SlideShare a Scribd company logo
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chris Munns – Senior Developer Advocate – AWS Serverless
Practical Guidance for
Increasing your Serverless
Application’s Security
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
About me:
Chris Munns - munns@amazon.com, @chrismunns
• Lead Developer Advocate - Serverless
• New Yorker
• Previously:
• AWS Business Development Manager – DevOps, July ’15 - Feb ‘17
• AWS Solutions Architect Nov, 2011- Dec 2014
• Formerly on operations teams @Etsy and @Meetup
• Little time at a hedge fund, Xerox and a few other startups
• Rochester Institute of Technology: Applied Networking and Systems
Administration ’05
• Internet infrastructure geek
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
https://secure.flickr.com/photos/mgifford/4525333972
Why are we
here today?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What should this talk be about?
Me: “Should I have a talk about
how I think people focused on
building self managed
containerized “serverless”
platforms are missing the big
picture and its not the future”
Jefe: “No, talk about security”
Ajay Nair
Lead Product Manager –
AWS Lambda
@ajaynairthinks
Aka “jefe” to me
<Humor Slide />
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
What should this talk be about?
Me: “Can I do talk where I tear
apart the FUD currently in the
space showing up by people with
an odd counter productive
personal agendas?”
Product Marketing: “No, please
not that, no. Do something happy
on security.”
<Humor Slide />
Ambiguous representation
of AWS product marketing
folks sitting up front looking
concerned at me
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
But then...
The very wonderful Tim Wagner
(“el jefe jefe”)
and equally wonderful
Mark Nunnikhoven
delivered like 40% of my content yesterday
in their own talks...
<Humor Slide />
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Serverless Dance Routine?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Serverless Dance Routine?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
https://secure.flickr.com/photos/mgifford/4525333972
Why are we
here today?
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Photo by Klára Koszeghyova on Unsplash
Old school security
practices would
have you focused
on putting your
Lambda function
here and hoping no
one had cannons.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Photo by Paul Csogi on Unsplash
But we all
know our
Lambda
functions
live here
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Today’s focus:
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda function
Your function
code
Language
runtime
Execution
Environment
Compute
substrate
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda function
Your function
code
Language
runtime
Execution
Environment
Compute
substrate
Places where
you can
impact
security
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda function
Your function
code
Language
runtime
Execution
Environment
Compute
substrate
Places where
you can
impact
security
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda function
Handler() function
Function to be executed
upon invocation
Event object
Data sent during
Lambda Function
Invocation
Context object
Methods available to
interact with runtime
information (request ID,
log group, etc.)
public String handleRequest(Book book, Context context) {
saveBook(book);
return book.getName() + " saved!";
}
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Serverless applications
SERVICES (ANYTHING)EVENT SOURCE FUNCTION
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda function
Function myhandler(event, context) {
<Event handling logic> {
result = SubfunctionA()
}else {
result = SubfunctionB()
return result;
}
Function subFunctionA(thing){
## logic here
}
Function subFunctionA(thing){
## logic here
}
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Serverless applications
SERVICES (ANYTHING)EVENT SOURCE FUNCTION
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda functionImport sdk
Import http-lib
Import ham-sandwich
Pre-handler-secret-getter()
Pre-handler-db-connect()
Function myhandler(event, context) {
<Event handling logic> {
result = SubfunctionA()
}else {
result = SubfunctionB()
return result;
}
Function Pre-handler-secret-getter() {
}
Function Pre-handler-db-connect(){
}
Function subFunctionA(thing){
## logic here
}
Function subFunctionA(thing){
## logic here
}
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda functionImport sdk
Import http-lib
Import ham-sandwich
Pre-handler-secret-getter()
Pre-handler-db-connect()
Function myhandler(event, context) {
<Event handling logic> {
result = SubfunctionA()
}else {
result = SubfunctionB()
return result;
}
Function Pre-handler-secret-getter() {
}
Function Pre-handler-db-connect(){
}
Function subFunctionA(thing){
## logic here
}
Function subFunctionA(thing){
## logic here
}
Where you
can have a
bad time
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OWASP Top 10 - 2017
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging&Monitoring
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OWASP Top 10 - 2017
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging&Monitoring
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda functionImport sdk
Import http-lib
Import ham-sandwich
Pre-handler-secret-getter()
Pre-handler-db-connect()
Function myhandler(event, context) {
<Event handling logic> {
result = SubfunctionA()
}else {
result = SubfunctionB()
return result;
}
Function Pre-handler-secret-getter() {
}
Function Pre-handler-db-connect(){
}
Function subFunctionA(thing){
## logic here
}
Function subFunctionA(thing){
## logic here
}
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Spent 5 minutes, found all these dependency
management tools..
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Bonus round: project/repo scoping
If functions share an event
source they can go in the same
repo, if not they go in their own
repo as separate “applications”
• Simplifies permissions
If functions share an event
source but require varying
different imported packages,
make them their own function
files/jars/etc.
• Keep dependency bloat
minimized per function
Monorepo == anti-pattern for FaaS
Two rules:
Bonus round: project/repo scoping
If functions share an event
source they can go in the same
repo, if not they go in their own
repo as separate “applications”
• Simplifies permissions
If functions share an event
source but require varying
different imported packages,
make them their own function
files/jars/etc.
• Keep dependency bloat
minimized per function
Monorepo == anti-pattern for FaaS
Two rules:
Use language native dependency tools and put
shared logic in sub-packages
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda functionImport sdk
Import http-lib
Import ham-sandwich
Pre-handler-secret-getter()
Pre-handler-db-connect()
Function myhandler(event, context) {
