Securing SaaS Applications Built on Serverless Microservices - AWS Summit Sydney
2. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing SaaS applications built on serverless microservices
Gerardo A. Estaba
Senior Partner Solutions Architect
Amazon Web Services
4. Meet DoCaaS
Deck of Cards as a Service!

Operation   Bronze   Silver   Gold
Create      ✓        ✓        ✓
Get         ✓        ✓        ✓
Game        ✓        ✓        ✓
Shuffle              ✓        ✓
Cut                           ✓
5. What is serverless?
- No infrastructure provisioning, no management
- Automatic scaling
- Pay for value
- Highly available and secure
6. DoCaaS microservices
(Diagram: Users -> DoCaaS microservices. Each operation (Get, Create, Game, Shuffle, Cut) is its own event-driven microservice, drawn as event -> API -> resource; the Decks API and the Scores API each sit in front of their own persistence layer.)
7. DoCaaS architecture
(Diagram of the services used: Users, Amazon Route 53, AWS Certificate Manager, Amazon CloudFront, Amazon Simple Storage Service (S3), Amazon API Gateway, AWS Lambda, Amazon DynamoDB, Amazon Cognito.)
8. Identity
User flows
☐ Customisable flows
☐ Registration
☐ Verify email/phone
☐ Secure sign-in
☐ Forgot password
☐ Change password
☐ Sign-out
Security requirements
☐ Secure password handling (SRP)
☐ Scalable to 100s of millions of users
☐ MFA and password policies
☐ Encrypt all data server-side
☐ HIPAA, PCI-DSS, ISO, SOC
☐ OAuth 2.0, SAML 2.0, OpenID Connect
☐ Built-in, customisable web UI
All of the above: Amazon Cognito User Pools
9. JWT token: jwt.io
eyJraWQiOiI5ZXJydERLbHRxOFl3YUp5MkdadE9ieWtSREVBOVNCNGlEVDZ2V21UZVFFPSIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI2ZjU1NzM2OC1hODg0LTQ4NGUtYjY2Mi05ZmM2OWYzYzM4MDIiLCJhdWQiOiI2bGtmczcwcm92a3ViaXJoMXF0bnR2ajAxMiIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJ0b2tlbl91c2UiOiJpZCIsImF1dGhfdGltZSI6MTQ3ODQ0OTA2MCwiaXNzIjoiaHR0cHM6XC9cL2NvZ25pdG8taWRwLnVzLWVhc3QtMS5hbWF6b25hd3MuY29tXC91cy1lYXN0LTFfWE1sVVc5c1V5IiwiY29nbml0bzp1c2VybmFtZSI6InRlc3QxMjMiLCJleHAiOjE0Nzg0NTI2NjAsImdpdmVuX25hbWUiOiJUZXN0IiwiaWF0IjoxNDc4NDQ5MDYwLCJmYW1pbHlfbmFtZSI6IlRlc3QiLCJlbWFpbCI6InRydW5qaW1AYW1hem9uLmNvbSJ9.atQO0SJg9V97d6tYonHNx0q7Zuof8-d-q0u69zNnuSJtmzGvOAW97tP2e3GydY9K8q_2kG2IzkpEMUEdaeWjz2qG5dS328Scm6pRDPpC5pOkU8ymjH7DBPfVXhtgS3iOhyleFhtmaTaYb_lYLpaaV10m8sVFOMHtjdfrAm26Fq7zyjWYTSfzhqud29Ti4zn9PhcE7aL3s7BB8CJ18_yFXSoG5CYCpLszvHazx1cbmPoXFrlFlPvZ07Oy8EbOaGs4CukmoYiV-5RnZsA9JXj405Kp50k-v8HCL6ZACDw3OYMV87Pe6PuEqbzQLlc8BufKThm0xBiO6NJtvI7iC2sEIQ

(The encoded token above is the Cognito documentation sample and decodes to a us-east-1 issuer; the payload shown below is the slide's adapted version with an ap-southeast-2 issuer, an example e-mail and the custom:plan attribute.)

Header
{
  "kid": "9errtDKltq8YwaJy2GZtObykRDEA9SB4iDT6vWmTeQE=",
  "alg": "RS256"
}

Payload
{
  "sub": "6f557368-a884-484e-b662-9fc69f3c3802",
  "aud": "6lkfs70rovkubirh1qtntvj012",
  "email_verified": true,
  "token_use": "id",
  "auth_time": 1478449060,
  "iss": "https://cognito-idp.ap-southeast-2.amazonaws.com/ap-southeast-2_XMlUW9sUy",
  "exp": 1478452660,
  "given_name": "Test",
  "custom:plan": "silver",
  "iat": 1478449060,
  "family_name": "Test",
  "email": "test@example.com"
}
custom:plan is an Amazon Cognito custom attribute on the user pool; it is where DoCaaS keeps the customer's tier.

Signature
alg is RS256, so the signature is RSASSA-PKCS1-v1_5 with SHA-256 over base64UrlEncode(header) + "." + base64UrlEncode(payload), produced with the user pool's private signing key. Verify it with the public key whose kid matches the header, published at https://cognito-idp.<region>.amazonaws.com/<userPoolId>/.well-known/jwks.json. The HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), {secret}) formula that jwt.io displays by default applies only to HS256 tokens and must not be used here. After the signature, check iss, aud (the app client id), exp and token_use before trusting custom:plan.
11. Current access control: CORS
headers: {
  'Access-Control-Max-Age': '900',
  'Access-Control-Allow-Headers': 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token',
  'Access-Control-Allow-Origin': '*', // NOT Secure
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Methods': 'POST,OPTIONS',
  'Vary': 'Origin'
}
(Diagram: the API's OPTIONS method uses a Lambda proxy integration in Amazon API Gateway; the AWS Lambda function returns the headers above, so every preflight costs an invocation and any origin is accepted.)
Wildcard origin plus Allow-Credentials: true is also rejected by browsers for credentialed requests, so this configuration is both insecure in intent and broken in practice.
12. Solution access control: CORS
ResponseParameters:
  method.response.header.Access-Control-Allow-Headers: "'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token'"
  method.response.header.Access-Control-Allow-Methods: "'POST,OPTIONS'"
  method.response.header.Access-Control-Allow-Origin: "'https://docaas.net'"
(Diagram: the API's OPTIONS method uses a MOCK integration in Amazon API Gateway; the preflight is answered from these static response parameters without invoking Lambda, and only the https://docaas.net origin is allowed. Static values in API Gateway response parameter mappings are wrapped in single quotes inside the string, as on every line above.)
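The MOCK integration above works when there is exactly one front-end origin. When a Lambda proxy handler has to serve more than one (say production and staging), the origin must be matched against an allowlist and echoed back, with Vary: Origin so caches keep the answers apart. The following is an added example, not code from the talk or the docaas-summit repository; the origins are hypothetical.

```javascript
// Added example (not from the talk): CORS headers for a Lambda proxy handler
// built from an origin allowlist instead of '*'. The origins are hypothetical.
// Only an exact-match origin is echoed back; any other origin gets no
// Allow-Origin header at all, so the browser refuses to expose the response.
const ALLOWED_ORIGINS = new Set(['https://docaas.net', 'https://staging.docaas.net']);

function corsHeaders(origin) {
  const headers = {
    'Access-Control-Allow-Headers': 'Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token',
    'Access-Control-Allow-Methods': 'POST,OPTIONS',
    'Access-Control-Max-Age': '900',
    'Vary': 'Origin', // the answer depends on Origin, so caches must key on it
  };
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    // Exact set membership, never startsWith/includes: those would also accept
    // https://docaas.net.evil.example or https://evil.example/?https://docaas.net
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true'; // legal only with a specific origin
  }
  return headers;
}

// Lambda proxy integration shape: event.headers in, { statusCode, headers, body } out.
function handler(event) {
  const reqHeaders = event.headers || {};
  const origin = reqHeaders.origin || reqHeaders.Origin || '';
  const headers = corsHeaders(origin);
  if (event.httpMethod === 'OPTIONS') return { statusCode: 204, headers, body: '' };
  return { statusCode: 200, headers, body: JSON.stringify({ ok: true }) };
}
```

Allow-Credentials is only ever emitted together with a specific, allowlisted origin; a request from anywhere else still gets the Vary header but no Allow-Origin, which is the browser's cue to block the read.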
13. Current access control: API Gateway authoriser
(Diagram: Users -> Amazon API Gateway, with an Amazon Cognito user pool authoriser in front of the Get, Create, Game, Shuffle and Cut resources. The authoriser is a binary check: a valid token from the pool passes, anything else is rejected, so every signed-in user reaches every operation regardless of plan.)
14. DoCaaS service offerings

Operation   Bronze   Silver   Gold
Create      ✓        ✓        ✓
Get         ✓        ✓        ✓
Game        ✓        ✓        ✓
Shuffle              ✓        ✓
Cut                           ✓

The customer's plan is stored as an Amazon Cognito custom attribute (custom:plan in the ID token).
15. Access control: Lambda authoriser
Sequence (Client, Amazon API Gateway, AWS Lambda authoriser function, back end):
1. Client -> Amazon API Gateway: request with tokens
2. Amazon API Gateway -> Lambda authoriser function: policy evaluated
3. Policy cached by API Gateway for the authoriser's TTL
4. Allowed -> request forwarded to the back end with tokens + context:
   "plan": "..."
   "sub": "..."
   "accessKeyId": "..."
   "secretAccessKey": "..."
   "sessionToken": "..."
   "identityId": "..."
   Denied -> request rejected

Operation   Bronze   Silver   Gold
Create      ✓        ✓        ✓
Get         ✓        ✓        ✓
Game        ✓        ✓        ✓
Shuffle              ✓        ✓
Cut                           ✓
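The policy-building half of that authoriser, as an added example that is not code from the talk or the docaas-summit repository. It takes claims that have already been verified (the signature, iss, aud and exp checks happen before this point) and turns custom:plan into an execute-api policy that covers every route the plan is entitled to, plus the context the back end receives. The route paths and the API id in the method ARN are hypothetical.

```javascript
// Added example (not from the talk): the plan-to-policy step of a Lambda
// authoriser. The claims are assumed to have been verified already (signature,
// iss, aud, exp); the route paths and the API id in the test ARN are
// hypothetical.
const PLAN_OPERATIONS = {            // from the DoCaaS offering table
  bronze: ['create', 'get', 'game'],
  silver: ['create', 'get', 'game', 'shuffle'],
  gold: ['create', 'get', 'game', 'shuffle', 'cut'],
};
const ROUTES = {                     // hypothetical METHOD/path per operation
  create: 'POST/decks',
  get: 'GET/decks/*',
  game: 'POST/decks/*/game',
  shuffle: 'POST/decks/*/shuffle',
  cut: 'POST/decks/*/cut',
};

// methodArn: arn:aws:execute-api:REGION:ACCOUNT:API_ID/STAGE/METHOD/path
function buildAuthorizerResponse(claims, methodArn) {
  const [arnPrefix, stage] = methodArn.split('/');
  const plan = String(claims['custom:plan'] || '').toLowerCase();
  const ops = PLAN_OPERATIONS[plan];
  if (!ops) throw new Error('Unauthorized'); // API Gateway answers 401 for this message
  // Cover every route the plan may call, not just the one in methodArn: API
  // Gateway caches this policy per token for the authoriser TTL and reuses
  // it for later requests to other routes.
  const resources = ops.map((op) => `${arnPrefix}/${stage}/${ROUTES[op]}`);
  return {
    principalId: claims.sub,
    policyDocument: {
      Version: '2012-10-17',
      Statement: [{ Action: 'execute-api:Invoke', Effect: 'Allow', Resource: resources }],
    },
    // Primitive values only; the back end reads them as $context.authorizer.plan
    // etc. (the slide forwards identity credentials the same way).
    context: { plan, sub: claims.sub },
  };
}

// Mimics how a cached policy is matched against a later request ARN.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`);
}
function isAllowed(response, methodArn) {
  return response.policyDocument.Statement.some((st) =>
    st.Effect === 'Allow' && st.Resource.some((r) => globToRegExp(r).test(methodArn)));
}
```

Building the policy for the whole plan rather than for the single methodArn in the event is the part that interacts with the "policy cached" step on the slide: a policy that only allows the first route called would be cached and then wrongly deny the customer's next call to a different route for the rest of the TTL.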
16. AWS Serverless Application Model (SAM)
AWS CloudFormation extension optimised for serverless
Serverless resource types: functions, APIs, and tables
and any resource AWS CloudFormation supports
Supports parameters, mappings, outputs, global
variables, intrinsic functions, and some ImportValues
github.com/awslabs/serverless-application-model
18. Demo 1: access control summary
1. Cognito: secure flows (SRP, OAuth 2.0, OIDC)
2. API Gateway: native CORS integration (MOCK OPTIONS method, fixed origin)
3. Lambda authoriser: granular access control (OAuth/SAML)
20. Independent datastores

Decks table             Scores table
id         cards        id         score
<deckid>   [...]        <deckid>   ...

21. Independent datastores (keys prefixed per user)

Decks table                    Scores table
id                  cards      id                  score
<userid>-<deckid>   [...]      <userid>-<deckid>   ...
22. Data partitioning with IAM policy
Effect: Allow
Action:
  - dynamodb:PutItem
  - dynamodb:DeleteItem
  - dynamodb:GetItem
  - dynamodb:Query
  - dynamodb:UpdateItem
Resource:
  - arn:aws:dynamodb:*:*:table/decks-master
  - arn:aws:dynamodb:*:*:table/scores-master
Condition:
  ForAllValues:StringLike:
    dynamodb:LeadingKeys:
      - "${cognito-identity.amazonaws.com:sub}-*"
Partition key format: <userid>-<deckid> (Amazon DynamoDB)
Note: ${cognito-identity.amazonaws.com:sub} resolves to the caller's Cognito Identity (identity pool) id, the identityId forwarded in the authoriser context, not to the user pool sub inside the ID token; the key prefix written by the application must be built from that same value or the condition never matches.
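To make the condition's semantics concrete, here is an added example that is not code from the talk or the docaas-summit repository: a small model of how IAM evaluates the statement above against a few requests. It is not the IAM engine, only the three checks that matter for this policy (action, resource, and ForAllValues:StringLike on dynamodb:LeadingKeys with the policy variable substituted). The identity ids, table ARN and key values are constructed for the demo.

```javascript
// Added example (not from the talk): a small model of how IAM evaluates the
// statement on the slide, to show what the LeadingKeys condition does and does
// not cover. It is not the IAM engine. Identity ids, table ARN and keys are
// constructed for the demo.
const STATEMENT = {
  Effect: 'Allow',
  Action: ['dynamodb:PutItem', 'dynamodb:DeleteItem', 'dynamodb:GetItem', 'dynamodb:Query', 'dynamodb:UpdateItem'],
  Resource: ['arn:aws:dynamodb:*:*:table/decks-master', 'arn:aws:dynamodb:*:*:table/scores-master'],
  Condition: { 'ForAllValues:StringLike': { 'dynamodb:LeadingKeys': ['${cognito-identity.amazonaws.com:sub}-*'] } },
};
const SUB_VAR = '${cognito-identity.amazonaws.com:sub}';

// IAM StringLike: '*' matches any run of characters, '?' one character.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`);
}

// request: { action, resource, identityId, leadingKeys }
//   identityId  - the Cognito Identity (identity pool) id the policy variable resolves to
//   leadingKeys - partition key values the call touches; absent for Scan
function evaluate(statement, request) {
  if (!statement.Action.includes(request.action)) return { allowed: false, reason: 'action not listed' };
  if (!statement.Resource.some((r) => globToRegExp(r).test(request.resource))) {
    return { allowed: false, reason: 'resource not listed' };
  }
  const patterns = statement.Condition['ForAllValues:StringLike']['dynamodb:LeadingKeys']
    .map((p) => p.split(SUB_VAR).join(request.identityId)); // policy variable substitution
  const keys = request.leadingKeys || [];
  // ForAllValues: every key in the request must match some pattern. An absent
  // or empty key set is vacuously true, which is why the Action list must stay
  // tight: adding dynamodb:Scan (no LeadingKeys in the request) would let any
  // caller read every partition.
  const ok = keys.every((k) => patterns.some((p) => globToRegExp(p).test(k)));
  return ok ? { allowed: true, reason: 'all leading keys in caller partition' }
            : { allowed: false, reason: 'leading key outside caller partition' };
}

const ME = 'ap-southeast-2:11111111-2222-3333-4444-555555555555';      // constructed identity id
const OTHER = 'ap-southeast-2:99999999-8888-7777-6666-555555555555';   // another user's identity id
const DECKS = 'arn:aws:dynamodb:ap-southeast-2:123456789012:table/decks-master';

function demoResults() {
  const req = (action, leadingKeys) => ({ action, resource: DECKS, identityId: ME, leadingKeys });
  return {
    ownDeck: evaluate(STATEMENT, req('dynamodb:GetItem', [`${ME}-deck42`])).allowed,      // true
    otherDeck: evaluate(STATEMENT, req('dynamodb:GetItem', [`${OTHER}-deck42`])).allowed, // false
    ownQuery: evaluate(STATEMENT, req('dynamodb:Query', [`${ME}-deck7`])).allowed,       // true
    scan: evaluate(STATEMENT, req('dynamodb:Scan', undefined)).reason,                    // 'action not listed'
  };
}
```

The point of the last case is the one to remember when this policy is extended: the partition boundary comes from the combination of a tight action list and the ForAllValues condition, and a Scan permission added "for convenience" would bypass the condition entirely because the request carries no leading keys for it to test.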
24. Demo 2: data partitioning summary
1. Data Partitioning: composite key + conditional policy
2. = less code + less process = speed
3. Abstracting security complexity from devs = SPEED
26. Thank you!
Gerardo A. Estaba
linkedin.com/in/estaba
github.com/ge8/docaas-summit