Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The ~~Ten~~ Three Most Critical Security Risks ...
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Koji Nakayama
April 26, 2018
Technology
1.6k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
The ~~Ten~~ Three Most Critical Security Risks in Serverless Architectures
Ruby開発様の姫島オフィスにて発表した資料です
Koji Nakayama
April 26, 2018
More Decks by Koji Nakayama
See All by Koji Nakayama
Software Testing in AWS IoT with The Power of Python
knakayama
0
1.8k
サーバーレス x IoT 〜我々はどういった課題に直面してそれをどのように解決したのか〜
knakayama
0
1.5k
Bloxが切り開くECSの世界
knakayama
1
1.3k
AWS Serverless Application Modelのデプロイ戦略
knakayama
4
2.5k
github-classmethod-study-20170426
knakayama
1
3.9k
サーバレスアーキテクチャはじめの一歩
knakayama
1
1.6k
Other Decks in Technology
See All in Technology
SRE Next 2026 何でも屋からの脱却
bto
0
220
なぜ私たちのSREプラクティスはなかなか機能しないのか 〜システムより先に組織を見る〜 / Why our SRE practices aren't really working
vtryo
3
3.1k
AWS Summit の片隅で、体育座りしながらコミュニティがにぎわう理由を考えた
k_adachi_01
2
360
しぶいSRE: サーバから見えない障害にどう向き合うか。ラストワンマイルのデバッグ実践 / Shibui SRE
kanny
12
5.4k
オブザーバビリティ、本当に活用できてる? 〜API連携×生成AIで成熟度を自動評価〜
dmmsre
1
2.5k
実装だけじゃない! CCA-F取得エンジニアが教えるClaude Code開発プロセス活用術
diggymo
2
480
事業価値を⽣み出すSREへ SREが担うべき意思決定の5層
kenta_hi
2
2.8k
【Claude Code】鹿野さんに聞く 私の推しの並行開発環境 大公開 / claude-code-parallel-2026-07-15
tonkotsuboy_com
3
470
Control Planeで育てるBtoB SaaSの認証基盤 - SRE NEXT 2026
pokohide
1
1.9k
SRE依存からの脱却 運用を開 発チームへ移す、 フルサイ クル開 発体制の実践
joooee0000
0
2.2k
20260702_生成AIはどこまで成長するのか_チャットだけじゃない世界
doradora09
PRO
0
110
AIペネトレーションテスト・ セキュリティ検証「AgenticSec」紹介資料
laysakura
2
8.1k
Featured
See All Featured
Documentation Writing (for coders)
carmenintech
77
5.4k
Discover your Explorer Soul
emna__ayadi
2
1.2k
The Curious Case for Waylosing
cassininazir
1
430
The SEO Collaboration Effect
kristinabergwall1
1
500
Faster Mobile Websites
deanohume
310
32k
Why You Should Never Use an ORM
jnunemaker
PRO
61
9.9k
The Illustrated Guide to Node.js - THAT Conference 2024
reverentgeek
1
410
A Modern Web Designer's Workflow
chriscoyier
698
190k
Scaling GitHub
holman
464
140k
Balancing Empowerment & Direction
lara
6
1.2k
Leading Effective Engineering Teams in the AI Era
addyosmani
9
2.1k
Measuring Dark Social's Impact On Conversion and Attribution
stephenakadiri
2
230
Transcript
