© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Dave Walker, Specialist Solutions Architect,
Security and Compliance
Nieuwegein 24/05/16
Securing Serverless Architectures
With Thanks To:
Agenda
• Serverless Architectures: What they Are
• “Caveat Emptor”?
• Constraining Access and Permissions
• Wrapping AWS Lambda Functions
• Amazon API Gateway and AWS Service API Endpoints
• Generalising Across Serverless Functions
• Conclusions
Serverless Architectures:
What They Are
Serverless Architectures: What they Are
• “The shiny new thing”
• …though Amazon S3 has been around for 10 years, now
• “Object stores, object transmission and aggregation
pipelines, object format transformers, standalone code
execution systems”
• Abstract (and sometimes, Container) Services
• AWS looks after the underlying OS, High Availability, Scaling,
often Application, transparently
• Often event-driven (Lambda triggers etc)
• “Customers only need to worry about their functionality”
Serverless Services
For Example…
[Diagram: an example serverless architecture. Labelled components: Internet, Website, Activity Indicator, Chat Service, Activity Messages, Search Service, Dynamo Streams, Elasticsearch Service, Web Hosting, Twilio, Slack Chat, API Gateway, IoT, Backend Logic]
“Caveat Emptor”?
“Everything Starts with a Threat Model”
• STRIDE, DREAD, others
• Identify:
• Actors
• Vectors
• “Bad stuff that could happen, when bad people get creative”
• Probabilities and consequences of bad stuff happening
• Apply technical and procedural mitigations
• …all the way up the OSI stack, from Network to Application
Attack Vectors
• Application-level and API-level attacks
• “If it takes input, it likely has an in-band attack vector”
• “If it has a control point, it likely has an out-of-band attack
vector”
• “Even if it doesn’t itself have a useful compromise, it might be
a useful propagation vector”
• A successful attack = disruption or corruption of service
output, or reduction in responsiveness to future service
calls, or being a conduit of “bad content” to vulnerable
consumers of the service.
• Consider the OWASP Top 10 and other application-level
attacks…
Control Points and Out-of-band Attacks
• (Almost) everything in our list has an API Endpoint.
• API Endpoints are exposed to the Internet over https, using
TLS 1.2 and unidirectional trust via s2n
• API Endpoints are scaled, rate-managed and connection-
monitored
• API Endpoint calls need Sigv4
• SHA256 HMAC with Secret Access Key (240-bit entropic) over
REST request
• REST calls are checked for formation correctness
• Looking pretty well-covered…
In-band Attacks
• There are more variables here – consider access
methods and content sizes:
Constraining Access and
Permissions
IAM is your First Port of Call
• Quickest and highly effective way to reduce risk of
serverless “misbehaviour” at sub-data level
• All API access should be Role-based
• Roles can be given to EC2 Instances and Lambda functions
• Roles use ephemeral STS tokens rather than static keys
• Reduces consequences of static key mishandling, no motivation
to hard-wire into code
• Cross-account access gets close to Mandatory Access
Control
• See video of presentation from UK Security Roadshow
(Coming Soon)
IAM is your First Port of Call
• API calls can be constrained in IAM by Source IP
address
• Get the AWS range from https://ip-ranges.amazonaws.com/ip-ranges.json
• We could use this to ensure that only our wrapper functions
can call our main Lambda functions or the real API endpoints
• Recent development: verify when permissions were last
used
• See https://blogs.aws.amazon.com/security/post/Tx280RX2WH6WUD7/Remove-Unnecessary-Permissions-in-Your-IAM-Policies-by-Using-Service-Last-Access
Wrapping Lambda Functions
Let’s start with Lambda…
• Why?
• It’s a great test case, as:
• It can take input from (almost) anywhere
• It can do (almost) anything with that input, given appropriate
permissions
• It can output (almost) anything to (almost) anywhere
• Customers have control over what happens between input and
output
• Risk: “you can write insecure code in any language (including
Node.js, Java, Python and anything you can call from them…)”
Let’s start with Lambda…
• Already good info on developing Lambda functions -
https://aws.amazon.com/blogs/compute/continuous-integration-deployment-for-aws-lambda-functions-with-jenkins-and-grunt-part-1/ ,
https://aws.amazon.com/blogs/compute/continuous-integration-deployment-for-aws-lambda-functions-with-jenkins-and-grunt-part-2/
• Lambda functions run in an IAM role
• Consider cross-account function calls (see
https://aws.amazon.com/blogs/compute/easy-authorization-of-aws-lambda-functions/ )
• Now let’s add a front-end wrapper / filter and back-end / side
API checker…
Wrapping Lambda Functions
[Diagram, built up over several slides: a trigger event source (an S3 bucket) feeds a front-end wrapper Lambda function, which sits in front of our original Lambda function; a third Lambda function is the analyser. The “Back end” is our original function reaching the AWS API endpoint through Amazon API Gateway; the “Front end” is the wrapper between the trigger event source and our original function.]
1. Event triggers wrapper
2. Wrapper passes trigger data to analyser
3. Analyser reads data
4. Wrapper invokes Function
5. Function reads data and processes as normal
Wrapping Lambda Functions
• First function, configured to trigger on the Lambda event,
is a front-end wrapper
• Passes copy of trigger event input and context to analysis
engine (hello, Alert Logic)
• Optionally, waits for “content OK” response from analysis
engine (in-band checking) to determine whether main
Lambda function should be invoked
• …or calls main Lambda function immediately, if performance
is more critical (out-of-band checking)
• Has the same IAM Read / Get permissions in its role as the
main Lambda function, plus what’s needed to send trigger
info and invoke the main Lambda function
Wrapping Lambda Functions
• Analysis Engine
• Needs IAM permissions to be able to read from the trigger
source
• Needs to be configurable to respond to the calling Lambda
function after checks are complete (in-band checking, IPS-
style) and / or raise alerts – e.g. via SNS – if “badness” is
found (out-of-band checking, IDS-style)
• In discussion with Alert Logic (co-inventors), but concept and
invocation mechanisms are non-exclusive
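The front-end wrapper and analyser interaction from the last three slides, written out as an added Python example (not the deck's or Alert Logic's code). It assumes placeholder names for the main function and the SNS alert topic, takes the analyser as a callable so any engine can be plugged in, and tags the forwarded event with an HMAC over a shared secret so the main function can confirm the call came through the wrapper. boto3 clients are only created when none are injected, so the module runs offline with stand-ins.

```python
"""Front-end wrapper Lambda function with in-band (IPS-style) and
out-of-band (IDS-style) checking.  Added example; names are placeholders."""
import hashlib
import hmac
import json
import os

MAIN_FUNCTION = os.environ.get("MAIN_FUNCTION", "main-function")  # placeholder
ALERT_TOPIC_ARN = os.environ.get(
    "ALERT_TOPIC_ARN", "arn:aws:sns:eu-west-1:123456789012:wrapper-alerts")  # placeholder
SHARED_SECRET = os.environ.get("WRAPPER_SHARED_SECRET", "constructed-demo-secret").encode()
IN_BAND = os.environ.get("IN_BAND", "true").lower() == "true"


def tag_payload(event, secret=SHARED_SECRET):
    """HMAC-SHA256 over the canonical JSON of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_tag(event, tag, secret=SHARED_SECRET):
    """Constant-time check used on the main-function side."""
    return hmac.compare_digest(tag_payload(event, secret), tag)


def default_analyser(event, context):
    """Stand-in for the external analysis engine.  The deck leaves the real
    checks to the engine; this one only rejects unexpected event sources
    and oversized S3 objects.  Returns (ok, reason)."""
    for rec in event.get("Records", []):
        if rec.get("eventSource") != "aws:s3":
            return False, "unexpected event source %r" % rec.get("eventSource")
        size = rec.get("s3", {}).get("object", {}).get("size", 0)
        if size > 10 * 1024 * 1024:
            return False, "object too large: %d bytes" % size
    return True, "ok"


def wrapper_handler(event, context, analyser=default_analyser,
                    lambda_client=None, sns_client=None, in_band=IN_BAND):
    """Pass the trigger to the analyser, then invoke the main function.

    in_band=True : wait for the verdict; invoke only on 'content OK'
    in_band=False: invoke immediately; raise an SNS alert if the analyser objects
    """
    if lambda_client is None or sns_client is None:
        import boto3  # only needed when running inside Lambda
        lambda_client = lambda_client or boto3.client("lambda")
        sns_client = sns_client or boto3.client("sns")

    payload = {"event": event, "tag": tag_payload(event)}

    def invoke():
        lambda_client.invoke(FunctionName=MAIN_FUNCTION,
                             InvocationType="Event",
                             Payload=json.dumps(payload).encode())

    if not in_band:
        invoke()  # performance first; the check runs afterwards

    ok, reason = analyser(event, context)
    if ok:
        if in_band:
            invoke()
        return {"invoked": True, "reason": reason}

    sns_client.publish(TopicArn=ALERT_TOPIC_ARN,
                       Subject="wrapper: suspicious trigger",
                       Message=json.dumps({"reason": reason, "event": event}))
    return {"invoked": not in_band, "reason": reason}


def main_handler(payload, context):
    """Entry point of the main function: refuse anything without a valid tag."""
    if not verify_tag(payload.get("event", {}), payload.get("tag", "")):
        raise PermissionError("call did not come through the wrapper")
    # ... normal processing of payload["event"] goes here ...
    return {"processed": len(payload["event"].get("Records", []))}
```

The wrapper's role needs the same read permissions as the main function plus lambda:InvokeFunction on it and sns:Publish on the alert topic; the main function's role needs nothing extra, since the tag check is done in code against a secret held in its environment.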
Wrapping Lambda Functions
• Second function, invoked by the first, is our main
Lambda function
• Modify the permission conditions in the IAM role so that this
function can only be called from IP addresses in the
AMAZON range in the same Region
• i.e. our wrapping Lambda function
• Consider passing and verifying a shared secret
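The source-IP constraint from the "IAM is your First Port of Call" slide and the restriction above (main function callable only from the AMAZON range of the same Region), as an added Python example that is not part of the deck. It reads the schema of https://ip-ranges.amazonaws.com/ip-ranges.json, but the document embedded below is a constructed stand-in with made-up prefixes; the function ARN is a placeholder. Adjacent prefixes are merged because the real AMAZON list is long and IAM policy documents have a size limit.

```python
"""Build an IAM policy that allows lambda:InvokeFunction only from the AMAZON
IP ranges of one Region.  Added example; sample data is constructed."""
import ipaddress
import json
import urllib.request

IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed stand-in for ip-ranges.json (same schema, made-up prefixes).
SAMPLE_IP_RANGES = {
    "syncToken": "0",
    "createDate": "2016-05-24-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/25",   "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "198.51.100.0/24",  "region": "eu-west-1", "service": "S3"},
        {"ip_prefix": "192.0.2.0/24",     "region": "us-east-1", "service": "AMAZON"},
    ],
}


def fetch_ip_ranges(url=IP_RANGES_URL):
    """Download the live document (not called by the offline example)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def amazon_prefixes(ip_ranges, region, service="AMAZON"):
    """Collapsed list of CIDRs for one service in one Region.

    Adjacent prefixes are merged (two /25s become one /24) to keep the
    policy document small.
    """
    nets = [
        ipaddress.ip_network(p["ip_prefix"])
        for p in ip_ranges["prefixes"]
        if p["region"] == region and p["service"] == service
    ]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def build_invoke_policy(function_arn, cidrs):
    """Allow lambda:InvokeFunction on function_arn only from the given CIDRs."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "InvokeOnlyFromRegionalAmazonRange",
                "Effect": "Allow",
                "Action": "lambda:InvokeFunction",
                "Resource": function_arn,
                "Condition": {"IpAddress": {"aws:SourceIp": cidrs}},
            }
        ],
    }


if __name__ == "__main__":
    cidrs = amazon_prefixes(SAMPLE_IP_RANGES, "eu-west-1")
    arn = "arn:aws:lambda:eu-west-1:123456789012:function:main-function"  # placeholder
    print(json.dumps(build_invoke_policy(arn, cidrs), indent=2))
```

Attach the statement to the invoking role's policy (as the slide suggests) or to the main function's resource policy. Two caveats a practitioner should keep in mind: the ranges in ip-ranges.json change, so the policy has to be regenerated when the document does; and aws:SourceIp only narrows callers to "something inside AWS in this Region", it cannot tell the wrapper from any other caller in that range, which is why the shared secret above is worth adding as well.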
• With the front-end wrapped, now let’s look at the back…
API Gateway and API
Endpoints
API Gateway and API Endpoints
[Diagram: the same wrapped-Lambda layout, now highlighting the “Back end”: our main Lambda function reaches the AWS API endpoint only through Amazon API Gateway.]
API Gateway and API Endpoints
• Consider API Gateway as a protective front-end onto the
main AWS API Endpoints
• Can rate-limit calling frequency
• Can have back-end Lambda functions on each of REST GET,
PUT, POST, PATCH, DELETE, HEAD, OPTIONS to check
call content
• Supports Sigv4 – and generates logs
• So, we have a back-end wrapper function
• …But we need to make API Gateway the target(s) for
calls to API Endpoints, in our main Lambda function…
• Easy!
Endpoint mappings in boto and Java SDK:
{
"autoscaling": {
"ap-northeast-1": "autoscaling.ap-northeast-1.amazonaws.com",
"ap-northeast-2": "autoscaling.ap-northeast-2.amazonaws.com",
"ap-southeast-1": "autoscaling.ap-southeast-1.amazonaws.com",
"ap-southeast-2": "autoscaling.ap-southeast-2.amazonaws.com",
"cn-north-1": "autoscaling.cn-north-1.amazonaws.com.cn",
"eu-central-1": "autoscaling.eu-central-1.amazonaws.com",
"eu-west-1": "autoscaling.eu-west-1.amazonaws.com",
"sa-east-1": "autoscaling.sa-east-1.amazonaws.com",
"us-east-1": "autoscaling.us-east-1.amazonaws.com",
"us-gov-west-1": "autoscaling.us-gov-west-1.amazonaws.com",
"us-west-1": "autoscaling.us-west-1.amazonaws.com",
"us-west-2": "autoscaling.us-west-2.amazonaws.com"
},
• boto/boto/endpoints.json and aws-java-sdk-core/src/main/resources/com/amazonaws/partitions/endpoints.json
Wrapping Lambda Functions
• Hack the in-environment SDK for your own main
Lambda function!
• 2-stage function needed, in the execution context:
• 1. Verify that the endpoints as defined in the SDK are your
own API Gateway endpoints; set them if not
• 2. Invoke the actual “doing stuff” function
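The two-stage check above, as an added Python example using boto3's endpoint override rather than editing the SDK's endpoints.json in place (the deck's approach); this is not the deck's code. The API Gateway hostnames are placeholders, and boto3 is imported only when a real client is built, so the checks themselves run offline.

```python
"""Stage 1: make sure every SDK client in the execution context points at our
API Gateway, not the default service endpoint.  Stage 2: only then run the
real work.  Added example; gateway URLs are placeholders."""
from urllib.parse import urlparse

# Service -> our API Gateway endpoint in front of that service (placeholders).
GATEWAY_ENDPOINTS = {
    "autoscaling": "https://abc123.execute-api.eu-west-1.amazonaws.com/prod",
    "s3": "https://def456.execute-api.eu-west-1.amazonaws.com/prod",
}


def endpoint_is_ours(service, endpoint_url, gateways=GATEWAY_ENDPOINTS):
    """Scheme, host and stage prefix must all match our gateway."""
    want = urlparse(gateways[service])
    got = urlparse(endpoint_url or "")
    return (got.scheme == "https"
            and got.hostname == want.hostname
            and got.path.startswith(want.path))


def enforce_endpoint(service, endpoint_url, gateways=GATEWAY_ENDPOINTS):
    """Return (endpoint_url, was_replaced): keep a correct one, replace a wrong one."""
    if endpoint_is_ours(service, endpoint_url, gateways):
        return endpoint_url, False
    return gateways[service], True


def make_client(service, region="eu-west-1", gateways=GATEWAY_ENDPOINTS):
    """Create a boto3 client that talks only to our gateway."""
    import boto3
    client = boto3.client(service, region_name=region)
    url, replaced = enforce_endpoint(service, client.meta.endpoint_url, gateways)
    if replaced:
        client = boto3.client(service, region_name=region, endpoint_url=url)
    return client


def do_stuff(event, clients):
    """Placeholder for the main function's real work."""
    return {"services": sorted(clients)}


def handler(event, context, clients=None):
    """Stage 2 runs only after every client passes the stage 1 check."""
    clients = clients or {s: make_client(s) for s in GATEWAY_ENDPOINTS}
    for service, client in clients.items():
        if not endpoint_is_ours(service, client.meta.endpoint_url):
            raise RuntimeError("%s client bypasses API Gateway: %s"
                               % (service, client.meta.endpoint_url))
    return do_stuff(event, clients)
```

The final loop in handler is the important part: rebuilding the client is not enough on its own, because anything else in the execution context can still construct a default client, so the function re-checks what it is about to use rather than trusting what it built.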
Generalising Across
Serverless Functions
Filtering API Calls
[Diagram: AWS Lambda → Amazon API Gateway → API endpoint]
Filtering Kinesis (and some other) Streams
[Diagram: a Lambda function sitting between two Amazon Kinesis streams, with Amazon ElastiCache and Amazon DynamoDB also shown]
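The Kinesis filter from the diagram above, as an added Python example (not the deck's code): a Lambda function triggered by one stream that decodes each record, applies content checks, forwards clean records to a second stream and reports the rest. The downstream stream name is a placeholder; the event built by make_event is constructed in the shape Lambda uses for Kinesis triggers, and the checks (size limit, valid JSON, allowed fields, alphanumeric action) stand in for whatever a real analyser would apply.

```python
"""Lambda function as a filter tap on a Kinesis stream.  Added example."""
import base64
import json

CLEAN_STREAM = "clean-events"  # placeholder downstream stream
MAX_RECORD_BYTES = 4096
ALLOWED_KEYS = {"user", "action", "ts"}


def check_record(raw):
    """Return (ok, reason, parsed).  Rejects oversized, non-JSON and
    unexpectedly shaped records."""
    if len(raw) > MAX_RECORD_BYTES:
        return False, "too large", None
    try:
        doc = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return False, "not json", None
    if not isinstance(doc, dict) or set(doc) - ALLOWED_KEYS:
        return False, "unexpected fields", None
    if not isinstance(doc.get("action"), str) or not doc["action"].isalnum():
        return False, "bad action", None
    return True, "ok", doc


def filter_kinesis_event(event):
    """Split a Kinesis trigger event into forwardable records and rejects."""
    clean, rejected = [], []
    for rec in event.get("Records", []):
        k = rec["kinesis"]
        raw = base64.b64decode(k["data"])
        ok, reason, _doc = check_record(raw)
        if ok:
            clean.append({"Data": raw, "PartitionKey": k["partitionKey"]})
        else:
            rejected.append({"sequenceNumber": k["sequenceNumber"], "reason": reason})
    return clean, rejected


def handler(event, context, kinesis_client=None):
    """Forward clean records downstream; return the rejects for logging."""
    clean, rejected = filter_kinesis_event(event)
    if clean:
        if kinesis_client is None:
            import boto3  # only needed inside Lambda
            kinesis_client = boto3.client("kinesis")
        kinesis_client.put_records(StreamName=CLEAN_STREAM, Records=clean)
    return {"forwarded": len(clean), "rejected": rejected}


def make_event(payloads):
    """Constructed Kinesis trigger event for offline testing."""
    return {"Records": [
        {"eventSource": "aws:kinesis",
         "kinesis": {"data": base64.b64encode(p).decode(),
                     "partitionKey": "pk", "sequenceNumber": str(i)}}
        for i, p in enumerate(payloads)]}
```

The function's role needs kinesis:PutRecords on the downstream stream and the usual read permissions on the upstream one; keeping the two streams separate is what makes the Lambda function a real choke point, since consumers only ever subscribe to the filtered stream.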
Services with Lambda Trigger Support
• Config
• CloudWatch
• S3
• DynamoDB
• Kinesis
• SNS
• SES
• Cognito
• CloudFormation
Conclusions
Threats and Mitigations
• IAM is your first port of call, for limiting API calls and their
scope
• Cross-account access can also be useful here
• API Endpoints are well-protected, but API Gateways can
add hooks for further protection at Layer 7 to any service
• …though they’re most applicable to serverless ones
• Lambda functions can provide useful tap / inspection /
filter hook points for queues and pipelines
• Lambda functions can themselves be used as wrap and
filter hook points on the input to Lambda functions
Further Food for Thought…?
• Using Serverless Capabilities to Add Security
Functionality to More Traditional Services
• Config Rules already does this
• GitHub repo at https://github.com/awslabs/aws-config-rules
• CI / CD: Add a final post-deploy Lambda step onto
CodePipeline, and API Gateway as a front-end to pentest
infrastructure, to automatically call a pentest down onto the
newly-deployed components
• Let’s discuss…
Extra: “Serverless” Management of Arbitrary Secrets
[Diagram, built up over several slides. Components: a fleet of instances, each running under an instance role; a long-term security credential (an https key), encrypted under a data encryption key and stored in an S3 bucket; AWS KMS, holding the data encryption key; a VPC Private Endpoint between the instances and the bucket; Instance UserData carrying the ARN of the encrypted https key in the S3 bucket and the ARN of the data encryption key in KMS.]
Industry Best Practices for
Securing AWS Resources
CIS Amazon Web Services Foundations
Architecture-agnostic set of security
configuration best practices
Provides step-by-step implementation and
assessment procedures
Helpful Resources
Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
Compliance Centre Website: https://aws.amazon.com/compliance
Security Centre: https://aws.amazon.com/security
Security Blog: https://blogs.aws.amazon.com/security/
AWS Audit Training: awsaudittraining@amazon.com
inSided Social Business Platform Growth & Security
AWS Summit Nieuwegein 2016
Maik Broxterman
IT Architect
inSided believes that brands need online
communities to help them stay relevant
Customers
Example
Our mission
1000 enterprise brands use an inSided community in 2025
How to facilitate this exponential growth?
people money product
development
customer
relations
No primary focus on infrastructure
AWS architecture components
EC2
EC2 Autoscaling
ELB
Route 53
Lambda
Elasticsearch
SNS
Cloudtrail
Cloudwatch logs
KMS
Cloudwatch
Config
SQS
SES
SimpleDB
Elasticache
RDS
S3
Glacier
Cloudfront
EBS
Challenge #1: Scalability
Traditional hardware vs AWS elasticity and autoscaling
Challenge #1: Scalability
Moved to AWS
Benefits
                        Past      Currently   Future
tickets tested          0         20/day      100’s/day
(via spot instances)
deploys                 ad hoc    10/day      100’s/day
scaling out             days      minutes     instantly
Challenge 2: Security
Easy manual security
Customizable security
Default security
Shared security model
Q&A
www.insided.com
@insidedmedia
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

Securing Serverless Architecture

Attack Vectors
• Application-level and API-level attacks
• “If it takes input, it likely has an in-band attack vector”
• “If it has a control point, it likely has an out-of-band attack vector”
• “Even if it doesn’t itself have a useful compromise, it might be a useful propagation vector”
• A successful attack = disruption or corruption of service output, or reduction in responsiveness to future service calls, or being a conduit of “bad content” to vulnerable consumers of the service.
• Consider the OWASP Top 10 and other application-level attacks…
Control Points and Out-of-band Attacks
• (Almost) everything in our list has an API Endpoint.
• API Endpoints are exposed to the Internet over https, using TLS 1.2 and unidirectional trust via s2n
• API Endpoints are scaled, rate-managed and connection-monitored
• API Endpoint calls need Sigv4
• SHA256 HMAC with Secret Access Key (240-bit entropic) over REST request
• REST calls are checked for formation correctness
• Looking pretty well-covered…
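To make the “SHA256 HMAC with Secret Access Key over REST request” bullet concrete, here is a worked Sigv4 signer and verifier. This is example code added for this page, not AWS’s or any SDK’s implementation: the credential is the placeholder pair of the kind the Sigv4 documentation uses, and the request, headers and timestamp are constructed sample values. It shows why the endpoint is a poor target for tampering: the signature commits to the method, path, query, signed headers and body hash, and the secret never travels with the request.

```python
import hashlib
import hmac
from urllib.parse import quote

# Placeholder credential of the kind used in the Sigv4 documentation (not a real key).
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"

# Constructed sample request: an Invoke call against Lambda in eu-west-1.
SAMPLE_DATE = "20160524T090000Z"
SAMPLE_PATH = "/2015-03-31/functions/demo/invocations"
SAMPLE_HEADERS = {"Host": "lambda.eu-west-1.amazonaws.com", "X-Amz-Date": SAMPLE_DATE}
SAMPLE_BODY = b'{"x":1}'


def lookup_secret(access_key):
    """Stand-in for the service's credential store (constructed)."""
    return SECRET_KEY if access_key == ACCESS_KEY else None


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service signing key.

    The Secret Access Key itself is never used directly on a request, so a
    captured derived key is only good for one date/region/service scope."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, body):
    """Serialise the request into the exact form the signature commits to."""
    canon_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items())
    )
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    creq = "\n".join([method, path, canon_query, canon_headers, signed_headers, _sha256_hex(body)])
    return creq, signed_headers


def sign(method, path, query, headers, body, amz_date, region, service, access_key, secret):
    """Client side: produce the Authorization header value for one request."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq, signed_headers = canonical_request(method, path, query, headers, body)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(creq.encode("utf-8"))])
    signature = hmac.new(
        signing_key(secret, date, region, service), string_to_sign.encode("utf-8"), hashlib.sha256
    ).hexdigest()
    return (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
            f"SignedHeaders={signed_headers}, Signature={signature}")


def verify(authorization, method, path, query, headers, body, amz_date, secret_lookup):
    """Server side: recompute from what was received and compare in constant time.

    Any change to a signed header, the path, the query or the body changes the
    canonical request and therefore the expected signature."""
    fields = dict(p.strip().split("=", 1) for p in authorization.split(" ", 1)[1].split(","))
    access_key, date, region, service, _terminator = fields["Credential"].split("/")
    secret = secret_lookup(access_key)
    if secret is None or date != amz_date[:8]:
        return False
    signed_names = set(fields["SignedHeaders"].split(";"))
    signed = {k: v for k, v in headers.items() if k.lower() in signed_names}
    expected = sign(method, path, query, signed, body, amz_date, region, service, access_key, secret)
    return hmac.compare_digest(expected.rsplit("Signature=", 1)[1], fields["Signature"])
```

The verifier deliberately recomputes only over the headers the client declared as signed, which is what lets an intermediary add hop-by-hop headers without breaking the call; anything the client did sign (Host and the timestamp here) cannot be altered in transit.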
In-band Attacks
• There are more variables here – consider access methods and content sizes:
IAM is your First Port of Call
• Quickest and highly effective way to reduce risk of serverless “misbehaviour” at sub-data level
• All API access should be Role-based
• Roles can be given to EC2 Instances and Lambda functions
• Roles use ephemeral STS tokens rather than static keys
• Reduces consequences of static key mishandling, no motivation to hard-wire into code
• Cross-account access gets close to Mandatory Access Control
• See video of presentation from UK Security Roadshow (Coming Soon)
IAM is your First Port of Call
• API calls can be constrained in IAM by Source IP address
• Get the AWS range from https://ip-ranges.amazonaws.com/ip-ranges.json
• We could use this to ensure that only our wrapper functions can call our main Lambda functions or the real API endpoints
• Recent development: verify when permissions were last used
• See https://blogs.aws.amazon.com/security/post/Tx280RX2WH6WUD7/Remove-Unnecessary-Permissions-in-Your-IAM-Policies-by-Using-Service-Last-Access
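A worked version of the Source IP idea, added here as example code (not from the deck or from AWS): it reads a file in the shape of ip-ranges.json, keeps only the AMAZON prefixes for one Region, collapses overlapping ranges, and emits the aws:SourceIp condition that restricts lambda:InvokeFunction on the main function to that range, which is the constraint the wrapper design later relies on. The ip-ranges excerpt uses documentation address blocks and the function ARN is a placeholder; the small evaluator at the end is only there to exercise the policy offline and is not IAM’s policy engine.

```python
import ipaddress
import json

# Constructed excerpt in the shape of ip-ranges.json; documentation prefixes,
# not current AWS address space.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "1464076800",
    "createDate": "2016-05-24-08-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.128/25", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON"},
    ],
})

# Placeholder ARN for the main function.
MAIN_FUNCTION_ARN = "arn:aws:lambda:eu-west-1:123456789012:function:main-function"


def amazon_prefixes(ip_ranges_json: str, region: str) -> list:
    """AMAZON-service prefixes for one Region, with contained subnets folded
    into their parents so the policy stays short."""
    doc = json.loads(ip_ranges_json)
    nets = {
        ipaddress.ip_network(p["ip_prefix"])
        for p in doc["prefixes"]
        if p["region"] == region and p["service"] == "AMAZON"
    }
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def invoke_policy(function_arn: str, prefixes: list) -> dict:
    """Allow invocation of the main function only from the Region's AMAZON range.

    Every AWS-hosted caller in the Region shares this range, so this narrows the
    caller population rather than identifying the wrapper; a shared secret
    checked inside the function is the complementary control."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "InvokeOnlyFromRegionalAmazonRange",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": function_arn,
            "Condition": {"IpAddress": {"aws:SourceIp": prefixes}},
        }],
    }


def invocation_allowed(policy: dict, source_ip: str, function_arn: str) -> bool:
    """Minimal offline evaluator for the single Allow statement above."""
    ip = ipaddress.ip_address(source_ip)
    for st in policy["Statement"]:
        if st["Effect"] != "Allow" or st["Action"] != "lambda:InvokeFunction":
            continue
        if st["Resource"] != function_arn:
            continue
        ranges = st["Condition"]["IpAddress"]["aws:SourceIp"]
        if any(ip in ipaddress.ip_network(r) for r in ranges):
            return True
    return False
```

Two practical notes: aws:SourceIp is matched against the public source address of the API call, so a wrapper that runs inside a VPC and egresses through a NAT address will not match the AMAZON range; and ip-ranges.json changes over time, so regenerate the condition when its syncToken changes rather than baking a snapshot into the policy for good.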
Let’s start with Lambda…
• Why?
• It’s a great test case, as:
• It can take input from (almost) anywhere
• It can do (almost) anything with that input, given appropriate permissions
• It can output (almost) anything to (almost) anywhere
• Customers have control over what happens between input and output
• Risk: “you can write insecure code in any language (including Node.js, Java, Python and anything you can call from them…)”
Let’s start with Lambda…
• Already good info on developing Lambda functions - https://aws.amazon.com/blogs/compute/continuous-integration-deployment-for-aws-lambda-functions-with-jenkins-and-grunt-part-1/ , https://aws.amazon.com/blogs/compute/continuous-integration-deployment-for-aws-lambda-functions-with-jenkins-and-grunt-part-2/
• Lambda functions run in an IAM role
• Consider cross-account function calls (see https://aws.amazon.com/blogs/compute/easy-authorization-of-aws-lambda-functions/ )
• Now let’s add a front-end wrapper / filter and back-end / side API checker…
Wrapping Lambda Functions
(Diagram, built up over five slides: a trigger event source, an S3 bucket, feeds a “front end” AWS Lambda wrapper; the wrapper talks to an analyser behind Amazon API Gateway and invokes our original function; a “back end” AWS Lambda sits between our original function and the AWS API endpoint. The annotations added slide by slide are:)
1. Event triggers wrapper
2. Wrapper passes trigger data to analyser
3. Analyser reads data
4. Wrapper invokes Function
5. Function reads data and processes as normal
Wrapping Lambda Functions
• First function, configured to trigger on the Lambda event, is a front-end wrapper
• Passes copy of trigger event input and context to analysis engine (hello, Alert Logic :) )
• Optionally, waits for “content OK” response from analysis engine (in-band checking) to determine whether main Lambda function should be invoked
• …or calls main Lambda function immediately, if performance is more critical (out-of-band checking)
• Has the same IAM Read / Get permissions in its role as the main Lambda function, plus what’s needed to send trigger info and invoke the main Lambda function
Wrapping Lambda Functions
• Analysis Engine
• Needs IAM permissions to be able to read from the trigger source
• Needs to be configurable to respond to the calling Lambda function after checks are complete (in-band checking, IPS-style) and / or raise alerts – eg via SNS – if “badness” is found (out-of-band checking, IDS-style)
• In discussion with Alert Logic (co-inventors), but concept and invocation mechanisms are non-exclusive
Wrapping Lambda Functions
• Second function, invoked by the first, is our main Lambda function
• Modify the permission conditions in the IAM role so that this function can only be called from IP addresses in the AMAZON range in the same Region
• ie our wrapping Lambda function
• Consider passing and verifying a shared secret
• With the front-end wrapped, now let’s look at the back…
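The three slides above describe the wrapper, the analysis engine and the main function; the example below puts the flow into Python handlers so the in-band and out-of-band variants, and the shared-secret check, can be seen end to end. It is example code written for this page, not Alert Logic’s or AWS’s implementation. The analyser and Lambda clients are passed in as objects with one method each so the flow runs offline; in a deployment they would be an HTTPS call via API Gateway and boto3’s Lambda client. The secret value and the S3 event are constructed, and binding the secret to the event with an HMAC (rather than sending it in clear) is a design choice of this example.

```python
import hashlib
import hmac
import json

# Placeholder secret: in a deployment it would be fetched from an encrypted store,
# never embedded in the function package.
SECRET = b"constructed-demo-secret"

# Constructed S3 trigger event in the shape Lambda receives.
SAMPLE_EVENT = {"Records": [{
    "eventSource": "aws:s3",
    "s3": {"bucket": {"name": "example-bucket"}, "object": {"key": "uploads/report.csv"}},
}]}


def canonical(event: dict) -> bytes:
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode("utf-8")


def make_token(secret: bytes, event: dict) -> str:
    """Bind the shared secret to this exact event: a captured token cannot be
    reused to push different input into the main function."""
    return hmac.new(secret, canonical(event), hashlib.sha256).hexdigest()


def wrapper_handler(event, context, analyser, lambda_client, main_function, secret, in_band=True):
    """Steps 1, 2 and 4: take the trigger, hand the event to the analyser, invoke main.

    In-band: invoke only on a "ok" verdict (IPS-style).  Out-of-band: invoke
    immediately and leave alerting to the analyser (IDS-style)."""
    verdict = analyser.analyse(event)
    if in_band and verdict.get("status") != "ok":
        return {"invoked": False, "reason": verdict.get("reason", "blocked by analyser")}
    payload = {"event": event, "token": make_token(secret, event)}
    lambda_client.invoke(FunctionName=main_function, Payload=json.dumps(payload).encode("utf-8"))
    return {"invoked": True, "reason": None}


def main_handler(payload, context, secret):
    """Step 5, after confirming the caller really is our wrapper."""
    expected = make_token(secret, payload.get("event", {}))
    if not hmac.compare_digest(expected, str(payload.get("token", ""))):
        raise PermissionError("invocation not from the wrapper")
    # The original function's processing goes here; this stand-in just lists the keys.
    keys = [r["s3"]["object"]["key"] for r in payload["event"]["Records"]]
    return {"processed": keys}


class FakeAnalyser:
    """Constructed stand-in for the analysis engine behind API Gateway."""
    def __init__(self, verdict):
        self.verdict = verdict

    def analyse(self, event):
        return self.verdict


class FakeLambda:
    """Constructed stand-in for boto3's Lambda client; records invocations."""
    def __init__(self):
        self.calls = []

    def invoke(self, FunctionName, Payload):
        self.calls.append((FunctionName, Payload))
        return {"StatusCode": 202}


def run_demo() -> dict:
    """Exercise both checking modes and the secret check; returns the outcomes."""
    results = {}
    lam = FakeLambda()
    r = wrapper_handler(SAMPLE_EVENT, None, FakeAnalyser({"status": "ok"}), lam, "main-fn", SECRET)
    results["in_band_ok"] = r["invoked"]
    r = wrapper_handler(SAMPLE_EVENT, None, FakeAnalyser({"status": "bad", "reason": "policy hit"}),
                        lam, "main-fn", SECRET)
    results["in_band_blocked"] = not r["invoked"]
    r = wrapper_handler(SAMPLE_EVENT, None, FakeAnalyser({"status": "bad"}), lam, "main-fn",
                        SECRET, in_band=False)
    results["out_of_band_invoked"] = r["invoked"]
    results["invocations"] = len(lam.calls)
    results["processed"] = main_handler(json.loads(lam.calls[0][1]), None, SECRET)["processed"]
    try:
        main_handler({"event": SAMPLE_EVENT, "token": "0" * 64}, None, SECRET)
        results["forged_rejected"] = False
    except PermissionError:
        results["forged_rejected"] = True
    return results
```

The wrapper’s role needs lambda:InvokeFunction on the main function and whatever the analyser hand-off requires on top of the main function’s own read permissions, as the slide says; the main function’s role needs nothing extra for the token check, since it only recomputes an HMAC.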
API Gateway and API Endpoints
(Diagram: the same bucket / front-end wrapper / original function layout as before, with the “back end” AWS Lambda and Amazon API Gateway placed between our original function and the AWS API endpoint.)
API Gateway and API Endpoints
• Consider API Gateway as a protective front-end onto the main AWS API Endpoints
• Can rate-limit calling frequency
• Can have back-end Lambda functions on each of REST GET, PUT, POST, PATCH, DELETE, HEAD, OPTIONS to check call content
• Supports Sigv4 – and generates logs
• So, we have a back-end wrapper function :)
• …But we need to make API Gateway the target(s) for calls to API Endpoints, in our main Lambda function…
• Easy!
Endpoint mappings in boto and Java SDK:

    {
      "autoscaling": {
        "ap-northeast-1": "autoscaling.ap-northeast-1.amazonaws.com",
        "ap-northeast-2": "autoscaling.ap-northeast-2.amazonaws.com",
        "ap-southeast-1": "autoscaling.ap-southeast-1.amazonaws.com",
        "ap-southeast-2": "autoscaling.ap-southeast-2.amazonaws.com",
        "cn-north-1": "autoscaling.cn-north-1.amazonaws.com.cn",
        "eu-central-1": "autoscaling.eu-central-1.amazonaws.com",
        "eu-west-1": "autoscaling.eu-west-1.amazonaws.com",
        "sa-east-1": "autoscaling.sa-east-1.amazonaws.com",
        "us-east-1": "autoscaling.us-east-1.amazonaws.com",
        "us-gov-west-1": "autoscaling.us-gov-west-1.amazonaws.com",
        "us-west-1": "autoscaling.us-west-1.amazonaws.com",
        "us-west-2": "autoscaling.us-west-2.amazonaws.com"
      },

• boto/boto/endpoints.json and aws-java-sdk-core/src/main/resources/com/amazonaws/partitions/endpoints.json
Wrapping Lambda Functions
• Hack the in-environment SDK for your own main Lambda function!
• 2-stage function needed, in the execution context:
• 1. Verify that the endpoints as defined in the SDK are your own API Gateway endpoints; set them if not
• 2. Invoke the actual “doing stuff” function
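Stage 1 of that two-stage function, as example code added for this page (not the deck’s own or any SDK’s): it takes an endpoint table in the shape of the boto excerpt above, checks which services in the current Region would still reach the raw AWS endpoint, repoints the guarded ones at our API Gateway hostnames, and fails closed when a service has no gateway configured instead of silently falling through. The gateway hostnames are placeholders; the autoscaling mapping is the one quoted on the slide.

```python
import copy

# The autoscaling entry from boto's endpoints.json, as quoted on the slide.
SDK_ENDPOINTS = {
    "autoscaling": {
        "ap-northeast-1": "autoscaling.ap-northeast-1.amazonaws.com",
        "ap-northeast-2": "autoscaling.ap-northeast-2.amazonaws.com",
        "ap-southeast-1": "autoscaling.ap-southeast-1.amazonaws.com",
        "ap-southeast-2": "autoscaling.ap-southeast-2.amazonaws.com",
        "cn-north-1": "autoscaling.cn-north-1.amazonaws.com.cn",
        "eu-central-1": "autoscaling.eu-central-1.amazonaws.com",
        "eu-west-1": "autoscaling.eu-west-1.amazonaws.com",
        "sa-east-1": "autoscaling.sa-east-1.amazonaws.com",
        "us-east-1": "autoscaling.us-east-1.amazonaws.com",
        "us-gov-west-1": "autoscaling.us-gov-west-1.amazonaws.com",
        "us-west-1": "autoscaling.us-west-1.amazonaws.com",
        "us-west-2": "autoscaling.us-west-2.amazonaws.com",
    }
}

# Placeholder API Gateway hostnames fronting (service, region) pairs (constructed).
GATEWAY_HOSTS = {
    ("autoscaling", "eu-west-1"): "a1b2c3d4e5.execute-api.eu-west-1.amazonaws.com",
}


def gateway_host(gateway_hosts: dict, service: str, region: str):
    return gateway_hosts.get((service, region))


def unguarded_services(endpoints: dict, gateway_hosts: dict, region: str) -> list:
    """Services whose endpoint for `region` is not one of our gateway hosts."""
    found = []
    for service, by_region in endpoints.items():
        host = by_region.get(region)
        if host is not None and host != gateway_host(gateway_hosts, service, region):
            found.append(service)
    return sorted(found)


def enforce_gateway(endpoints: dict, gateway_hosts: dict, region: str):
    """Return a patched copy of the mapping with every guarded service in
    `region` repointed at its gateway, plus the services with no gateway.

    The input is not modified, so a caller can diff old against new and log
    exactly what was changed in this execution context."""
    patched = copy.deepcopy(endpoints)
    missing = []
    for service, by_region in patched.items():
        if region not in by_region:
            continue
        host = gateway_host(gateway_hosts, service, region)
        if host is None:
            missing.append(service)
        else:
            by_region[region] = host
    return patched, sorted(missing)


def run_guarded(endpoints: dict, gateway_hosts: dict, region: str, work):
    """The two-stage handler: verify and patch endpoints, then run `work` with
    the patched mapping.  Refuses to run stage 2 if any service would bypass
    the gateway, rather than letting the raw endpoint be reached."""
    patched, missing = enforce_gateway(endpoints, gateway_hosts, region)
    if missing:
        raise RuntimeError("no API Gateway configured for: " + ", ".join(missing))
    return work(patched)
```

Because Sigv4 signs the Host header, the SDK will sign the request for the gateway hostname; API Gateway (with IAM authorisation) verifies that signature, and its integration then makes its own signed call to the real endpoint. Note also that the SDK that runs is the one packaged in the deployment zip, so the patched table belongs in that package or, in SDKs that support it, the gateway URL is passed as the client’s endpoint at construction time rather than by editing the JSON.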
Filtering API Calls
(Diagram: AWS Lambda, Amazon API Gateway, API endpoint.)

Filtering Kinesis (and some other) Streams
(Diagram: AWS Lambda, Amazon ElastiCache, two Amazon Kinesis streams and Amazon DynamoDB.)
Services with Lambda Trigger Support
• Config
• CloudWatch
• S3
• DynamoDB
• Kinesis
• SNS
• SES
• Cognito
• CloudFormation
Threats and Mitigations
• IAM is your first port of call, for limiting API calls and their scope
• Cross-account access can also be useful here
• API Endpoints are well-protected, but API Gateways can add hooks for further protection at Layer 7 to any service
• …though they’re most applicable to serverless ones
• Lambda functions can provide useful tap / inspection / filter hook points for queues and pipelines
• Lambda functions can themselves be used as wrap and filter hook points on the input to Lambda functions
Further Food for Thought…?
• Using Serverless Capabilities to Add Security Functionality to More Traditional Services
• Config Rules already does this
• GitHub repo at https://github.com/awslabs/aws-config-rules
• CI / CD: Add a final post-deploy Lambda step onto CodePipeline, and API Gateway as a front-end to pentest infrastructure, to automatically call a pentest down onto the newly-deployed components
• Let’s discuss…
Extra: “Serverless” Management of Arbitrary Secrets
(Diagram, built up over ten slides. Components as labelled: a fleet of instances and one instance; a long-term security credential; AWS KMS with a data encryption key, and a data encryption key shown again at the instance; an S3 bucket; a VPC Private Endpoint; an IAM role on the instance and a second role; and Instance UserData carrying only the ARN of the encrypted https key in the S3 bucket and the ARN of the data encryption key in KMS.)
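The diagram’s point is that the instance bootstraps from two ARNs in its UserData and a role, never from a secret in the clear. The example below, added for this page and not part of the deck, shows the two checks a practitioner would put around that: validating that UserData contains only the two expected ARNs (UserData is readable by any process on the instance, so it must carry pointers, not key material), and deriving the instance role policy that grants s3:GetObject on exactly that object, via the VPC endpoint, and kms:Decrypt on exactly that key. The ARNs, bucket, key id and VPC endpoint id are placeholders.

```python
import json
import re

# Constructed UserData in the shape the diagram implies: two ARNs, nothing else.
SAMPLE_USER_DATA = json.dumps({
    "encrypted_https_key": "arn:aws:s3:::example-secrets-bucket/tls/server.key.enc",
    "data_encryption_key": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555",
})

# Constructed UserData that smuggles key material alongside the pointers.
UNSAFE_USER_DATA = json.dumps({
    "encrypted_https_key": "arn:aws:s3:::example-secrets-bucket/tls/server.key.enc",
    "data_encryption_key": "arn:aws:kms:eu-west-1:123456789012:key/11111111-2222-3333-4444-555555555555",
    "private_key": "-----BEGIN RSA PRIVATE KEY-----(constructed)-----END RSA PRIVATE KEY-----",
})

ARN_PATTERNS = {
    "encrypted_https_key": re.compile(r"^arn:aws:s3:::[a-z0-9.\-]{3,63}/.+$"),
    "data_encryption_key": re.compile(r"^arn:aws:kms:[a-z0-9\-]+:\d{12}:key/[0-9a-f\-]{36}$"),
}


def parse_user_data(user_data: str) -> dict:
    """Accept exactly the two expected ARN fields; reject anything extra or malformed."""
    doc = json.loads(user_data)
    if set(doc) != set(ARN_PATTERNS):
        unexpected = sorted(set(doc) ^ set(ARN_PATTERNS))
        raise ValueError("unexpected or missing UserData fields: %s" % unexpected)
    for name, pattern in ARN_PATTERNS.items():
        if not isinstance(doc[name], str) or not pattern.match(doc[name]):
            raise ValueError("%s is not a well-formed ARN" % name)
    return doc


def user_data_is_safe(user_data: str) -> bool:
    try:
        parse_user_data(user_data)
        return True
    except (ValueError, TypeError):
        return False


def instance_role_policy(refs: dict, vpc_endpoint_id: str) -> dict:
    """Least-privilege role for the bootstrap: read one object through the VPC
    endpoint, decrypt with one key.  The object is ciphertext, so even the
    GetObject grant alone exposes nothing without the KMS grant."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadEncryptedHttpsKeyOnly",
                "Effect": "Allow",
                "Action": "s3:GetObject",
                "Resource": refs["encrypted_https_key"],
                "Condition": {"StringEquals": {"aws:sourceVpce": vpc_endpoint_id}},
            },
            {
                "Sid": "UnwrapDataKeyOnly",
                "Effect": "Allow",
                "Action": "kms:Decrypt",
                "Resource": refs["data_encryption_key"],
            },
        ],
    }


def granted(policy: dict) -> list:
    """(action, resource) pairs the policy allows, for review or a unit test."""
    return sorted((s["Action"], s["Resource"]) for s in policy["Statement"] if s["Effect"] == "Allow")
```

Reviewing the output of granted() against the two ARNs in UserData is a cheap release-time check that the role has not grown a wildcard; the slide’s “last accessed” tooling then confirms over time that nothing else is being exercised.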
Industry Best Practices for Securing AWS Resources
• CIS Amazon Web Services Foundations
• Architecture-agnostic set of security configuration best practices
• Provides step-by-step implementation and assessment procedures
Helpful Resources
• Compliance Enablers: https://aws.amazon.com/compliance/compliance-enablers/
• Risk & Compliance Whitepaper: https://aws.amazon.com/whitepapers/overview-of-risk-and-compliance/
• Compliance Centre Website: https://aws.amazon.com/compliance
• Security Centre: https://aws.amazon.com/security
• Security Blog: https://blogs.aws.amazon.com/security/
• AWS Audit Training: awsaudittraining@amazon.com
inSided Social Business Platform: Growth & Security
AWS Summit Nieuwegein 2016
Maik Broxterman, IT Architect

inSided believes that brands need online communities to help them stay relevant

Our mission
• 1000 enterprise brands use an inSided community in 2025
How to facilitate this exponential growth?
• people
• money
• product development
• customer relations
• No primary focus on infrastructure

AWS architecture components
EC2, EC2 Autoscaling, ELB, Route 53, Lambda, Elasticsearch, SNS, CloudTrail, CloudWatch Logs, KMS, CloudWatch, Config, SQS, SES, SimpleDB, ElastiCache, RDS, S3, Glacier, CloudFront, EBS
Challenge #1: Scalability
• Traditional hardware vs AWS elasticity and autoscaling

Benefits
                                      Past      Currently   Future
  tickets tested (via spot instances)  0         20/day      100’s/day
  deploys                              ad hoc    10/day      100’s/day
  scaling out                          days      minutes     instantly

Challenge #2: Security
• Easy manual security
• Customizable security
• Default security
• Shared security model

Q&A