Securing your Lambda 101

Transcript

1. Securing your Lambda 101

2. :~/$whoami • Security Engineer @Yandex Cloud • Author of quite

   a few articles on macOS malware • Former macOS malware analyst @Kaspersky • /in/mogilin/ 2

3. • What are AWS Lambdas? • Why go serverless? •

   How do Lambdas work? • Security and risk assessment • Case 1: Abusing environment secrets • Case 2: Abusing request forgery + demo • Case 3: Avoiding fork bombs • Questions and feedback Agenda 3

4. AWS Lambda is a compute service that runs your code

   in response to events and automatically manages the compute resources, making it the fastest way to turn an idea into a modern, production, serverless applications. What are AWS Lambdas? 4

5. Why go serverless? 5

6. Why go serverless? 6

7. Why go serverless? 7

8. Why go serverless? 8

9. • Cost-e ff ective. Pay as you go Why go

   serverless? 9

10. • Cost-e ff ective. Pay as you go • No

    ops. No need to provision additional resources, k8s- clusters, schedulers Why go serverless? 10

11. • Cost-e ff ective. Pay as you go • No

    ops. No need to provision additional resources, k8s- clusters, schedulers • Speed. Lambda functions provide cached runtime Why go serverless? 11

12. • Cost-e ff ective. Pay as you go • No

    ops. No need to provision additional resources, k8s- clusters, schedulers • Speed. Lambda functions provide cached runtime • Scalability. Let your CSP handle the scaling Why go serverless? 12

13. How do Lambdas work? Your_code.zip 13

14. How do Lambdas work? 14 import json import logging logger

    = logging.getLogger() logger.setLevel(logging.INFO) def lambda_handler(event, context): # main code goes here… Init section Function-handler of the event Your_code.zip

15. How do Lambdas work? 15 import json import logging logger

    = logging.getLogger() logger.setLevel(logging.INFO) def lambda_handler(event, context): # main code goes here… Init section Function-handler of the event Your_code.zip context includes: • function ARN • CloudWatch log group name • Lambda request ID event holds the data of request

16. How do Lambdas work? 16

17. How do Lambdas work? 17

18. Security and risks assessment Original NIST 800-30 presentation 18

19. Key Lambda risks *RCE = Remote code execution **SSRF =

    Server Side Request Forgery Rami McCarthy on Lamda risks 1. backdoor Lambda 👉 leak subsequent events via RCE* 2. retrieve the source via RCE* 3. retrieve environment variables, given a fi le read vulnerability or SSRF** 4. given permission to invoke the function, view its logs 5. generate a fork bomb 19

20. What?!

21. Abusing environment secrets Do you see the vulnerability?👀 21

22. Abusing environment secrets event[‘prefix’] is unsanitized and passed directly into

    bash 22 try event[‘prefix’]=“; env”

23. • Sanitize your input • No eval() or os.Popen() or

    any other direct executions • AWS_SESSION_TOKEN, AWS_SECRET_ACCESS_KEY, AWS_ACCESS_KEY_ID should be kept in secret!! Abusing environment secrets Lessons learned 23

24. Abusing request forgery 24

25. Abusing request forgery 25

26. Demo

27. • Validate your input — no internal IPs, no excess

    URL schemes • One Lambda per one task 👉 least privilege Abusing request forgery Lessons learned 27

28. Avoiding fork bombs 28

29. Avoiding fork bombs 29

30. • Avoid recursion — 1 Lambda per 1 task •

    Con fi gure logging inside Lambda • Create a billing alarm per service • Limit concurrent executions (if possible) Avoiding fork bombs Lessons learned 30

31. Thank you!

32. Questions? Feedback form