<Event handling logic> {
result = SubfunctionA()
}else {
result = SubfunctionB()
return result;
}
Function Pre-handler-secret-getter() {
}
Function Pre-handler-db-connect(){
}
Function subFunctionA(thing){
## logic here
}
Function subFunctionA(thing){
## logic here
}
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lambda Environment Variables
• Key-value pairs that you can dynamically pass to your function
• Available via standard environment variable APIs such as process.env
for Node.js or os.environ for Python
• Can optionally be encrypted via AWS Key Management Service (KMS)
• Allows you to specify in IAM what roles have access to the keys to decrypt
the information
• Useful for creating environments per stage (i.e. dev, testing,
production)
AWS Systems Manager – Parameter Store
Centralized store to manage your
configuration data
• supports hierarchies
• plain-text or encrypted with KMS
• Can send notifications of changes
to Amazon SNS/ AWS Lambda
• Can be secured with IAM
• Calls recorded in CloudTrail
• Can be tagged
• Available via API/SDK
Useful for: centralized environment
variables, secrets control, feature
flags
from __future__ import print_function
import json
import boto3
ssm = boto3.client('ssm', 'us-east-1')
def get_parameters():
response = ssm.get_parameters(
Names=['LambdaSecureString'],WithDe
cryption=True
)
for parameter in
response['Parameters']:
return parameter['Value']
def lambda_handler(event, context):
value = get_parameters()
print("value1 = " + value)
return value # Echo back the first key
value
AWS Systems Manager – Parameter Store
Centralized store to manage your
configuration data
• supports hierarchies
• plain-text or encrypted with KMS
• Can send notifications of changes
to Amazon SNS/ AWS Lambda
• Can be secured with IAM
• Calls recorded in CloudTrail
• Can be tagged
• Available via API/SDK
Useful for: centralized environment
variables, secrets control, feature
flags
from __future__ import print_function
import json
import boto3
ssm = boto3.client('ssm', 'us-east-1')
def get_parameters():
response = ssm.get_parameters(
Names=['LambdaSecureString'],WithDe
cryption=True
)
for parameter in
response['Parameters']:
return parameter['Value']
def lambda_handler(event, context):
value = get_parameters()
print("value1 = " + value)
return value # Echo back the first key
value
#somuchawesome
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda functionImport sdk
Import http-lib
Import ham-sandwich
Pre-handler-secret-getter()
Pre-handler-db-connect()
Function myhandler(event, context) {
<Event handling logic> {
result = SubfunctionA()
}else {
result = SubfunctionB()
return result;
}
Function Pre-handler-secret-getter() {
}
Function Pre-handler-db-connect(){
}
Function subFunctionA(thing){
## logic here
}
Function subFunctionA(thing){
## logic here
}
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OWASP Top 10 - 2017
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging&Monitoring
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
“Insecure Deserialization” – Event parsing
True story: JSON parsing can be tricky
Good news: AWS services give Lambda the event payload in a defined
structure per service.
What to do:
• Explore JSON schema validation tools if processing messages
embedded in the JSON payload itself (see jsonschema npm
package as an example )
• Check data types of attributes in JSON after validation
• If processing a binary objects (say from S3): explore packages that
can help verify/test contents
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Anatomy of a Lambda function
Your function
code
Language
runtime
Execution
Environment
Compute
substrate
Places where
you can
impact
security
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OWASP Top 10 - 2017
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging&Monitoring
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Lambda permissions model
Fine grained security controls for both
execution and invocation:
Execution policies:
• Define what AWS resources/API calls can this
function access via IAM
• Used in streaming invocations
• E.g. “Lambda function A can read from
DynamoDB table users”
Function policies:
• Used for sync and async invocations
• E.g. “Actions on bucket X can invoke Lambda
function Z"
• Resource policies allow for cross account
access
"Action": "s3:*"
makes puppies cry
Photo by Matthew Henry on Unsplash
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Do yourself a favor,
go read the docs..
AWS Serverless Application Model (SAM)
CloudFormation extension optimized for
serverless
New serverless resource types: functions, APIs,
and tables
Supports anything CloudFormation supports
Open specification (Apache 2.0)
- SAM Translator recently open sourced!
https://github.com/awslabs/serverless-application-model
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
SAM Policy Templates
MyFunction:
Type: AWS::Serverless::Function
Properties:
...
Policies:
# Give just CRUD permissions to one table
- DynamoDBCrudPolicy:
TableName: !Ref MyTable
...
MyTable:
Type: AWS::Serverless::SimpleTable
SAM Policy Templates
MyFunction:
Type: AWS::Serverless::Function
Properties:
...
Policies:
# Give just CRUD permissions to one table
- DynamoDBCrudPolicy:
TableName: !Ref MyTable
...
MyTable:
Type: AWS::Serverless::SimpleTable
36 Predefined policies
All found here:
https://bit.ly/2LM6qml
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
IAM + Lambda best practices
• Where/when possible try to leverage
the pre-created managed policies that
exist today
• If you are doing “service:*” be REALLY
REALLY REALLY sure that’s what you
should and need to do
• Keep tight lockdown on who/what can
invoke functions
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Do I need to put my functions in an Amazon VPC?
Putting your functions inside of a
VPC provides little extra security
benefit to your AWS Lambda
functions
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Do I need to put my functions in an Amazon VPC?
Should my
Lambda
function be
in a VPC?
Does my function
need to access
any specific
resources in a
VPC?
Does it also need to
access resources or
services in the
public internet?
Don’t put the
function in a
VPC
Put the
function in a
private subnet
Put the
function in a
subnet with a
NAT’d route to
the internet
Yes Yes
No No
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
OWASP Top 10 - 2017
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging & Monitoring
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
I will turn on CloudTrail, Config, and CloudTrail Data Events
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
aws.amazon.com/serverless
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chris Munns
munns@amazon.com
@chrismunnshttps://www.flickr.com/photos/theredproject/3302110152/
© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
?
https://secure.flickr.com/photos/dullhunk/202872717/

