Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
The ~~Ten~~ Three Most Critical Security Risks ...
Search
Koji Nakayama
April 26, 2018
Technology
1.6k
2
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
The ~~Ten~~ Three Most Critical Security Risks in Serverless Architectures
Ruby開発様の姫島オフィスにて発表した資料です
Koji Nakayama
April 26, 2018
More Decks by Koji Nakayama
See All by Koji Nakayama
Software Testing in AWS IoT with The Power of Python
knakayama
0
1.8k
サーバーレス x IoT 〜我々はどういった課題に直面してそれをどのように解決したのか〜
knakayama
0
1.5k
Bloxが切り開くECSの世界
knakayama
1
1.3k
AWS Serverless Application Modelのデプロイ戦略
knakayama
4
2.5k
github-classmethod-study-20170426
knakayama
1
3.9k
サーバレスアーキテクチャはじめの一歩
knakayama
1
1.6k
Other Decks in Technology
See All in Technology
Control Planeで育てるBtoB SaaSの認証基盤 - SRE NEXT 2026
pokohide
1
1.9k
SRE依存からの脱却 運用を開 発チームへ移す、 フルサイ クル開 発体制の実践
joooee0000
0
2.2k
Baseline対応のDOMの型定義を作った
uhyo
3
720
アカウントが増えてからでは遅い? ~ マルチアカウント統制の勘所 ~
kenichinakamura
0
210
実装だけじゃない! CCA-F取得エンジニアが教えるClaude Code開発プロセス活用術
diggymo
2
480
ポストモーテム! DDoSからサイトは守れた。 でもビジネスは守れなかった。
bengo4com
0
2.2k
AIに「使われる」時代のSaaS戦略 〜既存WebAPIのMCPサーバー化における開発ノウハウ〜
ekispert_api
0
300
AIDLC_ヤフーショッピングの取り組み
lycorptech_jp
PRO
0
580
プロダクトだけじゃない、社内プロセスにおける自動化・省力化ノススメ
kakehashi
PRO
1
3.2k
デジタル・デザイン構想 by Sayaka Ishizuka
y150saya
0
200
“全部コピーしない”ファイルデータの活用 : — FSx for ONTAP × S3 Tables × Icebergで作るメタデータカタログ
yoshiki0705
0
600
cccccc
moznion
0
1.8k
Featured
See All Featured
What's in a price? How to price your products and services
michaelherold
247
13k
Money Talks: Using Revenue to Get Sh*t Done
nikkihalliwell
0
290
Dominate Local Search Results - an insider guide to GBP, reviews, and Local SEO
greggifford
PRO
0
200
How to optimise 3,500 product descriptions for ecommerce in one day using ChatGPT
katarinadahlin
PRO
1
3.7k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
35
3.5k
Thoughts on Productivity
jonyablonski
76
5.2k
Building Applications with DynamoDB
mza
96
7.1k
The SEO identity crisis: Don't let AI make you average
varn
0
510
Evolving SEO for Evolving Search Engines
ryanjones
0
240
How to make the Groovebox
asonas
2
2.3k
A better future with KSS
kneath
240
18k
Conquering PDFs: document understanding beyond plain text
inesmontani
PRO
4
2.9k
Transcript
The Ten Three Most Critical Security Risks in Serverless Architectures
