© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Serverless Security:
Best practices and mitigation strategies
Jeremy Daly
Chief Technology Officer
AlertMe.news
DEV12
Agenda
The Serverless Security Model
Serverless Risks & Common Attack Vectors
Event Injection
IAM Roles & Permissions
Understanding Serverless Scalability
Best Practice & Mitigation Techniques
About Me
• CTO at AlertMe.news
• Consult with companies building in the cloud
• 20+ year veteran of technology startups
• Started working with AWS in 2009
• Blogger, open-source contributor, speaker
• Publish the Off-by-none serverless newsletter
• Host of the Serverless Chats podcast
Shared Responsibility Model
Shared Responsibility Model for Serverless
AWS: responsible for security "of" the cloud
• Regions, Availability Zones, Edge Locations
• Compute, Storage, Database, Network
• Operating System + Virtual Machines + Containers
Application Owner: responsible for security "in" the cloud
• Applications (Functions)
• Identity & Access Management, Cloud Services Configuration
• Client-side Data, Data in Cloud, Data in Transit
Lambda Runtime Environment
• Control Plane
  • Provides function management APIs (CreateFunction, UpdateFunctionCode)
  • Manages integrations with all AWS services
• Data Plane
  • Controls the Invoke API that runs Lambda functions
  • Allocates execution environments to functions
  • Chooses an existing execution environment that has already been set up for that function
  • Runs the function code in that environment
Execution Environments & MicroVMs
• A dedicated execution environment is used for the lifetime of the function and then destroyed
• Each execution environment hosts one concurrent invocation, but is reused in place across multiple serial invocations of the same function
• Execution environments run on hardware-virtualized virtual machines (microVMs)
• MicroVMs are dedicated to an AWS account, but can be reused by execution environments across functions within an account
• Execution environments are never shared across functions, and microVMs are never shared across AWS accounts
Comparison of EC2 and Firecracker models for Lambda
IaaS
CLOUD PROVIDER RESPONSIBILITY
• Physical infrastructure, access restrictions to physical perimeter and hardware
• Secure configuration of infrastructure devices and systems
CUSTOMER RESPONSIBILITY
• Regularly testing the security of all systems/processes (OS, services)
• Identification & authentication of access to systems (OS, services)
• Patching and fixing flaws in OS
• Hardening OS and services
• Protecting all systems against malware and backdoors
• Patching and fixing flaws in runtime environment and related software packages
• Exploit prevention & memory protection
• Network segmentation
• Tracking & monitoring all network resources and access
• Installation & maintenance of network firewalls
• Network-layer DoS protection
• Authentication of users
• Authorization controls when accessing application & data
• Log and maintain audit trails of all access to application & data
• Deploy an application layer firewall for event-data inspection
• Detect & fix vulnerabilities in 3rd party dependencies
• Use least-privileged IAM roles & permissions
• Enforce legitimate application behavior
• Data leak prevention
• Scan code & configurations statically during development
• Maintain serverless/cloud asset inventory
• Remove obsolete/unused cloud services & functions
• Continuously monitor errors & security incidents
Serverless
CLOUD PROVIDER RESPONSIBILITY
• Physical infrastructure, access restrictions to physical perimeter and hardware
• Secure configuration of infrastructure devices and systems
• Regularly testing the security of all systems/processes (OS, services)
• Identification & authentication of access to systems (OS, services)
• Patching and fixing flaws in OS
• Hardening OS and services
• Protecting all systems against malware and backdoors
• Patching and fixing flaws in runtime environment and related software packages
• Exploit prevention & memory protection
• Network segmentation
• Tracking & monitoring all network resources and access
• Installation & maintenance of network firewalls
• Network-layer DoS protection
CUSTOMER RESPONSIBILITY
• Authentication of users
• Authorization controls when accessing application & data
• Log and maintain audit trails of all access to application & data
• Deploy an application layer firewall for event-data inspection
• Detect & fix vulnerabilities in 3rd party dependencies
• Use least-privileged IAM roles & permissions
• Enforce legitimate application behavior
• Data leak prevention
• Scan code & configurations statically during development
• Maintain serverless/cloud asset inventory
• Remove obsolete/unused cloud services & functions
• Continuously monitor errors & security incidents
Credit: Ory Segal (@orysegal)
IaaS vs Serverless Security Responsibilities
The 12 Most Critical Risks for Serverless Applications
• SAS-1: Function event-data injection
• SAS-2: Broken authentication
• SAS-3: Insecure serverless deployment configuration
• SAS-4: Over-privileged function permissions and roles
• SAS-5: Inadequate function monitoring and logging
• SAS-6: Insecure third-party dependencies
• SAS-7: Insecure application secrets storage
• SAS-8: Denial of service & financial resource exhaustion
• SAS-9: Serverless business logic manipulation
• SAS-10: Improper exception handling and verbose error messages
• SAS-11: Obsolete functions, cloud resources and event triggers
• SAS-12: Cross-execution data persistency
By the Cloud Security Alliance (CSA) and PureSec
Standard Serverless Workflow
Diagram: Code Repository (Code Deploy) → Lambda; Event Sources … (Event Trigger) → Lambda; Lambda (Interactions) → Cloud Resources; Lambda → Output
Serverless Attack Surfaces
Diagram, same nodes as the workflow above with an attack labelled at each surface: Event Sources → Event Injection; Code Repository → Unauthorized Deployment, Dependency Poisoning; Cloud Resources → Data Tampering; all converging on Lambda
Possible Repercussions
• Compromise Data
• Abuse Business Logic
• Bypass Authentication
• Leak Secrets
• Denial of Service (DoS)
• Remote Code Execution
Traditional Security Solutions with Serverless
• WAFs (web application firewalls)
• RASPs (runtime application self-protection)
• EPPs (endpoint protection platforms)
• WSGs (web security gateways)
• IPS (intrusion prevention systems)
• NG-FW (next-generation firewalls)
Your app security is based on GOOD CODING and STRICT CONFIGURATION
❌ ❌ ❌ ❌ ✅* ❌
47+ supported event sources that can trigger Lambda
• Amazon S3
• Amazon DynamoDB
• Amazon Kinesis Data Streams
• Amazon Simple Notification Service (SNS)
• Amazon Simple Email Service
• Amazon CloudWatch Logs
• Amazon CloudWatch Events (as a proxy to 25+ other services)
• Scheduled Events
• AWS Config
• Amazon Alexa
• Amazon Lex
• Amazon API Gateway
• AWS IoT Button
• Amazon CloudFront
• Amazon Kinesis Data Firehose
• Amazon Simple Queue Service (SQS)
*Many different event formats*
CloudWatch Logs and Kinesis Data Streams Events
  {
    "awslogs": {
      "data": "H4sIAAAAAAAAAHWPwQqCQBCGX0Xm7EFtK+smZBEUgXoLCdMhFtKV3akI8d0bLYmibvPPN3wz00CJxmQnTO41whwWQRIctmEcB6sQbFC3CjW3XW8kxpOpP+OC22d1Wml1qZkQGtoMsScxaczKN3plG8zlaHIta5KqWsozoTYw3/djzwhpLwivWFGHGpAFe7DL68JlBUk+l7KSN7tCOEJ4M3/qOI49vMHj+zCKdlFqLaU2ZHV2a4Ct/an0/ivdX8oYc1UVX860fQDQiMdxRQEAAA=="
    }
  }
This data has to be decoded, unzipped, and then inspected to make sure it's safe to use.
An S3 Example
{
"Records": [
{
"eventSource": "aws:s3",
"eventName": "ObjectCreated:Put",
"s3": {
"bucket": {
...
},
"object": {
"key": "1%22%29%3B%28delete+*+from+uploads",
"size": 4
}
}
}
]
}
Trust No One 👽
// Deliberately vulnerable: the S3 key is decoded and concatenated straight into SQL
let filename = decodeURIComponent(s3.object.key.replace(/\+/g, '%20'))
connection.query(
  'INSERT INTO uploads (`file`) VALUES ("' + filename + '")',
  (error, results) => {}
)
INSERT INTO uploads (`file`) VALUES ("1");(delete * from uploads)
Even if you’ve never done this, one of your developers will!!!
“Every program and every privileged user of the
system should operate using the least amount of
privilege necessary to complete the job.”
Jerome Saltzer
Communications of the ACM
Least-Privileged IAM Roles
• Functions should only be allowed to do what they need to do
• AWS IAM model is extremely powerful, but easy to get wrong
• Human factor (laziness, ignorance)
• "Over-privileged" issues are likely the most common mistake in serverless applications
DynamoDB API actions: BatchGetItem, BatchWriteItem, CreateTable, DeleteItem, DeleteTable, DescribeLimits, DescribeReservedCapacity, DescribeReservedCapacityOfferings, PurchaseReservedCapacityOfferings, DescribeStream, DescribeTable, GetItem, GetRecords, GetShardIterator, ListStreams, ListTables, ListTagsOfResource, Query, Scan, TagResource, UntagResource, UpdateItem, UpdateTable, PutItem
Limiting IAM Permissions
• Use a “role-per-function” model
• Use SAM managed policies
• Serverless Framework: use custom roles per function or the "serverless-iam-roles-per-function" plugin
Minimize the blast radius of vulnerable functions
Scaling Serverless Applications
• Serverless apps are more resilient to traffic spikes and can scale to support very high bandwidth
• Synchronous vs. Asynchronous invocations
• Invocation type is pre-determined for each service type
• Examples of DoS (or Denial of Wallet):
• Synchronous: flood with API Gateway requests
• Asynchronous: flood with S3 files
• Poll-based / Stream-based: send malformed batch of events to the stream
• Poll-based / Not stream-based: queue message retention can be up to 4 days for SQS
Best Practices & Mitigation Techniques
• Use API Gateway ‘quota’ and ‘throttling’ capabilities
• Consider using API response caching
• Use SQS as a broker
• Set up Dead Letter Queues (DLQs)
• Design for retry
• Define reserved capacity limit per function
• Set timeouts to avoid “hangs” on unexpected input
Best Practices & Mitigation Techniques (continued)
• Use API Gateway Lambda Authorizers
• Protect your keys, usernames and passwords
• Monitor your concurrent executions, throttling metrics, errors and timeouts
• Set up billing alerts
• Delete old functions, triggers, and resources
Thank you!
Jeremy Daly
@jeremy_daly
jeremydaly.com
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 

Recently uploaded (20)

"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 

Serverless Security: Best practices and mitigation strategies (re:Inforce 2019)

Execution Environments & MicroVMs
• A dedicated execution environment is used for the lifetime of the function and then destroyed
• Each execution environment hosts one concurrent invocation, but is reused in place across multiple serial invocations of the same function
• Execution environments run on hardware-virtualized virtual machines (microVMs)
• MicroVMs are dedicated to an AWS account, but can be reused by execution environments across functions within an account
• Execution environments are never shared across functions, and microVMs are never shared across AWS accounts
Comparison of EC2 and Firecracker models for Lambda (diagram)
IaaS

CLOUD PROVIDER RESPONSIBILITY
• Physical infrastructure, access restrictions to physical perimeter and hardware
• Secure configuration of infrastructure devices and systems

CUSTOMER RESPONSIBILITY
• Regularly testing the security of all systems/processes (OS, services)
• Identification & authentication of access to systems (OS, services)
• Patching and fixing flaws in OS
• Hardening OS and services
• Protecting all systems against malware and backdoors
• Patching and fixing flaws in runtime environment and related software packages
• Exploit prevention & memory protection
• Network segmentation
• Tracking & monitoring all network resources and access
• Installation & maintenance of network firewalls
• Network-layer DoS protection
• Authentication of users
• Authorization controls when accessing application & data
• Log and maintain audit trails of all access to application & data
• Deploy an application layer firewall for event-data inspection
• Detect & fix vulnerabilities in 3rd party dependencies
• Use least-privileged IAM roles & permissions
• Enforce legitimate application behavior
• Data leak prevention
• Scan code & configurations statically during development
• Maintain serverless/cloud asset inventory
• Remove obsolete/unused cloud services & functions
• Continuously monitor errors & security incidents

Serverless

CLOUD PROVIDER RESPONSIBILITY
• Physical infrastructure, access restrictions to physical perimeter and hardware
• Secure configuration of infrastructure devices and systems
• Regularly testing the security of all systems/processes (OS, services)
• Identification & authentication of access to systems (OS, services)
• Patching and fixing flaws in OS
• Hardening OS and services
• Protecting all systems against malware and backdoors
• Patching and fixing flaws in runtime environment and related software packages
• Exploit prevention & memory protection
• Network segmentation
• Tracking & monitoring all network resources and access
• Installation & maintenance of network firewalls
• Network-layer DoS protection

CUSTOMER RESPONSIBILITY
• Authentication of users
• Authorization controls when accessing application & data
• Log and maintain audit trails of all access to application & data
• Deploy an application layer firewall for event-data inspection
• Detect & fix vulnerabilities in 3rd party dependencies
• Use least-privileged IAM roles & permissions
• Enforce legitimate application behavior
• Data leak prevention
• Scan code & configurations statically during development
• Maintain serverless/cloud asset inventory
• Remove obsolete/unused cloud services & functions
• Continuously monitor errors & security incidents

Credit: Ory Segal (@orysegal)
IaaS vs Serverless Security Responsibilities (diagram)
Credit: Ory Segal (@orysegal)
The 12 Most Critical Risks for Serverless Applications
• SAS-1: Function event-data injection
• SAS-2: Broken authentication
• SAS-3: Insecure serverless deployment configuration
• SAS-4: Over-privileged function permissions and roles
• SAS-5: Inadequate function monitoring and logging
• SAS-6: Insecure third-party dependencies
• SAS-7: Insecure application secrets storage
• SAS-8: Denial of service & financial resource exhaustion
• SAS-9: Serverless business logic manipulation
• SAS-10: Improper exception handling and verbose error messages
• SAS-11: Obsolete functions, cloud resources and event triggers
• SAS-12: Cross-execution data persistency
By the Cloud Security Alliance (CSA) and PureSec
Standard Serverless Workflow (diagram): code repository (code deploy), event sources (event trigger), Lambda, cloud resources (interactions), output
Serverless Attack Surfaces (diagram): event sources, Lambda, cloud resources, code repository; attacks shown: event injection, unauthorized deployment, data tampering, dependency poisoning
Possible Repercussions
• Compromise Data
• Abuse Business Logic
• Bypass Authentication
• Leak Secrets
• Denial of Service (DoS)
• Remote Code Execution
Traditional Security Solutions with Serverless
• WAFs (web application firewalls)
• RASPs (runtime application self-protection)
• EPPs (endpoint protection platforms)
• WSGs (web security gateways)
• IPS (intrusion prevention systems)
• NG-FW (next-generation firewalls)
Applicability marks as they appear on the slide: ❌ ❌ ❌ ❌ ✅* ❌
Your app security is based on GOOD CODING and STRICT CONFIGURATION
47+ supported event sources that can trigger Lambda
• Amazon S3
• Amazon DynamoDB
• Amazon Kinesis Data Streams
• Amazon Simple Notification Service (SNS)
• Amazon Simple Email Service
• Amazon CloudWatch Logs
• Amazon CloudWatch Events (as a proxy to 25+ other services)
• Scheduled Events
• AWS Config
• Amazon Alexa
• Amazon Lex
• Amazon API Gateway
• AWS IoT Button
• Amazon CloudFront
• Amazon Kinesis Data Firehose
• Amazon Simple Queue Service (SQS)
*Many different event formats*
CloudWatch Logs and Kinesis Data Streams Events
{
  "awslogs": {
    "data": "H4sIAAAAAAAAAHWPwQqCQBCGX0Xm7EFtK+smZBEUgXoLCdMhFtKV3akI8d0bLYmibvPPN3wz00CJxmQnTO41whwWQRIctmEcB6sQbFC3CjW3XW8kxpOpP+OC22d1Wml1qZkQGtoMsScxaczKN3plG8zlaHIta5KqWsozoTYw3/djzwhpLwivWFGHGpAFe7DL68JlBUk+l7KSN7tCOEJ4M3/qOI49vMHj+zCKdlFqLaU2ZHV2a4Ct/an0/ivdX8oYc1UVX860fQDQiMdxRQEAAA=="
  }
}
This data has to be decoded, unzipped, and then inspected to make sure it's safe to use.
An S3 Example
{
  "Records": [
    {
      "eventSource": "aws:s3",
      "eventName": "ObjectCreated:Put",
      "s3": {
        "bucket": { ... },
        "object": {
          "key": "1%22%29%3B%28delete+*+from+uploads",
          "size": 4
        }
      }
    }
  ]
}
Trust No One 👽
let filename = decodeURIComponent(s3.object.key.replace(/\+/g, '%20'))
connection.query(
  'INSERT INTO uploads (`file`) VALUES ("' + filename + '")',
  (error, results) => {}
)
Resulting query: INSERT INTO uploads (`file`) VALUES ("1");(delete * from uploads)
Even if you've never done this, one of your developers will!!!
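The same S3 key handled as untrusted data, as an added Node.js example that is not from the slides: the key is decoded, checked against an allowlist and passed to a parameterized statement rather than concatenated. The handler wiring assumes the mysql package's connection.query(sql, values, cb) placeholder form; helper names are hypothetical.

```javascript
// Added example, not from the slides: treat the S3 object key as untrusted.
// Helper names are hypothetical; the only library shape relied on is the
// mysql package's connection.query(sql, values, cb) placeholder form.

// Decode the key the way S3 encodes it ('+' for space, then URL-encoding).
// Same transform as on the slide, with the '+' escaped in the regex.
function decodeS3Key(rawKey) {
  return decodeURIComponent(rawKey.replace(/\+/g, '%20'));
}

// The slide's concatenation pattern, kept only to show what the malicious
// key turns into. Never run this against a database.
function unsafeInsertSql(filename) {
  return 'INSERT INTO uploads (`file`) VALUES ("' + filename + '")';
}

// Allowlist the shape of a filename before it goes anywhere near a query:
// letters, digits, '.', '_', '-', '/', at most 255 chars, no '..' segments.
const KEY_PATTERN = /^[A-Za-z0-9][A-Za-z0-9._\-\/]{0,254}$/;
function isAcceptableFilename(filename) {
  return KEY_PATTERN.test(filename) && !filename.includes('..');
}

// Parameterized statement: the driver escapes the value, so the filename is
// always data and can never change the statement's structure.
function buildInsert(filename) {
  if (!isAcceptableFilename(filename)) throw new Error('rejected object key');
  return { sql: 'INSERT INTO uploads (`file`) VALUES (?)', values: [filename] };
}

// Wiring for an S3-triggered handler: validation happens before the query.
function handleS3Record(record, connection) {
  const filename = decodeS3Key(record.s3.object.key);
  const { sql, values } = buildInsert(filename);
  return new Promise((resolve, reject) => {
    connection.query(sql, values, (err, res) => (err ? reject(err) : resolve(res)));
  });
}

// The key from the slide's event, constructed here as test input.
const MALICIOUS_KEY = '1%22%29%3B%28delete+*+from+uploads';
```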
"Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."
Jerome Saltzer, Communications of the ACM
Least-Privileged IAM Roles
• Functions should only be allowed to do what they need to do
• AWS IAM model is extremely powerful, but easy to get wrong
• Human factor (laziness, ignorance)
• "Over-privileged" issues are likely the most common mistake in serverless applications
DynamoDB actions shown on the slide: BatchGetItem, BatchWriteItem, CreateTable, DeleteItem, DeleteTable, DescribeLimits, DescribeReservedCapacity, DescribeReservedCapacityOfferings, PurchaseReservedCapacityOfferings, DescribeStream, DescribeTable, GetItem, GetRecords, GetShardIterator, ListStreams, ListTables, ListTagsOfResource, Query, Scan, TagResource, UntagResource, UpdateItem, UpdateTable, PutItem
Limiting IAM Permissions
• Use a "role-per-function" model
• Use SAM managed policies
• Serverless Framework: use custom roles per function or the "serverless-iam-roles-per-function" plugin
Minimize the blast radius of vulnerable functions
Scaling Serverless Applications
• Serverless apps are more resilient to traffic spikes and can scale to support very high bandwidth
• Synchronous vs. Asynchronous invocations
• Invocation type is pre-determined for each service type
• Examples of DoS (or Denial of Wallet):
  • Synchronous: flood with API Gateway requests
  • Asynchronous: flood with S3 files
  • Poll-based / Stream-based: send malformed batch of events to the stream
  • Poll-based / Not stream-based: queue message retention can be up to 4 days for SQS
Best Practices & Mitigation Techniques
• Use API Gateway 'quota' and 'throttling' capabilities
• Consider using API response caching
• Use SQS as a broker
• Set up Dead Letter Queues (DLQs)
• Design for retry
• Define reserved capacity limit per function
• Set timeouts to avoid "hangs" on unexpected input
Best Practices & Mitigation Techniques (continued)
• Use API Gateway Lambda Authorizers
• Protect your keys, usernames and passwords
• Monitor your concurrent executions, throttling metrics, errors and timeouts
• Set up billing alerts
• Delete old functions, triggers, and resources
Thank you!
Jeremy Daly
@jeremy_daly
jeremydaly.com