More Related Content

What's hot

Networking Best Practices for Your Serverless Applications
Networking Best Practices for Your Serverless ApplicationsNetworking Best Practices for Your Serverless Applications
Networking Best Practices for Your Serverless Applications
Chris Munns
 
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
Chris Munns
 
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Amazon Web Services
 
Building serverless applications with Amazon S3
Building serverless applications with Amazon S3Building serverless applications with Amazon S3
Building serverless applications with Amazon S3
Chris Munns
 
Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM
Amazon Web Services
 
AWS Lambda Layers, the Runtime API, & Nested Applications
AWS Lambda Layers, the Runtime API, & Nested ApplicationsAWS Lambda Layers, the Runtime API, & Nested Applications
AWS Lambda Layers, the Runtime API, & Nested Applications
Amazon Web Services
 
Introduction to Serverless computing and AWS Lambda - Floor28
Introduction to Serverless computing and AWS Lambda - Floor28Introduction to Serverless computing and AWS Lambda - Floor28
Introduction to Serverless computing and AWS Lambda - Floor28
Boaz Ziniman
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts
Amazon Web Services
 
Building Global Multi-Region, Active-Active Serverless Backends I AWS Dev Day...
Building Global Multi-Region, Active-Active Serverless Backends I AWS Dev Day...Building Global Multi-Region, Active-Active Serverless Backends I AWS Dev Day...
Building Global Multi-Region, Active-Active Serverless Backends I AWS Dev Day...
AWS Germany
 
Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS
Amazon Web Services
 
Overview of Serverless Application Deployment Patterns - AWS Online Tech Talks
Overview of Serverless Application Deployment Patterns - AWS Online Tech TalksOverview of Serverless Application Deployment Patterns - AWS Online Tech Talks
Overview of Serverless Application Deployment Patterns - AWS Online Tech Talks
Amazon Web Services
 
Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls
Amazon Web Services
 
Data Design and Modeling for Microservices I AWS Dev Day 2018
Data Design and Modeling for Microservices I AWS Dev Day 2018Data Design and Modeling for Microservices I AWS Dev Day 2018
Data Design and Modeling for Microservices I AWS Dev Day 2018
AWS Germany
 
AWS Lambda Layers, the Runtime API, & Nested Applications: re:Invent 2018 Rec...
AWS Lambda Layers, the Runtime API, & Nested Applications: re:Invent 2018 Rec...AWS Lambda Layers, the Runtime API, & Nested Applications: re:Invent 2018 Rec...
AWS Lambda Layers, the Runtime API, & Nested Applications: re:Invent 2018 Rec...
Amazon Web Services
 
Building Serverless Microservices with AWS
Building Serverless Microservices with AWSBuilding Serverless Microservices with AWS
Building Serverless Microservices with AWS
Donnie Prakoso
 
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Amazon Web Services
 
Building Serverless Enterprise Applications - SRV315 - Anaheim AWS Summit
Building Serverless Enterprise Applications - SRV315 - Anaheim AWS SummitBuilding Serverless Enterprise Applications - SRV315 - Anaheim AWS Summit
Building Serverless Enterprise Applications - SRV315 - Anaheim AWS Summit
Amazon Web Services
 
Lambda Layers & Runtime API
Lambda Layers & Runtime APILambda Layers & Runtime API
Lambda Layers & Runtime API
Amazon Web Services
 
Getting Started with AWS Lambda Serverless Computing
Getting Started with AWS Lambda Serverless ComputingGetting Started with AWS Lambda Serverless Computing
Getting Started with AWS Lambda Serverless Computing
Amazon Web Services
 
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Amazon Web Services
 

What's hot (20)

Networking Best Practices for Your Serverless Applications
Networking Best Practices for Your Serverless ApplicationsNetworking Best Practices for Your Serverless Applications
Networking Best Practices for Your Serverless Applications
 
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
Gluecon 2018 - The Best Practices and Hard Lessons Learned of Serverless Appl...
 
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
Best Practices for CI/CD with AWS Lambda and Amazon API Gateway (SRV355-R1) -...
 
Building serverless applications with Amazon S3
Building serverless applications with Amazon S3Building serverless applications with Amazon S3
Building serverless applications with Amazon S3
 
Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM Build and Deploy Serverless Applications with AWS SAM
Build and Deploy Serverless Applications with AWS SAM
 
AWS Lambda Layers, the Runtime API, & Nested Applications
AWS Lambda Layers, the Runtime API, & Nested ApplicationsAWS Lambda Layers, the Runtime API, & Nested Applications
AWS Lambda Layers, the Runtime API, & Nested Applications
 
Introduction to Serverless computing and AWS Lambda - Floor28
Introduction to Serverless computing and AWS Lambda - Floor28Introduction to Serverless computing and AWS Lambda - Floor28
Introduction to Serverless computing and AWS Lambda - Floor28
 
Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts Secure your AWS Account and your Organization's Accounts
Secure your AWS Account and your Organization's Accounts
 
Building Global Multi-Region, Active-Active Serverless Backends I AWS Dev Day...
Building Global Multi-Region, Active-Active Serverless Backends I AWS Dev Day...Building Global Multi-Region, Active-Active Serverless Backends I AWS Dev Day...
Building Global Multi-Region, Active-Active Serverless Backends I AWS Dev Day...
 
Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS Evolve Your Incident Response Process and Powers for AWS
Evolve Your Incident Response Process and Powers for AWS
 
Overview of Serverless Application Deployment Patterns - AWS Online Tech Talks
Overview of Serverless Application Deployment Patterns - AWS Online Tech TalksOverview of Serverless Application Deployment Patterns - AWS Online Tech Talks
Overview of Serverless Application Deployment Patterns - AWS Online Tech Talks
 
Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls Bridgewater's Model-Based Verification of AWS Security Controls
Bridgewater's Model-Based Verification of AWS Security Controls
 
Data Design and Modeling for Microservices I AWS Dev Day 2018
Data Design and Modeling for Microservices I AWS Dev Day 2018Data Design and Modeling for Microservices I AWS Dev Day 2018
Data Design and Modeling for Microservices I AWS Dev Day 2018
 
AWS Lambda Layers, the Runtime API, & Nested Applications: re:Invent 2018 Rec...
AWS Lambda Layers, the Runtime API, & Nested Applications: re:Invent 2018 Rec...AWS Lambda Layers, the Runtime API, & Nested Applications: re:Invent 2018 Rec...
AWS Lambda Layers, the Runtime API, & Nested Applications: re:Invent 2018 Rec...
 
Building Serverless Microservices with AWS
Building Serverless Microservices with AWSBuilding Serverless Microservices with AWS
Building Serverless Microservices with AWS
 
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
Build a dashboard using serverless security analytics - SDD201 - AWS re:Infor...
 
Building Serverless Enterprise Applications - SRV315 - Anaheim AWS Summit
Building Serverless Enterprise Applications - SRV315 - Anaheim AWS SummitBuilding Serverless Enterprise Applications - SRV315 - Anaheim AWS Summit
Building Serverless Enterprise Applications - SRV315 - Anaheim AWS Summit
 
Lambda Layers & Runtime API
Lambda Layers & Runtime APILambda Layers & Runtime API
Lambda Layers & Runtime API
 
Getting Started with AWS Lambda Serverless Computing
Getting Started with AWS Lambda Serverless ComputingGetting Started with AWS Lambda Serverless Computing
Getting Started with AWS Lambda Serverless Computing
 
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
Tax returns in the cloud: The journey of Intuit’s data platform - SDD330 - AW...
 

Similar to Practical Guidance for Increasing your Serverless Application's Security

Best Practices and Hard Lessons of Serverless- AWS Startup Day Toronto- Diego...
Best Practices and Hard Lessons of Serverless- AWS Startup Day Toronto- Diego...Best Practices and Hard Lessons of Serverless- AWS Startup Day Toronto- Diego...
Best Practices and Hard Lessons of Serverless- AWS Startup Day Toronto- Diego...
Amazon Web Services
 
The Best Practices and Hard Lessons Learned of Serverless Applications
The Best Practices and Hard Lessons Learned of Serverless ApplicationsThe Best Practices and Hard Lessons Learned of Serverless Applications
The Best Practices and Hard Lessons Learned of Serverless Applications
Amazon Web Services LATAM
 
The Best Practices and Hard Lessons Learned of Serverless Applications - AWS ...
The Best Practices and Hard Lessons Learned of Serverless Applications - AWS ...The Best Practices and Hard Lessons Learned of Serverless Applications - AWS ...
The Best Practices and Hard Lessons Learned of Serverless Applications - AWS ...
Amazon Web Services
 
AWS18 Startup Day Toronto- The Best Practices and Hard Lessons Learned of Ser...
AWS18 Startup Day Toronto- The Best Practices and Hard Lessons Learned of Ser...AWS18 Startup Day Toronto- The Best Practices and Hard Lessons Learned of Ser...
AWS18 Startup Day Toronto- The Best Practices and Hard Lessons Learned of Ser...
Amazon Web Services
 
Build Enterprise-Grade Serverless Apps
Build Enterprise-Grade Serverless Apps Build Enterprise-Grade Serverless Apps
Build Enterprise-Grade Serverless Apps
Amazon Web Services
 
Build Enterprise-Grade Serverless Apps - SRV315 - Chicago AWS Summit
Build Enterprise-Grade Serverless Apps - SRV315 - Chicago AWS SummitBuild Enterprise-Grade Serverless Apps - SRV315 - Chicago AWS Summit
Build Enterprise-Grade Serverless Apps - SRV315 - Chicago AWS Summit
Amazon Web Services
 
The Future of Enterprise Applications is Serverless
The Future of Enterprise Applications is ServerlessThe Future of Enterprise Applications is Serverless
The Future of Enterprise Applications is Serverless
Eficode
 
Taking serverless to the edge
Taking serverless to the edgeTaking serverless to the edge
Taking serverless to the edge
Amazon Web Services
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2
Amazon Web Services
 
SRV328 Designing and Implementing a Serverless Media-Processing Workflow
SRV328 Designing and Implementing a Serverless Media-Processing WorkflowSRV328 Designing and Implementing a Serverless Media-Processing Workflow
SRV328 Designing and Implementing a Serverless Media-Processing Workflow
Amazon Web Services
 
Building Real-time Serverless Backends with GraphQL
Building Real-time Serverless Backends with GraphQLBuilding Real-time Serverless Backends with GraphQL
Building Real-time Serverless Backends with GraphQL
Amazon Web Services
 
Building serverless enterprise applications - SRV315 - Toronto AWS Summit
Building serverless enterprise applications - SRV315 - Toronto AWS SummitBuilding serverless enterprise applications - SRV315 - Toronto AWS Summit
Building serverless enterprise applications - SRV315 - Toronto AWS Summit
Amazon Web Services
 
Serverless Architectural Patterns I AWS Dev Day 2018
Serverless Architectural Patterns I AWS Dev Day 2018Serverless Architectural Patterns I AWS Dev Day 2018
Serverless Architectural Patterns I AWS Dev Day 2018
AWS Germany
 
Building Real-time Serverless Backends
Building Real-time Serverless BackendsBuilding Real-time Serverless Backends
Building Real-time Serverless Backends
Amazon Web Services
 
Websites go Serverless - Floor28
Websites go Serverless - Floor28Websites go Serverless - Floor28
Websites go Serverless - Floor28
Boaz Ziniman
 
