On this webinar, AWS Solution Architect Mike Deck joined PureSec CTO, Ory Segal, to go in-depth on Lambda Security. Mike explained how Lambda works under the hood and went through the AWS Lambda Security Best Practices. Ory then went through the best practices for securing serverless applications.

1. AWS LAMBDA SECURITY: INSIDE & OUT
Mike Deck Principal Solutions Architect, AWS
Ory Segal PureSec CTO
https://www.puresec.io/
Get your free 30-day trial of PureSec SSP – https://www.puresec.io/get-puresec

2. Agenda
 AWS Lambda overview
 AWS Lambda under the hood
 Security isolation & network isolation
 Serverless security
 The evolution of the shared responsibility
model
 Protecting serverless applications

3. © 2019, Amazon Web Services, Inc. or its Affiliates.
SERVICES (ANYTHING)
Changes in
data state
Requests to
endpoints
Changes in
resource state
EVENT SOURCE FUNCTION
Node.js
Python
Java
C#
Go
AWS Lambda overview

4. © 2019, Amazon Web Services, Inc. or its Affiliates.
Lambda handles…
Load Balancing
Auto Scaling
Handling Failures
Security Isolation
Managing Utilization
(and many other things) for you

5. © 2019, Amazon Web Services, Inc. or its Affiliates.
Let’s take a look under the
hood

6. © 2019, Amazon Web Services, Inc. or its Affiliates.

7. © 2019, Amazon Web Services, Inc. or its Affiliates.
AWS Cloud
Region
Lambda customer
(Existing Worker,
New Sandbox)
Availability zone 2
Availability zone 1
Invoke
Front End
Invoke
Front End
Worker Mgr
Worker Mgr
Reserve Sandbox
Invoke
Worker
Worker
Worker
Init

8. © 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Sandbox isolation

9. © 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode

10. © 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode

11. © 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode

12. © 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode

13. © 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode

14. © 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode

15. © 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode
One Function
ManyAccounts

16. © 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Host OS
Hypervisor
Guest OS
Virtual Devices
Device Emulation
Physical
Devices

17. © 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Host OS
Hypervisor
Guest OS
virtio drivers
virtio host in Firecracker
Physical
Devices

18. © 2019, Amazon Web Services, Inc. or its Affiliates.
Hardware
Host OS
Hypervisor
Guest OS
Virtual Devices
Device Emulation
Physical
Devices

19. © 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Network isolation

20. © 2019, Amazon Web Services, Inc. or its Affiliates.
Worker
Lambda
Function
ENI in
yourVPC
YourVPC
Local
NAT

21. © 2019, Amazon Web Services, Inc. or its Affiliates.
Worker
Lambda
Function
ENI in
yourVPC
YourVPC
Remote
NAT

22. © 2019, Amazon Web Services, Inc. or its Affiliates.

23. © 2019, Amazon Web Services, Inc. or its Affiliates.
↓
↓
↑
Firecracker Hypervisor vs. Others

24. © 2019, Amazon Web Services, Inc. or its Affiliates.
Security Whitepaper
https://bit.ly/lambda-security

25. © 2019, Amazon Web Services, Inc. or its Affiliates.
Learn more
Available onYouTube
https://youtu.be/QdzV04T_kec

26. AWS LAMBDA
SECURITY
SERVERLESS
SECURITY

27. Shared Model Of Responsibility
CLOUD PROVIDER
Responsible for security
“of”
The cloud
REGIONS AVAILABILITY ZONES EDGE LOCATIONS
COMPUTE STORAGE DATABASE NETWORK
OPERATING SYSTEM + VIRTUAL MACHINES + CONTAINERS
APPLICATION
OWNER
Responsible for
security “in” the cloud
APPLICATIONS (FUNCTIONS)
IDENTITY & ACCESS
MANAGEMENT
CLOUD SERVICES
CONFIGURATION
CLIENT-SIDE DATA IN CLOUD DATA IN TRANSIT

28. Security Responsibility: When You Own The
Infrastructure (IaaS)
 Physical infrastructure, access restrictions to physical perimeter and hardware
 Secure configuration of infrastructure devices and systems
 Regularly testing the security of all systems/processes (OS, services)
 Identification and authentication of access to systems (OS, services)
 Patching and fixing flaws in OS
 Hardening OS and services
 Protecting all systems against malware and backdoors
 Patching and fixing flaws in runtime environment and related software packages
 Exploit prevention and memory protection
 Network segmentation
 Tracking and monitoring all network resources and access
 Installation and maintenance of network firewalls
 Network-layer DoS protection
 Authentication of users
 Authorization controls when accessing application and data
 Log and maintain audit trails of all access to application and data
 Deploy an application layer firewall for event-data inspection
 Detect and fix vulnerabilities in third-party dependencies
 Use least-privileged IAM roles and permissions
 Enforce legitimate application behavior
 Data leak prevention
 Scan code and configurations statically during development
 Maintain serverless/cloud asset inventory
 Remove obsolete/unused cloud services and functions
 Continuously monitor errors and security incidents
8%
92%
APPLICATION
OWNER
CLOUD
PROVIDER

