security best practices for serverless applications - july 2017 aws online tech talks
Security Best Practices for Serverless Applications
Justin Pirtle, AWS Solutions Architect
07/25/17
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Agenda
• What is Serverless?
• Overview of AWS Lambda, API Gateway, and Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary
Serverless means…
• No servers to provision or manage
• Scales with usage
• Never pay for idle
• Availability and fault tolerance built in
Serverless is real
Microservices
AWS Lambda + Amazon API Gateway is the easiest way to create microservices
• Event handlers: one function per event type
• Serverless backends: one function per API / path
• Data processing: one function per data type
Serverless Microservice (diagram: Internet clients such as mobile apps, websites and partner services call AWS Lambda)
AWS Lambda Programming Model
Bring your own code
• Node.js, Java, Python, C#
• Bring your own libraries (even native ones)
Simple resource model
• Select power rating from 128 MB to 1.5 GB
• CPU and network allocated proportionately
• Pay only for what compute you consume
Programming model
• AWS SDK built in (Python and Node.js)
• Lambda is the “webserver”
• Use processes, threads, /tmp, sockets normally
Stateless
• Persist data using Amazon DynamoDB, S3, or ElastiCache
• No affinity to infrastructure (can’t “log in to the box”)
Serverless Microservice (diagram: Internet clients such as mobile apps, websites and partner services → Amazon API Gateway → AWS Lambda → Amazon DynamoDB)
Introduction to Amazon API Gateway
• Create a unified API frontend for multiple microservices
• Authenticate and authorize requests to a backend
• DDoS protection and throttling for your backend
• Throttle, meter, and monetize API usage by 3rd party developers
Amazon API Gateway: Serverless APIs (diagram: Internet clients such as mobile apps, websites and partner services → Amazon CloudFront → API Gateway with a response cache → AWS Lambda functions, endpoints on Amazon EC2, or any publicly accessible endpoint; metrics and logs go to Amazon CloudWatch)
Identity is mission critical for your applications
User identity underpins three things: the application backbone, revenue generation, and security:
• Know your users
• Monitor engagement with your application
• Store and manage user data
• Personalize your users’ experiences
• Protect sensitive data
• Secure business-critical processes
Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
Amazon Cognito Identity
Your User Pools: you can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully-managed service that scales to support 100s of millions of users.
Federated Identities: your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app.
(diagram: sign-in sources include corporate directories, OIDC and SAML providers, alongside a username/password sign-in form)
Comprehensive Support for Identity Use Cases
Serverless Microservice (diagram: Internet clients such as mobile apps, websites and partner services → Amazon API Gateway → AWS Lambda → Amazon DynamoDB, with Amazon Cognito providing user identity)
Securing Serverless microservices
Securing AWS Lambda
Lambda execution models
• Synchronous (push): a caller such as Amazon API Gateway (e.g. a request to /order) invokes the AWS Lambda function and waits for its response
• Asynchronous (event): an event source such as Amazon SNS or Amazon S3 invokes the function and does not wait for a response
• Stream-based: the AWS Lambda service polls Amazon DynamoDB (table changes) or Amazon Kinesis and invokes the function with the records it reads
The push model and resource policies
Function (resource) policy
• Permissions you grant to your Lambda function determine which service or event source can invoke your function
• Resource policies make it easy to grant cross-account permissions to invoke your Lambda function
The pull model and IAM roles
IAM execution role
• Permissions you grant to this role determine what your AWS Lambda function can do at run-time
• If the event source is Amazon DynamoDB or Amazon Kinesis, then add read permissions in the IAM role
Lambda function security – best practices
• Application security best practices still apply (mandatory code review, static analysis, etc.)
• Use an IAM role per function and don’t be too permissive – leverage the principle of least privilege
• Encrypt environment variables and sensitive data via KMS and Lambda’s encryption helpers
• Leverage EC2 SSM Parameter Store for secrets and configuration management at scale
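An added example (not code from the talk) of the encrypted-environment-variable practice above: the secret is decrypted through KMS once per container and cached in module scope, so it is never stored in plaintext and KMS is not called on every invocation. It assumes a variable named `DB_PASSWORD` holding base64 ciphertext as written by the Lambda console’s encryption helpers, and a `decryptFn` shaped like aws-sdk v2’s `kms.decrypt(params).promise()`; the fake KMS and the secret value are constructed so the example runs offline.

```javascript
"use strict";

// Plaintext cache in module scope: it survives warm invocations of the same
// container, so KMS is called once per container rather than per request, and
// the secret never goes to disk, to logs or into an unencrypted variable.
const secretCache = new Map();

// Read a KMS-encrypted environment variable and return its plaintext.
// decryptFn is assumed to behave like aws-sdk v2's
// kms.decrypt({ CiphertextBlob }).promise(), resolving to { Plaintext }.
async function getSecret(name, decryptFn, env = process.env) {
  if (secretCache.has(name)) {
    return secretCache.get(name);
  }
  const ciphertextB64 = env[name];
  if (!ciphertextB64) {
    throw new Error(`environment variable ${name} is not set`);
  }
  // The console's encryption helpers store the ciphertext base64-encoded.
  const result = await decryptFn({
    CiphertextBlob: Buffer.from(ciphertextB64, "base64"),
  });
  const plaintext = Buffer.from(result.Plaintext).toString("utf8");
  secretCache.set(name, plaintext);
  return plaintext;
}

// Constructed stand-in for KMS so the example runs offline: it "decrypts" by
// reversing the bytes and counts how often it is called, which is how the
// cache behaviour is checked. Real ciphertext only ever comes from KMS.
function makeFakeKms() {
  const calls = { count: 0 };
  const decrypt = async ({ CiphertextBlob }) => {
    calls.count += 1;
    return { Plaintext: Buffer.from(CiphertextBlob).reverse() };
  };
  return { decrypt, calls };
}

// Produce ciphertext the fake KMS understands (constructed, not real KMS output).
function fakeEncryptB64(plaintext) {
  return Buffer.from(plaintext, "utf8").reverse().toString("base64");
}

// Simulate two warm invocations of a handler that needs the database password.
// Resolves to { first: "s3cr3t-value", second: "s3cr3t-value", kmsCalls: 1 }.
async function demo() {
  const kms = makeFakeKms();
  const env = { DB_PASSWORD: fakeEncryptB64("s3cr3t-value") }; // constructed
  const first = await getSecret("DB_PASSWORD", kms.decrypt, env);
  const second = await getSecret("DB_PASSWORD", kms.decrypt, env);
  return { first, second, kmsCalls: kms.calls.count };
}
```

In a real function, `getSecret` is called from the handler with `new AWS.KMS().decrypt(params).promise()` bound as `decryptFn`, and the execution role needs `kms:Decrypt` on that one key only.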
Lambda vulnerabilities and security scan
• Automate security analysis as part of your CI/CD pipeline
• Input validation/sanitization, SQLi, etc. still apply in Serverless architectures
• Continuously scan for vulnerabilities in the dependencies you use; this can be a step in your CI/CD pipeline
Securing API Gateway
API Gateway: three types of authorization
• User Pools Authorizers, backed by Amazon Cognito User Pools
• AWS IAM authorization, backed by Amazon Cognito Federated Identities
• Custom Authorizers, backed by custom identity providers
User Pools Authorizers (diagram sequence: the mobile app signs in against Amazon Cognito User Pools and receives identity, access and refresh tokens; it then calls Amazon API Gateway, which provides throttling, caching, logging, monitoring and auth; 4. API Gateway validates the identity token with the User Pools authorizer; 5. it invokes the API call, i.e. the Lambda function; 6. the Lambda function accesses AWS resources such as Amazon DynamoDB)
IAM-based authorization (diagram sequence: the mobile app signs in against Amazon Cognito User Pools; 3. the app requests AWS credentials from Amazon Cognito Federated Identities; 4. Federated Identities validates the Id token; 5. the app receives temporary AWS credentials issued through AWS Identity & Access Management; the app calls Amazon API Gateway with those credentials and API Gateway authorizes the request with IAM; 8. API Gateway invokes the Lambda function, which accesses Amazon DynamoDB)
IAM Policy Detail
The first statement allows invoking every stage, method and path of API ff5h9tpwfh; the second explicitly denies POST on /locations/*, and in IAM an explicit Deny always overrides an Allow.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "execute-api:Invoke",
      "Effect": "Allow",
      "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*"
    },
    {
      "Action": "execute-api:Invoke",
      "Effect": "Deny",
      "Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*"
    }
  ]
}
```
Custom Authorizers (diagram sequence: the mobile app authenticates with its own identity provider and calls Amazon API Gateway with a token; 4. API Gateway checks its policy cache for that token; 5. on a miss it invokes the custom authorizer Lambda function, which validates the token; 6. the authorizer generates and returns a user IAM policy, which API Gateway caches and evaluates; 8. API Gateway invokes the backend Lambda function, which accesses Amazon DynamoDB)
Custom Authorizer Lambda: sample code

```javascript
// Build the IAM policy this authorizer returns to API Gateway; "XXXXXXXXXXXX" is
// the account id placeholder from the slide, apiOptions holds region/API id/stage.
var testPolicy = new AuthPolicy("userIdentifier", "XXXXXXXXXXXX", apiOptions);
// Allow the caller to invoke POST and DELETE on any /locations/* path.
testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*");
testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*");
callback(null, testPolicy.getPolicy()); // hand the policy document back to API Gateway
```
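An added example (not the AWS blueprint or code from the talk) serving both the IAM Policy Detail slide and the custom authorizer sample: a hypothetical re-implementation of the `AuthPolicy` builder that produces the response API Gateway expects, plus an evaluator that applies IAM’s deny-overrides rule to execute-api ARNs, so you can check what a returned policy actually permits before deploying it. It assumes `apiOptions` carries `region`, `restApiId` and `stage` (constructed values below) and that resource ARNs follow the `arn:aws:execute-api:{region}:{account}:{api}/{stage}/{verb}/{path}` format.

```javascript
"use strict";

const HttpVerb = { GET: "GET", POST: "POST", PUT: "PUT", DELETE: "DELETE", ALL: "*" };

// Minimal policy builder with the shape of the sample above (hypothetical
// re-implementation, not the AWS blueprint). apiOptions: { region, restApiId, stage }.
class AuthPolicy {
  constructor(principalId, awsAccountId, apiOptions) {
    this.principalId = principalId;
    this.awsAccountId = awsAccountId;
    this.region = apiOptions.region || "*";
    this.restApiId = apiOptions.restApiId || "*";
    this.stage = apiOptions.stage || "*";
    this.allow = [];
    this.deny = [];
  }

  // execute-api ARN: arn:aws:execute-api:{region}:{account}:{api}/{stage}/{verb}/{path}
  arnFor(verb, resource) {
    const path = resource.startsWith("/") ? resource.slice(1) : resource;
    return `arn:aws:execute-api:${this.region}:${this.awsAccountId}:` +
      `${this.restApiId}/${this.stage}/${verb}/${path}`;
  }

  allowMethod(verb, resource) { this.allow.push(this.arnFor(verb, resource)); }
  denyMethod(verb, resource) { this.deny.push(this.arnFor(verb, resource)); }

  // The response API Gateway expects from a custom authorizer.
  getPolicy() {
    const Statement = [];
    if (this.allow.length) {
      Statement.push({ Action: "execute-api:Invoke", Effect: "Allow", Resource: this.allow });
    }
    if (this.deny.length) {
      Statement.push({ Action: "execute-api:Invoke", Effect: "Deny", Resource: this.deny });
    }
    return { principalId: this.principalId, policyDocument: { Version: "2012-10-17", Statement } };
  }
}
AuthPolicy.HttpVerb = HttpVerb;

// '*' in a policy resource matches any run of characters, '/' included.
function resourceMatches(pattern, arn) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp(`^${escaped}$`).test(arn);
}

// IAM evaluation for execute-api:Invoke: default deny, any matching Allow
// grants, but a matching explicit Deny overrides every Allow.
function isAllowed(policyDocument, requestArn) {
  let allowed = false;
  for (const stmt of policyDocument.Statement) {
    if (stmt.Action !== "execute-api:Invoke" && stmt.Action !== "*") continue;
    const resources = Array.isArray(stmt.Resource) ? stmt.Resource : [stmt.Resource];
    if (!resources.some((r) => resourceMatches(r, requestArn))) continue;
    if (stmt.Effect === "Deny") return false;
    if (stmt.Effect === "Allow") allowed = true;
  }
  return allowed;
}

// Constructed apiOptions; "XXXXXXXXXXXX" stands in for the account id as on the slide.
const apiOptions = { region: "us-east-1", restApiId: "ff5h9tpwfh", stage: "prod" };

// The policy the sample authorizer above returns.
function buildSamplePolicy() {
  const testPolicy = new AuthPolicy("userIdentifier", "XXXXXXXXXXXX", apiOptions);
  testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*");
  testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*");
  return testPolicy.getPolicy();
}

// The "IAM Policy Detail" document from the slide: allow the whole API, then
// explicitly deny POST /locations/*.
const SLIDE_POLICY = {
  Version: "2012-10-17",
  Statement: [
    { Action: "execute-api:Invoke", Effect: "Allow", Resource: "arn:aws:execute-api:*:*:ff5h9tpwfh/*" },
    { Action: "execute-api:Invoke", Effect: "Deny", Resource: "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*" },
  ],
};

// ARN of an incoming request to this API, for evaluation.
function requestArn(verb, path) {
  return new AuthPolicy("request", "XXXXXXXXXXXX", apiOptions).arnFor(verb, path);
}
```

Note that API Gateway caches the returned policy per token (step 4 above), so a policy that is too broad stays in effect for the cache TTL even after the authorizer is fixed.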
Throttle
Usage Plans: Throttle specific consumers (diagram: the same API Gateway architecture, with throttling applied per consumer at API Gateway in front of the backends)
Usage Plans: Quotas and Throttling
• Prevents one customer from consuming all your backend system’s capacity
• Lets you decide how to allocate capacity among your API consumers. Sample plan:
  • Professional plan users: 10 TPS, up to 100 calls / day
  • Premium plan users: 100 TPS, up to 1000 calls / day
  • Enterprise plan users: 500 TPS, no limit on calls / day
Usage Plans: Enforce per-consumer quotas (diagram: the same API Gateway architecture, with a daily quota set per consumer at API Gateway)
Example Serverless Architecture
Serverless app security (diagram: browser → Amazon CloudFront → Amazon S3 for static content; browser → Amazon API Gateway → AWS Lambda → Amazon DynamoDB), with the controls at each layer:
• Amazon S3: bucket policies, ACLs
• Amazon CloudFront: geo-restriction, private content, DDoS protection
• Amazon API Gateway: AuthZ, throttling, caching, usage plans
• AWS Lambda: invocation policies, execution roles, secure parameters
• Amazon DynamoDB: IAM fine-grained access control
Audit and log your Serverless application
CloudWatch – log streaming and metrics
• Leverage built-in metrics and alarm on aggregates (e.g. throttling)
• Create custom metrics via metric filters over your logs
• Captures Lambda invocation details and all logging statement output
• Stream and centralize logs from multiple accounts to Amazon Elasticsearch Service for near real-time analysis
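An added example (not code from the talk) of what a metric filter over Lambda logs extracts: it parses the REPORT line every invocation writes into a custom memory-utilization metric and collects timeouts, the two values worth alarming on next to the built-in throttle metric. The log lines, request ids and values are constructed; the line layout is the Lambda log format of the time.

```javascript
"use strict";

// Constructed Lambda log lines in the CloudWatch Logs layout: START/END, a
// console.log line, a timeout message, and the REPORT line per invocation.
// Request ids, timestamps and values are made up for the example.
const SAMPLE_LOG = [
  "START RequestId: 0a1b2c3d-0001-4e5f-8a9b-c0d1e2f3a4b5 Version: $LATEST",
  "2017-07-25T18:00:00.120Z\t0a1b2c3d-0001-4e5f-8a9b-c0d1e2f3a4b5\torder received",
  "END RequestId: 0a1b2c3d-0001-4e5f-8a9b-c0d1e2f3a4b5",
  "REPORT RequestId: 0a1b2c3d-0001-4e5f-8a9b-c0d1e2f3a4b5\tDuration: 12.34 ms\t" +
    "Billed Duration: 100 ms\tMemory Size: 128 MB\tMax Memory Used: 18 MB",
  "START RequestId: 0a1b2c3d-0002-4e5f-8a9b-c0d1e2f3a4b5 Version: $LATEST",
  "2017-07-25T18:00:03.500Z 0a1b2c3d-0002-4e5f-8a9b-c0d1e2f3a4b5 Task timed out after 3.00 seconds",
  "END RequestId: 0a1b2c3d-0002-4e5f-8a9b-c0d1e2f3a4b5",
  "REPORT RequestId: 0a1b2c3d-0002-4e5f-8a9b-c0d1e2f3a4b5\tDuration: 3003.10 ms\t" +
    "Billed Duration: 3000 ms\tMemory Size: 128 MB\tMax Memory Used: 121 MB",
];

const REPORT_RE = /^REPORT RequestId: (\S+)\tDuration: ([\d.]+) ms\tBilled Duration: (\d+) ms\tMemory Size: (\d+) MB\tMax Memory Used: (\d+) MB/;
const TIMEOUT_RE = /^\S+\s+(\S+)\s+Task timed out after ([\d.]+) seconds/;

// Parse one REPORT line into the invocation details it carries.
function parseReport(line) {
  const m = REPORT_RE.exec(line);
  if (!m) return null;
  return {
    requestId: m[1],
    durationMs: parseFloat(m[2]),
    billedMs: parseInt(m[3], 10),
    memorySizeMb: parseInt(m[4], 10),
    maxMemoryMb: parseInt(m[5], 10),
  };
}

// Aggregate a log stream into the values a metric filter would emit:
// invocation count, timed-out request ids, and memory headroom per invocation.
function computeMetrics(lines, memoryAlarmRatio = 0.9) {
  const metrics = { invocations: 0, timeouts: [], memoryAlarms: [], maxUtilization: 0 };
  for (const line of lines) {
    const t = TIMEOUT_RE.exec(line);
    if (t) metrics.timeouts.push(t[1]);
    const report = parseReport(line);
    if (!report) continue;
    metrics.invocations += 1;
    const ratio = report.maxMemoryMb / report.memorySizeMb;
    metrics.maxUtilization = Math.max(metrics.maxUtilization, ratio);
    if (ratio >= memoryAlarmRatio) metrics.memoryAlarms.push(report.requestId);
  }
  return metrics;
}
```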
Different log categories
AWS infrastructure logs
• AWS CloudTrail
• Amazon VPC Flow Logs
AWS service logs
• AWS Lambda
• Amazon API Gateway
• Amazon S3
• Amazon CloudFront
• Amazon Kinesis
• …
Security-related events
AWS CloudTrail: records AWS API calls for your account
What can you answer using a CloudTrail event?
• Who made the API call?
• What was the API call?
• When was the API call made?
• Where was the API call made from and made to?
• Which resources were acted upon in the API call?
Supported services: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html
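An added example (not code from the talk) that answers the five questions above from a CloudTrail record and flags the Lambda API calls an auditor of a serverless stack most wants to see: changes to a function’s code, configuration or resource policy, with AddPermission grants classified by who gains invoke rights (a service, another account, or everyone). The record, account ids, key id, IP address and request ids are constructed; the field names follow the CloudTrail record format, and the `operationName` helper strips the API-version suffix Lambda event names carry.

```javascript
"use strict";

// Constructed CloudTrail record (field names follow the CloudTrail record
// format; account id, key id, IP and request ids are placeholders).
const SAMPLE_EVENT = {
  eventVersion: "1.05",
  userIdentity: {
    type: "IAMUser",
    principalId: "AIDAEXAMPLEPRINCIPAL",
    arn: "arn:aws:iam::123456789012:user/deploy-bot",
    accountId: "123456789012",
    accessKeyId: "AKIAEXAMPLEKEY",
    userName: "deploy-bot",
  },
  eventTime: "2017-07-25T17:58:41Z",
  eventSource: "lambda.amazonaws.com",
  eventName: "AddPermission20150331",
  awsRegion: "us-east-1",
  sourceIPAddress: "203.0.113.10",
  userAgent: "aws-cli/1.11.0",
  requestParameters: {
    functionName: "orders-api",
    statementId: "apigw-invoke",
    action: "lambda:InvokeFunction",
    principal: "apigateway.amazonaws.com",
  },
  responseElements: null,
  requestID: "c1d2e3f4-0000-4000-8000-000000000001",
  eventID: "a1b2c3d4-0000-4000-8000-000000000001",
  eventType: "AwsApiCall",
};

// Lambda event names carry an API-version suffix (e.g. "...20150331");
// strip it so rules can match on the operation itself.
function operationName(event) {
  return event.eventName.replace(/\d{8}(v\d+)?$/, "");
}

// The five questions from the slide, answered from one record.
function summarize(event) {
  const params = event.requestParameters || {};
  return {
    who: event.userIdentity.arn,
    what: `${event.eventSource} ${operationName(event)}`,
    when: event.eventTime,
    whereFrom: event.sourceIPAddress,
    whereTo: event.awsRegion,
    resources: Object.entries(params)
      .filter(([k]) => /name$/i.test(k))
      .map(([, v]) => v),
  };
}

// Operations that change who can invoke a function or what it runs / can do.
const SENSITIVE_LAMBDA_OPS = new Set([
  "AddPermission", "RemovePermission", "CreateFunction", "DeleteFunction",
  "UpdateFunctionCode", "UpdateFunctionConfiguration",
]);

function isSensitiveLambdaChange(event) {
  return event.eventSource === "lambda.amazonaws.com" &&
    SENSITIVE_LAMBDA_OPS.has(operationName(event));
}

// For AddPermission, classify the principal being granted invoke rights:
// a service, the same account, another account, or everyone ("*").
function grantScope(event) {
  if (operationName(event) !== "AddPermission") return null;
  const principal = (event.requestParameters || {}).principal || "";
  if (principal === "*") return "public";
  if (principal.endsWith(".amazonaws.com")) return "service";
  if (/^\d{12}$/.test(principal)) {
    return principal === event.userIdentity.accountId ? "same-account" : "cross-account";
  }
  return "other";
}

// Apply the rules to a batch of records and return the ones worth reviewing.
function findAlerts(events) {
  return events
    .filter(isSensitiveLambdaChange)
    .map((e) => ({ ...summarize(e), scope: grantScope(e) }));
}
```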
AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
Summary
• What is Serverless?
• Overview of AWS Lambda, API Gateway, and Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary
Additional Resources
- Serverless on AWS
- Serverless Computing on AWS
- re:Invent Talks and Webinars
- Serverless Auth: Identity Management
- Add User Sign-in, Management, and Security with Cognito
- Deep Dive on AWS Lambda
- Reference Projects
- Serverless Auth Reference App
- Cognito Angular 2 Quickstart
- Cognito API Gateway Auth Reference
Thank you!