Websites go Serverless | AWS Floor28
Websites go Serverless | AWS Floor28Websites go Serverless | AWS Floor28
Websites go Serverless | AWS Floor28
Amazon Web Services
 
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS SummitThirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
Amazon Web Services
 
Eliminate Migration Confusion: Speed Migration with Automated Tracking (ENT31...
Eliminate Migration Confusion: Speed Migration with Automated Tracking (ENT31...Eliminate Migration Confusion: Speed Migration with Automated Tracking (ENT31...
Eliminate Migration Confusion: Speed Migration with Automated Tracking (ENT31...
Amazon Web Services
 
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
Amazon Web Services
 
Build Enterprise-Grade Serverless Apps - SRV315 - Atlanta AWS Summit
Build Enterprise-Grade Serverless Apps - SRV315 - Atlanta AWS SummitBuild Enterprise-Grade Serverless Apps - SRV315 - Atlanta AWS Summit
Build Enterprise-Grade Serverless Apps - SRV315 - Atlanta AWS Summit
Amazon Web Services
 

Similar to Practical Guidance for Increasing your Serverless Application's Security (20)

Best Practices and Hard Lessons of Serverless- AWS Startup Day Toronto- Diego...
Best Practices and Hard Lessons of Serverless- AWS Startup Day Toronto- Diego...Best Practices and Hard Lessons of Serverless- AWS Startup Day Toronto- Diego...
Best Practices and Hard Lessons of Serverless- AWS Startup Day Toronto- Diego...
 
The Best Practices and Hard Lessons Learned of Serverless Applications
The Best Practices and Hard Lessons Learned of Serverless ApplicationsThe Best Practices and Hard Lessons Learned of Serverless Applications
The Best Practices and Hard Lessons Learned of Serverless Applications
 
The Best Practices and Hard Lessons Learned of Serverless Applications - AWS ...
The Best Practices and Hard Lessons Learned of Serverless Applications - AWS ...The Best Practices and Hard Lessons Learned of Serverless Applications - AWS ...
The Best Practices and Hard Lessons Learned of Serverless Applications - AWS ...
 
AWS18 Startup Day Toronto- The Best Practices and Hard Lessons Learned of Ser...
AWS18 Startup Day Toronto- The Best Practices and Hard Lessons Learned of Ser...AWS18 Startup Day Toronto- The Best Practices and Hard Lessons Learned of Ser...
AWS18 Startup Day Toronto- The Best Practices and Hard Lessons Learned of Ser...
 
Build Enterprise-Grade Serverless Apps
Build Enterprise-Grade Serverless Apps Build Enterprise-Grade Serverless Apps
Build Enterprise-Grade Serverless Apps
 
Build Enterprise-Grade Serverless Apps - SRV315 - Chicago AWS Summit
Build Enterprise-Grade Serverless Apps - SRV315 - Chicago AWS SummitBuild Enterprise-Grade Serverless Apps - SRV315 - Chicago AWS Summit
Build Enterprise-Grade Serverless Apps - SRV315 - Chicago AWS Summit
 
The Future of Enterprise Applications is Serverless
The Future of Enterprise Applications is ServerlessThe Future of Enterprise Applications is Serverless
The Future of Enterprise Applications is Serverless
 
Taking serverless to the edge
Taking serverless to the edgeTaking serverless to the edge
Taking serverless to the edge
 
Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2Threat Detection & Remediation Workshop - Module 2
Threat Detection & Remediation Workshop - Module 2
 
SRV328 Designing and Implementing a Serverless Media-Processing Workflow
SRV328 Designing and Implementing a Serverless Media-Processing WorkflowSRV328 Designing and Implementing a Serverless Media-Processing Workflow
SRV328 Designing and Implementing a Serverless Media-Processing Workflow
 
Building Real-time Serverless Backends with GraphQL
Building Real-time Serverless Backends with GraphQLBuilding Real-time Serverless Backends with GraphQL
Building Real-time Serverless Backends with GraphQL
 
Building serverless enterprise applications - SRV315 - Toronto AWS Summit
Building serverless enterprise applications - SRV315 - Toronto AWS SummitBuilding serverless enterprise applications - SRV315 - Toronto AWS Summit
Building serverless enterprise applications - SRV315 - Toronto AWS Summit
 
Serverless Architectural Patterns I AWS Dev Day 2018
Serverless Architectural Patterns I AWS Dev Day 2018Serverless Architectural Patterns I AWS Dev Day 2018
Serverless Architectural Patterns I AWS Dev Day 2018
 
Building Real-time Serverless Backends
Building Real-time Serverless BackendsBuilding Real-time Serverless Backends
Building Real-time Serverless Backends
 
Websites go Serverless - Floor28
Websites go Serverless - Floor28Websites go Serverless - Floor28
Websites go Serverless - Floor28
 
Websites go Serverless | AWS Floor28
Websites go Serverless | AWS Floor28Websites go Serverless | AWS Floor28
Websites go Serverless | AWS Floor28
 
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS SummitThirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
Thirty Serverless Architectures in 30 Minutes - SRV325 - Chicago AWS Summit
 
Eliminate Migration Confusion: Speed Migration with Automated Tracking (ENT31...
Eliminate Migration Confusion: Speed Migration with Automated Tracking (ENT31...Eliminate Migration Confusion: Speed Migration with Automated Tracking (ENT31...
Eliminate Migration Confusion: Speed Migration with Automated Tracking (ENT31...
 
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
Configuration Management and Service Discovery with AWS Lambda (SRV338-R1) - ...
 
