Securing Serverless Microservices

© 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Antonio Duma, AWS Solutions Architect
23/10/2018
Sicurezza nelle Applicazioni
Serverless

Agenda
• What is Serverless?
• Overview of AWS IAM, AWS Lambda, Amazon API
Gateway and Amazon Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary

No servers to provision
or manage
Scales with usage
Never pay for idle Availability and fault
tolerance built in
Serverless means…

Microservices
AWS Lambda + Amazon API Gateway is the
easiest way to create microservices
• Event handlers one function per event type
• Serverless backends one function per API / path
• Data processing one function per data type

Let’s Start With AWS IAM
Fundamental security service within AWS
Securely control individual, group, and machine access to
your AWS resources
Principles of least privilege, separation of duties
Grant permissions for users outside of AWS (federated
users).
Grant cross-account permissions
AWS IAM

AWS IAM Example Policy
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::example_bucket”
}
}AWS IAM

AWS IAM Principals
A principal is the entity that is allowed or
denied access to a resource.
• Users
• Services
• Roles
Indicated by an Amazon Resource Name
(ARN)
• arn:aws:iam::account-id:role/role-name
AWS IAM

AWS IAM Policies
IAM policies are attached directly to the
Principal (either Inline Policies or Managed
Policies)
permissions
bucket with
objects
role

AWS Resource-based Policies
You can attach a set of permissions (inline policy) to a
resource, such as an Amazon S3 bucket or Amazon
SNS topic.
Resource-based policies have to include information
about who is allowed to access the resource, known
as the Principal.
permissions
bucket with
objects
role

Serverless Microservice
Internet
Mobile
apps
Websites
Partner
Services
AWS
Lambda

AWS Lambda Programming Model
Bring your own code
• Node.js, Java, Python, C#,
Go
• Bring your own libraries
(even native ones)
Simple resource model
• Select power rating from
128 MB to 1.5 GB
• CPU and network allocated
proportionately
• Pay only for what compute
you consume
Programming model
• AWS SDK built in (Python
and Node.js)
• Lambda is the “webserver”
• Use processes, threads,
/tmp, sockets normally
Stateless
• Persist data using Amazon
DynamoDB, S3, or
ElastiCache
• No affinity to infrastructure
(can’t “log in to the box”)

Internet
Mobile
apps
Websites
Partner
Services
AWS
Lambda
API
Gateway
Amazon
DynamoDB
Amazon
S3

Introduction to Amazon API Gateway
Create a unified
API frontend for
multiple micro-
services
Authenticate and
authorize
requests to a
backend
DDoS protection
and throttling for
your backend
Throttle, meter,
and monetize API
usage by 3rd
party developers

Amazon API Gateway: Serverless APIs
Internet
Mobile
apps
Websites
Partner
Services
AWS Lambda
functionsAPI
Gateway
response
cache Endpoints on
Amazon EC2
Any publicly
accessible
endpoint
Amazon
CloudWatch
Amazon
CloudFront
API
Gateway
YOUR VPC
AWS
Lambda
functions
Amazon
EC2
endpoints
Amazon
CloudTrail

Internet
Mobile
apps
Websites
Partner
Services
AWS
Lambda
API
Gateway
Amazon
DynamoDB

Identity is mission critical for your applications
Security
Revenue
Generation
Application
Backbone
 Know your users
 Monitor engagement
with your application
 Store and manage
user data
 Personalize your
users’ experiences
 Protect sensitive data
 Secure business-
critical processes
User Identity

Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
1
2
3
5
6
4

Amazon Cognito Identity
Facebook
Corporate
OIDC
Sign in with
Your User Pools
You can easily and securely add sign-up
and sign-in functionality to your mobile and
web apps with a fully-managed service that
scales to support 100s of millions of users.
Federated Identities
Your users can sign in with third-party
identity providers, such as Facebook and
SAML providers, and you can control
access to AWS resources from your app.
SAML
Sign in
Username
Password
Submit

