© 2019, Amazon Web Services, Inc. or its Affiliates.
Samuel Waymouth, Solution Architect
Lambda Function Security
Defense in depth: when perimeter security is not enough
Table of contents
• Threat Model and evolution of risk
• Managing risk and evolving Security Controls
• Review of AWS Partner products
Has the sun set on perimeter security?
R.I.P. Perimeter Security, 8000 BC to 2007
“The businesses that use this increased connectivity and operational features appreciate that their growth can only be sustained by assuring that they provide secure transactions. The corporate boundary as a secure perimeter cannot provide this, because new communications technologies bypass that perimeter.”
The Open Group Jericho Forum (2007). Jericho Forum Business Rationale for De-Perimeterization Version 2.0, https://publications.opengroup.org/w127
The way it used to be…
Serverless
It’s like that, and that’s the way it is…
Risks haven’t gone away, they’ve evolved
• Traditional controls need to evolve too
• Threat surface is larger, not smaller
• Focus on the developer, pipeline and 3rd party code
Introducing Naïve App
Naïve App (architecture diagram; component labels): Administration, WriteToDynamoDB, ReadFromDynamoDB, InvokeBadAPI, index.html / Static Content
OS Attack: Run a malicious command
(Diagram label: Malicious Command)
INPUT: env | grep AWS
CODE: result = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)
OUTPUT: AWSSECRETKEY… AWSACCESSKEY…
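The slide above shows caller input reaching subprocess.check_output with shell=True, which is why a pipeline such as env | grep AWS can read the function's credentials out of its environment. The following is an added example, not code from the deck, of how the same call can be hardened: the input is tokenised with shlex instead of being handed to a shell, the executable is checked against an allowlist, shell metacharacters are refused, and the child process is started with a scrubbed environment so the function's AWS_* credential variables are not inherited. ALLOWED_COMMANDS, CHILD_ENV, parse_command and run_allowed are names constructed for this example.

```python
import shlex
import subprocess

# Constructed allowlist for this example: the only executables the function may run.
ALLOWED_COMMANDS = {"echo", "date"}

# Characters that only mean something to a shell. With shell=False they would be
# plain argument text anyway; refusing them makes the intent explicit.
SHELL_METACHARACTERS = set("|;&`$<>(){}\n")

# Minimal environment for the child: the function's AWS_* credential variables
# are deliberately not passed on.
CHILD_ENV = {"PATH": "/usr/bin:/bin"}


def parse_command(user_input: str) -> list:
    """Tokenise untrusted input and validate it without executing anything.

    Returns the argv list to execute, or raises ValueError saying why it was rejected.
    """
    try:
        argv = shlex.split(user_input)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise ValueError(f"unparseable input: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        raise ValueError(f"command not allowed: {argv[0]!r}")
    for token in argv[1:]:
        if SHELL_METACHARACTERS & set(token):
            raise ValueError(f"shell metacharacters are not accepted: {token!r}")
    return argv


def is_rejected(user_input: str) -> bool:
    """True when parse_command refuses the input (no process is started)."""
    try:
        parse_command(user_input)
    except ValueError:
        return True
    return False


def run_allowed(user_input: str) -> str:
    """Run a validated command and return its stdout.

    shell=False hands argv straight to the kernel, so no shell exists to interpret
    pipes or substitutions; env=CHILD_ENV keeps the function's credentials out of
    the child; timeout bounds how long a caller can keep the function busy.
    """
    argv = parse_command(user_input)
    completed = subprocess.run(
        argv,
        shell=False,
        env=CHILD_ENV,
        capture_output=True,
        text=True,
        timeout=5,
        check=True,
    )
    return completed.stdout


if __name__ == "__main__":
    print(run_allowed("echo hello").strip())
    for bad in ("env | grep AWS", "echo hi; env"):
        print(f"{bad!r} rejected: {is_rejected(bad)}")
```

The allowlist is the control that matters; the metacharacter check and the scrubbed environment are defence in depth for the case where the allowlist is later widened. If the function does not need to run external commands at all, the strongest fix is to remove the subprocess call entirely.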
Injection Attack: Inject a malicious payload
(Diagram label: Malicious Payload)
INPUT: <script>alert(1);</script>
CODE: response = table.put_item(Item={"uuid": myuuid, "firstname": firstname, "surname": surname, "email": email})
OUTPUT: "Email": "<script>alert(1);</script>"
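The put_item call on the slide stores whatever arrived in the request, so the <script> payload is written to the table and comes back in the JSON shown under OUTPUT; any page that renders that field as HTML runs the script in the viewer's browser. The following added example (not code from the deck) applies two independent controls: build_item validates each of the slide's Item fields against a conservative pattern before a dict can be handed to put_item, and render_profile HTML-escapes every field at output time regardless of what is stored. The patterns, the length limit and the function names are constructed for this example, and no DynamoDB call is made.

```python
import html
import re
import uuid

# Constructed validation rules for this example, deliberately conservative.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")
EMAIL_RE = re.compile(
    r"^[A-Za-z0-9._%+-]{1,64}@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,24}$"
)
MAX_FIELD_LEN = 254


def validate_field(name: str, value: str, pattern: re.Pattern) -> str:
    """Accept only a plain string of bounded length that fully matches the field's pattern."""
    if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
        raise ValueError(f"{name}: wrong type or too long")
    if pattern.fullmatch(value) is None:
        raise ValueError(f"{name}: does not match the allowed pattern")
    return value


def build_item(myuuid: str, firstname: str, surname: str, email: str) -> dict:
    """Build the dict that would be passed as Item= to table.put_item.

    Validation happens here, so an unvalidated value can never reach the table.
    The uuid is parsed and re-serialised so only a canonical UUID string is stored.
    """
    return {
        "uuid": str(uuid.UUID(myuuid)),
        "firstname": validate_field("firstname", firstname, NAME_RE),
        "surname": validate_field("surname", surname, NAME_RE),
        "email": validate_field("email", email, EMAIL_RE),
    }


def is_rejected(myuuid: str, firstname: str, surname: str, email: str) -> bool:
    """True when build_item refuses the input."""
    try:
        build_item(myuuid, firstname, surname, email)
    except ValueError:  # uuid.UUID also raises ValueError on malformed input
        return True
    return False


def render_profile(item: dict) -> str:
    """Render a stored item as an HTML fragment, escaping every key and value.

    Output encoding is applied even to data that passed input validation, so a
    record written by another path (old data, a bulk import) is still safe to show.
    """
    rows = "".join(
        f"<tr><td>{html.escape(key, quote=True)}</td>"
        f"<td>{html.escape(str(value), quote=True)}</td></tr>"
        for key, value in item.items()
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    good = build_item("123e4567-e89b-12d3-a456-426614174000", "Sam", "Waymouth", "sam@example.com")
    print(good)
    print("payload rejected:", is_rejected("123e4567-e89b-12d3-a456-426614174000", "Sam", "Waymouth", "<script>alert(1);</script>"))
    print(render_profile({"email": "<script>alert(1);</script>"}))
```

The name rule is ASCII-only and would reject accented names; a real deployment widens it to what the application genuinely needs. The two controls are independent on purpose: input validation protects the table from unexpected data, output encoding protects the browser even when validation was bypassed.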
Network Attack: Call an untrusted API
(Diagram labels: Malicious Payload, Internet)
INPUT: https://someurl
CODE: apiresponse = requests.post(url)
OUTPUT: <script>alert(1);</script>
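requests.post(url) on the slide sends a request to whatever URL the caller supplies, and the OUTPUT line shows the function then returning whatever the remote side answered. The added example below (not code from the deck) puts a check on both directions: check_outbound_url accepts only https URLs whose host is on a constructed allowlist (ALLOWED_HOSTS) and refuses userinfo and non-standard ports, and parse_untrusted_response treats the reply as untrusted data, bounded in size and required to be a JSON object, so an HTML body like the one on the slide is rejected rather than passed through to the client. No network call is made: post_json takes the sending function as a parameter so the checks can be exercised offline.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist for this example: the only hosts the function may call.
ALLOWED_HOSTS = {"api.example.com"}
MAX_RESPONSE_BYTES = 1024 * 1024


def check_outbound_url(url: str) -> str:
    """Validate a caller-supplied URL before any request is made.

    Returns a normalised URL (https, lower-cased host, fragment dropped) or raises
    ValueError. Host matching is exact, so a look-alike host or a URL whose userinfo
    part happens to contain the allowed name does not pass.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo in URL is not accepted")
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not allowed: {host!r}")
    if parts.port not in (None, 443):  # .port raises ValueError itself on a non-numeric port
        raise ValueError(f"port not allowed: {parts.port}")
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def is_rejected_url(url: str) -> bool:
    """True when check_outbound_url refuses the URL."""
    try:
        check_outbound_url(url)
    except ValueError:
        return True
    return False


def parse_untrusted_response(body: bytes) -> dict:
    """Treat the remote reply as untrusted input: bounded size, JSON object only."""
    if len(body) > MAX_RESPONSE_BYTES:
        raise ValueError("response too large")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError("response is not valid JSON") from exc
    if not isinstance(data, dict):
        raise ValueError("response is not a JSON object")
    return data


def is_rejected_body(body: bytes) -> bool:
    """True when parse_untrusted_response refuses the body."""
    try:
        parse_untrusted_response(body)
    except ValueError:
        return True
    return False


def post_json(url: str, payload: dict, send) -> dict:
    """POST payload to a validated URL via `send(url, body_bytes) -> bytes`.

    `send` is injected so this example runs without a network; inside the function
    it would wrap requests.post with an explicit timeout.
    """
    safe_url = check_outbound_url(url)
    body = send(safe_url, json.dumps(payload).encode("utf-8"))
    return parse_untrusted_response(body)


if __name__ == "__main__":
    print(check_outbound_url("https://API.example.com/v1/x?y=1#frag"))
    for bad in ("https://someurl", "http://api.example.com/", "https://api.example.com:8443/"):
        print(f"{bad!r} rejected: {is_rejected_url(bad)}")
    print("HTML body rejected:", is_rejected_body(b"<script>alert(1);</script>"))
```

An application-level allowlist is only half of the control; the other half is network egress policy, so that a function which has no reason to reach the Internet cannot do so even if a bug lets a URL through.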
New Security Controls for New Risks
AWS Partners can help you…
3 Key Takeaways
• Threats and risks have evolved, controls need to evolve too
• New Security focus on who is delivering code, where it came from and how they deploy it
• In a Serverless Architecture the Identity & Access Management policies are your perimeter
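If the IAM policy is the perimeter, it should be as narrow as the function's job: the deck's WriteToDynamoDB function needs dynamodb:PutItem on one table and nothing else. The following is an added example, not from the deck, that builds such a policy document and pairs it with a minimal automated check: find_wildcards flags any Allow statement whose Action or Resource contains a wildcard, which is the simplest possible unit test for a policy. TABLE_ARN_PLACEHOLDER and NAIVE_POLICY are constructed for this example; substitute the real table ARN.

```python
import json

# Constructed placeholder ARN for this example; replace with the real table ARN.
TABLE_ARN_PLACEHOLDER = "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/TABLE_NAME"

# Constructed example of the shape of policy a naive deployment tends to end up with.
NAIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "NaiveAccess", "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}
    ],
}


def least_privilege_policy(function_name: str, actions, resource_arn: str) -> dict:
    """Build an identity policy granting one function exactly the listed actions on one resource."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": f"{function_name}Access",
                "Effect": "Allow",
                "Action": sorted(set(actions)),
                "Resource": [resource_arn],
            }
        ],
    }


def find_wildcards(policy: dict) -> list:
    """Return (Sid, field, value) for every Allow statement whose Action or Resource contains '*'.

    An empty result means the policy names explicitly every action and resource it grants.
    """
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource"):
            values = stmt.get(field, [])
            if isinstance(values, str):
                values = [values]
            for value in values:
                if "*" in value:
                    findings.append((stmt.get("Sid", "<no Sid>"), field, value))
    return findings


def policy_document(policy: dict) -> str:
    """Serialise the policy for attaching to the function's execution role."""
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    write_policy = least_privilege_policy("WriteToDynamoDB", ["dynamodb:PutItem"], TABLE_ARN_PLACEHOLDER)
    print(policy_document(write_policy))
    print("wildcards in least-privilege policy:", find_wildcards(write_policy))
    print("wildcards in naive policy:", find_wildcards(NAIVE_POLICY))
```

The check is deliberately crude: it catches the common mistake of granting service:* or Resource "*", but it does not reason about conditions, resource-level permissions or cross-account trust. For that, the IAM Access Analyzer material in the Useful Links slide is the place to go. Give each function its own execution role, so that ReadFromDynamoDB gets a read-only policy of the same shape rather than sharing this one.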
Q&A
Thank you!
Useful Links
• AWS, 2020. IAM Policy Tutorials, https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorials.html
• AWS, 2020. IAM Best Practices, https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
• AWS, 2020. Introduction to AWS Identity and Access Management, https://www.aws.training/Details/Video?id=16448
• AWS, 2019. Deep Dive into IAM Access Analyzer, https://youtu.be/i5apYXya2m0
• AWS, 2019. Access Management in 4D, https://youtu.be/BFrWnKZ0DQ8
• AWS, 2020. Unit Testing IAM Policies Across Multiple Accounts, https://aws.amazon.com/blogs/devops/unit-testing-iam-policies-across-multiple-accounts/
• PaloAlto Networks, 2020. PaloAlto Prisma Cloud, https://docs.paloaltonetworks.com/prisma/prisma-cloud.html
• PureSec, 2018. The Ten Most Critical Security Risks in Serverless Architectures, https://www.puresec.io/hubfs/SAS-Top10-2018/PureSec%20-%20SAS%20Top%2010%20-%202018.pdf
• PureSec, 2019. Serverless Plugin for PureSec cli, https://github.com/puresec/serverless-puresec-cli

Weitere ähnliche Inhalte

Was ist angesagt?

Improve Efficiency by Migrating Messaging to Amazon MQ - AWS Online Tech Talks
Improve Efficiency by Migrating Messaging to Amazon MQ - AWS Online Tech TalksImprove Efficiency by Migrating Messaging to Amazon MQ - AWS Online Tech Talks
Improve Efficiency by Migrating Messaging to Amazon MQ - AWS Online Tech TalksAmazon Web Services
 
Starting your Cloud Transformation Journey - Tel Aviv Summit 2018
Starting your Cloud Transformation Journey - Tel Aviv Summit 2018Starting your Cloud Transformation Journey - Tel Aviv Summit 2018
Starting your Cloud Transformation Journey - Tel Aviv Summit 2018Boaz Ziniman
 
AWSome Day MODULE 1 - AWS Foundations
AWSome Day MODULE 1 - AWS FoundationsAWSome Day MODULE 1 - AWS Foundations
AWSome Day MODULE 1 - AWS FoundationsAmazon Web Services
 
Paving the Way for the Future of the Automotive Industry
 Paving the Way for the Future of the Automotive Industry Paving the Way for the Future of the Automotive Industry
Paving the Way for the Future of the Automotive IndustryAmazon Web Services
 
Enabling digital transformation of your business on AWS - DEM08-S - Mexico Ci...
Enabling digital transformation of your business on AWS - DEM08-S - Mexico Ci...Enabling digital transformation of your business on AWS - DEM08-S - Mexico Ci...
Enabling digital transformation of your business on AWS - DEM08-S - Mexico Ci...Amazon Web Services
 
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018Amazon Web Services
 
Transforming Enterprise IT - Virtual Transformation Day Feb 2019
Transforming Enterprise IT - Virtual Transformation Day Feb 2019Transforming Enterprise IT - Virtual Transformation Day Feb 2019
Transforming Enterprise IT - Virtual Transformation Day Feb 2019Amazon Web Services
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Amazon Web Services
 
Cybersecurity: scenario e strategie.
Cybersecurity: scenario e strategie.Cybersecurity: scenario e strategie.
Cybersecurity: scenario e strategie.Amazon Web Services
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAmazon Web Services
 
AWSome Day Iceland - Technical Track
AWSome Day Iceland - Technical TrackAWSome Day Iceland - Technical Track
AWSome Day Iceland - Technical TrackAmazon Web Services
 
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...Amazon Web Services
 
Costruire Architetture Ibride con AWS
Costruire Architetture Ibride con AWSCostruire Architetture Ibride con AWS
Costruire Architetture Ibride con AWSAmazon Web Services
 
Migrate & Modernize your legacy Microsoft applications with AWS
Migrate & Modernize your legacy Microsoft applications with AWSMigrate & Modernize your legacy Microsoft applications with AWS
Migrate & Modernize your legacy Microsoft applications with AWSAmazon Web Services
 
AWSome Day Online 2020_โมดูล 4: การรักษาความปลอดภัยแอปพลิเคชันบนระบบคลาวด์ของคุณ
AWSome Day Online 2020_โมดูล 4: การรักษาความปลอดภัยแอปพลิเคชันบนระบบคลาวด์ของคุณAWSome Day Online 2020_โมดูล 4: การรักษาความปลอดภัยแอปพลิเคชันบนระบบคลาวด์ของคุณ
AWSome Day Online 2020_โมดูล 4: การรักษาความปลอดภัยแอปพลิเคชันบนระบบคลาวด์ของคุณAmazon Web Services
 
Serverless: costruire applicazioni native per il cloud
Serverless: costruire applicazioni native per il cloudServerless: costruire applicazioni native per il cloud
Serverless: costruire applicazioni native per il cloudAmazon Web Services
 

Was ist angesagt? (20)

Improve Efficiency by Migrating Messaging to Amazon MQ - AWS Online Tech Talks
Improve Efficiency by Migrating Messaging to Amazon MQ - AWS Online Tech TalksImprove Efficiency by Migrating Messaging to Amazon MQ - AWS Online Tech Talks
Improve Efficiency by Migrating Messaging to Amazon MQ - AWS Online Tech Talks
 
Starting your Cloud Transformation Journey - Tel Aviv Summit 2018
Starting your Cloud Transformation Journey - Tel Aviv Summit 2018Starting your Cloud Transformation Journey - Tel Aviv Summit 2018
Starting your Cloud Transformation Journey - Tel Aviv Summit 2018
 
AWSome Day MODULE 1 - AWS Foundations
AWSome Day MODULE 1 - AWS FoundationsAWSome Day MODULE 1 - AWS Foundations
AWSome Day MODULE 1 - AWS Foundations
 
Paving the Way for the Future of the Automotive Industry
 Paving the Way for the Future of the Automotive Industry Paving the Way for the Future of the Automotive Industry
Paving the Way for the Future of the Automotive Industry
 
State of the Union: Networking
State of the Union: NetworkingState of the Union: Networking
State of the Union: Networking
 
Enabling digital transformation of your business on AWS - DEM08-S - Mexico Ci...
Enabling digital transformation of your business on AWS - DEM08-S - Mexico Ci...Enabling digital transformation of your business on AWS - DEM08-S - Mexico Ci...
Enabling digital transformation of your business on AWS - DEM08-S - Mexico Ci...
 
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
Security, Risk and Compliance of Your Cloud Journey - Tel Aviv Summit 2018
 
Transforming Enterprise IT - Virtual Transformation Day Feb 2019
Transforming Enterprise IT - Virtual Transformation Day Feb 2019Transforming Enterprise IT - Virtual Transformation Day Feb 2019
Transforming Enterprise IT - Virtual Transformation Day Feb 2019
 
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019 Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
Establishing AWS as a trusted partner - GRC325 - AWS re:Inforce 2019
 
AWS-Vizalytics-March-2018 2.pdf
AWS-Vizalytics-March-2018 2.pdfAWS-Vizalytics-March-2018 2.pdf
AWS-Vizalytics-March-2018 2.pdf
 
AWS Security Deep Dive
AWS Security Deep DiveAWS Security Deep Dive
AWS Security Deep Dive
 
Cybersecurity: scenario e strategie.
Cybersecurity: scenario e strategie.Cybersecurity: scenario e strategie.
Cybersecurity: scenario e strategie.
 
AWS 資料數據與 IoT
AWS 資料數據與 IoTAWS 資料數據與 IoT
AWS 資料數據與 IoT
 
AWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best PracticesAWS Multi-Account Architecture and Best Practices
AWS Multi-Account Architecture and Best Practices
 
AWSome Day Iceland - Technical Track
AWSome Day Iceland - Technical TrackAWSome Day Iceland - Technical Track
AWSome Day Iceland - Technical Track
 
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
Leadership Session: Using DevOps, Microservices, and Serverless to Accelerate...
 
Costruire Architetture Ibride con AWS
Costruire Architetture Ibride con AWSCostruire Architetture Ibride con AWS
Costruire Architetture Ibride con AWS
 
Migrate & Modernize your legacy Microsoft applications with AWS
Migrate & Modernize your legacy Microsoft applications with AWSMigrate & Modernize your legacy Microsoft applications with AWS
Migrate & Modernize your legacy Microsoft applications with AWS
 
AWSome Day Online 2020_โมดูล 4: การรักษาความปลอดภัยแอปพลิเคชันบนระบบคลาวด์ของคุณ
AWSome Day Online 2020_โมดูล 4: การรักษาความปลอดภัยแอปพลิเคชันบนระบบคลาวด์ของคุณAWSome Day Online 2020_โมดูล 4: การรักษาความปลอดภัยแอปพลิเคชันบนระบบคลาวด์ของคุณ
AWSome Day Online 2020_โมดูล 4: การรักษาความปลอดภัยแอปพลิเคชันบนระบบคลาวด์ของคุณ
 
Serverless: costruire applicazioni native per il cloud
Serverless: costruire applicazioni native per il cloudServerless: costruire applicazioni native per il cloud
Serverless: costruire applicazioni native per il cloud
 

Ähnlich wie Lambda Function Security

Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...
Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...
Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...Amazon Web Services
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWSAmazon Web Services
 
Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
 Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019  Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019 Amazon Web Services
 
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...Amazon Web Services
 
Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...Amazon Web Services
 
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS SummitCarry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS SummitAmazon Web Services
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Amazon Web Services
 
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...Amazon Web Services
 
How Millennium Management achieves provable security with AWS Zelkova - FSV30...
How Millennium Management achieves provable security with AWS Zelkova - FSV30...How Millennium Management achieves provable security with AWS Zelkova - FSV30...
How Millennium Management achieves provable security with AWS Zelkova - FSV30...Amazon Web Services
 
Learn how AWS customers are implementing robust security posture for their A...
 Learn how AWS customers are implementing robust security posture for their A... Learn how AWS customers are implementing robust security posture for their A...
Learn how AWS customers are implementing robust security posture for their A...Amazon Web Services
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Amazon Web Services
 
Elevate your security with the cloud
Elevate your security with the cloudElevate your security with the cloud
Elevate your security with the cloudAmazon Web Services
 
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019 DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019 Amazon Web Services
 
Websites go Serverless - AWS Summit Berlin
Websites go Serverless - AWS Summit BerlinWebsites go Serverless - AWS Summit Berlin
Websites go Serverless - AWS Summit BerlinBoaz Ziniman
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...Amazon Web Services
 
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...Amazon Web Services
 
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
 Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019  Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019 Amazon Web Services
 
"Integrate your front end apps with serverless backend in the cloud", Sebasti...
"Integrate your front end apps with serverless backend in the cloud", Sebasti..."Integrate your front end apps with serverless backend in the cloud", Sebasti...
"Integrate your front end apps with serverless backend in the cloud", Sebasti...Provectus
 
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...Amazon Web Services
 

Ähnlich wie Lambda Function Security (20)

Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...
Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...
Infrastructure, security, and operations as code - DEM05-S - Mexico City AWS ...
 
Scaling threat detection and response on AWS
Scaling threat detection and response on AWSScaling threat detection and response on AWS
Scaling threat detection and response on AWS
 
Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
 Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019  Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
Hands-on with AWS Security Hub - FND213-R - AWS re:Inforce 2019
 
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
How GoDaddy protects ecommerce and domains with AWS KMS and encryption - SDD4...
 
Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...Delivering infrastructure, security, and operations as code with AWS - DEM10-...
Delivering infrastructure, security, and operations as code with AWS - DEM10-...
 
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS SummitCarry security with you to the cloud - DEM14-SR - New York AWS Summit
Carry security with you to the cloud - DEM14-SR - New York AWS Summit
 
AWS Security Deep Dive
AWS Security Deep DiveAWS Security Deep Dive
AWS Security Deep Dive
 
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
Safeguard the Integrity of Your Code for Fast and Secure Deployments - SVC206...
 
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
Delivering infrastructure, security, and operations as code - DEM06 - Santa C...
 
How Millennium Management achieves provable security with AWS Zelkova - FSV30...
How Millennium Management achieves provable security with AWS Zelkova - FSV30...How Millennium Management achieves provable security with AWS Zelkova - FSV30...
How Millennium Management achieves provable security with AWS Zelkova - FSV30...
 
Learn how AWS customers are implementing robust security posture for their A...
 Learn how AWS customers are implementing robust security posture for their A... Learn how AWS customers are implementing robust security posture for their A...
Learn how AWS customers are implementing robust security posture for their A...
 
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
Ensure the integrity of your code for fast and secure deployments - SDD319 - ...
 
Elevate your security with the cloud
Elevate your security with the cloudElevate your security with the cloud
Elevate your security with the cloud
 
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019 DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
DDoS attack detection at scale - SDD408 - AWS re:Inforce 2019
 
Websites go Serverless - AWS Summit Berlin
Websites go Serverless - AWS Summit BerlinWebsites go Serverless - AWS Summit Berlin
Websites go Serverless - AWS Summit Berlin
 
How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...How to act on your security and compliance alerts with AWS Security Hub - FND...
How to act on your security and compliance alerts with AWS Security Hub - FND...
 
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...Safeguarding the integrity of your code for fast, secure deployments - SVC301...
Safeguarding the integrity of your code for fast, secure deployments - SVC301...
 
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
 Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019  Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
Your first compliance-as-code - GRC305-R - AWS re:Inforce 2019
 
"Integrate your front end apps with serverless backend in the cloud", Sebasti...
"Integrate your front end apps with serverless backend in the cloud", Sebasti..."Integrate your front end apps with serverless backend in the cloud", Sebasti...
"Integrate your front end apps with serverless backend in the cloud", Sebasti...
 
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
Leadership session - Governance, risk, and compliance - GRC326-L - AWS re:Inf...
 

Mehr von Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateAmazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSAmazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsAmazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareAmazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSAmazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAmazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareAmazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWSAmazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckAmazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceAmazon Web Services
 

Mehr von Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Lambda Function Security

1. © 2019, Amazon Web Services, Inc. or its Affiliates.
Samuel Waymouth, Solution Architect
Lambda Function Security
Defense in depth: when perimeter security is not enough

2. Table of contents
• Threat Model and evolution of risk
• Managing risk and evolving Security Controls
• Review of AWS Partner products

3. Has the sun set on perimeter security?

4. R.I.P. Perimeter Security, 8000 BC to 2007
“The businesses that use this increased connectivity and operational features appreciate that their growth can only be sustained by assuring that they provide secure transactions. The corporate boundary as a secure perimeter cannot provide this, because new communications technologies bypass that perimeter.”
The Open Group Jericho Forum (2007). Jericho Forum Business Rationale for De-Perimeterization Version 2.0, https://publications.opengroup.org/w127

5. The way it used to be…

6. Serverless

7. It’s like that, and that’s the way it is…
8. Risks haven’t gone away, they’ve evolved
• Traditional controls need to evolve too
• Threat surface is larger, not smaller
• Focus on the developer, pipeline and 3rd party code

9. Introducing Naïve App

10. Naïve App
Components: Administration, WriteToDynamoDB, ReadFromDynamoDB, InvokeBadAPI, index.html (Static Content)
11. OS Attack: Run a malicious command
INPUT (malicious command): env | grep AWS
CODE:
result = subprocess.check_output(cmd, stderr=subprocess.STDOUT, shell=True)
OUTPUT: AWSSECRETKEY… AWSACCESSKEY…

12. Injection Attack: Inject a malicious payload
INPUT (malicious payload): <script>alert(1);</script>
CODE:
response = table.put_item(Item={"uuid": myuuid, "firstname": firstname, "surname": surname, "email": email})
OUTPUT: "Email": "<script>alert(1);</script>"

13. Network Attack: Call an untrusted API
INPUT (malicious URL): https://someurl
CODE:
apiresponse = requests.post(url)
OUTPUT (malicious payload returned from the Internet): <script>alert(1);</script>
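Hardened counterparts to the three weak code paths on slides 11 to 13, written here as an added example rather than taken from the deck or the Naïve App; the names ALLOWED_COMMANDS, OUTBOUND_ALLOWLIST and the functions below are illustrative, and the example generalises from the single payloads shown to the full validation each path needs.

```python
import html
import re
import subprocess
from urllib.parse import urlparse

# Hardened counterparts to the three weak code paths shown on slides 11-13.
# Added example; the Naive App's real code is not on the page, so the names
# ALLOWED_COMMANDS, OUTBOUND_ALLOWLIST and the functions below are illustrative.

# OS attack: user input never reaches a shell. Callers pick a command by name;
# each name maps to a fixed argv list that runs with shell=False.
ALLOWED_COMMANDS = {
    "uptime": ["uptime"],
    "disk": ["df", "-h", "/tmp"],
}

def resolve_command(name):
    argv = ALLOWED_COMMANDS.get(name)
    if argv is None:  # "env | grep AWS" is not a key, so it is rejected here
        raise ValueError("command not permitted: %r" % name)
    return argv

def run_command(name):
    # No shell means no pipes, no redirection, no second command.
    return subprocess.check_output(resolve_command(name), stderr=subprocess.STDOUT)

# Injection attack: validate before put_item, and escape when rendering,
# so a stored "<script>" string can never execute in a browser.
NAME_RE = re.compile(r"^[A-Za-z' \-]{1,64}$")
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$")

def validate_item(firstname, surname, email):
    if not (NAME_RE.match(firstname) and NAME_RE.match(surname)):
        raise ValueError("invalid name")
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email")
    return {"firstname": firstname, "surname": surname, "email": email}

def render_field(value):
    return html.escape(value, quote=True)

# Network attack: outbound calls go only to pre-approved HTTPS hosts.
OUTBOUND_ALLOWLIST = {"api.example.com"}
def check_outbound_url(url):
    parsed = urlparse(url)
    # hostname drops any "user@" prefix, so "https://api.example.com@evil" fails too
    if parsed.scheme != "https" or parsed.hostname not in OUTBOUND_ALLOWLIST:
        raise ValueError("destination not permitted: %r" % url)
    return url
```

Each check rejects the exact payload from its slide, and an IAM policy scoped to the function (slide 16) limits what a bypass could reach.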
14. New Security Controls for New Risks

15. AWS Partners can help you…
16. 3 Key Takeaways
• Threats and risks have evolved, controls need to evolve too
• New Security focus on who is delivering code, where it came from and how they deploy it
• In a Serverless Architecture the Identity & Access Management policies are your perimeter
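If the IAM policy is the perimeter, it deserves a unit test like any other code. This added example (not from the deck) places an over-privileged policy for the Naïve App's WriteToDynamoDB function beside a least-privilege one and checks both with a small linter; the table name, region and account id are placeholders.

```python
import json

# Added example: two candidate execution-role policies for WriteToDynamoDB.
# The first is the shortcut that lets a compromised function read or delete
# anything in DynamoDB; the second grants one action on one table.
# Account id, region and table name are placeholders.
OVER_PRIVILEGED = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}],
})

LEAST_PRIVILEGE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["dynamodb:PutItem"],
        "Resource": "arn:aws:dynamodb:eu-west-1:111122223333:table/NaiveAppUsers",
    }],
})

def _as_list(value):
    # IAM accepts a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def policy_findings(policy_json, needed_actions):
    """Return human-readable findings; an empty list means the policy passes.

    needed_actions: the exact IAM actions this function requires, e.g. {"dynamodb:PutItem"}.
    """
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append("statement %d: wildcard action %s" % (i, action))
            elif action not in needed_actions:
                findings.append("statement %d: unneeded action %s" % (i, action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append("statement %d: resource '*' is not scoped" % i)
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append("statement %d: NotAction/NotResource in an Allow is too broad" % i)
    return findings
```

Run the check in the deployment pipeline so a wildcard never reaches the execution role unnoticed.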
17. Q&A

18. Thank you!
19. Useful Links
• AWS, 2020. IAM Policy Tutorials, https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorials.html
• AWS, 2020. IAM Best Practices, https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
• AWS, 2020. Introduction to AWS Identity and Access Management, https://www.aws.training/Details/Video?id=16448
• AWS, 2019. Deep Dive into IAM Access Analyzer, https://youtu.be/i5apYXya2m0
• AWS, 2019. Access Management in 4D, https://youtu.be/BFrWnKZ0DQ8
• AWS, 2020. Unit Testing IAM Policies Across Multiple Accounts, https://aws.amazon.com/blogs/devops/unit-testing-iam-policies-across-multiple-accounts/
• PaloAlto Networks, 2020. PaloAlto Prisma Cloud, https://docs.paloaltonetworks.com/prisma/prisma-cloud.html
• PureSec, 2018. The Ten Most Critical Security Risks in Serverless Architectures, https://www.puresec.io/hubfs/SAS-Top10-2018/PureSec%20-%20SAS%20Top%2010%20-%202018.pdf
• PureSec, 2019. Serverless Plugin for PureSec cli, https://github.com/puresec/serverless-puresec-cli