Security Best Practices for Serverless Applications - July 2017 AWS Online Tech Talks
TRANSCRIPT
© 2017, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Justin Pirtle, AWS Solutions Architect
07/25/17
Security Best Practices for
Serverless Applications
Agenda
• What is Serverless?
• Overview of AWS Lambda, API Gateway, and Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary
Serverless means…
• No servers to provision or manage
• Scales with usage
• Never pay for idle
• Availability and fault tolerance built in
Serverless is real
Microservices
AWS Lambda + Amazon API Gateway is the easiest way to create microservices
• Event handlers: one function per event type
• Serverless backends: one function per API / path
• Data processing: one function per data type
Serverless Microservice (diagram): clients on the Internet (mobile apps, websites, partner services) → AWS Lambda
AWS Lambda Programming Model
Bring your own code
• Node.js, Java, Python, C#
• Bring your own libraries (even native ones)
Simple resource model
• Select power rating from 128 MB to 1.5 GB
• CPU and network allocated proportionately
• Pay only for what compute you consume
Programming model
• AWS SDK built in (Python and Node.js)
• Lambda is the “webserver”
• Use processes, threads, /tmp, sockets normally
Stateless
• Persist data using Amazon DynamoDB, S3, or ElastiCache
• No affinity to infrastructure (can’t “log in to the box”)
Serverless Microservice (diagram): clients on the Internet (mobile apps, websites, partner services) → Amazon API Gateway → AWS Lambda → Amazon DynamoDB
Introduction to Amazon API Gateway
• Create a unified API frontend for multiple microservices
• Authenticate and authorize requests to a backend
• DDoS protection and throttling for your backend
• Throttle, meter, and monetize API usage by 3rd-party developers
Amazon API Gateway: Serverless APIs (diagram): clients on the Internet (mobile apps, websites, partner services) → Amazon CloudFront → API Gateway (with response cache; metrics and logs to Amazon CloudWatch) → AWS Lambda functions, endpoints on Amazon EC2, or any publicly accessible endpoint
Identity is mission critical for your applications
User identity underpins:
• Revenue generation: know your users; monitor engagement with your application
• Application backbone: store and manage user data; personalize your users’ experiences
• Security: protect sensitive data; secure business-critical processes
Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
Amazon Cognito Identity
Your User Pools: you can easily and securely add sign-up and sign-in functionality to your mobile and web apps with a fully-managed service that scales to support 100s of millions of users.
Federated Identities: your users can sign in with third-party identity providers, such as Facebook and SAML providers, and you can control access to AWS resources from your app.
(Diagram: sign in with corporate directories, OIDC and SAML providers, or a username/password form.)
Comprehensive Support for Identity Use Cases
Serverless Microservice (diagram): clients on the Internet (mobile apps, websites, partner services) → Amazon API Gateway → AWS Lambda → Amazon DynamoDB, with Amazon Cognito providing user identity
Securing Serverless microservices
Securing AWS Lambda
Lambda execution models (diagram)
• Synchronous (push): Amazon API Gateway (e.g. /order) → AWS Lambda function
• Asynchronous (event): Amazon SNS, Amazon S3 → AWS Lambda function
• Stream-based: Amazon DynamoDB, Amazon Kinesis (changes) → AWS Lambda service polls the stream → function
The push model and resource policies
Function (resource) policy
• Permissions you grant to your Lambda function determine which service or event source can invoke your function
• Resource policies make it easy to grant cross-account permissions to invoke your Lambda function
The pull model and IAM roles
IAM execution role
• Permissions you grant to this role determine what your AWS Lambda function can do at run-time
• If the event source is Amazon DynamoDB or Amazon Kinesis, then add read permissions for the stream to the IAM role: the Lambda service polls the stream on your behalf using the execution role
Lambda function security – best practices
• Application security best practices still apply (mandatory code review, static analysis, etc.)
• Use an IAM role per function and don’t be too permissive – apply the principle of least privilege
• Encrypt environment variables and sensitive data via KMS and Lambda’s encryption helpers
• Leverage EC2 Systems Manager Parameter Store for secrets and configuration management at scale
Lambda vulnerabilities and security scan
• Automate security analysis as part of your CI/CD pipeline
• Input validation/sanitization, SQLi, etc. still apply in Serverless architectures
• Continuously scan for vulnerabilities in the dependencies you use; this can be a step in your CI/CD pipeline
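The two halves of Lambda’s permission model above, written out as an added CloudFormation example that is not from the deck: the resource policy (AWS::Lambda::Permission) decides who may invoke the function, and the execution role decides what the function may do. The resource names (order-function, the Orders table, the KMS key, the /order-service/ parameter path) and the ApiId parameter are assumptions. The security points are the SourceArn condition on the permission, which limits invocation to one method of one API instead of any API Gateway in any account, and the per-resource ARNs in the role, as opposed to the dynamodb:* on Resource "*" that least privilege rules out.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - one function, a scoped resource policy, a least-privilege execution role
Parameters:
  ApiId:
    Type: String
    Description: id of the API Gateway REST API that fronts the function (assumed to exist)
Resources:
  # Resource (function) policy: only POST /order on THIS API may invoke the
  # function. Without SourceArn the principal alone would let any API Gateway
  # deployment in any AWS account call it.
  AllowApiGatewayInvoke:
    Type: AWS::Lambda::Permission
    Properties:
      Action: lambda:InvokeFunction
      FunctionName: !Ref OrderFunction
      Principal: apigateway.amazonaws.com
      SourceArn: !Sub "arn:aws:execute-api:${AWS::Region}:${AWS::AccountId}:${ApiId}/*/POST/order"

  # Execution role: one role per function, scoped to the single table, log
  # group, KMS key and parameter path this function actually needs
  # (rather than dynamodb:* or "*" on Resource "*").
  OrderFunctionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { Service: lambda.amazonaws.com }
            Action: sts:AssumeRole
      Policies:
        - PolicyName: order-function-least-privilege
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Sid: OrdersTableOnly
                Effect: Allow
                Action: [dynamodb:GetItem, dynamodb:PutItem]
                Resource: !GetAtt OrdersTable.Arn
              - Sid: OwnLogGroupOnly
                Effect: Allow
                Action: [logs:CreateLogStream, logs:PutLogEvents]
                Resource: !GetAtt OrderFunctionLogs.Arn
              - Sid: DecryptEnvironmentWithOneKey   # Lambda's KMS encryption helpers
                Effect: Allow
                Action: kms:Decrypt
                Resource: !GetAtt OrdersKey.Arn
              - Sid: ReadOwnParametersOnly          # EC2 Systems Manager Parameter Store
                Effect: Allow
                Action: [ssm:GetParameter, ssm:GetParameters]
                Resource: !Sub "arn:aws:ssm:${AWS::Region}:${AWS::AccountId}:parameter/order-service/*"

  OrderFunctionLogs:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: /aws/lambda/order-function   # must match the function name below
      RetentionInDays: 30

  OrderFunction:
    Type: AWS::Lambda::Function
    Properties:
      FunctionName: order-function
      Runtime: nodejs18.x          # the Node.js 6.10 runtime of the deck's era is retired; use a supported one
      Handler: index.handler
      Role: !GetAtt OrderFunctionRole.Arn
      KmsKeyArn: !GetAtt OrdersKey.Arn   # encrypts the environment variables at rest
      Environment:
        Variables:
          TABLE_NAME: !Ref OrdersTable
      Code:
        ZipFile: "exports.handler = async () => ({ statusCode: 200 });"

  OrdersTable:
    Type: AWS::DynamoDB::Table
    Properties:
      AttributeDefinitions: [{ AttributeName: orderId, AttributeType: S }]
      KeySchema: [{ AttributeName: orderId, KeyType: HASH }]
      ProvisionedThroughput: { ReadCapacityUnits: 1, WriteCapacityUnits: 1 }

  OrdersKey:
    Type: AWS::KMS::Key
    Properties:
      Description: key for order-function environment variables and parameters (assumed)
      KeyPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal: { AWS: !Sub "arn:aws:iam::${AWS::AccountId}:root" }
            Action: kms:*
            Resource: "*"
```

Pre-creating the log group is what lets the role omit logs:CreateLogGroup, which the default basic execution policy grants on every log group in the account; the same pattern (create the resource, then grant on its ARN) applies to each statement.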
Securing API Gateway
API Gateway: three types of authorization
• AWS IAM authorization (credentials from Amazon Cognito Federated Identities, including custom identity providers)
• Custom Authorizers
• User Pools Authorizers (tokens from Amazon Cognito User Pools)
User Pools Authorizers (diagram, built up over several slides)
Components: mobile app; Amazon Cognito User Pools; Amazon API Gateway (auth, throttling, cache, logging, monitoring); Lambda function; Amazon DynamoDB.
Steps labelled on the slides:
• The app signs in against the user pool and receives three tokens: Identity, Access, Refresh
• 4. Validate Identity token (API Gateway verifies the ID token carried in the request against the user pool)
• 5. Invoke API call (API Gateway invokes the Lambda function)
• 6. Access AWS resources (the function reads and writes Amazon DynamoDB)
IAM-based authorization (diagram, built up over several slides)
Components: mobile app; Amazon Cognito User Pools; Amazon Cognito Federated Identities; AWS Identity & Access Management; Amazon API Gateway (auth, throttling, cache, logging, monitoring); Lambda function; Amazon DynamoDB.
Steps labelled on the slides:
• The app signs in against the user pool and receives its tokens
• 3. Request AWS credentials (the app presents the user pool token to Cognito Federated Identities)
• 4. Validate Id token (Federated Identities checks the token against the user pool)
• 5. Temp AWS credentials (short-lived credentials for the identity pool’s IAM role are returned to the app)
• The app signs its API request with those credentials; API Gateway authorizes the call against IAM using an execute-api:Invoke policy like the one shown next
• 8. Invoke Lambda
IAM Policy Detail
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "execute-api:Invoke",
"Effect": "Allow",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*"
},
{
"Action": "execute-api:Invoke",
"Effect": "Deny",
"Resource": "arn:aws:execute-api:*:*:ff5h9tpwfh/*/POST/locations/*"
}
]
}
Custom Authorizers (diagram, built up over several slides)
Components: mobile app; Amazon API Gateway; custom authorizer Lambda function; backend Lambda function; Amazon DynamoDB; AWS Identity & Access Management.
Steps labelled on the slides:
• The app calls the API, passing its bearer token
• 4. Check policy cache (API Gateway looks up a cached policy for that token; on a hit the authorizer is not called again)
• 5. Validate token (the custom authorizer Lambda function verifies the token)
• 6. Generate and return user IAM policy (the authorizer returns a principal id plus an execute-api:Invoke policy, which API Gateway caches for the configured TTL)
• 8. Invoke Lambda (API Gateway evaluates the policy against the request and invokes the backend function)
Custom Authorizer Lambda
Sample Code
// AuthPolicy is the helper class from the AWS "API Gateway custom authorizer" Lambda blueprint;
// the second argument is the AWS account id and apiOptions carries region, restApiId and stage.
var testPolicy = new AuthPolicy("userIdentifier", "XXXXXXXXXXXX", apiOptions);
testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*");
testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*");
callback(null, testPolicy.getPolicy());
Usage Plans: Throttle specific consumers (diagram: the Serverless APIs architecture above, with throttling applied per consumer at API Gateway)
Usage Plans: Quotas and Throttling
• Prevents one customer from consuming all your backend system’s capacity
• Lets you decide how to allocate capacity among your API consumers. Sample plan:
  • Professional plan users: 10 TPS, up to 100 calls / day
  • Premium plan users: 100 TPS, up to 1000 calls / day
  • Enterprise plan users: 500 TPS, no limit on calls / day
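What the sample plan above enforces per API key, as an added model written for this page rather than API Gateway’s own implementation: the TPS limit is a token bucket refilled at the plan’s rate and capped at its burst, and the daily quota is a separate counter that resets when the period rolls over. The rates and daily limits are the deck’s; the key names and the burst values (set equal to the rate here) are assumptions, as is the choice not to count throttled calls against the quota.

```javascript
'use strict';

// The deck's sample plans; burst equal to rate is an assumption.
const PLANS = {
  professional: { rateLimit: 10, burstLimit: 10, quota: { limit: 100, period: 'DAY' } },
  premium: { rateLimit: 100, burstLimit: 100, quota: { limit: 1000, period: 'DAY' } },
  enterprise: { rateLimit: 500, burstLimit: 500, quota: null },
};
const DAY_MS = 24 * 60 * 60 * 1000;
const startOfDay = (ms) => ms - (ms % DAY_MS);

class UsagePlanEnforcer {
  constructor(plans) {
    this.plans = plans;
    this.state = new Map(); // per API key: bucket level, last refill, quota usage
  }

  // One request on `apiKey` (subscribed to `planName`) arriving at `nowMs`.
  // Returns { status: 200 } or { status: 429, reason } like API Gateway would.
  check(apiKey, planName, nowMs) {
    const plan = this.plans[planName];
    if (!plan) return { status: 403, reason: 'unknown plan' };
    let s = this.state.get(apiKey);
    if (!s) {
      s = { tokens: plan.burstLimit, lastRefill: nowMs, used: 0, periodStart: startOfDay(nowMs) };
      this.state.set(apiKey, s);
    }
    // Quota: a plain counter per period; reset it when the day changes.
    if (plan.quota) {
      if (startOfDay(nowMs) !== s.periodStart) { s.used = 0; s.periodStart = startOfDay(nowMs); }
      if (s.used >= plan.quota.limit) return { status: 429, reason: 'quota exceeded' };
    }
    // Throttle: token bucket, rateLimit tokens/second, never above burstLimit.
    s.tokens = Math.min(plan.burstLimit, s.tokens + ((nowMs - s.lastRefill) / 1000) * plan.rateLimit);
    s.lastRefill = nowMs;
    if (s.tokens < 1) return { status: 429, reason: 'throttled' };
    s.tokens -= 1;
    if (plan.quota) s.used += 1; // only admitted calls consume quota (assumption)
    return { status: 200 };
  }
}

// Replays `n` requests starting at `startMs`, `spacingMs` apart, and tallies outcomes.
function replay(enforcer, apiKey, planName, startMs, n, spacingMs = 0) {
  const tally = { ok: 0, throttled: 0, quota: 0 };
  for (let i = 0; i < n; i++) {
    const r = enforcer.check(apiKey, planName, startMs + i * spacingMs);
    if (r.status === 200) tally.ok++;
    else if (r.reason === 'throttled') tally.throttled++;
    else tally.quota++;
  }
  return tally;
}

module.exports = { UsagePlanEnforcer, PLANS, DAY_MS, replay };
```

Two consequences the table alone does not make obvious: a consumer who stays under 10 TPS all day still stops at call 101 until midnight, and a consumer who fires 15 calls at once gets 5 immediate 429s even though they are far under the daily quota.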
Usage Plans: Enforce per-consumer quotas (diagram: the same architecture, with a daily quota set per consumer at API Gateway)
Example Serverless Architecture: Serverless app security (diagram)
• Browser → Amazon CloudFront + Amazon S3: bucket policies, ACLs, geo-restriction, private content, DDoS
• Amazon API Gateway: AuthZ, throttling, caching, usage plans
• AWS Lambda: invocation policies, execution roles, secure parameters
• Amazon DynamoDB: IAM fine-grained access control
Audit and log your Serverless application
CloudWatch – log streaming and metrics
• Leverage built-in metrics and alarm on aggregates (throttling)
• Create custom metrics via Metric Filter out of logs
• Captures Lambda invocation details and all logging statement output
• Stream and centralize logs from multiple accounts to Amazon Elasticsearch Service for near real-time analysis
Different log categories
• AWS infrastructure logs: AWS CloudTrail, Amazon VPC Flow Logs
• AWS service logs: AWS Lambda, Amazon API Gateway, Amazon S3, Amazon CloudFront, Amazon Kinesis, …
Security-related events
AWS CloudTrail records AWS API calls for your account
What can you answer using a CloudTrail event?
• Who made the API call?
• What was the API call?
• When was the API call made?
• Where was the API call made from and made to?
• Which resources were acted upon in the API call?
Supported services:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html
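The five questions above answered over CloudTrail records, plus the detection a security operations team would bolt on: flag calls that widen who can invoke a Lambda function or what it can do. This is an added example, not from the deck. The three records are constructed in CloudTrail’s JSON shape; the account id, user names, IP addresses and the watchlist are assumptions. The event names carry the API-version suffix CloudTrail really records for Lambda (for example AddPermission20150331v2), which the code strips before matching.

```javascript
'use strict';

// Constructed CloudTrail records (documented field names, made-up values).
const RECORDS = [
  {
    eventVersion: '1.05', eventTime: '2017-07-25T16:02:11Z',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::123456789012:user/alice', userName: 'alice' },
    eventSource: 'lambda.amazonaws.com', eventName: 'UpdateFunctionConfiguration20150331v2',
    awsRegion: 'us-east-1', sourceIPAddress: '203.0.113.10', userAgent: 'aws-cli/1.11.0',
    requestParameters: { functionName: 'order-function', role: 'arn:aws:iam::123456789012:role/AdminRole' },
    responseElements: null,
  },
  {
    eventVersion: '1.05', eventTime: '2017-07-25T16:05:40Z',
    userIdentity: { type: 'AssumedRole', arn: 'arn:aws:sts::123456789012:assumed-role/deploy/ci' },
    eventSource: 'lambda.amazonaws.com', eventName: 'AddPermission20150331v2',
    awsRegion: 'us-east-1', sourceIPAddress: '198.51.100.7', userAgent: 'aws-sdk-nodejs/2.7.0',
    requestParameters: { functionName: 'order-function', principal: '*', action: 'lambda:InvokeFunction', statementId: 'public' },
    responseElements: null,
  },
  {
    eventVersion: '1.05', eventTime: '2017-07-25T16:07:02Z',
    userIdentity: { type: 'IAMUser', arn: 'arn:aws:iam::123456789012:user/bob', userName: 'bob' },
    eventSource: 'dynamodb.amazonaws.com', eventName: 'DescribeTable',
    awsRegion: 'us-east-1', sourceIPAddress: '203.0.113.22', userAgent: 'console.amazonaws.com',
    requestParameters: { tableName: 'Orders' }, responseElements: null,
  },
];

// Who / what / when / where (from, to) / which resources, read straight off the record.
function summarize(r) {
  const p = r.requestParameters || {};
  return {
    who: r.userIdentity.userName || r.userIdentity.arn,
    // "lambda:AddPermission" from eventSource + eventName minus the API-version suffix
    what: `${r.eventSource.split('.')[0]}:${r.eventName.replace(/\d{8}v?\d*$/, '')}`,
    when: r.eventTime,
    from: r.sourceIPAddress,
    to: r.awsRegion,
    which: [p.functionName, p.tableName, p.roleName].filter(Boolean),
    error: r.errorCode || null,
  };
}

// Watchlist (assumed): changes to a function's resource policy, execution role,
// or code, and to the IAM roles those functions run as.
const WATCH = {
  'lambda:AddPermission': (p) => (p.principal === '*'
    ? 'function resource policy opened to any principal'
    : 'function resource policy changed'),
  'lambda:UpdateFunctionConfiguration': (p) => (p.role
    ? `execution role changed to ${p.role}`
    : 'function configuration changed'),
  'lambda:UpdateFunctionCode': () => 'function code replaced outside the pipeline',
  'iam:PutRolePolicy': (p) => `inline policy added to role ${p.roleName}`,
  'iam:AttachRolePolicy': (p) => `managed policy attached to role ${p.roleName}`,
};

// Returns one finding per successful watchlisted call. Denied attempts (errorCode
// set) changed nothing, so they are left for a separate failed-call counter.
function flagRiskyEvents(records) {
  const findings = [];
  for (const r of records) {
    const s = summarize(r);
    const rule = WATCH[s.what];
    if (!rule || s.error) continue;
    findings.push({ ...s, reason: rule(r.requestParameters || {}) });
  }
  return findings;
}

module.exports = { RECORDS, summarize, flagRiskyEvents };
```

In practice the records arrive in a CloudWatch Logs group fed by the trail, where the same matching can be expressed as a metric filter that alarms, and the findings carry exactly the fields (who, when, from where) an incident responder needs to scope what happened next.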
AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
Summary
• What is Serverless?
• Overview of AWS Lambda, API Gateway, and Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary
Additional Resources
- Serverless on AWS
- Serverless Computing on AWS
- re:Invent Talks and Webinars
- Serverless Auth: Identity Management
- Add User Sign-in, Management, and Security with Cognito
- Deep Dive on AWS Lambda
- Reference Projects
- Serverless Auth Reference App
- Cognito Angular 2 Quickstart
- Cognito API Gateway Auth Reference
Thank you!