Deep Dive on Serverless Web Applications - AWS May 2016 Webinar Series
TRANSCRIPT
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Brittany Doncaster, Solutions Architect, AWS
May 24, 2016
Agenda
• Overview of Serverless Architecture
• Anatomy of a Web Application
• Securing the Web Application
• Demo
• Other Options
Overview of Serverless Architectures
Serverless? What's that mean?
What is Serverless?
Removes the need for:
• Provisioning and Utilization
• Operations and Management
• Scaling
• Availability and Fault Tolerance
Benefits of Serverless?
Removing the need for:
• Provisioning and Utilization
• Operations and Management
• Scaling
• Availability and Fault Tolerance
Which leads to:
• Low Cost
• Simple
• Low Latency
• Scalable
• Reliable
Platform of Serverless Products
• Compute
• Storage
• Database
• Messaging and Queues
• Gateways
• User Management
• Internet of Things
• Machine Learning
• Streaming Analytics
Use cases: Real-time Processing, Streams, Files, ETL, IoT Backends
Web Application Serverless Architecture
Anatomy of a Web Application
What makes up a web application? Let's break it down…
Serverless Web Application
Where did all the servers go?
Static Website Hosting on S3 - refresher
• Specify an index document (i.e. index.html)
• Specify an error document
• Objects publicly readable
• Supports redirects (all requests, or conditional)
API Gateway - refresher
• Create
• Configure
• Publish
• Maintain
• Monitor
• Secure
API Gateway – Stage Variables
• Key/Value pairs used for configuration
• Used for different stages of the API
• Specify a Lambda function name
• Pass to backend
Lambda
• Serverless, event-driven compute
• Code is: NodeJS, Python, JVM based
• Specify memory allocated
• Determine what invokes the functions: API Gateway, S3, DynamoDB, Kinesis, SNS, SES, Cognito, CloudWatch Logs, CloudWatch Events, CloudFormation, Config, Scheduled Events
Lambda – Versioning and Aliases
Versioning:
• ARN for each one (immutable)
• Versions of functions for Dev, Staging, Prod
Aliases:
• Point to a version
• Have an ARN also
• Event sources point to Alias ARNs
Lambda – Dynamic Configuration
One option:
• Pull configs from DDB (DynamoDB)
• Write values to global vars
• Code uses global vars
[Diagram: Lambda Function reading configuration from Amazon DynamoDB]
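The pattern on this slide, as an added example that is not code from the webinar: a Python Lambda handler that pulls its configuration from a DynamoDB table once per container, keeps it in a module-level (global) variable, and reuses it on later invocations. The table name "app-config", its "name" hash key and the "value" attribute are assumptions for this example; a small in-memory stand-in for the DynamoDB Table object is constructed so the code runs offline, and with boto3 you would pass boto3.resource("dynamodb").Table("app-config") instead.

```python
import os

# Assumed table name, overridable through an environment variable.
CONFIG_TABLE = os.environ.get("CONFIG_TABLE", "app-config")

# Global cache: survives across invocations that land on the same warm container.
_CONFIG = None


class FakeConfigTable:
    """Constructed stand-in that mimics the Table.scan() call used below."""

    def __init__(self, items):
        self._items = items
        self.scans = 0  # how many times the table was actually read

    def scan(self, **kwargs):
        self.scans += 1
        return {"Items": list(self._items)}


def load_config(table, force=False):
    """Read every item of the config table into the global dict.

    A config table is small, so a full scan is acceptable here; handle the
    paginated case anyway, since DynamoDB returns LastEvaluatedKey when a
    scan page is not the last one.
    """
    global _CONFIG
    if _CONFIG is not None and not force:
        return _CONFIG  # warm container: no DynamoDB round trip
    resp = table.scan()
    items = list(resp["Items"])
    while "LastEvaluatedKey" in resp:
        resp = table.scan(ExclusiveStartKey=resp["LastEvaluatedKey"])
        items.extend(resp["Items"])
    _CONFIG = {item["name"]: item["value"] for item in items}
    return _CONFIG


def handler(event, context, table=None):
    """Lambda entry point; `table` is injectable so the code is testable offline."""
    if table is None:
        import boto3  # only needed when running inside Lambda
        table = boto3.resource("dynamodb").Table(CONFIG_TABLE)
    cfg = load_config(table)
    # Example use of a config value: a feature flag read from the global cache.
    comments_enabled = cfg.get("comments_enabled", "false") == "true"
    return {"statusCode": 200, "body": {"comments_enabled": comments_enabled}}
```

Two points worth keeping in mind with this design: a value changed in the table is only picked up by containers that cold-start afterwards (or when load_config is called with force=True, for example on a timer), and the function's IAM role needs only dynamodb:Scan on the config table, which keeps the permission grant narrow.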
DynamoDB - refresher
• NoSQL database
• Keys: Hash Key and (optional) Range Key
• Tips: plan your keys; think about your queries
Serverless Web Application
…but what's missing from this architecture?
Authentication/Authorization
Securing your Serverless Web Application
AWS IAM and AWS STS
[Diagram: client obtains a temporary security credential from AWS STS (steps 1, 2), then calls the AWS cloud or Amazon API Gateway with the permissions of an IAM role]
Policy snippet shown on the slide:
Action: ['s3:*', 'sts:Get*']
Effect: Allow
Resource: *
Securing API Gateway
Cognito and STS
Authentication Options with Cognito
• Federated Identity Providers: Amazon, Facebook, Google
• Custom Developed Authentication System
• Cognito Identity User Pools (Preview)
Unauthenticated vs Authenticated roles
• Ability to define both in Cognito
• Start out unauthenticated, switch to authenticated!
• Example: browsing a blogging site, then logging in to post or comment
Example IAM Policy for API Gateway
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [ "execute-api:Invoke" ],
      "Resource": [
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments/*",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/users",
        "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/login"
      ]
    }
  ]
}
Cognito – Authentication Flow
[Diagram: Amazon API Gateway, AWS Lambda]
Other Security Features
• IAM Roles for Lambda Functions
• Client-side Encryption library using KMS for DynamoDB
Demo
Demo App Architecture
[Diagram with six numbered steps: the web browser loads static content from Amazon S3; calls unauthenticated API methods on Amazon API Gateway, backed by AWS Lambda functions and Amazon DynamoDB; obtains user credentials from Amazon Cognito through the authentication APIs (Amazon API Gateway, AWS Lambda functions, Amazon DynamoDB); obtains authenticated user credentials from AWS STS; calls authenticated API methods (Amazon API Gateway POST functions, AWS Lambda functions holding the logic for POST functions, Amazon DynamoDB); user data is stored encrypted using AWS KMS]
Other Options
Authentication Options
• Cognito: Federated Identity Providers (Amazon, Facebook, Google), Cognito Identity User Pools
• Federated Web Identities: interact directly with STS and 3rd party identity providers
Authorization Options with API Gateway
[Diagram: the client sends a request with a bearer token to API Gateway; API Gateway passes context + token to a Lambda auth function, which returns a principal + policy; the policy is evaluated and cached; allowed requests are forwarded to AWS Lambda functions, endpoints on Amazon EC2, or any other publicly accessible endpoint; otherwise the client receives 403 Denied]
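The Lambda auth function in that flow, as an added example that is not code from the webinar: a TOKEN-type API Gateway custom authorizer in Python that verifies the bearer token and returns the principal plus an IAM policy document for API Gateway to evaluate and cache. The event fields authorizationToken and methodArn are what API Gateway sends a TOKEN authorizer; the token format (base64url JSON payload plus an HMAC-SHA256 tag under the AUTH_SECRET environment variable), the role names "reader" and "author", and the account/API ids in the usage are all constructed for this example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Assumed: the signing secret arrives through an environment variable.
SECRET = os.environ.get("AUTH_SECRET", "constructed-demo-secret").encode()

# Constructed role-to-method map: what each kind of principal may invoke.
ROLE_METHODS = {"reader": ["GET/*"], "author": ["GET/*", "POST/*"]}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(sub, role, ttl=3600, secret=SECRET, now=None):
    """What the login backend would mint: 'payload.tag' with an expiry claim."""
    now = int(time.time()) if now is None else now
    payload = _b64url(json.dumps({"sub": sub, "role": role, "exp": now + ttl}).encode())
    tag = _b64url(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return payload + "." + tag


def verify_token(token, secret=SECRET, now=None):
    """Return the claims if the tag verifies and the token is unexpired, else None."""
    try:
        payload, tag = token.split(".")
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(tag)):  # constant-time compare
            return None
        claims = json.loads(_unb64url(payload))
    except (ValueError, binascii.Error):  # malformed token, bad base64, bad JSON
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def build_policy(principal_id, method_arn, allowed_methods):
    """Policy covering the whole stage for this principal (it will be cached)."""
    # methodArn looks like arn:aws:execute-api:region:acct:apiId/stage/VERB/path
    arn_prefix, stage, _rest = method_arn.split("/", 2)
    base = f"{arn_prefix}/{stage}/"
    if allowed_methods:
        effect, resources = "Allow", [base + m for m in allowed_methods]
    else:
        effect, resources = "Deny", [base + "*"]  # API Gateway answers 403
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": resources}],
        },
    }


def handler(event, context):
    """Lambda authorizer entry point."""
    token = event.get("authorizationToken", "")
    if token.lower().startswith("bearer "):
        token = token[7:]
    claims = verify_token(token)
    if claims is None:
        return build_policy("anonymous", event["methodArn"], [])
    return build_policy(claims["sub"], event["methodArn"], ROLE_METHODS.get(claims.get("role"), []))
```

Because API Gateway caches the returned policy per token for the authorizer's TTL, the policy is written to cover every method the principal may call on the stage rather than only the methodArn of the first request; a policy scoped to that single ARN would make later calls to other routes fail until the cache expires. Returning a Deny policy yields the 403 shown on the slide, whereas raising an exception with the message "Unauthorized" makes API Gateway answer 401 instead. In production the HMAC token format here would be replaced by validating a Cognito or other identity provider's JWT against the provider's published keys.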
Some Tidbits
• Authorization failures to API Gateway get returned as a CORS error (the 403 response carries no CORS headers, so the browser reports it as a CORS failure)
• Lambda Functions as stage variable values = manual permissions configuration (API Gateway's invoke permission on the function has to be granted by hand)
Architect to be Serverless
• Fully Managed: no provisioning, zero administration, high availability
• Developer Productivity: focus on the code that matters, innovate rapidly, reduce time to market
• Continuous Scaling: automatically scale up and scale down
Q&A