29. Security Responsibility: When You Adopt
Serverless
 Physical infrastructure, access restrictions to physical perimeter and hardware
 Secure configuration of infrastructure devices and systems
 Regularly testing the security of all systems/processes (OS, services)
 Identification and authentication of access to systems (OS, services)
 Patching and fixing flaws in OS
 Hardening OS and services
 Protecting all systems against malware and backdoors
 Patching and fixing flaws in runtime environment and related software packages
 Exploit prevention and memory protection
 Network segmentation
 Tracking and monitoring all network resources and access
 Installation and maintenance of network firewalls
 Network-layer DoS protection
 Authentication of users
 Authorization controls when accessing application and data
 Log and maintain audit trails of all access to application and data
 Deploy an application layer firewall for event-data inspection
 Detect and fix vulnerabilities in third-party dependencies
 Use least-privileged IAM roles and permissions
 Enforce legitimate application behavior
 Data leak prevention
 Scan code and configurations statically during development
 Maintain serverless/cloud asset inventory
 Remove obsolete/unused cloud services and functions
 Continuously monitor errors and security incidents
52%
48%
APPLICATION
OWNER
CLOUD
PROVIDER

30. Top Risks for Serverless Applicationshttp://bit.ly/csa-top-12
SAS-1
Function event-data injection
Broken authentication
SAS-2
Insecure serverless deployment
SAS-3
Over-privileged function permissions
SAS-4
Inadequate function monitoring
SAS-5
Insecure 3rd party dependencies
SAS-6
Insecure app secrets storage
SAS-7
DoS & Financial exhaustion
SAS-8
Serverless business logic manipulation
SAS-9
Improper exceptions handling & errors
SAS-10
Legacy functions & cloud resources
SAS-11
Cross-execution data persistency
SAS-12

31. Existing Application Security Solutions Do
Not Fit
Protects applications by
being deployed on
networks and servers
TRADITIONAL SECURITY
The application owner doesn't
have any control over the
infrastructure
SERVERLESS

32. INFRASTRUCTURE
SERVERLESS
FUNCTIONS WAF
LAYER 7
NG-FW
INBOUND
WSG
OUTBOUND
IPS
NETWORK
EPP
BEHAVIORAL
APPLICATION
Traditional Protections Cannot Be Deployed
On Serverless
With No Infrastructure Based Protections,
Your Security is Reduced to
Good Coding and Strict Configuration

34. THE CHALLENGE OF ”LEAST-
PRIVILEGED” IAM ROLES
 Functions should only be allowed to do
what they are tasked with
 AWS IAM model is extremely powerful,
yet hard to get right, especially at large
scale
 Human factor
 ‘Over-privileged’ issues are the most
common problem
C O N F I G U R AT I O N

35. GETTING IAM PERMISSIONS RIGHT
 Adopt ‘Role-per-Function’ model
 Single responsibility principle – each
function should have a single focused task
 Use SAM managed policies where
applicable
 Automate IAM permissions scanning and
role generation (PureSec)

36. Your Function
Static Code
Analysis
Learn about cloud
resource interactions,
and least required
privileges
IAM Role
Configuration
Analysis
Learn about
privileges granted
Account Analysis
Learn about cloud
resources in your
account that might be
at risk
Automating Least-Privileged IAM w/ PureSec

37. • Remediate risks during development with the CLI-based scanner
• Enforce least-privilege policy during build (CI/CD integration)
• Continuously monitor & enforce security on deployed applications

39. There’s more to AWS Lambda than
AWS Gateway
HTTP
…47 services
• Web Application Firewalls inspect HTTP(s) web traffic
• Require deployment in-line between client and Lambda
• Parse and inspect HTTP messages (parameters, cookies, headers)
Cloud-native event inspection requires a
different approach.
* Where is data coming from?
Eventually from the outside…

40. PureSec Runtime Protection: serverless, scalable & blazing-fast
 Serverless application firewall - inspects all cloud-native events
 Serverless Behavioral Protection – enforces expected app behavior
 Protects real-world production applications with billions of invocations

41. ory@puresec.io
Get your free 30-day trial of PureSec SSP – https://www.puresec.io/get-puresec