Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Deploy Security Controls for Serverless Apps wi...

Deploy Security Controls for Serverless Apps with Infrastructure as Code Tools

Many fundamental security practices and controls apply to serverless applications, including implementing proper monitoring and logging of all requests and events. This session will cover recommendations published by the Center for Internet Security (CIS), how to automate the deployment of some of these controls, as well as outlining additional considerations relevant to serverless functions.

Luis Colon @ AWS

May 15, 2018
Tweet

More Decks by Luis Colon @ AWS

Other Decks in Programming

Transcript

  1. AWS User Group Vancouver May 15 2018 Deploy Security Controls

    for Serverless Apps with Infrastructure as Code Tools Luis Colon ([email protected]) Senior Developer Advocate, AWS CloudFormation © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved
  2. Agenda •Serverless security compared to traditional challenges •Top security concerns

    for serverless, with examples •Monitoring •Additional advice •Tools to harden and automate controls
  3. Monitoring and Logging •AWS CloudWatch •AWS CloudTrail •AWS Config •AWS

    ConfigRules •AWS X-Ray •Amazon Macie •Dashbird •…no need to write your own
  4. Monitoring and Logging •AWS CloudWatch •AWS CloudTrail •AWS Config •AWS

    ConfigRules •AWS X-Ray •Amazon Macie •Dashbird •…no need to write your own
  5. Monitoring and Logging •AWS CloudWatch •AWS CloudTrail •AWS Config •AWS

    ConfigRules •AWS X-Ray •Amazon Macie •Dashbird •…no need to write your own
  6. Authentication and Permissions •Reuse existing systems •AWS Cognito •Auth0 •JWT

    •Least Privilege •No * in IAM policies •No individual permissions (use roles/groups) •Per function •Single responsibility •Protect secrets •Don’t expose in logs, code or alerts •Encryption •Rotate keys to mitigate events
  7. Assume the worst • Use the tools at your disposal

    • Your own audits • Log logins, failed logins, account changes (password changes, email changes), confirm db transactions… • have thresholds on logins from an address, db connections, queries per second • DoW • Chaos engineering • Improve testing • Rotate credentials • Separate credentials and policies for different functions • Remove unused functions • Harden accounts and environments • Automate your controls
  8. Summary •With serverless, you have a few less things to

    worry about, but still plenty of things… •Many standard best practices apply •Improve controls, logging, monitoring, etc. incrementally and on an ongoing basis •Automate your controls •Leverage the many tools available
  9. Further Reading •Securing Serverless - a Newbie's Guide •https://www.jeremydaly.com/securing-serverless-a-newbies-guide/ •Yan

    Cui’s “Many-faced threats to Serverless security” – October 25, 2017 •Hacking Severless Runtimes whitepaper - Andrew Krug and Graham Jones – July 15, 2017 •Serverless Security implications—from infra to OWASP - Guy Podjarny – April 19, 2017 •The Ten Most Critical Security Risks in Serverless Architectures - PureSec – January 17, 2018 •AWS Doc: Lambda Best Practices •https://docs.aws.amazon.com/lambda/latest/dg/best-practices.html
  10. Links •Detect vulnerabilities on your dependencies https://snyk.io/ •Prowler for CLI

    checks: https://github.com/toniblyx/prowler •https://hackernoon.com/many-faced-threats-to-serverless-security-519e94d19dba •CIS Hardening Guidelines: https://aws.amazon.com/blogs/security/announcing-industry- best-practices-for-securing-aws-resources/ •https://github.com/awslabs/aws-security-benchmark •https://medium.com/dashbird/is-your-serverless-as-good-as-you-think-it- is-2baa3d36b1de •https://medium.com/@fastup/aws-iam-for-serverless-development-ba24be03cd2