Comprehensive Support for Identity Use Cases

Internet
Mobile
apps
Websites
Partner
Services
AWS
Lambda
API
Gateway
Amazon
DynamoDB
Amazon
Cognito

Securing Serverless
microservices

Lambda execution models
Synchronous (push) Asynchronous (event) Stream-based
Amazon
API Gateway
AWS Lambda
function
Amazon
DynamoDBAmazon
SNS
/order
AWS Lambda
function
Amazon
S3
reqs
Amazon
Kinesis
changes
AWS Lambda
service
function

The push model and resource policies
Function (resource) policy
• Permissions you grant to your Lambda
function determine which service or
event source can invoke your function
• Resource policies make it easy to
grant cross-account permissions to
invoke your Lambda function

The pull model and IAM roles
IAM execution role
• Permissions you grant to this role
determine what your AWS Lambda
function can do at run-time
• If event source is Amazon DynamoDB
or Amazon Kinesis, then add read
permissions in IAM role

Lambda function security – best practices
Use IAM Role per function and don’t be too
permissive – leverage principle of least privilege
Application Security Best practices still apply
(mandatory code review, static analysis, etc.)
Encrypt environment variables and sensitive data
via KMS and Lambda’s encryption helpers
Leverage AWS Secrets Manager for secrets
management

AWS Secrets Manager
Lifecycle management for secrets such as database
credentials and API keys.
Rotate Secrets
Safely
Pay as you goManage access
with fine-grained
policies
Secure and
audit secrets
centrally

Lambda vulnerabilities and security scan
Automate security analysis as part of your CI/CD
pipeline
Input validation/sanitization, SQLi, etc. still apply in
Serverless architectures
Continuously scan for vulnerabilities in
dependencies used; can be a step in your CI/CD
pipeline

API Gateway: three types of authorization
Amazon Cognito
User Pools
Amazon Cognito
Custom Identity Providers
AWS IAM authorization
Lambda Authorizers
User Pools Authorizers

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
AmazonAPI
Gateway
Amazon Cognito
User Pools
Amazon
DynamoDB
Lambda
function

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
AmazonAPI
Gateway
Amazon Cognito
User Pools
Amazon
DynamoDB
Lambda
function
• Identity
• Access
• Refresh

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
4. Validate
Identity token
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
5. Invoke API Call
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
6. Access
AWS Resources
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools

IAM-based authorization
Trottling
Cache
Logging
Monitoring
Auth
Mobile app
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
Amazon Cognito
User Pools
AWS Identity &
Access Management

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
Amazon Cognito
User Pools
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
AWS Identity &
Access Management

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools
Amazon Cognito
AWS Identity &
Access Management

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
3. Request AWS credentials
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools
Amazon Cognito
AWS Identity &
Access Management

Trottling
Cache
Monitoring
Auth
Mobile app
4. Validate Id token
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools
Amazon Cognito
AWS Identity &
Access Management

Trottling
Cache
Logging
Monitoring
Auth
Mobile app
5. Temp AWS credentials
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools
Amazon Cognito
AWS Identity &
Access Management

Trottling
Cache
Logging
Monitoring
Mobile app
Amazon
DynamoDB
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools
Amazon Cognito
AWS Identity &
Access Management

Trottling
Cache
Logging
Monitoring
Mobile app
8. Invoke Lambda
Lambda
function
AmazonAPI
Gateway
Amazon Cognito
User Pools
Amazon Cognito
AWS Identity &
Access Management
Amazon
DynamoDB

IAM Policy Detail
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": ”Allow",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*"
},
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*"
}
]
}

Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
AWS Identity &
Access Management
Lambda Authorizers
Amazon
DynamoDB

Custom Authorizer
Lambda function
Mobile app
Lambda
function
AmazonAPI
Gateway
AWS Identity &
Access Management
Lambda Authorizers
Amazon
DynamoDB

Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Lambda Authorizers
4. Check
policy
cache
AWS Identity &
Access Management
Custom Authorizer
Lambda function
Amazon
DynamoDB

Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Lambda Authorizers
5.Validatetoken
AWS Identity &
Access Management
Custom Authorizer
Lambda function
Amazon
DynamoDB

Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Lambda Authorizers
6. Generate and return
user IAM policy
AWS Identity &
Access Management
Amazon
DynamoDB

Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Lambda Authorizers
AWS Identity &
Access Management
Amazon
DynamoDB

Custom Authorizer
Lambda function
Auth
Mobile app
Lambda
function
AmazonAPI
Gateway
Lambda Authorizers
8. Invoke Lambda
AWS Identity &
Access Management
Amazon
DynamoDB

Lambda Authorizer
var testPolicy = new AuthPolicy(”userIdentifier", "XXXXXXXXXXXX", apiOptions);
testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*");
testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*");
callback(null, testPolicy.getPolicy());
Sample Code

Throttle
Usage Plans: Throttle specific consumers
Internet
Mobile
apps
Websites
Partner
Services
AWS Lambda
functions
API
Gateway
response
cache
Endpoints on
Amazon EC2
Any publicly
accessible
endpoint
Amazon
CloudWatch
Amazon
CloudFront
API
Gateway

Usage Plans: Quotas and Throttling
• Prevents one customer from consuming all your
backend system’s capacity
• Let’s you decide how to allocate capacity among your
API consumers. Sample plan:
• Professional plan users: 10 TPS, up to 100 calls / day
• Premium plan users: 100 TPS, up to 1000 calls / day
• Enterprise plan users: 500 TPS, no limit on calls / day

Set daily
quota
Usage Plans: Enforce per-consumer quotas
Internet
Mobile
apps
Websites
Partner
Services
AWS Lambda
functions
API
Gateway
response
cache
Endpoints on
Amazon EC2
Any publicly
accessible
endpoint
Amazon
CloudWatch
Amazon
CloudFront
API
Gateway

Example Serverless
Architecture

Amazon API
Gateway AWS
Lambda
Amazon
DynamoDB
Amazon
S3
Amazon
CloudFront
• Bucket Policies
• ACLs
• Geo-Restriction
• Private Content
• DDOS
AuthZ
Serverless app security
• Throttling
• Caching
• Usage Plans
Browser
• Invocation
Policies
• Execution Roles
• Secure
Parameters
• IAM Fine-
grained Access
Control

Audit and log your Serverless
application

Cloudwatch – Log streaming and metrics
Leverage built-in metrics and alarm on aggregates
(throttling)
Create Custom Metrics via Metric Filter out of logs
Captures Lambda invocation details, and all
logging statement output
Stream and centralize logs from multiple accounts
to Amazon ElasticSearch for near real-time
analysis
built-in custom
Amazon Cloudwatch

AWS CloudTrail
Records AWS API calls for your account

What can you answer using a CloudTrail event?
 Who made the API call?
 What was the API call?
 When was the API call made?
 Where was the API call made from and made to?
 Which resources were acted upon in the API call?
Supported services:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html

AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change

Summary
• What is Serverless?
• Overview of AWS IAM, AWS Lambda, Amazon API
Gateway and Amazon Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary

Additional Resources
- Serverless on AWS
- Serverless Computing on AWS
- re:Invent Talks and Webinars
- Serverless Auth: Identity Management
- Add User Sign-in, Management, and Security with Cognito
- Deep Dive on AWS Lambda
- Reference Projects
- Serverless Auth Reference App
- Cognito Angular 2 Quickstart
- Cognito API Gateway Auth Reference

Securing Serverless Microservices

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie Securing Serverless Microservices

Ähnlich wie Securing Serverless Microservices (20)

Mehr von Amazon Web Services

Mehr von Amazon Web Services (20)

Securing Serverless Microservices