AWS SUMMIT SYDNEY
© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing SaaS applications built on serverless microservices
Gerardo A. Estaba
Senior Partner Solutions Architect
Amazon Web Services
Image: Pixabay / Free-Photos, https://creativecommons.org/publicdomain/zero/1.0/
Meet DoCaaS: Deck of Cards as a Service!

Operation   Bronze   Silver   Gold
Create      ✓        ✓        ✓
Get         ✓        ✓        ✓
Game        ✓        ✓        ✓
Shuffle              ✓        ✓
Cut                           ✓
What is serverless?
- No infrastructure provisioning, no management
- Automatic scaling
- Pay for value
- Highly available and secure
DoCaaS microservices

[Diagram: users call the API; Get, Create, Game, Shuffle and Cut are each an event handled by a resource, and the Decks and Scores APIs each have their own persistence.]
DoCaaS architecture

[Architecture diagram; services shown: Users, Amazon API Gateway, Amazon Simple Storage Service (S3), Amazon DynamoDB, Amazon CloudFront, AWS Lambda, Amazon Cognito, AWS Certificate Manager, Amazon Route53.]
Identity
User flows
☐ Customisable flows
☐ Registration
☐ Verify email/phone
☐ Secure sign-in
☐ Forgot password
☐ Change password
☐ Sign-out
Security requirements
☐ Secure password handling (SRP)
☐ Scalable to 100s of millions of users
☐ MFA and password policies
☐ Encrypt all data server-side
☐ HIPAA, PCI-DSS, ISO, SOC
☐ OAuth 2.0, SAML 2.0, OpenID Connect
☐ Built-in, customisable web UI
Amazon Cognito User Pools
JWT token: jwt.io
Header:
{
  "kid": "9errtDKltq8YwaJy2GZtObykRDEA9SB4iDT6vWmTeQE=",
  "alg": "RS256"
}

Payload:
{
  "sub": "6f557368-a884-484e-b662-9fc69f3c3802",
  "aud": "6lkfs70rovkubirh1qtntvj012",
  "email_verified": true,
  "token_use": "id",
  "auth_time": 1478449060,
  "iss": "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_XMlUW9sUy",
  "exp": 1478452660,
  "given_name": "Test",
  "custom:plan": "silver",
  "iat": 1478449060,
  "family_name": "Test",
  "email": "test@example.com"
}

"custom:plan" is an Amazon Cognito custom attribute: it carries the DoCaaS tier (Bronze, Silver or Gold) inside the signed ID token.

Signature (as jwt.io displays it for a shared-secret token):
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), {secret});

Note that "alg" is RS256 here: Cognito signs with its private key, and a verifier checks the signature with the public key published in the user pool's JWKS, selected by "kid". No shared secret is involved, and a verifier must pin the expected algorithm rather than trust the one in the header.
Current access control: CORS
headers: {
  'Access-Control-Max-Age': '900',
  'Access-Control-Allow-Headers': 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token',
  'Access-Control-Allow-Origin': '*', // NOT Secure
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Methods': 'POST,OPTIONS',
  'Vary': 'Origin'
}

[Diagram: the API's OPTIONS method uses a Lambda proxy integration (Amazon API Gateway -> AWS Lambda); the function above builds the CORS headers in code.]
Solution access control: CORS
ResponseParameters:
  method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
  method.response.header.Access-Control-Allow-Methods: "'POST,OPTIONS'"
  method.response.header.Access-Control-Allow-Origin: "'https://docaas.net'"

[Diagram: the OPTIONS method now uses an Amazon API Gateway MOCK integration; the CORS headers are static response parameters (static values are wrapped in single quotes), and the allowed origin is pinned to https://docaas.net instead of '*'.]
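For teams that keep the Lambda proxy variant from the previous slide, here is an added example (not the talk's code) of the same fix done in the function: an allow-list of origins is echoed back instead of '*', plus a small audit that flags the insecure combination the slide marked "NOT Secure". ALLOWED_ORIGINS and the event shape are assumptions; header names and values come from the slides.

```javascript
// Added example, not from the talk: allow-list based CORS for the DoCaaS
// OPTIONS handler, and an audit of a CORS header object.
const ALLOWED_ORIGINS = new Set(['https://docaas.net']); // assumption
const ALLOWED_HEADERS =
  'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token';

// Read the Origin header regardless of the casing API Gateway delivered it in.
function requestOrigin(requestHeaders) {
  const name = Object.keys(requestHeaders).find((k) => k.toLowerCase() === 'origin');
  return name ? requestHeaders[name] : '';
}

// CORS response headers for one request. Only an allow-listed origin is echoed
// back, and only then are credentials permitted; any other origin gets no
// Access-Control-Allow-Origin at all, so the browser refuses the response.
function corsHeaders(requestHeaders) {
  const origin = requestOrigin(requestHeaders);
  const headers = {
    'Access-Control-Max-Age': '900',
    'Access-Control-Allow-Headers': ALLOWED_HEADERS,
    'Access-Control-Allow-Methods': 'POST,OPTIONS',
    // Vary: Origin stops a shared cache serving one origin's answer to another.
    'Vary': 'Origin',
  };
  if (ALLOWED_ORIGINS.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Lambda proxy handler for the OPTIONS method (event.headers as API Gateway sends it).
function handler(event) {
  return { statusCode: 204, headers: corsHeaders(event.headers || {}), body: '' };
}

// Audit a CORS header object and return the problems found as short codes.
function auditCorsHeaders(headers) {
  const findings = [];
  const origin = headers['Access-Control-Allow-Origin'];
  const credentials = headers['Access-Control-Allow-Credentials'] === 'true';
  const vary = String(headers['Vary'] || '').toLowerCase().split(',').map((s) => s.trim());
  if (origin === '*') {
    // Any site may read the response. Browsers refuse to expose a credentialed
    // response whose Allow-Origin is '*', so the slide's combination both
    // over-shares and breaks credentialed calls.
    findings.push(credentials ? 'wildcard-origin-with-credentials' : 'wildcard-origin');
  }
  // Sandboxed iframes and file:// pages send "Origin: null"; never allow it.
  if (origin === 'null') findings.push('null-origin-allowed');
  if (origin && origin !== '*' && !vary.includes('origin')) findings.push('missing-vary-origin');
  return findings;
}
```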
Current access control: API Gateway authoriser

[Diagram: users call Amazon API Gateway, which fronts the Get, Create, Game, Shuffle and Cut resources with an Amazon Cognito authoriser. The authoriser is a binary check: a valid token passes, anything else is rejected, with no notion of plan.]
DoCaaS service offerings

Operation   Bronze   Silver   Gold
Create      ✓        ✓        ✓
Get         ✓        ✓        ✓
Game        ✓        ✓        ✓
Shuffle              ✓        ✓
Cut                           ✓

The tier is stored as an Amazon Cognito custom attribute.
Access control: lambda authoriser

[Diagram: the client sends a request with tokens to Amazon API Gateway, which invokes the AWS Lambda authoriser function. The authoriser evaluates a policy, API Gateway caches it, and the request is either allowed through to the back end or denied. The authoriser passes the tokens plus a context to the back end:]

"plan": "..."
"sub": "..."
"accessKeyId": "..."
"secretAccessKey": "..."
"sessionToken": "..."
"identityId": "..."

Operation   Bronze   Silver   Gold
Create      ✓        ✓        ✓
Get         ✓        ✓        ✓
Game        ✓        ✓        ✓
Shuffle              ✓        ✓
Cut                           ✓
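The policy-building half of such an authoriser, as an added example (not the talk's own function). It assumes the ID token has already been verified and receives the sub and custom:plan claims; the operation names and the plan table come from the slides, and it assumes each operation is a POST route named after it (e.g. /shuffle). Account, API id and stage values are constructed.

```javascript
// Added example, not from the talk: build the authoriser response (IAM policy
// plus context) for a DoCaaS caller from their plan, and evaluate later
// requests against the cached policy the way API Gateway does.
const PLAN_OPERATIONS = {
  bronze: ['create', 'get', 'game'],
  silver: ['create', 'get', 'game', 'shuffle'],
  gold: ['create', 'get', 'game', 'shuffle', 'cut'],
};
const ALL_OPERATIONS = PLAN_OPERATIONS.gold;

// methodArn: arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/VERB/resource-path
function parseMethodArn(methodArn) {
  const slash = methodArn.indexOf('/');
  if (slash < 0) throw new Error('malformed methodArn');
  const [stage, verb, ...path] = methodArn.slice(slash + 1).split('/');
  return { apiArn: methodArn.slice(0, slash), stage, verb, path: path.join('/') };
}

// API Gateway caches this policy per token for the cache TTL and reuses it for
// every route the caller hits next, so it must cover the caller's whole plan,
// not just the method being invoked right now.
function buildAuthorizerResponse(sub, plan, methodArn, extraContext = {}) {
  const { apiArn, stage } = parseMethodArn(methodArn);
  // Unknown or missing plan falls back to the lowest tier (least privilege).
  const effectivePlan = PLAN_OPERATIONS[plan] ? plan : 'bronze';
  const allowedOps = PLAN_OPERATIONS[effectivePlan];
  const route = (op) => `${apiArn}/${stage}/POST/${op}`;
  const statements = [
    { Action: 'execute-api:Invoke', Effect: 'Allow', Resource: allowedOps.map(route) },
  ];
  const deniedOps = ALL_OPERATIONS.filter((op) => !allowedOps.includes(op));
  // Unlisted routes are implicitly denied anyway; the explicit Deny only makes
  // the cached policy self-explanatory when it is read back in logs.
  if (deniedOps.length) {
    statements.push({ Action: 'execute-api:Invoke', Effect: 'Deny', Resource: deniedOps.map(route) });
  }
  return {
    principalId: sub,
    policyDocument: { Version: '2012-10-17', Statement: statements },
    // Context values must be strings, numbers or booleans; the back end reads
    // them from the request context instead of re-parsing the token.
    context: { plan: effectivePlan, sub, ...extraContext },
  };
}

// Glob match for '*' wildcards an execute-api resource may carry.
function arnMatches(pattern, arn) {
  const re = pattern.split('*').map((s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&')).join('.*');
  return new RegExp(`^${re}$`).test(arn);
}

// Decision for a later request against the cached policy: an explicit Deny
// wins, otherwise an Allow is required, otherwise the request is denied.
function isAllowed(policyDocument, methodArn) {
  let allowed = false;
  for (const st of policyDocument.Statement) {
    if (![].concat(st.Resource).some((r) => arnMatches(r, methodArn))) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}
```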
AWS Serverless Application Model (SAM)
- AWS CloudFormation extension optimised for serverless
- Serverless resource types: functions, APIs, and tables, plus any resource AWS CloudFormation supports
- Supports parameters, mappings, outputs, global variables, intrinsic functions, and some ImportValues
- github.com/awslabs/serverless-application-model
Demo 1: access control summary
1. Cognito: secure flows (SRP, OAuth 2.0, OIDC)
2. API Gateway: native CORS integration
3. Lambda authoriser: granular access control (OAuth/SAML)
Independent datastores (before)

Decks                    Scores
id          cards        id          score
<deckid>    […]          <deckid>    …
…           …            …           …

Independent datastores (after: composite key)

Decks                             Scores
id                   cards        id                   score
<userid>-<deckid>    […]          <userid>-<deckid>    …
…                    …            …                    …
Data partitioning with IAM policy

Effect: Allow
Action:
  - dynamodb:PutItem
  - dynamodb:DeleteItem
  - dynamodb:GetItem
  - dynamodb:Query
  - dynamodb:UpdateItem
Resource:
  - arn:aws:dynamodb:*:*:table/decks-master
  - arn:aws:dynamodb:*:*:table/scores-master
Condition:
  ForAllValues:StringLike:
    dynamodb:LeadingKeys: "${cognito-identity.amazonaws.com:sub}-*"

Because every Amazon DynamoDB item is keyed <userid>-<deckid>, the condition only admits partition keys that begin with the caller's own Cognito identity sub; rows of other users are unreachable with these credentials.
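A local evaluator that mirrors how IAM applies the policy above, as an added example (not from the talk) so the partitioning rule can be unit tested without calling DynamoDB. Region, account id and the sample subs are constructed; the ForAllValues behaviour follows the IAM documentation, including the caveat that a request carrying no key values satisfies the condition, which is why Scan is absent from the Action list.

```javascript
// Added example, not from the talk: evaluate the slide's LeadingKeys policy
// against a DynamoDB request context the way IAM would.
const PARTITION_POLICY = {
  Effect: 'Allow',
  Action: ['dynamodb:PutItem', 'dynamodb:DeleteItem', 'dynamodb:GetItem',
    'dynamodb:Query', 'dynamodb:UpdateItem'],
  Resource: ['arn:aws:dynamodb:*:*:table/decks-master',
    'arn:aws:dynamodb:*:*:table/scores-master'],
  Condition: {
    'ForAllValues:StringLike': {
      'dynamodb:LeadingKeys': '${cognito-identity.amazonaws.com:sub}-*',
    },
  },
};

// IAM StringLike: '*' matches any run of characters, '?' exactly one.
function stringLike(pattern, value) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${re}$`).test(value);
}

// Resolve the policy variable from the caller's Cognito identity (only sub here).
function resolveVariables(pattern, identity) {
  return pattern.split('${cognito-identity.amazonaws.com:sub}').join(identity.sub);
}

// The condition alone: every partition-key value the request carries must match
// one of the (resolved) patterns. Array.prototype.every on [] is true, which is
// exactly IAM's ForAllValues semantics for a request with no key values.
function conditionHolds(policy, identity, leadingKeys) {
  const patterns = [].concat(policy.Condition['ForAllValues:StringLike']['dynamodb:LeadingKeys'])
    .map((p) => resolveVariables(p, identity));
  return leadingKeys.every((key) => patterns.some((p) => stringLike(p, key)));
}

// Full decision for one request context: action, table ARN and the partition
// key values present in the request (constructed shape, not the SDK's).
function evaluate(policy, identity, request) {
  const actionOk = policy.Action.includes(request.action);
  const resourceOk = policy.Resource.some((r) => stringLike(r, request.resource));
  return policy.Effect === 'Allow' && actionOk && resourceOk &&
    conditionHolds(policy, identity, request.leadingKeys);
}

// Constructed region/account; table names are the slide's.
const tableArn = (name) => `arn:aws:dynamodb:ap-southeast-2:123456789012:table/${name}`;
// Composite key from slide 21: <userid>-<deckid>, with the Cognito sub as userid.
const compositeKey = (sub, deckId) => `${sub}-${deckId}`;
```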
Demo 2: data partitioning summary
1. Data Partitioning: composite key + conditional policy
2. = less code + less process = speed
3. Abstracting security complexity from devs = SPEED
Thank you!
Gerardo A. Estaba
linkedin.com/in/estaba
github.com/ge8/docaas-summit