The Ten Three Most Critical Security Risks in Serverless Architectures
2018/04/26 Ӿઊ ଛလ@䆠䎦 1
ᛔ૩奧Օ • Ӿઊ ଛလ • μ϶φϮϊϐϖ ϯϝαϸίϤϷςЄϠ φ᮱ • AWSϊϷϲЄτϴЀίЄκϓμϕ
• ςЄϝЄςαϖεЀυϘί • GitHub: knakayama 2
ψϐτϴЀٖͺ͚ͼ • αφ϶εϸ΄PureSecᐒ1 ͢ڊͭ͵White Paper΄ٖΨ䝏壧ͭͼͪ奧Օ • ͩ΄White Paper΅ςЄϝЄϹφίϤϷξЄτϴЀͽ䶲ΨͺͧΡΏͣψ κϲϷϓΰΨ10㮆奧Օͭ͵Θ΄ •
ᇙ岉ޱႮ͡͵3ͺΨ奧Օ • ΞΠ托ͭͥ΅ܻ݇ᆙ2 2 https://www.puresec.io/resource-download 1 https://www.puresec.io/ 3
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication
4. Functions Execution Flow Manipulation 4
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication
4. Functions Execution Flow Manipulation 5
ςЄϝЄϹφίϤϷξЄ τϴЀ;ψκϲϷϓΰ • ϳЄσ͢ᓕቘͯΡ᮱ړ͚͢ݍᶎ̵ͽͣΡ ͩ;Θ͚ • ͺΔΠ̵䕪ጱψκϲϷϓΰ΄ᘍ͞ො͢ͳ ΄ΔΔၞአͭͻΟ͚ • εЄυδЀϕαЀφϕЄϸ僻ቘ
• ψκϲϷϓΰ΄ϓφϕͿ͜ΚΡҘ • ͫΟΔͶΔͶ咲Ӿ΄ದ悬ړᰀ΄ͽ̵ϔ ϢήμϕφόЀύЄϖጱ枣䯤౮Θͫͳ ͜ 6
ΕΩͿ͜ψκϲίͯΡ͡ ಋറΠᇫ䙪Γ͚ 7
͵ͶဳͯΏͣᅩ΅ ͩ΄White Paper͡Ο憎͞Ρ͡Θ 8
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection ! 3. Broken
Authentication 4. Functions Execution Flow Manipulation 9
Function Event-Data Injection • ςЄϝЄϹφίϤϷξЄτϴЀ΅αϦЀϕϖϷϣЀ㳌ቘ͢ᤈΥΡ • ֺ: S3 -> Lambda
-> DynamoDB • ͩ΄檭̵ڹྦྷ΄αϦЀϕ͡ΟჁͫ͵ఘ䁭Ψ͚Σ͚ΣےૡͭͼOutputͯ Ρ̵;͚͜΄͢ΞֵͥΥΡϞόЄЀ • ͵Ͷ̵ͭͩ΄ϔЄόΨͳ΄ΔΔֵͼͭΔ͜;ψκϲϷϓΰ΄㺔氂 ΠΡ • ᥝͯΡ̵فێ㮔Ψͭ͡ΠϝϷϔЄτϴЀͭΔͭΝ͜;͚͜扖 10
S3 Event Notification΄ֺ { "Records": [ { ... "s3": {
"s3SchemaVersion": "1.0", "configurationId": "testConfigRule", "bucket": { "name": "example-bucket", "ownerIdentity": { "principalId": "EXAMPLE" }, "arn": "arn:aws:s3:::example-bucket" }, "object": { "key": "example-object", "size": 1024, "eTag": "0123456789abcdef0123456789abcdef", "sequencer": "0A1B2C3D4E5F678901" } } } ] } 11
ύϮύϮֺ • ηϣυδμϕ΄Ӿͩ͢ΩͶ͵Ο {"username":"foobar"+require('child_process').exec('uname -a')} 12
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication
! 4. Functions Execution Flow Manipulation 13
Broken Authentication • API Gateway + CognitoͽϳЄσ扯戣䌙فͭͼͼΘ՜΄᮱ړͽᑩ ᑮ͚ͼ͵Οޱ͚ͽͯΞ • S3ϝξϐϕΨ僻洏ϞϣϷϐμͭͼ͚ͽͯ͡Ҙ
• ϔϤϺαϮЀϕϞϐξЄυل樄ͭͷΙͼ͚ͽͯ͡Ҙ • ͷΙΩ;IAM戔ਧͭΞ͜ 14
ύϮύϮֺ 15
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication
4. Functions Execution Flow Manipulation 16
Functions Execution Flow Manipulation • ίϤϷξЄτϴЀ΄ϺυϐμΨͼ䘂ͫͯΡ;͚͜Θ΄ • ςЄϝЄϹφίϤϷξЄτϴЀ΄䁰ݳ̵愢හ΄AWSϷϊЄφ͢ 奲ΕݳΥͫͼ㵕ͥ;͚͜ᇙӤ̵1ͺͽΘᑩ͘͢Ρ;䘂ͫͭ Κ͚ͯ᮱ړ΅͵ͭ͘͡Πͳ͜
• ͩͷΘݶͮΞ͜IAM΄戔ਧͭͼ䘂ͫͽ͚ͣΞͭ͜Δ ͭΝ͜;͚͜͠扖 17
Manipulation΄ֺ 18
Δ;Η • White Paper䨗͚ͼ͘Ρͩ;΅奾䯤୮͵Πڹ΄ͩ;ͭ͡䨗͚ͼ ͚ • ͵Ͷ̵ͭ୮͵Πڹ΄ͩ;Ψ୮͵ΠڹͯΡ΄΅क़;櫞͚ͭ • ͘͞ͼݷڹΨͺͧΡͩ;ͽͳ΄㺔氂Ψ扯挷̵ͭ挷ͭΚͯͥͯ Ρ΄΅᯿ᥝ
• 䌏ᒽΘͷΙΩ;䨗͚ͼ͘Ρ΄ͽӞଶ抎ΩͽΕͼ΅ 19