permission
• Limit on # of callers
Resource policies:
Attached to resource

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Policy
Resource
Challenges:
• Coarse, or
• 1-1 service-group
Group/OU
Resource policies
with AWS Organizations

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Policy
Resource
Challenges:
• Push the problem
to AssumeRole
permissions
Role
Provide a role to assume

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What are our desired characteristics?
Caller defines desired permissions
Service could provide standard polices
Checked against organizational rules
Attached to caller
Assuming cross-account and policy-number-limit concerns don’t matter

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Auto-generated policies
Deriving policies from code can be troublesome
Permissions should help stop malicious code
But you’d derive malicious permissions from malicious code
Need explicit declarations
Then check against code for mismatch
For either too broad or narrow

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

34. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Alex Casalboni
@alex_casalboni
Ben Kehoe
@ben11kehoe

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.