Build Enterprise-Grade Serverless Apps - SRV315 - Atlanta AWS Summit
Build Enterprise-Grade Serverless Apps - SRV315 - Atlanta AWS SummitBuild Enterprise-Grade Serverless Apps - SRV315 - Atlanta AWS Summit
Build Enterprise-Grade Serverless Apps - SRV315 - Atlanta AWS Summit
 

Recently uploaded

Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
revolutionary575
 
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
bhumivarma35300
 
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
simran hot girls
 
Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech
 
Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.
shivamt017
 
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
neshakor5152
 
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
45unexpected
 
Software development... for all? (keynote at ICSOFT'2024)
Software development... for all? (keynote at ICSOFT'2024)Software development... for all? (keynote at ICSOFT'2024)
Software development... for all? (keynote at ICSOFT'2024)
miso_uam
 
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
norina2645
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
akshesh doshi
 
Attendance Tracking From Paper To Digital
Attendance Tracking From Paper To DigitalAttendance Tracking From Paper To Digital
Attendance Tracking From Paper To Digital
Task Tracker
 
How To Fill Timesheet in TaskSprint: Quick Guide 2024
How To Fill Timesheet in TaskSprint: Quick Guide 2024How To Fill Timesheet in TaskSprint: Quick Guide 2024
How To Fill Timesheet in TaskSprint: Quick Guide 2024
TaskSprint | Employee Efficiency Software
 
Folding Cheat Sheet #7 - seventh in a series
Folding Cheat Sheet #7 - seventh in a seriesFolding Cheat Sheet #7 - seventh in a series
Folding Cheat Sheet #7 - seventh in a series
Philip Schwarz
 
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
ashiklo9823
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
SimonedeGijt
 
Artificial intelligence in customer services or chatbots
Artificial intelligence  in customer services or chatbotsArtificial intelligence  in customer services or chatbots
Artificial intelligence in customer services or chatbots
kayash1656
 
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Deliverybangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
sunilverma7884
 
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
confluent
 
Google ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learningGoogle ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learning
VishrutGoyani1
 
TEQnation 2024: Sustainable Software: May the Green Code Be with You
TEQnation 2024: Sustainable Software: May the Green Code Be with YouTEQnation 2024: Sustainable Software: May the Green Code Be with You
TEQnation 2024: Sustainable Software: May the Green Code Be with You
marcofolio
 

Recently uploaded (20)

Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
Busty Girls Call Mumbai 9930245274 Unlimited Short Providing Girls Service Av...
 
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
Independent Girls call Service Pune 000XX00000 Provide Best And Top Girl Serv...
 
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
Girls Call Jogeshwari 9967584737 Provide Best And Top Girl Service And No1 in...
 
Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.Mobile App Development Company in Noida - Drona Infotech.
Mobile App Development Company in Noida - Drona Infotech.
 
Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.Shivam Pandit working on Php Web Developer.
Shivam Pandit working on Php Web Developer.
 
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in CityGirls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
Girls Call Mysore 000XX00000 Provide Best And Top Girl Service And No1 in City
 
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
Celebrity Girls Call Mumbai 9920725232 Unlimited Short Providing Girls Servic...
 
Software development... for all? (keynote at ICSOFT'2024)
Software development... for all? (keynote at ICSOFT'2024)Software development... for all? (keynote at ICSOFT'2024)
Software development... for all? (keynote at ICSOFT'2024)
 
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
Celebrity Girls Call Mumbai 🛵🚡9910780858 💃 Choose Best And Top Girl Service A...
 
ThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and DjangoThaiPy meetup - Indexes and Django
ThaiPy meetup - Indexes and Django
 
Attendance Tracking From Paper To Digital
Attendance Tracking From Paper To DigitalAttendance Tracking From Paper To Digital
Attendance Tracking From Paper To Digital
 
How To Fill Timesheet in TaskSprint: Quick Guide 2024
How To Fill Timesheet in TaskSprint: Quick Guide 2024How To Fill Timesheet in TaskSprint: Quick Guide 2024
How To Fill Timesheet in TaskSprint: Quick Guide 2024
 
Folding Cheat Sheet #7 - seventh in a series
Folding Cheat Sheet #7 - seventh in a seriesFolding Cheat Sheet #7 - seventh in a series
Folding Cheat Sheet #7 - seventh in a series
 
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
Vip Girls Call ServiCe Hyderabad 0000000000 Pooja Best High Class Hyderabad A...
 
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptxWired_2.0_Create_AmsterdamJUG_09072024.pptx
Wired_2.0_Create_AmsterdamJUG_09072024.pptx
 
Artificial intelligence in customer services or chatbots
Artificial intelligence  in customer services or chatbotsArtificial intelligence  in customer services or chatbots
Artificial intelligence in customer services or chatbots
 
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Deliverybangalore Girls call  👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
bangalore Girls call 👀 XXXXXXXXXXX 👀 Rs.9.5 K Cash Payment With Room Delivery
 
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
Unleashing the Future: Building a Scalable and Up-to-Date GenAI Chatbot with ...
 
Google ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learningGoogle ML-Kit - Understanding on-device machine learning
Google ML-Kit - Understanding on-device machine learning
 
TEQnation 2024: Sustainable Software: May the Green Code Be with You
TEQnation 2024: Sustainable Software: May the Green Code Be with YouTEQnation 2024: Sustainable Software: May the Green Code Be with You
TEQnation 2024: Sustainable Software: May the Green Code Be with You
 

