The document discusses securing serverless applications. It provides an overview of AWS Identity and Access Management (IAM), AWS Lambda, Amazon API Gateway, and Amazon Cognito. It then covers securing serverless microservices by discussing securing AWS Lambda functions using IAM roles and resource policies. It also covers securing Amazon API Gateway by discussing authorization types including Cognito, IAM, and custom authorizers. The document concludes by discussing auditing serverless applications using CloudWatch logs, CloudTrail, and AWS Config.
2. Agenda
• What is Serverless?
• Overview of AWS IAM, AWS Lambda, Amazon API Gateway and Amazon Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary
3. Serverless means…
• No servers to provision or manage
• Scales with usage
• Never pay for idle
• Availability and fault tolerance built in
5. Microservices
AWS Lambda + Amazon API Gateway is the easiest way to create microservices
• Event handlers: one function per event type
• Serverless backends: one function per API / path
• Data processing: one function per data type
6. Let’s Start With AWS IAM
Fundamental security service within AWS
Securely control individual, group, and machine access to your AWS resources
Principles of least privilege, separation of duties
Grant permissions for users outside of AWS (federated users).
Grant cross-account permissions
AWS IAM
7. AWS IAM Example Policy
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
8. AWS IAM Principals
A principal is the entity that is allowed or denied access to a resource.
• Users
• Services
• Roles
Indicated by an Amazon Resource Name (ARN)
• arn:aws:iam::account-id:role/role-name
9. AWS IAM Policies
IAM policies are attached directly to the Principal (either Inline Policies or Managed Policies)
[Diagram: role → permissions → bucket with objects]
10. AWS Resource-based Policies
You can attach a set of permissions (inline policy) to a resource, such as an Amazon S3 bucket or Amazon SNS topic.
Resource-based policies have to include information about who is allowed to access the resource, known as the Principal.
[Diagram: bucket with objects → permissions → role]
12. AWS Lambda Programming Model
Bring your own code
• Node.js, Java, Python, C#, Go
• Bring your own libraries (even native ones)
Simple resource model
• Select power rating from 128 MB to 1.5 GB
• CPU and network allocated proportionately
• Pay only for the compute you consume
Programming model
• AWS SDK built in (Python and Node.js)
• Lambda is the “webserver”
• Use processes, threads, /tmp, sockets normally
Stateless
• Persist data using Amazon DynamoDB, S3, or ElastiCache
• No affinity to infrastructure (can’t “log in to the box”)
14. Introduction to Amazon API Gateway
• Create a unified API frontend for multiple microservices
• Authenticate and authorize requests to a backend
• DDoS protection and throttling for your backend
• Throttle, meter, and monetize API usage by 3rd party developers
15. Amazon API Gateway: Serverless APIs
[Architecture diagram: clients on the Internet (mobile apps, websites, partner services) → Amazon CloudFront → API Gateway with response cache → AWS Lambda functions, endpoints on Amazon EC2 in your VPC, or any publicly accessible endpoint; monitored by Amazon CloudWatch and Amazon CloudTrail]
17. Identity is mission critical for your applications
User identity underpins security, revenue generation and the application backbone:
• Know your users
• Monitor engagement with your application
• Store and manage user data
• Personalize your users’ experiences
• Protect sensitive data
• Secure business-critical processes
18. Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
19. Amazon Cognito Identity
Your User Pools
You can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully-managed service that scales to support 100s of millions of users.
Federated Identities
Your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app.
[Diagram: sign in with Facebook, corporate, OIDC or SAML identity providers, or with a username/password form]
24. Lambda execution models
[Diagram of the three execution models]
• Synchronous (push): Amazon API Gateway (e.g. /order) → AWS Lambda function
• Asynchronous (event): Amazon SNS / Amazon S3 → AWS Lambda function
• Stream-based: Amazon DynamoDB / Amazon Kinesis (changes) → AWS Lambda service polls → function
25. The push model and resource policies
Function (resource) policy
• Permissions you grant to your Lambda function determine which service or event source can invoke your function
• Resource policies make it easy to grant cross-account permissions to invoke your Lambda function
28. The pull model and IAM roles
IAM execution role
• Permissions you grant to this role determine what your AWS Lambda function can do at run-time
• If the event source is Amazon DynamoDB or Amazon Kinesis, then add read permissions in the IAM role
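Putting slides 10, 25 and 28 together, as an added example that is not the deck's own code: a function (resource) policy that lets one API Gateway stage invoke the function (push model), an execution role policy for a Kinesis-triggered function (pull model), and a small checker that flags Allow statements broader than least privilege. The account id, region, ARNs and function/stream names are constructed placeholders.

```javascript
// Function (resource) policy: WHO may invoke the function (push model, here API Gateway).
// Account id, region and names are placeholders constructed for this example.
const functionPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Sid: "AllowOneApiStageToInvoke",
    Effect: "Allow",
    Principal: { Service: "apigateway.amazonaws.com" },
    Action: "lambda:InvokeFunction",
    Resource: "arn:aws:lambda:us-east-1:123456789012:function:order-handler",
    // Without this condition any API Gateway API in any account could invoke the function.
    Condition: { ArnLike: { "AWS:SourceArn":
      "arn:aws:execute-api:us-east-1:123456789012:abc123/prod/POST/order" } }
  }]
};

// Execution role policy: WHAT the function may do at run time (pull model, Kinesis source).
const executionRolePolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow",
      Action: ["kinesis:GetRecords", "kinesis:GetShardIterator", "kinesis:DescribeStream"],
      Resource: "arn:aws:kinesis:us-east-1:123456789012:stream/orders" },
    { Effect: "Allow",
      Action: ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
      Resource: "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/order-handler:*" }
  ]
};

// Returns a list of findings for Allow statements that are broader than least privilege;
// an empty list means nothing obviously over-broad was found.
function auditPolicy(doc, { isResourcePolicy = false } = {}) {
  const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
  const findings = [];
  asList(doc.Statement).forEach((s, i) => {
    if (s.Effect !== "Allow") return;
    if (asList(s.Action).some((a) => a === "*" || a.endsWith(":*")))
      findings.push(`statement ${i}: wildcard action`);
    if (asList(s.Resource).some((r) => r === "*"))
      findings.push(`statement ${i}: wildcard resource`);
    if (!isResourcePolicy) return;
    const p = s.Principal;
    if (p === "*" || (p && p.AWS === "*"))
      findings.push(`statement ${i}: anonymous principal`);
    if (p && p.Service && !s.Condition)
      findings.push(`statement ${i}: service principal without a SourceArn/SourceAccount condition`);
  });
  return findings;
}
```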
30. Lambda function security – best practices
Use an IAM role per function and don’t be too permissive – leverage the principle of least privilege
Application security best practices still apply (mandatory code review, static analysis, etc.)
Encrypt environment variables and sensitive data via KMS and Lambda’s encryption helpers
Leverage AWS Secrets Manager for secrets management
34. AWS Secrets Manager
Lifecycle management for secrets such as database credentials and API keys.
• Rotate secrets safely
• Manage access with fine-grained policies
• Secure and audit secrets centrally
• Pay as you go
38. Lambda vulnerabilities and security scan
Automate security analysis as part of your CI/CD pipeline
Input validation/sanitization, SQLi, etc. still apply in Serverless architectures
Continuously scan for vulnerabilities in the dependencies you use; this can be a step in your CI/CD pipeline
40. API Gateway: three types of authorization
• Amazon Cognito User Pools → User Pools Authorizers
• Amazon Cognito Federated Identities → AWS IAM authorization
• Custom Identity Providers → Lambda Authorizers
67. Custom Authorizer
[Diagram: Mobile app → Amazon API Gateway → Lambda Authorizer (a Lambda function that checks the caller, using AWS Identity & Access Management and Amazon DynamoDB) → backend Lambda function. Step 6: Generate and return user IAM policy]
70. Lambda Authorizer
Sample Code
// AuthPolicy is the helper from the API Gateway Lambda authorizer blueprint:
// principal id, AWS account id ("XXXXXXXXXXXX" here), then API options (region, REST API id, stage).
var testPolicy = new AuthPolicy("userIdentifier", "XXXXXXXXXXXX", apiOptions);
// Allow only the POST and DELETE methods under /locations; everything else stays denied.
testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*");
testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*");
// Return the generated IAM policy document to API Gateway.
callback(null, testPolicy.getPolicy());
72. Throttle
Usage Plans: Throttle specific consumers
[Architecture diagram as on slide 15: clients on the Internet (mobile apps, websites, partner services) → Amazon CloudFront → API Gateway with response cache → AWS Lambda functions, endpoints on Amazon EC2, or any publicly accessible endpoint; monitored by Amazon CloudWatch]
73. Usage Plans: Quotas and Throttling
• Prevents one customer from consuming all your backend system’s capacity
• Lets you decide how to allocate capacity among your API consumers. Sample plan:
  • Professional plan users: 10 TPS, up to 100 calls / day
  • Premium plan users: 100 TPS, up to 1000 calls / day
  • Enterprise plan users: 500 TPS, no limit on calls / day
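To make the two limits concrete, an added example (not the deck's code, and a model rather than API Gateway's implementation) of how a usage plan constrains one API key: a token bucket for the TPS rate limit and a per-UTC-day counter for the quota, using the three sample plans above. Burst is assumed equal to the rate here, and the clock is injected so the behaviour can be checked offline.

```javascript
// Sample plans from the slide; Infinity models "no limit on calls / day".
const PLANS = {
  professional: { tps: 10, dailyQuota: 100 },
  premium: { tps: 100, dailyQuota: 1000 },
  enterprise: { tps: 500, dailyQuota: Infinity }
};

class UsagePlanLimiter {
  constructor(plan) {
    this.plan = PLANS[plan];
    if (!this.plan) throw new Error(`unknown plan: ${plan}`);
    this.buckets = new Map(); // apiKey -> { tokens, last }  (rate limit state)
    this.quota = new Map();   // apiKey -> { day, used }     (daily quota state)
  }

  // Decide one request for one API key at time nowMs (epoch milliseconds).
  // Returns "ok", "throttled" (rate limit hit) or "quota_exceeded"; API Gateway answers
  // both rejections with HTTP 429, so the caller can distinguish them only via this reason.
  check(apiKey, nowMs) {
    const day = Math.floor(nowMs / 86400000);
    const q = this.quota.get(apiKey) || { day, used: 0 };
    if (q.day !== day) { q.day = day; q.used = 0; } // quota resets at the start of each UTC day
    if (q.used >= this.plan.dailyQuota) { this.quota.set(apiKey, q); return "quota_exceeded"; }

    // Token bucket: capacity == refill rate == plan TPS (burst assumed equal to rate).
    const b = this.buckets.get(apiKey) || { tokens: this.plan.tps, last: nowMs };
    const elapsedSec = Math.max(0, nowMs - b.last) / 1000;
    b.tokens = Math.min(this.plan.tps, b.tokens + elapsedSec * this.plan.tps);
    b.last = nowMs;
    if (b.tokens < 1) { this.buckets.set(apiKey, b); return "throttled"; }
    b.tokens -= 1;
    q.used += 1; // only requests that get through count against the quota
    this.buckets.set(apiKey, b);
    this.quota.set(apiKey, q);
    return "ok";
  }
}
```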
74. Usage Plans: Enforce per-consumer quotas
[Architecture diagram as on slide 15, with a “Set daily quota” callout on API Gateway]
78. CloudWatch – Log streaming and metrics
Leverage built-in metrics and alarm on aggregates (throttling)
Create custom metrics via metric filters over your logs
Captures Lambda invocation details, and all logging statement output
Stream and centralize logs from multiple accounts to Amazon Elasticsearch Service for near real-time analysis
Amazon CloudWatch
80. What can you answer using a CloudTrail event?
Who made the API call?
What was the API call?
When was the API call made?
Where was the API call made from and made to?
Which resources were acted upon in the API call?
Supported services:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html
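The five questions above, answered from CloudTrail records by a small detection, as an added example that is not from the deck: it reports every permission- or code-changing Lambda API call made by an identity other than the expected deployment role. The records, account id, ARNs and IP addresses are constructed placeholders; the field names are CloudTrail's own.

```javascript
// Lambda API calls that change who can invoke a function or what it runs (matched by prefix,
// since CloudTrail event names carry an API version suffix such as "20150331v2").
const SENSITIVE_PREFIXES = ["AddPermission", "RemovePermission", "UpdateFunctionConfiguration",
  "UpdateFunctionCode", "CreateFunction", "DeleteFunction"];

// Who / what / when / where / which, read from one CloudTrail record.
function describe(ev) {
  const id = ev.userIdentity || {};
  const issuer = id.sessionContext && id.sessionContext.sessionIssuer;
  return {
    who: issuer ? issuer.arn : id.arn,            // the role a session was issued from, or the user
    what: `${ev.eventSource}:${ev.eventName}`,
    when: ev.eventTime,
    whereFrom: ev.sourceIPAddress,
    whereTo: ev.awsRegion,
    which: (ev.resources || []).map((r) => r.ARN),
    succeeded: !ev.errorCode                        // failed calls are recorded with errorCode set
  };
}

// One finding per sensitive Lambda change whose caller is not on the allow-list.
function findUnexpectedLambdaChanges(events, allowedPrincipalArns) {
  const allowed = new Set(allowedPrincipalArns);
  return events
    .filter((ev) => ev.eventSource === "lambda.amazonaws.com")
    .filter((ev) => SENSITIVE_PREFIXES.some((p) => ev.eventName.startsWith(p)))
    .map(describe)
    .filter((d) => !allowed.has(d.who));
}

// Constructed sample records: a CI deployment, then a permission change by an IAM user.
const fn = "arn:aws:lambda:us-east-1:123456789012:function:order-handler";
const sampleEvents = [
  { eventTime: "2024-01-15T10:23:45Z", eventSource: "lambda.amazonaws.com", awsRegion: "us-east-1",
    eventName: "UpdateFunctionCode20150331v2", sourceIPAddress: "203.0.113.7",
    userIdentity: { type: "AssumedRole", arn: "arn:aws:sts::123456789012:assumed-role/DeployRole/ci",
      sessionContext: { sessionIssuer: { arn: "arn:aws:iam::123456789012:role/DeployRole" } } },
    resources: [{ ARN: fn }] },
  { eventTime: "2024-01-15T22:05:01Z", eventSource: "lambda.amazonaws.com", awsRegion: "us-east-1",
    eventName: "AddPermission20150331v2", sourceIPAddress: "198.51.100.23",
    userIdentity: { type: "IAMUser", arn: "arn:aws:iam::123456789012:user/alice" },
    resources: [{ ARN: fn }] },
  { eventTime: "2024-01-15T22:06:10Z", eventSource: "lambda.amazonaws.com", awsRegion: "us-east-1",
    eventName: "GetFunction20150331v2", sourceIPAddress: "198.51.100.23",
    userIdentity: { type: "IAMUser", arn: "arn:aws:iam::123456789012:user/alice" }, resources: [] }
];
```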
81. AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
82. Summary
• What is Serverless?
• Overview of AWS IAM, AWS Lambda, Amazon API Gateway and Amazon Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary
83. Additional Resources
- Serverless on AWS
- Serverless Computing on AWS
- re:Invent Talks and Webinars
- Serverless Auth: Identity Management
- Add User Sign-in, Management, and Security with Cognito
- Deep Dive on AWS Lambda
- Reference Projects
- Serverless Auth Reference App
- Cognito Angular 2 Quickstart
- Cognito API Gateway Auth Reference