2018/04/26 Ӿઊ ଛလ@䆠䎦 1
ᛔ૩奧Օ • Ӿઊ ଛလ • μ϶φϮϊϐϖ ϯϝαϸίϤϷςЄϠ φ᮱ • AWSϊϷϲЄτϴЀίЄκϓμϕ
• ςЄϝЄςαϖεЀυϘί • GitHub: knakayama 2
ψϐτϴЀٖͺ͚ͼ • αφ϶εϸ΄PureSecᐒ1 ͢ڊͭ͵White Paper΄ٖΨ䝏壧ͭͼͪ奧Օ • ͩ΄White Paper΅ςЄϝЄϹφίϤϷξЄτϴЀͽ䶲ΨͺͧΡΏͣψ κϲϷϓΰΨ10㮆奧Օͭ͵Θ΄ •
ᇙ岉ޱႮ͡͵3ͺΨ奧Օ • ΞΠ托ͭͥ΅ܻ݇ᆙ2 2 https://www.puresec.io/resource-download 1 https://www.puresec.io/ 3
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication
4. Functions Execution Flow Manipulation 4
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication
4. Functions Execution Flow Manipulation 5
ςЄϝЄϹφίϤϷξЄ τϴЀ;ψκϲϷϓΰ • ϳЄσ͢ᓕቘͯΡ᮱ړ͚͢ݍᶎ̵ͽͣΡ ͩ;Θ͚ • ͺΔΠ̵䕪ጱψκϲϷϓΰ΄ᘍ͞ො͢ͳ ΄ΔΔၞአͭͻΟ͚ • εЄυδЀϕαЀφϕЄϸ僻ቘ
• ψκϲϷϓΰ΄ϓφϕͿ͜ΚΡҘ • ͫΟΔͶΔͶ咲Ӿ΄ದ悬ړᰀ΄ͽ̵ϔ ϢήμϕφόЀύЄϖጱ枣䯤౮Θͫͳ ͜ 6
ΕΩͿ͜ψκϲίͯΡ͡ ಋറΠᇫ䙪Γ͚ 7
͵ͶဳͯΏͣᅩ΅ ͩ΄White Paper͡Ο憎͞Ρ͡Θ 8
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection ! 3. Broken
Authentication 4. Functions Execution Flow Manipulation 9
Function Event-Data Injection • ςЄϝЄϹφίϤϷξЄτϴЀ΅αϦЀϕϖϷϣЀ㳌ቘ͢ᤈΥΡ • ֺ: S3 -> Lambda
-> DynamoDB • ͩ΄檭̵ڹྦྷ΄αϦЀϕ͡ΟჁͫ͵ఘ䁭Ψ͚Σ͚ΣےૡͭͼOutputͯ Ρ̵;͚͜΄͢ΞֵͥΥΡϞόЄЀ • ͵Ͷ̵ͭͩ΄ϔЄόΨͳ΄ΔΔֵͼͭΔ͜;ψκϲϷϓΰ΄㺔氂 ΠΡ • ᥝͯΡ̵فێ㮔Ψͭ͡ΠϝϷϔЄτϴЀͭΔͭΝ͜;͚͜扖 10
S3 Event Notification΄ֺ { "Records": [ { ... "s3": {
"s3SchemaVersion": "1.0", "configurationId": "testConfigRule", "bucket": { "name": "example-bucket", "ownerIdentity": { "principalId": "EXAMPLE" }, "arn": "arn:aws:s3:::example-bucket" }, "object": { "key": "example-object", "size": 1024, "eTag": "0123456789abcdef0123456789abcdef", "sequencer": "0A1B2C3D4E5F678901" } } } ] } 11
ύϮύϮֺ • ηϣυδμϕ΄Ӿͩ͢ΩͶ͵Ο {"username":"foobar"+require('child_process').exec('uname -a')} 12
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication
! 4. Functions Execution Flow Manipulation 13
Broken Authentication • API Gateway + CognitoͽϳЄσ扯戣䌙فͭͼͼΘ՜΄᮱ړͽᑩ ᑮ͚ͼ͵Οޱ͚ͽͯΞ • S3ϝξϐϕΨ僻洏ϞϣϷϐμͭͼ͚ͽͯ͡Ҙ
• ϔϤϺαϮЀϕϞϐξЄυل樄ͭͷΙͼ͚ͽͯ͡Ҙ • ͷΙΩ;IAM戔ਧͭΞ͜ 14
ύϮύϮֺ 15
ίυδЀύ 1. ςЄϝЄϹφίϤϷξЄτϴЀᇙํ΄ψκϲϷϓΰ 2. Function Event-Data Injection 3. Broken Authentication
4. Functions Execution Flow Manipulation 16
Functions Execution Flow Manipulation • ίϤϷξЄτϴЀ΄ϺυϐμΨͼ䘂ͫͯΡ;͚͜Θ΄ • ςЄϝЄϹφίϤϷξЄτϴЀ΄䁰ݳ̵愢හ΄AWSϷϊЄφ͢ 奲ΕݳΥͫͼ㵕ͥ;͚͜ᇙӤ̵1ͺͽΘᑩ͘͢Ρ;䘂ͫͭ Κ͚ͯ᮱ړ΅͵ͭ͘͡Πͳ͜
• ͩͷΘݶͮΞ͜IAM΄戔ਧͭͼ䘂ͫͽ͚ͣΞͭ͜Δ ͭΝ͜;͚͜͠扖 17
Manipulation΄ֺ 18
Δ;Η • White Paper䨗͚ͼ͘Ρͩ;΅奾䯤୮͵Πڹ΄ͩ;ͭ͡䨗͚ͼ ͚ • ͵Ͷ̵ͭ୮͵Πڹ΄ͩ;Ψ୮͵ΠڹͯΡ΄΅क़;櫞͚ͭ • ͘͞ͼݷڹΨͺͧΡͩ;ͽͳ΄㺔氂Ψ扯挷̵ͭ挷ͭΚͯͥͯ Ρ΄΅᯿ᥝ
• 䌏ᒽΘͷΙΩ;䨗͚ͼ͘Ρ΄ͽӞଶ抎ΩͽΕͼ΅ 19