Practical Guidance for Increasing your Serverless Application's Security
1. © 2018, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Chris Munns – Senior Developer Advocate – AWS Serverless
Practical Guidance for
Increasing your Serverless
Application’s Security
2.
About me:
Chris Munns - munns@amazon.com, @chrismunns
• Lead Developer Advocate - Serverless
• New Yorker
• Previously:
• AWS Business Development Manager – DevOps, July ’15 - Feb ‘17
• AWS Solutions Architect Nov, 2011- Dec 2014
• Formerly on operations teams @Etsy and @Meetup
• Little time at a hedge fund, Xerox and a few other startups
• Rochester Institute of Technology: Applied Networking and Systems Administration ’05
• Internet infrastructure geek
3.
https://secure.flickr.com/photos/mgifford/4525333972
Why are we
here today?
4.
What should this talk be about?
Me: “Should I have a talk about how I think people focused on building self managed containerized “serverless” platforms are missing the big picture and it’s not the future”
Jefe: “No, talk about security”
Ajay Nair, Lead Product Manager – AWS Lambda, @ajaynairthinks, aka “jefe” to me
<Humor Slide />
5.
What should this talk be about?
Me: “Can I do a talk where I tear apart the FUD currently in the space showing up by people with odd counter-productive personal agendas?”
Product Marketing: “No, please not that, no. Do something happy on security.”
<Humor Slide />
Ambiguous representation of AWS product marketing folks sitting up front looking concerned at me
6.
But then...
The very wonderful Tim Wagner (“el jefe jefe”) and equally wonderful Mark Nunnikhoven delivered like 40% of my content yesterday in their own talks...
<Humor Slide />
7.
Serverless Dance Routine?
8.
Serverless Dance Routine?
9.
https://secure.flickr.com/photos/mgifford/4525333972
Why are we
here today?
10.
Photo by Klára Koszeghyova on Unsplash
Old school security practices would have you focused on putting your Lambda function here and hoping no one had cannons.
11.
Photo by Paul Csogi on Unsplash
But we all know our Lambda functions live here
12.
Today’s focus:
13.
Anatomy of a Lambda function (layers, top to bottom)
• Your function code
• Language runtime
• Execution environment
• Compute substrate
14.
Anatomy of a Lambda function (layers, top to bottom)
• Your function code
• Language runtime
• Execution environment
• Compute substrate
Places where you can impact security: your function code and how it is configured; the runtime, execution environment and compute substrate are managed by AWS
15. Anatomy of a Lambda function (same text as slide 14)
16.
Anatomy of a Lambda function
• Handler() function: the function to be executed upon invocation
• Event object: data sent during Lambda function invocation
• Context object: methods available to interact with runtime information (request ID, log group, etc.)

public String handleRequest(Book book, Context context) {
    saveBook(book);
    return book.getName() + " saved!";
}
17.
Serverless applications
EVENT SOURCE → FUNCTION → SERVICES (ANYTHING)
18.
Anatomy of a Lambda function

function myhandler(event, context) {
    if (<event handling logic>) {
        result = subFunctionA(thing);
    } else {
        result = subFunctionB(thing);
    }
    return result;
}

function subFunctionA(thing) {
    // logic here
}

function subFunctionB(thing) {
    // logic here
}
19.
Serverless applications
EVENT SOURCE → FUNCTION → SERVICES (ANYTHING)
20.
Anatomy of a Lambda function

import sdk
import http-lib
import ham-sandwich

// Module scope: runs once when the execution environment is created (cold start),
// then is reused by every warm invocation of that environment
preHandlerSecretGetter();
preHandlerDbConnect();

function myhandler(event, context) {
    if (<event handling logic>) {
        result = subFunctionA(thing);
    } else {
        result = subFunctionB(thing);
    }
    return result;
}

function preHandlerSecretGetter() {
    // fetch secrets once, keep them in memory for the life of the environment
}

function preHandlerDbConnect() {
    // open the DB connection once, reuse it across invocations
}

function subFunctionA(thing) {
    // logic here
}

function subFunctionB(thing) {
    // logic here
}
21. Anatomy of a Lambda function (same pseudocode as slide 20)
Where you can have a bad time
22.
OWASP Top 10 - 2017
• Injection
• Broken Authentication
• Sensitive Data Exposure
• XML External Entities (XXE)
• Broken Access Control
• Security Misconfiguration
• Cross-Site Scripting (XSS)
• Insecure Deserialization
• Using Components with Known Vulnerabilities
• Insufficient Logging & Monitoring
23. OWASP Top 10 - 2017 (same list as slide 22)
24. Anatomy of a Lambda function (same pseudocode as slide 20)
Bonus round: project/repo scoping
Two rules:
• If functions share an event source they can go in the same repo; if not, they go in their own repo as separate “applications”
  • Simplifies permissions
• If functions share an event source but require different imported packages, make them their own function files/jars/etc.
  • Keeps dependency bloat minimized per function
Monorepo == anti-pattern for FaaS
30. Bonus round: project/repo scoping (same two rules as slide 29)
Use language native dependency tools and put shared logic in sub-packages
31. Anatomy of a Lambda function (same pseudocode as slide 20)
32.
Lambda Environment Variables
• Key-value pairs that you can dynamically pass to your function
• Available via standard environment variable APIs such as process.env for Node.js or os.environ for Python
• Can optionally be encrypted via AWS Key Management Service (KMS)
  • Allows you to specify in IAM which roles have access to the keys to decrypt the information
  • Caveat: without that, anyone allowed to call lambda:GetFunctionConfiguration on the function can read the plaintext values
• Useful for creating environments per stage (e.g. dev, testing, production)
33. AWS Systems Manager – Parameter Store
Centralized store to manage your configuration data
• Supports hierarchies
• Plain-text or encrypted with KMS
• Can send notifications of changes to Amazon SNS / AWS Lambda
• Can be secured with IAM
• Calls recorded in CloudTrail
• Can be tagged
• Available via API/SDK
Useful for: centralized environment variables, secrets control, feature flags

from __future__ import print_function
import json
import boto3

# Created at module scope so the client is reused across warm invocations
ssm = boto3.client('ssm', 'us-east-1')

def get_parameters():
    # WithDecryption=True returns the plaintext of a SecureString; the
    # function's role needs ssm:GetParameters plus kms:Decrypt on its key
    response = ssm.get_parameters(
        Names=['LambdaSecureString'], WithDecryption=True
    )
    for parameter in response['Parameters']:
        return parameter['Value']
    # An unknown name is not an error: it is listed in response['InvalidParameters']
    return None

def lambda_handler(event, context):
    value = get_parameters()
    print("value1 = " + value)  # demo only: never log a real secret
    return value  # Echo back the first key value
34. AWS Systems Manager – Parameter Store (same slide as 33)
#somuchawesome
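The snippet on slide 33 calls Parameter Store inside the handler on every invocation and does not check what it got back. The following is an added example, not code from the deck, of the pre-handler secret-getter pattern from slide 20: fetch once per execution environment, cache with a TTL so a rotated value is picked up, and refuse a parameter that is not a SecureString. The parameter names, the TTL and the FakeSSM stub are assumptions for illustration; in a real function you pass no client and let the cache build boto3's SSM client.

```python
"""Fetch a SecureString from SSM Parameter Store once per execution environment.

Added example for the Parameter Store slide; it is not the deck's own code.
Names such as /app/prod/db/password and the FakeSSM stub are assumptions.
"""
import time
from typing import Callable, Dict

try:
    import boto3  # present in the Lambda runtime; optional when running offline
except ImportError:  # pragma: no cover
    boto3 = None


class ParameterError(Exception):
    """Raised when a parameter is missing or is not a SecureString."""


class SecretCache:
    """Caches decrypted parameters across warm invocations with a TTL.

    Reads go through client.get_parameter(Name=..., WithDecryption=True),
    the boto3 SSM call; the client is injectable so the cache can be
    exercised offline with a stub.
    """

    def __init__(self, client=None, ttl_seconds: int = 300,
                 clock: Callable[[], float] = time.monotonic):
        self._client = client
        self._ttl = ttl_seconds
        self._clock = clock
        self._cache: Dict[str, tuple] = {}  # name -> (value, fetched_at)

    def _ssm(self):
        if self._client is None:
            if boto3 is None:
                raise RuntimeError("boto3 not available and no client injected")
            self._client = boto3.client("ssm")
        return self._client

    def get(self, name: str) -> str:
        now = self._clock()
        hit = self._cache.get(name)
        if hit and now - hit[1] < self._ttl:
            return hit[0]
        try:
            resp = self._ssm().get_parameter(Name=name, WithDecryption=True)
        except Exception as exc:  # boto3 raises client.exceptions.ParameterNotFound
            raise ParameterError(f"cannot read {name}: {exc.__class__.__name__}") from exc
        param = resp["Parameter"]
        # Refuse to treat a plain String as a secret: the operator probably
        # created it without KMS encryption by mistake.
        if param.get("Type") != "SecureString":
            raise ParameterError(f"{name} is {param.get('Type')}, expected SecureString")
        self._cache[name] = (param["Value"], now)
        return param["Value"]


class FakeSSM:
    """Constructed stand-in for boto3's SSM client; counts how often it is hit."""

    def __init__(self, params: Dict[str, Dict[str, str]]):
        self.params = params
        self.calls = 0

    def get_parameter(self, Name: str, WithDecryption: bool = False):
        self.calls += 1
        if Name not in self.params:
            raise KeyError(Name)
        return {"Parameter": dict(Name=Name, **self.params[Name])}


# Module scope: runs once per execution environment, not once per invocation.
_SECRETS = SecretCache(client=FakeSSM({
    "/app/prod/db/password": {"Type": "SecureString", "Value": "s3cr3t"},
    "/app/prod/feature-flag": {"Type": "String", "Value": "on"},
}), ttl_seconds=300)


def lambda_handler(event, context):
    """Use the cached secret; never echo it back in the response or the logs."""
    password = _SECRETS.get("/app/prod/db/password")
    return {"statusCode": 200, "body": "db password length=%d" % len(password)}
```

The TTL matters more than it looks: a warm execution environment can live for hours, so a cache with no expiry keeps serving a secret after it has been rotated.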
35. Anatomy of a Lambda function (same pseudocode as slide 20)
36. OWASP Top 10 - 2017 (same list as slide 22)
37.
“Insecure Deserialization” – Event parsing
True story: JSON parsing can be tricky
Good news: AWS services give Lambda the event payload in a defined structure per service.
What to do:
• Explore JSON schema validation tools if processing messages embedded in the JSON payload itself (see the jsonschema npm package as an example)
• Check data types of attributes in the JSON after validation; a schema that is satisfied says nothing about bounds or allowed values
• If processing binary objects (say from S3): explore packages that can help verify/test contents rather than trusting the key suffix or Content-Type
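The three bullets above in working code, as an added example that is not part of the deck. It validates an API Gateway proxy event body against a small explicit schema (presence, type, bounds, no unexpected keys), closes the Python-specific trap that `True` passes an `isinstance(x, int)` check, and sniffs the first bytes of an S3 object instead of trusting its name. The "order" payload shape, the field limits and the sample events are constructed for illustration.

```python
"""Validate an inbound event before trusting any of its fields.

Added example for the event-parsing slide, not the deck's own code. The
order payload shape and the sample events are constructed.
"""
import base64
import json
from typing import Any, Dict

MAX_BODY_BYTES = 64 * 1024  # refuse oversized bodies before parsing them


class InvalidEvent(ValueError):
    pass


# Field name -> (expected Python type, required?)
ORDER_SCHEMA = {
    "order_id": (str, True),
    "quantity": (int, True),
    "gift": (bool, False),
}


def _type_ok(value: Any, expected: type) -> bool:
    """isinstance with the bool/int trap closed: True must not pass as an int."""
    if expected is int and isinstance(value, bool):
        return False
    return isinstance(value, expected)


def parse_api_gateway_body(event: Dict[str, Any]) -> Dict[str, Any]:
    """Turn an API Gateway proxy event body into a dict, or raise InvalidEvent."""
    body = event.get("body")
    if body is None:
        raise InvalidEvent("missing body")
    if event.get("isBase64Encoded"):
        body = base64.b64decode(body).decode("utf-8", errors="strict")
    if len(body.encode("utf-8")) > MAX_BODY_BYTES:
        raise InvalidEvent("body too large")
    try:
        data = json.loads(body)
    except ValueError as exc:
        raise InvalidEvent(f"body is not JSON: {exc}") from exc
    if not isinstance(data, dict):
        raise InvalidEvent("body must be a JSON object")
    return data


def validate_order(data: Dict[str, Any]) -> Dict[str, Any]:
    """Check presence, type and bounds; reject unknown keys instead of ignoring them."""
    unknown = set(data) - set(ORDER_SCHEMA)
    if unknown:
        raise InvalidEvent(f"unexpected fields: {sorted(unknown)}")
    for name, (expected, required) in ORDER_SCHEMA.items():
        if name not in data:
            if required:
                raise InvalidEvent(f"missing field: {name}")
            continue
        if not _type_ok(data[name], expected):
            raise InvalidEvent(f"{name} must be {expected.__name__}")
    if not (1 <= data["quantity"] <= 1000):
        raise InvalidEvent("quantity out of range")
    if not data["order_id"].isalnum() or len(data["order_id"]) > 32:
        raise InvalidEvent("order_id must be alphanumeric, at most 32 chars")
    return data


# Magic numbers for objects pulled from S3: the key suffix and Content-Type
# are attacker-controlled, the first bytes are harder to lie about.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
}


def sniff_content_type(head: bytes) -> str:
    for magic, ctype in MAGIC.items():
        if head.startswith(magic):
            return ctype
    return "application/octet-stream"


def lambda_handler(event, context):
    try:
        order = validate_order(parse_api_gateway_body(event))
    except InvalidEvent as exc:
        # 400 with the reason; never echo the raw body back to the caller
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    return {"statusCode": 200, "body": json.dumps({"accepted": order["order_id"]})}


# Constructed sample events
GOOD_EVENT = {"body": json.dumps({"order_id": "A1B2", "quantity": 3})}
BAD_TYPE_EVENT = {"body": json.dumps({"order_id": "A1B2", "quantity": True})}
EXTRA_FIELD_EVENT = {"body": json.dumps({"order_id": "A1B2", "quantity": 1, "admin": True})}
```

`BAD_TYPE_EVENT` is the case a plain `isinstance` check misses: `json.loads("true")` is `True`, and `isinstance(True, int)` is `True` in Python, so a schema check that only looks at the JSON type would let a boolean through as a quantity.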
38. Anatomy of a Lambda function (same slide as 14)
39. OWASP Top 10 - 2017 (same list as slide 22)
40.
Lambda permissions model
Fine grained security controls for both execution and invocation:
Execution policies:
• Define which AWS resources/API calls this function can access, via IAM (the function’s execution role)
• Also what Lambda uses for streaming (poll-based) invocations, where the service reads the source on the function’s behalf
• E.g. “Lambda function A can read from DynamoDB table users”
Function policies:
• Used for sync and async (push-based) invocations
• E.g. “Actions on bucket X can invoke Lambda function Z”
• Resource policies allow for cross account access
42.
Do yourself a favor, go read the docs..
43. AWS Serverless Application Model (SAM)
CloudFormation extension optimized for serverless
New serverless resource types: functions, APIs, and tables
Supports anything CloudFormation supports
Open specification (Apache 2.0)
- SAM Translator recently open sourced!
https://github.com/awslabs/serverless-application-model
44.
SAM Policy Templates

MyFunction:
  Type: AWS::Serverless::Function
  Properties:
    ...
    Policies:
      # Give just CRUD permissions to one table
      - DynamoDBCrudPolicy:
          TableName: !Ref MyTable
...
MyTable:
  Type: AWS::Serverless::SimpleTable
45. SAM Policy Templates (same template as slide 44)
36 predefined policies, all found here: https://bit.ly/2LM6qml
46.
IAM + Lambda best practices
• Where/when possible try to leverage the pre-created managed policies that exist today
• If you are doing “service:*” be REALLY REALLY REALLY sure that’s what you should and need to do
• Keep tight lockdown on who/what can invoke functions
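A small lint for the two policy types from slide 40, written against the three bullets above. It is an added example, not AWS tooling or code from the deck: it flags `service:*` and `Resource: "*"` in an execution policy, and in a function (resource) policy it flags an open `Principal` and a service principal that is not pinned with `aws:SourceArn`/`aws:SourceAccount` (without that pin any account’s bucket or topic with the same service principal can invoke you). The sample policies, account id and ARNs are constructed.

```python
"""Lint a Lambda execution policy and a function (resource) policy for the
mistakes called out on slides 40 and 46. Added example, not AWS tooling or
the deck's code; the sample policies, account id and ARNs are constructed.
"""
import json
from typing import Any, Dict, List


def _as_list(value: Any) -> List[Any]:
    """IAM allows a string or a list in Action/Resource/Statement; normalize."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_execution_policy(policy: Dict[str, Any]) -> List[str]:
    """Findings for the role the function runs as: wildcards and PassRole."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action"))]
        resources = _as_list(st.get("Resource"))
        for a in actions:
            if a == "*" or a.endswith(":*"):
                findings.append(f"statement {i}: wildcard action {a!r}; are you REALLY sure?")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' for {actions}; scope it to ARNs")
        if "iam:passrole" in actions and "*" in resources:
            findings.append(f"statement {i}: iam:PassRole on any role lets the function escalate")
    return findings


def lint_function_policy(policy: Dict[str, Any]) -> List[str]:
    """Findings for who may invoke the function."""
    findings = []
    invoke_actions = {"lambda:invokefunction", "lambda:*", "*"}
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action"))}
        if not actions & invoke_actions:
            continue
        principal = st.get("Principal")
        if principal == "*" or principal == {"AWS": "*"}:
            findings.append(f"statement {i}: Principal '*' lets anyone invoke")
            continue
        if isinstance(principal, dict) and "Service" in principal:
            # Condition keys are case-insensitive in IAM, so compare lowercased
            cond = json.dumps(st.get("Condition", {})).lower()
            if "aws:sourcearn" not in cond and "aws:sourceaccount" not in cond:
                findings.append(f"statement {i}: service principal {principal['Service']} "
                                "is not pinned with aws:SourceArn/aws:SourceAccount "
                                "(any account's resource could invoke you)")
    return findings


# Constructed samples
ACCOUNT = "123456789012"
FUNC_ARN = f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:thumbnailer"

EXEC_BAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": f"arn:aws:logs:us-east-1:{ACCOUNT}:*"},
]}
EXEC_GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
     "Resource": f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/users"},
]}
FUNC_BAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FUNC_ARN},
]}
FUNC_GOOD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "s3.amazonaws.com"},
     "Action": "lambda:InvokeFunction", "Resource": FUNC_ARN,
     "Condition": {"ArnLike": {"AWS:SourceArn": "arn:aws:s3:::my-upload-bucket"},
                   "StringEquals": {"AWS:SourceAccount": ACCOUNT}}},
]}
FUNC_OPEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*",
     "Action": "lambda:InvokeFunction", "Resource": FUNC_ARN},
]}

if __name__ == "__main__":
    for label, pol, lint in [("exec", EXEC_BAD, lint_execution_policy),
                             ("func", FUNC_BAD, lint_function_policy)]:
        for f in lint(pol):
            print(label, f)
```

`FUNC_GOOD` is what `aws lambda add-permission` produces when you pass `--source-arn` and `--source-account`; `FUNC_BAD` is what you get when you leave them off.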
47.
Do I need to put my functions in an Amazon VPC?
Putting your functions inside of a VPC provides little extra security benefit to your AWS Lambda functions. A VPC is for reaching resources that only exist inside one, not for protecting the function itself.
48.
Do I need to put my functions in an Amazon VPC?
Should my Lambda function be in a VPC?
• Does my function need to access any specific resources in a VPC?
  • No: don’t put the function in a VPC
  • Yes: does it also need to access resources or services on the public internet?
    • No: put the function in a private subnet
    • Yes: put the function in a subnet with a NAT’d route to the internet
49. OWASP Top 10 - 2017 (same list as slide 22)
50. I will turn on CloudTrail, Config, and CloudTrail Data Events
(repeated down the whole slide, chalkboard style)
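Turning CloudTrail on is only half of “Insufficient Logging & Monitoring”; someone has to look at the records. Below is an added example, not from the deck, of the detection logic a security team would run over the Lambda control-plane and data-plane records that CloudTrail produces: permission grants, execution-role swaps, code pushes from outside the deployment pipeline, and denied invokes (the last only appear once CloudTrail data events are enabled for Lambda). The records are constructed; their field names follow the CloudTrail record format (`eventSource`, `eventName`, `requestParameters`, `userIdentity`, `errorCode`), and the trusted role name `ci-deploy-role` is an assumption.

```python
"""Scan CloudTrail records for Lambda changes worth paging on.

Added example, not code from the deck. The records below are constructed;
field names follow the CloudTrail record format. The pipeline role name is
an assumption for the example.
"""
import re
from typing import Any, Dict, List

# Role the deployment pipeline assumes; changes made by anyone else get a
# higher severity. Assumed for the example.
TRUSTED_DEPLOYER = "ci-deploy-role"


def normalize_event_name(name: str) -> str:
    """Lambda control-plane names carry an API version suffix,
    e.g. AddPermission20150331v2 -> AddPermission."""
    return re.sub(r"\d{8}(v\d+)?$", "", name)


def _actor(record: Dict[str, Any]) -> str:
    return (record.get("userIdentity") or {}).get("arn", "unknown")


def analyze(records: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    alerts: List[Dict[str, str]] = []
    for r in records:
        if r.get("eventSource") != "lambda.amazonaws.com":
            continue
        name = normalize_event_name(r.get("eventName", ""))
        params = r.get("requestParameters") or {}
        actor = _actor(r)
        trusted = f"/{TRUSTED_DEPLOYER}/" in actor
        fn = params.get("functionName", "unknown")

        def alert(severity: str, reason: str) -> None:
            alerts.append({"severity": severity, "event": name, "function": fn,
                           "actor": actor, "reason": reason})

        if name == "AddPermission":
            principal = str(params.get("principal", ""))
            if principal == "*":
                alert("high", "invoke permission granted to everyone")
            elif principal.endswith(".amazonaws.com") and not params.get("sourceArn"):
                alert("high", f"service principal {principal} granted without sourceArn")
            else:
                alert("medium", f"invoke permission granted to {principal}")
        elif name == "UpdateFunctionConfiguration":
            if "role" in params:
                alert("high", f"execution role changed to {params['role']}")
            elif "environment" in params:
                alert("medium", "environment variables changed")
            elif not trusted:
                alert("medium", "configuration changed outside the pipeline")
        elif name in ("UpdateFunctionCode", "CreateFunction", "DeleteFunction"):
            alert("low" if trusted else "high",
                  f"{name} by {'the pipeline' if trusted else 'a non-pipeline actor'}")
        elif name == "Invoke" and r.get("errorCode"):
            # Data-plane record: only present when CloudTrail data events are on
            alert("low", f"invoke failed with {r['errorCode']}")
    return alerts


# Constructed sample records
SAMPLE_RECORDS = [
    {"eventSource": "lambda.amazonaws.com", "eventName": "AddPermission20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"functionName": "orders", "principal": "*",
                           "action": "lambda:InvokeFunction", "statementId": "open"}},
    {"eventSource": "lambda.amazonaws.com",
     "eventName": "UpdateFunctionConfiguration20150331v2",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"},
     "requestParameters": {"functionName": "orders",
                           "role": "arn:aws:iam::123456789012:role/AdminRole"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "UpdateFunctionCode20150331v2",
     "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy-role/build-42"},
     "requestParameters": {"functionName": "orders"}},
    {"eventSource": "lambda.amazonaws.com", "eventName": "Invoke", "errorCode": "AccessDenied",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/mallory"},
     "requestParameters": {"functionName": "orders"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_RECORDS):
        print(a["severity"].upper(), a["event"], a["function"], a["actor"], a["reason"])
```

The trusted-deployer check is the part to tune: once code and configuration only ever change through one pipeline role, every `UpdateFunctionCode` or role swap from a human principal is a finding rather than noise.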
56.
aws.amazon.com/serverless
57.
Chris Munns
munns@amazon.com
@chrismunns
https://www.flickr.com/photos/theredproject/3302110152/
58.
?
https://secure.flickr.com/photos/dullhunk/202872717/