This document provides an overview of serverless architectures and how to build a serverless web application. It discusses how serverless applications remove the need for servers by leveraging event-driven compute services like AWS Lambda. The document then breaks down the anatomy of a typical web application and shows how each component maps to a serverless equivalent such as API Gateway, Lambda, DynamoDB and S3. It also covers securing the application using AWS IAM and Cognito for authentication and authorization. The presentation includes a demo of a serverless blogging application and discusses other security and authorization options.
5. Benefits of Serverless?
Provisioning and Utilization
Operations and Management
Scaling, Availability and Fault Tolerance
Which leads to…
Low Cost, Simple, Low Latency, Scalable, Reliable
6. Platform of Serverless Products
Storage, Database, Compute
Messaging and Queues, Gateways
User Management
Internet of Things
Machine Learning, Streaming Analytics
20. API Gateway – Stage Variables
Key/Value pairs used for configuration
Used for different stages of API
Specify a Lambda function name
Pass to backend
21. Lambda
Serverless, event-driven compute
Code is NodeJS, Python or JVM based
Specify memory allocated
Determine what invokes the functions
API Gateway, S3, DynamoDB, Kinesis, SNS, SES, Cognito, CloudWatch Logs, CloudWatch Events, CloudFormation, Config, Scheduled Events
22. Lambda – Versioning and Aliases
Versioning
ARN for each one (immutable)
Versions of functions for Dev, Staging, Prod
Aliases
Point to a version
Have an ARN also
Event sources point to Alias ARNs
23. Lambda – Dynamic Configuration
One option:
Pull Configs from DDB
Write values to global vars
Code uses global vars
[Diagram: Lambda Function reading configuration from Amazon DynamoDB]
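The three steps on this slide (pull configs from DynamoDB, write them to global vars, have the code read the globals) as an added example; this is not code from the talk or its demo. The DynamoDB table is replaced by an in-memory dict so it runs offline, the item shape and the 5-minute TTL are assumptions, and the TTL is the part the slide leaves implicit: globals persist across warm invocations, so without a refresh a changed config only reaches brand-new containers.

```python
import time

# Constructed stand-in for a DynamoDB "config" table so the example runs offline.
# In a real function this would be boto3's Table.get_item(Key={...}); the
# item shape below is an assumption, not the talk's schema.
FAKE_CONFIG_TABLE = {
    "blog-api": {"posts_per_page": 10, "comments_enabled": True},
}

# Module-level globals live as long as the container does, so warm invocations
# reuse them and only a cold start (or an expired TTL) re-reads the table.
CONFIG = {}
CONFIG_LOADED_AT = 0.0
CONFIG_TTL_SECONDS = 300   # assumption: refresh values older than 5 minutes
_LOAD_COUNT = 0


def fetch_config(app_name, table=FAKE_CONFIG_TABLE):
    """Read this app's config item from the (fake) DynamoDB table."""
    item = table.get(app_name)
    if item is None:
        raise KeyError(f"no config item for {app_name!r}")
    return dict(item)


def load_config(app_name, now=None, table=FAKE_CONFIG_TABLE):
    """Write fetched values into the globals, re-reading only when the TTL has expired."""
    global CONFIG, CONFIG_LOADED_AT, _LOAD_COUNT
    now = time.time() if now is None else now
    if not CONFIG or now - CONFIG_LOADED_AT > CONFIG_TTL_SECONDS:
        CONFIG = fetch_config(app_name, table)
        CONFIG_LOADED_AT = now
        _LOAD_COUNT += 1
    return CONFIG


def load_count():
    """How many times the table has been read in this container (for observability)."""
    return _LOAD_COUNT


def handler(event, context=None, now=None):
    """Lambda entry point: the code only ever reads the globals, never the table directly."""
    cfg = load_config("blog-api", now=now)
    page = int(event.get("page", 1))
    body = {
        "page": page,
        "page_size": cfg["posts_per_page"],
        "comments_enabled": cfg["comments_enabled"],
    }
    return {"statusCode": 200, "body": body}


if __name__ == "__main__":
    print(handler({"page": 2}))
    print("table reads so far:", load_count())
```

The `now` parameter exists only so the refresh logic can be exercised deterministically; in Lambda the default `time.time()` is used.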
24. DynamoDB - refresher
NoSQL database
Keys: Hash Key and (optional) Range Key
Tips:
Plan your keys
Think about your queries
32. Authentication Options with Cognito
Federated Identity Providers
• Amazon
• Facebook
• Google
Custom Developed Authentication System
Cognito Identity User Pools (Preview)
33. Unauthenticated vs Authenticated roles
Ability to define both in Cognito
Start out unauthenticated, then switch to authenticated!
e.g. browsing a blogging site, then logging in to post or comment
34. Example IAM Policy for API Gateway
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "execute-api:Invoke"
      ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments/*",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/users",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/login"
      ]
    }
  ]
}
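To see what this policy actually grants to the unauthenticated role, here is an added example (not code from the talk) that builds the execute-api ARN API Gateway checks for a request and evaluates the slide's policy against it with IAM's wildcard rules. The region, account and API id are the slide's placeholders; the stage name "prod" and the evaluator itself are assumptions.

```python
import re

# The policy from the slide (the unauthenticated role's permissions on the blog API),
# embedded as data so the example runs stand-alone.
UNAUTH_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["execute-api:Invoke"],
            "Resource": [
                "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts",
                "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*",
                "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments",
                "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments/*",
                "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/users",
                "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/login",
            ],
        }
    ],
}


def wildcard_to_regex(pattern):
    """IAM wildcard semantics: '*' matches any run of characters (including '/'),
    '?' matches exactly one character, everything else is literal."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile("^" + escaped + "$")


def method_arn(region, account, api_id, stage, method, path):
    """The execute-api ARN API Gateway checks for one request:
    arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<METHOD>/<path>."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path.lstrip('/')}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource_arn):
    """Evaluate a policy the way IAM does: an explicit Deny wins, then any matching
    Allow grants access, and anything unmatched is denied by default."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(wildcard_to_regex(a).match(action) for a in _as_list(stmt["Action"])):
            continue
        if not any(wildcard_to_regex(r).match(resource_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def unauth_can_call(method, path, stage="prod"):
    """Would the unauthenticated blog visitor be allowed to make this request?"""
    arn = method_arn("us-east-1", "acctId", "apigatewayID", stage, method, path)
    return is_allowed(UNAUTH_POLICY, "execute-api:Invoke", arn)


if __name__ == "__main__":
    for m, p in [("GET", "/posts/42"), ("POST", "/login"), ("POST", "/posts"), ("DELETE", "/posts/42")]:
        print(f"{m} {p}: {'allowed' if unauth_can_call(m, p) else 'denied'}")
```

Two things worth noticing when running it: anything not listed (creating a post, deleting, PUT on users) is denied by default, which is exactly what the unauthenticated role should get; and because an IAM `*` also spans `/`, the `…/GET/posts/*` entry already matches the comment paths, so the two comments entries only document intent rather than widening access.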
40. Authentication Options
Cognito:
• Federated Identity Providers (Amazon, Facebook, Google)
• Cognito Identity User Pools
Federated Web Identities
• Interact directly with STS and 3rd party identity providers
41. Authorization Options with API Gateway
[Diagram: custom (Lambda) authorizer flow]
Client sends a request w/ a bearer token to API Gateway
API Gateway passes Context + Token to the Lambda Auth function
Lambda Auth function returns Principal + Policy
Policy is cached, then evaluated
Allowed: request is forwarded to the backend (AWS Lambda functions, endpoints on Amazon EC2, any other publicly accessible endpoint)
Denied: 403
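The authorizer half of that flow as an added example, not the talk's demo code: a Lambda TOKEN authorizer that receives the bearer token plus the method ARN, verifies the token and answers with a principal and an IAM policy. The token format, signing key and the two roles ("reader" may only GET, "author" gets the whole API) are constructed for the demo; a real deployment would verify a JWT from Cognito or another identity provider.

```python
import hashlib
import hmac
import time

# Constructed shared secret and token format for the example only; a real
# authorizer would validate a JWT from Cognito or another identity provider.
SIGNING_KEY = b"example-signing-key-not-for-production"

# Which part of the API each role may reach, appended to the API's ARN prefix
# (assumption: 'reader' only reads, 'author' gets every method on every stage).
ROLE_RESOURCE_SUFFIX = {
    "reader": "/*/GET/*",
    "author": "/*",
}


def _sign(payload):
    return hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()


def mint_token(user_id, role, expires_at):
    """Issue '<user>.<role>.<expiry>.<hex sig>' (constructed format for this demo)."""
    payload = f"{user_id}.{role}.{expires_at}"
    return f"{payload}.{_sign(payload)}"


def verify_token(token, now=None):
    """Return (user_id, role) if the token is intact, unexpired and has a known role, else None."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 4:
        return None
    user_id, role, expires_at, sig = parts
    if not hmac.compare_digest(sig, _sign(f"{user_id}.{role}.{expires_at}")):
        return None
    if not expires_at.isdigit() or now >= int(expires_at):
        return None
    if role not in ROLE_RESOURCE_SUFFIX:
        return None
    return user_id, role


def api_prefix(method_arn):
    """'arn:aws:execute-api:<region>:<acct>:<api-id>/<stage>/<METHOD>/<path>' -> the part before the first '/'."""
    return method_arn.split("/", 1)[0]


def authorize(event, now=None):
    """Decide for a TOKEN authorizer event; return the authorizer response, or None to reject."""
    scheme, _, token = event.get("authorizationToken", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    identity = verify_token(token, now)
    if identity is None:
        return None
    user_id, role = identity
    return {
        "principalId": user_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "execute-api:Invoke",
                    "Effect": "Allow",
                    # Scoped to the caller's role over the whole API rather than to
                    # event["methodArn"] alone: API Gateway caches this policy per
                    # token, so it must cover every method the client calls next.
                    "Resource": [api_prefix(event["methodArn"]) + ROLE_RESOURCE_SUFFIX[role]],
                }
            ],
        },
        # Forwarded to the backend as $context.authorizer.userId / .role
        "context": {"userId": user_id, "role": role},
    }


def handler(event, context=None):
    """Lambda entry point. Raising 'Unauthorized' makes API Gateway answer 401 and
    cache nothing; a cached policy that does not cover the method yields 403."""
    response = authorize(event)
    if response is None:
        raise Exception("Unauthorized")
    return response
```

The scoping comment is the practical point: since the policy is cached per token, returning a policy that only names the first method ARN seen would make the cached Allow turn into a 403 for the client's next call to a different method.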
42. Some Tidbits
Authorization failures from API Gateway are surfaced to the browser as a CORS error
Lambda Functions as stage variable values = manual permissions configuration
43. Architect to be Serverless
Fully Managed: no provisioning, zero administration, high availability
Developer Productivity: focus on the code that matters, innovate rapidly, reduce time to market
Continuous Scaling: automatically scale up and scale down