Practical Guidance for Increasing your Serverless Application's Security

  • 1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Chris Munns – Senior Developer Advocate – AWS Serverless Practical Guidance for Increasing your Serverless Application’s Security
  • 2. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. About me: Chris Munns - munns@amazon.com, @chrismunns • Lead Developer Advocate - Serverless • New Yorker • Previously: • AWS Business Development Manager – DevOps, July ’15 - Feb ‘17 • AWS Solutions Architect Nov, 2011- Dec 2014 • Formerly on operations teams @Etsy and @Meetup • Little time at a hedge fund, Xerox and a few other startups • Rochester Institute of Technology: Applied Networking and Systems Administration ’05 • Internet infrastructure geek
  • 3. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. https://secure.flickr.com/photos/mgifford/4525333972 Why are we here today?
  • 4. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What should this talk be about? Me: “Should I have a talk about how I think people focused on building self managed containerized “serverless” platforms are missing the big picture and its not the future” Jefe: “No, talk about security” Ajay Nair Lead Product Manager – AWS Lambda @ajaynairthinks Aka “jefe” to me <Humor Slide />
  • 5. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. What should this talk be about? Me: “Can I do talk where I tear apart the FUD currently in the space showing up by people with an odd counter productive personal agendas?” Product Marketing: “No, please not that, no. Do something happy on security.” <Humor Slide /> Ambiguous representation of AWS product marketing folks sitting up front looking concerned at me
  • 6. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. But then... The very wonderful Tim Wagner (“el jefe jefe”) and equally wonderful Mark Nunnikhoven delivered like 40% of my content yesterday in their own talks... <Humor Slide />
  • 7. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless Dance Routine?
  • 8. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless Dance Routine?
  • 9. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. https://secure.flickr.com/photos/mgifford/4525333972 Why are we here today?
  • 10. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Photo by Klára Koszeghyova on Unsplash Old school security practices would have you focused on putting your Lambda function here and hoping no one had cannons.
  • 11. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Photo by Paul Csogi on Unsplash But we all know our Lambda functions live here
  • 12. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Today’s focus:
  • 13. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda function Your function code Language runtime Execution Environment Compute substrate
  • 14. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda function Your function code Language runtime Execution Environment Compute substrate Places where you can impact security
  • 15. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda function Your function code Language runtime Execution Environment Compute substrate Places where you can impact security
  • 16. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda function Handler() function Function to be executed upon invocation Event object Data sent during Lambda Function Invocation Context object Methods available to interact with runtime information (request ID, log group, etc.) public String handleRequest(Book book, Context context) { saveBook(book); return book.getName() + " saved!"; }
  • 17. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless applications SERVICES (ANYTHING)EVENT SOURCE FUNCTION
  • 18. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda function Function myhandler(event, context) { <Event handling logic> { result = SubfunctionA() }else { result = SubfunctionB() return result; } Function subFunctionA(thing){ ## logic here } Function subFunctionA(thing){ ## logic here }
  • 19. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Serverless applications SERVICES (ANYTHING)EVENT SOURCE FUNCTION
  • 20. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda functionImport sdk Import http-lib Import ham-sandwich Pre-handler-secret-getter() Pre-handler-db-connect() Function myhandler(event, context) { <Event handling logic> { result = SubfunctionA() }else { result = SubfunctionB() return result; } Function Pre-handler-secret-getter() { } Function Pre-handler-db-connect(){ } Function subFunctionA(thing){ ## logic here } Function subFunctionA(thing){ ## logic here }
  • 21. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda functionImport sdk Import http-lib Import ham-sandwich Pre-handler-secret-getter() Pre-handler-db-connect() Function myhandler(event, context) { <Event handling logic> { result = SubfunctionA() }else { result = SubfunctionB() return result; } Function Pre-handler-secret-getter() { } Function Pre-handler-db-connect(){ } Function subFunctionA(thing){ ## logic here } Function subFunctionA(thing){ ## logic here } Where you can have a bad time
  • 22. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. OWASP Top 10 - 2017 • Injection • Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control • Security Misconfiguration • Cross-Site Scripting (XSS) • Insecure Deserialization • Using Components with Known Vulnerabilities • Insufficient Logging&Monitoring
  • 23. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. OWASP Top 10 - 2017 • Injection • Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control • Security Misconfiguration • Cross-Site Scripting (XSS) • Insecure Deserialization • Using Components with Known Vulnerabilities • Insufficient Logging&Monitoring
  • 24. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda functionImport sdk Import http-lib Import ham-sandwich Pre-handler-secret-getter() Pre-handler-db-connect() Function myhandler(event, context) { <Event handling logic> { result = SubfunctionA() }else { result = SubfunctionB() return result; } Function Pre-handler-secret-getter() { } Function Pre-handler-db-connect(){ } Function subFunctionA(thing){ ## logic here } Function subFunctionA(thing){ ## logic here }
  • 25. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 26. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 27. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 28. Spent 5 minutes, found all these dependency management tools..
  • 29. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Bonus round: project/repo scoping If functions share an event source they can go in the same repo, if not they go in their own repo as separate “applications” • Simplifies permissions If functions share an event source but require varying different imported packages, make them their own function files/jars/etc. • Keep dependency bloat minimized per function Monorepo == anti-pattern for FaaS Two rules:
  • 30. Bonus round: project/repo scoping If functions share an event source they can go in the same repo, if not they go in their own repo as separate “applications” • Simplifies permissions If functions share an event source but require varying different imported packages, make them their own function files/jars/etc. • Keep dependency bloat minimized per function Monorepo == anti-pattern for FaaS Two rules: Use language native dependency tools and put shared logic in sub-packages
  • 31. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda functionImport sdk Import http-lib Import ham-sandwich Pre-handler-secret-getter() Pre-handler-db-connect() Function myhandler(event, context) { <Event handling logic> { result = SubfunctionA() }else { result = SubfunctionB() return result; } Function Pre-handler-secret-getter() { } Function Pre-handler-db-connect(){ } Function subFunctionA(thing){ ## logic here } Function subFunctionA(thing){ ## logic here }
