Securing Serverless and Container Services
Marc Schröter, AWS DevOps Engineer @ globaldatanet
Community Day 2019 Sponsors
DevOps Automation
Continuous Delivery
Infrastructure as Code
Cloud Security
Security and Compliance Controls
Container
Managing the full container life cycle
Serverless
Highly scalable and fault-tolerant solutions
What is serverless, and how does it impact your approach to security?
What is serverless?
Shift operational responsibilities to AWS
Increasing your agility and innovation
● No infrastructure provisioning, no management
● Automatic scaling
● Pay for value
● Highly available and secure
COMPUTE: AWS Lambda, AWS Fargate
INTEGRATION: Amazon API Gateway, Amazon SQS, Amazon SNS, AWS Step Functions
DATA STORES: Amazon S3, Amazon Aurora Serverless, Amazon DynamoDB
Serverless Risks - OWASP Top 10 (2017)
A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities (XXE)
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-Site Scripting (XSS)
A8: Insecure Deserialization
A9: Using Components with Known Vulnerabilities
A10: Insufficient Logging and Monitoring
Serverless Risks - CSA (The 12 Most Critical Risks for Serverless Applications)
SAS-1: Function Event Data Injection
SAS-2: Broken Authentication
SAS-3: Insecure Serverless Deployment Configuration
SAS-4: Over-Privileged Function Permissions & Roles
SAS-5: Inadequate Function Monitoring and Logging
SAS-6: Insecure Third-Party Dependencies
SAS-7: Insecure Application Secrets Storage
SAS-8: Denial of Service & Financial Resource Exhaustion
SAS-9: Serverless Business Logic Manipulation
SAS-10: Improper Exception Handling and Verbose Error Messages
SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
SAS-12: Cross-Execution Data Persistency
Serverless Risk Categorization

Application Code & App Logic Risks
● Injection
● Broken authentication
● Sensitive data exposure
● Insecure deserialization
● Known vulnerabilities
● Improper exception handling

Deployment Configuration Risks
● Security misconfiguration
● Over-privileged permissions
● Insecure secrets storage

Serverless Platform Risks
● Broken access control
● Inadequate monitoring

Misc. Risks
● DoS
● Unused functions
● Data persistency
● XSS, XXE
A1: Injection
● Use a Web Application Firewall in front of the API
● Validate input against schemas and data transfer objects before using it
● Use parameterized queries or an ORM; never build queries by string concatenation
● Escape special characters for the interpreter the data is handed to
● Run functions with least privilege so a successful injection is contained
● Consider all event types and entry points into the system: HTTP is only one; SQS, SNS, S3 and stream events carry attacker-influenced data as well (CSA SAS-1)
● Use a commercial runtime defense solution
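The event-data injection point described above, as an added example (this is not code from the talk). A Lambda-style handler reads a customer id from the API Gateway path parameter; the vulnerable version concatenates it into SQL, the hardened version validates it against a schema and binds it as a parameter. An in-memory sqlite3 table with constructed rows stands in for the real data store so it runs offline.

```python
"""Function event-data injection (OWASP A1 / CSA SAS-1) in a Lambda-style
handler: the vulnerable pattern next to the hardened one.

Added example; an in-memory sqlite3 table stands in for the real data store
so the code runs offline."""
import json
import re
import sqlite3

# Constructed sample data, not from the talk.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE customers (id TEXT PRIMARY KEY, name TEXT, tier TEXT)")
_conn.executemany("INSERT INTO customers VALUES (?, ?, ?)",
                  [("c-100", "alice", "gold"), ("c-200", "bob", "free")])
_conn.commit()


def vulnerable_handler(event, context=None):
    """Concatenates the path parameter straight into SQL."""
    cid = event["pathParameters"]["id"]
    rows = _conn.execute(
        f"SELECT id, name, tier FROM customers WHERE id = '{cid}' ORDER BY id"
    ).fetchall()
    return {"statusCode": 200, "body": json.dumps(rows)}


# Schema for the only input this function accepts: "c-" followed by 1-9 digits.
CUSTOMER_ID = re.compile(r"c-\d{1,9}")


def hardened_handler(event, context=None):
    """Validates the input against a schema, then binds it as a parameter.

    Validation happens at the entry point (here the API Gateway path
    parameter); the same check belongs on SQS/SNS/S3 event payloads."""
    cid = (event.get("pathParameters") or {}).get("id")
    if not isinstance(cid, str) or not CUSTOMER_ID.fullmatch(cid):
        return {"statusCode": 400, "body": json.dumps({"error": "invalid id"})}
    rows = _conn.execute(
        "SELECT id, name, tier FROM customers WHERE id = ? ORDER BY id", (cid,)
    ).fetchall()
    return {"statusCode": 200, "body": json.dumps(rows)}


if __name__ == "__main__":
    payload = "' OR '1'='1"  # classic tautology injected through the URL path
    print("vulnerable:", vulnerable_handler({"pathParameters": {"id": payload}}))
    print("hardened:  ", hardened_handler({"pathParameters": {"id": payload}}))
    print("hardened:  ", hardened_handler({"pathParameters": {"id": "c-100"}}))
```

The schema check rejects the payload before it reaches the database, and the bound parameter would make the tautology harmless even if the regex were loosened later; the two controls are independent, which is the point of the "validate" and "parameterize" bullets being separate.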
A2: Broken Authentication
● Amazon Cognito or Single Sign-On
● API Gateway access control
○ API keys (these identify a client for usage plans and throttling; on their own they are not authentication)
○ Usage plans
○ AWS IAM roles and policies
○ Amazon Cognito user pools
○ Lambda authorizer functions
● Service authentication between internal resources
○ SAML, OAuth2, security tokens
○ Encrypted channels
○ Password and key management
○ Client certificates
○ OTP/2FA
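The Lambda authorizer bullet above, as an added example (not code from the talk). A TOKEN-type authorizer verifies an HMAC-signed bearer token and hands API Gateway the IAM policy document it expects. The token format (base64url payload, a dot, base64url HMAC-SHA256) and the SIGNING_KEY constant are assumptions for the demo; in a real deployment the key comes from AWS Secrets Manager or a KMS-encrypted environment variable.

```python
"""Lambda authorizer for Amazon API Gateway that verifies an HMAC-signed
bearer token and returns the policy document API Gateway expects.

Added example. Token format and SIGNING_KEY are assumptions for this demo;
the key must never live in code in a real function."""
import base64
import binascii
import hashlib
import hmac
import json
import time

SIGNING_KEY = b"demo-signing-key-replace-me"  # assumption, see docstring


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, ttl=300, now=None):
    """Mints a short-lived token; `now` is injectable for deterministic tests."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": subject, "exp": now + ttl},
                         separators=(",", ":")).encode()
    sig = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(sig)


def verify_token(token, now=None):
    """Returns the subject for a valid, unexpired token, else None.

    The signature is checked with a constant-time compare before any claim is
    trusted; expiry bounds the lifetime of a leaked token."""
    try:
        payload_b64, sig_b64 = token.split(".")
        payload, sig = _b64d(payload_b64), _b64d(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    now = int(time.time()) if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims.get("sub")


def _policy(principal_id, effect, resource):
    """Shape API Gateway expects back from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke",
                           "Effect": effect,
                           "Resource": resource}],
        },
        # Reaches the backend integration as $context.authorizer.sub
        "context": {"sub": principal_id},
    }


def handler(event, context=None, now=None):
    """TOKEN authorizer entry point (a REQUEST authorizer reads headers instead)."""
    raw = event.get("authorizationToken") or ""
    token = raw[len("Bearer "):] if raw.startswith("Bearer ") else raw
    subject = verify_token(token, now)
    if subject is None:
        return _policy("anonymous", "Deny", event["methodArn"])
    return _policy(subject, "Allow", event["methodArn"])
```

Two operational notes: returning an explicit Deny gives the caller a 403, while raising an exception with the message "Unauthorized" gives a 401; and API Gateway caches the authorizer result per token (default 300 seconds), so the Resource in the returned policy must cover every method the same caller may legitimately hit within that window.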
A3: Sensitive Data Exposure
● Identify and classify sensitive data
● Minimize storage of sensitive data
● Protect data at rest and in transit
● Use HTTPS-only endpoints for APIs
● Key management
● Encryption of stored data
● Secret management
● Environment variable encryption
A5: Broken Access Control
Fine-grained access control
[Diagram: Amazon API Gateway exposes POST, GET and DELETE methods, each backed by a function scoped to the resource it needs: a customers table, an orders table and a queue]
● Follow least privilege
● Automate permission configuration
● Automate security testing of IaC
[Diagram: a CloudWatch Events rule fires on CloudFormation stack CREATE/UPDATE and triggers a Lambda function; the function pulls the CloudFormation script from S3, checks it, and notifies on failure via SES]
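The check the Lambda in the pipeline above would run, as an added example (not code from the talk): it walks every IAM policy document in a CloudFormation template and flags statements that violate least privilege. The template is constructed for the demo and assumes JSON; a YAML template with short-form intrinsics such as !GetAtt needs a loader that knows those tags before the same walk applies.

```python
"""Pre-deployment lint for over-privileged IAM in a CloudFormation template.
Added example; TEMPLATE is constructed and contains one least-privilege role,
one over-privileged role and one NotAction managed policy."""
import json

TEMPLATE = json.loads(r"""
{
  "Resources": {
    "OrdersFnRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "Policies": [{"PolicyName": "orders-rw", "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                         "Resource": {"Fn::GetAtt": ["OrdersTable", "Arn"]}}]}}]
      }
    },
    "AdminFnRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "Policies": [{"PolicyName": "admin", "PolicyDocument": {
          "Statement": [
            {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"}]}}]
      }
    },
    "LegacyPolicy": {
      "Type": "AWS::IAM::ManagedPolicy",
      "Properties": {"PolicyDocument": {
        "Statement": {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}}}
    }
  }
}
""")

READ_ONLY_VERBS = ("Get", "List", "Describe", "BatchGet", "Query", "Scan")
INLINE_POLICY_TYPES = ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group")
DOCUMENT_TYPES = ("AWS::IAM::Policy", "AWS::IAM::ManagedPolicy")


def _aslist(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_read_only(action):
    _service, _, verb = action.partition(":")
    return bool(verb) and verb.startswith(READ_ONLY_VERBS) and "*" not in verb


def lint_statement(stmt):
    """Returns the rule names one Allow statement violates (Deny is never flagged)."""
    if stmt.get("Effect", "Allow") != "Allow":
        return []
    issues = []
    if "NotAction" in stmt or "NotResource" in stmt:
        issues.append("allow-with-not-action-or-not-resource")  # grants everything not listed
    actions = [a for a in _aslist(stmt.get("Action")) if isinstance(a, str)]
    # Intrinsics such as {"Fn::GetAtt": ...} or {"Ref": ...} name a specific
    # resource, so they never compare equal to the string "*".
    any_resource = "*" in _aslist(stmt.get("Resource"))
    if any(a == "*" or a.endswith(":*") for a in actions):
        issues.append("wildcard-action")
    # Read-only actions on "*" are tolerated here; mutating ones are not.
    if any_resource and any(not _is_read_only(a) for a in actions):
        issues.append("mutating-action-on-any-resource")
    if any_resource and "iam:PassRole" in actions:
        issues.append("passrole-on-any-resource")  # function could hand out any role
    return issues


def _policy_documents(logical_id, resource):
    props = resource.get("Properties", {})
    if resource.get("Type") in INLINE_POLICY_TYPES:
        for pol in props.get("Policies", []):
            yield pol.get("PolicyName", "<inline>"), pol.get("PolicyDocument", {})
    elif resource.get("Type") in DOCUMENT_TYPES:
        yield props.get("PolicyName", logical_id), props.get("PolicyDocument", {})


def lint_template(template):
    """One finding per (resource, policy, statement, rule); empty list passes."""
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        for policy_name, doc in _policy_documents(logical_id, resource):
            for idx, stmt in enumerate(_aslist(doc.get("Statement"))):
                for rule in lint_statement(stmt):
                    findings.append({"resource": logical_id, "policy": policy_name,
                                     "statement": idx, "rule": rule})
    return findings


if __name__ == "__main__":
    for f in lint_template(TEMPLATE):
        print(f"{f['resource']}/{f['policy']} statement {f['statement']}: {f['rule']}")
```

In the pipeline from the diagram, a non-empty findings list is what triggers the SES notification; OrdersFnRole passes because its actions are concrete and its Resource is a GetAtt to one table.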
● Analyze IAM access patterns programmatically
● Follow AWS IAM best practices
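Analyzing access patterns programmatically, as an added example (not code from the talk): compare what a function role is allowed to do with what it was observed doing and draft a tightened policy. The granted actions, role ARN, resource ARNs and CloudTrail-shaped records are all constructed; the eventSource plus eventName to "service:Action" mapping is a heuristic that holds for most, not all, APIs. The example also handles the failure mode that makes this analysis dangerous when done naively: DynamoDB item-level calls are CloudTrail data events and do not appear in a management-only trail, so their absence is "unobservable", not "unused".

```python
"""Granted-vs-used analysis of a function role from CloudTrail-shaped records.
Added example; all inputs are constructed."""
from collections import Counter
import json

ROLE_ARN = "arn:aws:iam::123456789012:role/orders-fn-role"  # constructed
RESOURCES = [  # constructed ARNs the tightened policy keeps
    "arn:aws:dynamodb:eu-central-1:123456789012:table/orders",
    "arn:aws:kms:eu-central-1:123456789012:key/constructed-key-id",
    "arn:aws:secretsmanager:eu-central-1:123456789012:secret:orders-db-constructed",
]
GRANTED = ["dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem",
           "dynamodb:DescribeTable", "kms:Decrypt", "kms:Encrypt",
           "secretsmanager:GetSecretValue", "sqs:*"]

# Item-level DynamoDB calls are CloudTrail data events; a default trail logs
# management events only, so "not seen" is not "not used" for these.
# Illustrative subset, extend per service you actually grant.
NOT_IN_MANAGEMENT_TRAIL = {"dynamodb:GetItem", "dynamodb:PutItem",
                           "dynamodb:DeleteItem", "dynamodb:UpdateItem",
                           "dynamodb:Query", "dynamodb:Scan"}


def _event(source, name, role_arn=ROLE_ARN):
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"type": "AssumedRole",
                             "sessionContext": {"sessionIssuer": {"arn": role_arn}}}}


# Constructed sample trail records.
TRAIL = [
    _event("kms.amazonaws.com", "Decrypt"),
    _event("kms.amazonaws.com", "Decrypt"),
    _event("secretsmanager.amazonaws.com", "GetSecretValue"),
    _event("dynamodb.amazonaws.com", "DescribeTable"),
    _event("kms.amazonaws.com", "Decrypt"),
    _event("kms.amazonaws.com", "Encrypt",
           role_arn="arn:aws:iam::123456789012:role/other-role"),  # not our role
]


def action_from_event(record):
    """kms.amazonaws.com + Decrypt -> kms:Decrypt (heuristic, see lead-in)."""
    service = record["eventSource"].split(".", 1)[0]
    return f"{service}:{record['eventName']}"


def used_actions(records, role_arn):
    """Counts actions performed by sessions issued from `role_arn` only."""
    used = Counter()
    for rec in records:
        issuer = (rec.get("userIdentity", {}).get("sessionContext", {})
                  .get("sessionIssuer", {}).get("arn"))
        if issuer == role_arn:
            used[action_from_event(rec)] += 1
    return used


def analyze(granted, records, role_arn, resources):
    """Splits granted actions into used / unused / unobservable / wildcard and
    drafts a policy containing only the actions that were actually observed."""
    used = used_actions(records, role_arn)
    wildcards = [a for a in granted if a.endswith("*")]  # cannot be narrowed from logs alone
    concrete = [a for a in granted if not a.endswith("*")]
    unobservable = [a for a in concrete
                    if a not in used and a in NOT_IN_MANAGEMENT_TRAIL]
    unused = [a for a in concrete
              if a not in used and a not in NOT_IN_MANAGEMENT_TRAIL]
    tightened = {"Version": "2012-10-17",
                 "Statement": [{"Effect": "Allow",
                                "Action": sorted(a for a in concrete if a in used),
                                "Resource": resources}]}
    return {"used": dict(used), "unused": unused, "unobservable": unobservable,
            "wildcards": wildcards, "tightened_policy": tightened}


if __name__ == "__main__":
    print(json.dumps(analyze(GRANTED, TRAIL, ROLE_ARN, RESOURCES), indent=2))
```

The three buckets drive three different actions: "unused" actions can be removed, "wildcards" have to be expanded by hand (or by reading the function code), and "unobservable" ones need data-event logging enabled before they can be judged; shipping the tightened policy with the unobservable actions dropped would break the function.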
A6: Security Misconfiguration
● Enforce access control
● Follow the provider's security best practices
● Check for functions with unlinked triggers
● Check for resources that appear in policies but are not linked back to the function
● Set timeouts (and memory) to the minimum the function requires; a generous timeout turns a hung invocation into a cost and DoS exposure (SAS-8)
● Use automated tools that detect security misconfigurations
A9: Using Components with Known Vulnerabilities
● Continuously monitor dependencies and their versions
● Only obtain components from official sources
● Continuously monitor sources such as CVE and NVD
● Platform-specific advisories such as Node Security, PyUp, OWASP SafeNuGet, etc.
● Scan dependencies for known vulnerabilities
○ OWASP Dependency-Check
○ GitHub Security Alerts
○ GitLab Dependency Scanning
○ WhiteSource
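What "scan dependencies for known vulnerabilities" does under the hood, as an added example (not code from the talk or from any of the tools listed): parse a requirements file, match pinned versions against advisory ranges, and flag what cannot be evaluated. The requirements text and the advisories are constructed with placeholder IDs (they are not real CVEs); a real scanner would pull its advisories from NVD, OSV or a vendor feed. Pre-release versions are not handled; production code should use a proper version parser.

```python
"""Dependency check against an advisory list, with the unpinned case handled.
Added example; REQUIREMENTS and ADVISORIES are constructed (placeholder IDs)."""
import re

REQUIREMENTS = """\
# constructed requirements.txt
requests==2.19.0
pyyaml==5.1          ; python_version >= "3.6"
boto3[crt]==1.9.100
urllib3>=1.24        # unpinned: the version on the box is unknown
-r other.txt
"""

# Constructed advisories: affected if introduced <= version < fixed.
ADVISORIES = [
    {"id": "DEMO-0001", "package": "requests", "introduced": "2.0.0", "fixed": "2.20.0"},
    {"id": "DEMO-0002", "package": "pyyaml", "introduced": "0", "fixed": "5.2"},
    {"id": "DEMO-0003", "package": "boto3", "introduced": "1.9.0", "fixed": "1.9.50"},
]

# name, optional [extras], optional operator, version (stops at space, ';' or '#')
REQ_LINE = re.compile(
    r"^\s*([A-Za-z0-9_.\-]+)(?:\[[^\]]*\])?\s*(==|>=|<=|~=|!=|>|<)?\s*([^\s;#]*)")


def parse_version(text):
    """Numeric tuple for comparison; trailing zeros stripped so 5.1 == 5.1.0.
    Pre-release suffixes are not understood (see lead-in)."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def parse_requirements(text):
    """Yields (name, operator, version); comments and options (-r, -e, --x) are skipped."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        m = REQ_LINE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2), m.group(3)


def is_affected(version, advisory):
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def scan(requirements_text, advisories):
    """Returns one record per requirement (or per hit when several advisories match).
    status: "vulnerable", "unpinned" (cannot be evaluated; pin or use a lock file), "ok"."""
    results = []
    for name, op, version in parse_requirements(requirements_text):
        if op != "==" or not version:
            results.append({"package": name, "version": version,
                            "status": "unpinned", "advisory": None})
            continue
        hits = [a["id"] for a in advisories
                if a["package"].lower() == name and is_affected(version, a)]
        for adv_id in hits:
            results.append({"package": name, "version": version,
                            "status": "vulnerable", "advisory": adv_id})
        if not hits:
            results.append({"package": name, "version": version,
                            "status": "ok", "advisory": None})
    return results


if __name__ == "__main__":
    for r in scan(REQUIREMENTS, ADVISORIES):
        print(f"{r['package']:10} {r['version'] or '-':10} {r['status']:10} {r['advisory'] or ''}")
```

The unpinned case is the one that matters for serverless: a deployment package built from `urllib3>=1.24` on one day and rebuilt on another can contain different code, so the scan result for it is meaningless until the version is fixed in a lock file.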
Serverless Security Demo
1. Information gathering
2. Function reverse engineering
3. Digging for gold inside environment variables
4. Exploiting over-privileged IAM roles
5. Abusing insecure cloud configurations
6. Finding known vulnerabilities in open source packages
Security for Amazon EKS (Kubernetes) clusters

Encrypt communication
● Between web clients and your load balancer
○ Use the Application Load Balancer (ALB)
○ Can be achieved with the ALB Ingress Controller
○ ALB provides routing and security options for the application layer
● Between your load balancer and pod
○ TLS support in your application or application server
○ Run a sidecar on your pod that performs the encryption
○ Run a complete service mesh such as Istio
● Between your pod and your Amazon RDS database
Encrypt storage
● Databases
● Persistent Volume Claims (PVC)

Restrict inbound and outbound traffic
● Use network policies
● Network policy engine (Calico)
More EKS security tips
● Use a firewall to block known web attacks
● Protect yourself from DDoS attacks
● Secure your AWS account
● Use namespaces and secrets
● Cyber attack detection
● Review your security setup
● Scan your container images
○ Aqua Security MicroScanner
○ CoreOS Clair
○ Anchore Engine
Container DevSecOps
[Diagram: a developer working in AWS Cloud9 opens a pull request against the application repo in AWS CodeCommit; AWS CodePipeline runs AWS CodeBuild stages for Docker linting, secrets scanning, vulnerability scanning and image publishing; results go to AWS Security Hub and Amazon ECR; a CloudWatch Event rule and a Lambda function feed the outcome back to the pull request]
1. Pull request (development branch, with the build configs)
2. Triggers CodePipeline
3. Pushes vulnerabilities to Security Hub
4. Builds and pushes the image to ECR
5. CodeBuild success/failure triggers the CloudWatch Event rule
6. Triggers the Lambda function
7. Adds feedback to the pull request
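Step 3 of the pipeline, "pushes vulnerabilities to Security Hub", as an added example (not code from the talk): convert image-scanner output into AWS Security Finding Format (ASFF) findings and chunk them for BatchImportFindings, which accepts at most 100 findings per call. SCAN_RESULT is a constructed report with placeholder vulnerability IDs (not real CVEs); the account ID, region, image reference and GeneratorId are assumptions. The boto3 call is left as a comment so the code runs offline.

```python
"""Scanner output -> ASFF findings for AWS Security Hub.
Added example; SCAN_RESULT, ACCOUNT_ID, REGION and IMAGE are constructed."""
import hashlib
import json
from datetime import datetime, timezone

ACCOUNT_ID = "123456789012"                       # assumption
REGION = "eu-central-1"                           # assumption
IMAGE = (f"{ACCOUNT_ID}.dkr.ecr.{REGION}.amazonaws.com/orders-api@sha256:"
         + "ab" * 32)                             # constructed digest
# Custom (non-partner) integrations import under the account's default product ARN.
PRODUCT_ARN = f"arn:aws:securityhub:{REGION}:{ACCOUNT_ID}:product/{ACCOUNT_ID}/default"

# Constructed scanner report, loosely shaped like Clair/Anchore output.
SCAN_RESULT = [
    {"vuln_id": "DEMO-2019-0001", "package": "openssl", "installed": "1.1.0j-1",
     "fixed": "1.1.0k-1", "cvss": 9.8, "description": "constructed: remote code execution"},
    {"vuln_id": "DEMO-2019-0002", "package": "curl", "installed": "7.52.1-5",
     "fixed": None, "cvss": 5.3, "description": "constructed: information leak"},
]


def severity_label(cvss):
    """CVSS base score -> Security Hub label, following Security Hub's own
    normalized bands (0, 1-39, 40-69, 70-89, 90-100)."""
    if cvss == 0:
        return "INFORMATIONAL"
    if cvss < 4:
        return "LOW"
    if cvss < 7:
        return "MEDIUM"
    if cvss < 9:
        return "HIGH"
    return "CRITICAL"


def finding_id(image, vuln):
    """Deterministic Id: re-importing the same image/package/vuln updates the
    existing finding instead of creating a duplicate on every build."""
    raw = f"{image}|{vuln['package']}|{vuln['vuln_id']}".encode()
    return f"{REGION}/{ACCOUNT_ID}/container-scan/" + hashlib.sha256(raw).hexdigest()[:32]


def to_asff(vuln, image, now=None):
    """One ASFF finding per (package, vulnerability) in the image."""
    now = now or datetime.now(timezone.utc)
    ts = now.strftime("%Y-%m-%dT%H:%M:%SZ")
    fix = (f"Upgrade {vuln['package']} to {vuln['fixed']}" if vuln["fixed"]
           else "No fix available yet; track upstream and consider a base image change")
    return {
        "SchemaVersion": "2018-10-08",
        "Id": finding_id(image, vuln),
        "ProductArn": PRODUCT_ARN,
        "GeneratorId": "codebuild-container-scan",    # assumption
        "AwsAccountId": ACCOUNT_ID,
        "Types": ["Software and Configuration Checks/Vulnerabilities/CVE"],
        "CreatedAt": ts,
        "UpdatedAt": ts,
        "Severity": {"Label": severity_label(vuln["cvss"])},
        "Title": f"{vuln['vuln_id']} in {vuln['package']} {vuln['installed']}"[:256],
        "Description": vuln["description"][:1024],
        "Remediation": {"Recommendation": {"Text": fix}},
        "Resources": [{"Type": "Container", "Id": image,
                       "Details": {"Container": {"ImageId": image}}}],
        "Vulnerabilities": [{"Id": vuln["vuln_id"],
                             "VulnerablePackages": [{"Name": vuln["package"],
                                                     "Version": vuln["installed"]}]}],
        "RecordState": "ACTIVE",
        "Workflow": {"Status": "NEW"},
    }


def batches(findings, size=100):
    """BatchImportFindings takes at most 100 findings per request."""
    return [findings[i:i + size] for i in range(0, len(findings), size)]


if __name__ == "__main__":
    findings = [to_asff(v, IMAGE) for v in SCAN_RESULT]
    for chunk in batches(findings):
        # boto3.client("securityhub", region_name=REGION).batch_import_findings(Findings=chunk)
        print(json.dumps(chunk, indent=2))
```

The deterministic Id is the detail that keeps Security Hub usable: a pipeline that generates a fresh UUID per build floods the console with duplicates for the same unfixed package, while a stable Id makes each rebuild an update and lets the finding disappear (or be archived) once the fix lands.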
Build with services, not servers. Ahhhh, and we are hiring.
globaldatanet (globaldatanet.com)