  • 32. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Lambda Environment Variables • Key-value pairs that you can dynamically pass to your function • Available via standard environment variable APIs such as process.env for Node.js or os.environ for Python • Can optionally be encrypted via AWS Key Management Service (KMS) • Allows you to specify in IAM what roles have access to the keys to decrypt the information • Useful for creating environments per stage (i.e. dev, testing, production)
  • 33. AWS Systems Manager – Parameter Store Centralized store to manage your configuration data • supports hierarchies • plain-text or encrypted with KMS • Can send notifications of changes to Amazon SNS/ AWS Lambda • Can be secured with IAM • Calls recorded in CloudTrail • Can be tagged • Available via API/SDK Useful for: centralized environment variables, secrets control, feature flags from __future__ import print_function import json import boto3 ssm = boto3.client('ssm', 'us-east-1') def get_parameters(): response = ssm.get_parameters( Names=['LambdaSecureString'],WithDe cryption=True ) for parameter in response['Parameters']: return parameter['Value'] def lambda_handler(event, context): value = get_parameters() print("value1 = " + value) return value # Echo back the first key value
  • 34. AWS Systems Manager – Parameter Store Centralized store to manage your configuration data • supports hierarchies • plain-text or encrypted with KMS • Can send notifications of changes to Amazon SNS/ AWS Lambda • Can be secured with IAM • Calls recorded in CloudTrail • Can be tagged • Available via API/SDK Useful for: centralized environment variables, secrets control, feature flags from __future__ import print_function import json import boto3 ssm = boto3.client('ssm', 'us-east-1') def get_parameters(): response = ssm.get_parameters( Names=['LambdaSecureString'],WithDe cryption=True ) for parameter in response['Parameters']: return parameter['Value'] def lambda_handler(event, context): value = get_parameters() print("value1 = " + value) return value # Echo back the first key value #somuchawesome
  • 35. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda functionImport sdk Import http-lib Import ham-sandwich Pre-handler-secret-getter() Pre-handler-db-connect() Function myhandler(event, context) { <Event handling logic> { result = SubfunctionA() }else { result = SubfunctionB() return result; } Function Pre-handler-secret-getter() { } Function Pre-handler-db-connect(){ } Function subFunctionA(thing){ ## logic here } Function subFunctionA(thing){ ## logic here }
  • 36. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. OWASP Top 10 - 2017 • Injection • Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control • Security Misconfiguration • Cross-Site Scripting (XSS) • Insecure Deserialization • Using Components with Known Vulnerabilities • Insufficient Logging&Monitoring
  • 37. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. “Insecure Deserialization” – Event parsing True story: JSON parsing can be tricky Good news: AWS services give Lambda the event payload in a defined structure per service. What to do: • Explore JSON schema validation tools if processing messages embedded in the JSON payload itself (see jsonschema npm package as an example ) • Check data types of attributes in JSON after validation • If processing a binary objects (say from S3): explore packages that can help verify/test contents
  • 38. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Anatomy of a Lambda function Your function code Language runtime Execution Environment Compute substrate Places where you can impact security
  • 39. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. OWASP Top 10 - 2017 • Injection • Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control • Security Misconfiguration • Cross-Site Scripting (XSS) • Insecure Deserialization • Using Components with Known Vulnerabilities • Insufficient Logging&Monitoring
  • 40. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Lambda permissions model Fine grained security controls for both execution and invocation: Execution policies: • Define what AWS resources/API calls can this function access via IAM • Used in streaming invocations • E.g. “Lambda function A can read from DynamoDB table users” Function policies: • Used for sync and async invocations • E.g. “Actions on bucket X can invoke Lambda function Z" • Resource policies allow for cross account access
  • 41. "Action": "s3:*" makes puppies cry Photo by Matthew Henry on Unsplash
  • 42. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Do yourself a favor, go read the docs..
  • 43. AWS Serverless Application Model (SAM) CloudFormation extension optimized for serverless New serverless resource types: functions, APIs, and tables Supports anything CloudFormation supports Open specification (Apache 2.0) - SAM Translator recently open sourced! https://github.com/awslabs/serverless-application-model
  • 44. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. SAM Policy Templates MyFunction: Type: AWS::Serverless::Function Properties: ... Policies: # Give just CRUD permissions to one table - DynamoDBCrudPolicy: TableName: !Ref MyTable ... MyTable: Type: AWS::Serverless::SimpleTable
  • 45. SAM Policy Templates MyFunction: Type: AWS::Serverless::Function Properties: ... Policies: # Give just CRUD permissions to one table - DynamoDBCrudPolicy: TableName: !Ref MyTable ... MyTable: Type: AWS::Serverless::SimpleTable 36 Predefined policies All found here: https://bit.ly/2LM6qml
  • 46. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. IAM + Lambda best practices • Where/when possible try to leverage the pre-created managed policies that exist today • If you are doing “service:*” be REALLY REALLY REALLY sure that’s what you should and need to do • Keep tight lockdown on who/what can invoke functions
  • 47. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Do I need to put my functions in an Amazon VPC? Putting your functions inside of a VPC provides little extra security benefit to your AWS Lambda functions
  • 48. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Do I need to put my functions in an Amazon VPC? Should my Lambda function be in a VPC? Does my function need to access any specific resources in a VPC? Does it also need to access resources or services in the public internet? Don’t put the function in a VPC Put the function in a private subnet Put the function in a subnet with a NAT’d route to the internet Yes Yes No No
  • 49. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. OWASP Top 10 - 2017 • Injection • Broken Authentication • Sensitive Data Exposure • XML External Entities (XXE) • Broken Access Control • Security Misconfiguration • Cross-Site Scripting (XSS) • Insecure Deserialization • Using Components with Known Vulnerabilities • Insufficient Logging & Monitoring
  • 50. I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events I will turn on CloudTrail, Config, and CloudTrail Data Events
  • 51. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 52. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 53. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 54. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 55. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
  • 56. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. aws.amazon.com/serverless
  • 57. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Chris Munns munns@amazon.com @chrismunnshttps://www.flickr.com/photos/theredproject/3302110152/
  • 58. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved. ? https://secure.flickr.com/photos/dullhunk/202872717/