Upgrade to Pro — share decks privately, control downloads, hide ads and more …

La sécurité de vos applications serverless

La sécurité de vos applications serverless

Les architectures serverless ont changé la manière dont nous développons du logiciel en nous donnant plus d'agilité, de fiabilité tout en diminuant les coûts. Dans cette session, nous montrerons comment sécuriser vos applications serverless et partagerons les "best practices" que nous observons chez nos clients. Nous parlerons du modèle de responsabilité partagé, du mode devops en serverless, de l'autentification et des authorisations, de la gestion et de la tracabilité de vos applications serverless.

More Decks by Sébastien Stormacq - AWS Developer Advocate

Other Decks in Technology

Transcript

  1. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing serverless services Walid Benabderrahmane – Solutions Architect Amazon Web Services
  2. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Customer’s responsibility AWS takes over responsibility from customers AWS IAM (Federation) Customer IAM API Endpoints Mgmt. Protocols API Calls Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer Content Client-side Data Encryption Server-side Data Encryption (optional) Network Traffic Protection Foundations: Shared Responsibility - Infrastructure
  3. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Customer’s responsibility AWS takes over responsibility from customers AWS IAM (Federation) Customer IAM API Endpoints Mgmt. Protocols API Calls Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer Content Client-side Data Encryption Server-side Data Encryption (optional) Network Traffic Protection Foundations: Shared Responsibility - Container
  4. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Customer’s responsibility AWS takes over responsibility from customers AWS IAM (Federation) API Endpoints API Calls Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer Content Client-side Data Encryption Server-side Data Encryption (optional) Network Traffic Protection Foundations: Shared Responsibility - Abstracted
  5. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Security: A Very High Bar Compliance – Programs and certifications
  6. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. What is serverless? No infrastructure provisioning, no management Automatic scaling Pay for value Highly available and secure
  7. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. AWS Lambda AWS Fargate Amazon API Gateway Amazon SNS Amazon SQS AWS Step Functions Compute Data stores Integration Amazon Aurora Serverless Amazon S3 Amazon DynamoDB AWS AppSync
  8. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Let’s focus on the compute layer Elastic container service For Kubernetes No control plane to manage Deploy worker nodes Amazon EKS Kubernetes- certified Amazon EKS Elastic container services Container orchestration Deploy in a VPC Docker-oriented Amazon ECS
  9. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Serverless compute engine for containers Long-running Bring existing code Fully managed orchestration AWS Fargate Let’s focus on the compute layer Serverless event-driven code execution Short-lived All language runtimes Data source integrations AWS Lambda
  10. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Comparison of operational responsibility Lambda Serverless functions Fargate Serverless containers Amazon ECS/ Amazon EKS Container management as a service Amazon EC2 Infrastructure as a service More opinionated Less opinionated AWS manages Customer manages • Data source integrations • Physical hardware, software, networking, and facilities • Provisioning • Application code • Container orchestration, provisioning • Cluster scaling • Physical hardware, host OS/kernel, networking, and facilities • Application code • Data source integrations • Security config and updates, network config, management tasks • Container orchestration control plane • Physical hardware software, networking, and facilities • Application code • Data source integrations • Work clusters • Security config and updates, network config, firewall, management tasks • Physical hardware software, networking, and facilities • Application code • Data source integrations • Scaling • Security config and updates, network config, management tasks • Provisioning, managing scaling and patching of servers
  11. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda functions API Gateway Core business logic RESTful microservices DynamoDB https://api.myapp.com AWS Cloud Mobile app Pure serverless can be straightforward
  12. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda functions Amazon S3 API Gateway Dynamic website content Web application Amazon CloudFront distribution Static website content (HTML/JS/CSS) DynamoDB Amazon RDS ElastiCache Amazon S3 https://api.example.com www.example.com VPC AWS Cloud Web browser Some infrastructure is still there
  13. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda worker architecture Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code
  14. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda isolation One function One account Many accounts Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code Keeping workloads safe and separate
  15. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda execution environments • Upon invocation, Lambda data plane creates execution environment (or chooses an existing one) in a microVM • Execution environments are never shared across functions, and microVMs are never shared across AWS accounts
  16. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Isolation between MicroVMs Two models: EC2 instances and Firecracker (open source hypervisor)
  17. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Firecracker Micro-VMs Security Speed by design Scale and efficiency Minimal device model reduces memory footprint and attack surface area User-space code in <125ms, 150 microVM per second per host Low memory overhead with high density (thousands) of microVMs on each server
  18. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda isolation using Firecracker Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code Firecracker Amazon EC2 bare metal
  19. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda isolation using Firecracker One account and one function Many accounts Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code Keeping workloads safe and separate
  20. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Domains of security for (serverless) applications Infrastructure Data Code Identity & Access Logging & Monitoring
  21. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. OWASP 2017- Top 10 Web Application Security Risks Rank Security risks 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities (XXE) 5 Broken Access Control 6 Security Misconfiguration 7 Cross-Site Scripting (XSS) 8 Insecure Deserialization 9 Using Components with Known Vulnerabilities 10 Insufficient Logging & Monitoring https://www.owasp.org • Exploitability • Prevalence • Detectability • Technical impact
  22. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. OWASP Top 10 mapped to security domains Infrastructure Data Code Identity & Access Logging & Monitoring • Broken Authentication(#2) • Broken Access Control (#5) • Injection (#1) • XXE (#4) • XSS (#7) • Insecure Deserialization (#8) • Using Components with Known Vulnerabilities (#9) • Sensitive Data Exposure (#3) • Using Components with Known Vulnerabilities (#9) • Security Misconfiguration (#6) • Insufficient Logging & Monitoring (#10)
  23. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Identity and access management for serverless applications • Authenticate and authorize end- users/clients • Access between backend services (e.g. AWS Lambda to DynamoDB tables) Infrastructure Data Code Identity & Access Logging & Monitoring
  24. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Identity and Access Management Using AWS IAM Using Amazon Cognito
  25. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda functions API Gateway DynamoDB Mobile app Reference architecture Amazon Cognito
  26. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Security in access management and identity layer Access control between services Authenticate and authorize end users/clients
  27. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Identity and Access Management—Lambda . . . { "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*" } . . . { "Effect": "Allow", "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetItem" ], "Resource": "arn:aws:dynamodb:us-east-1:*:table/session" }
  28. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing code for serverless applications • Input validation • Dependency vulnerabilities • Secrets in source code Infrastructure Data Code Identity & Access Logging & Monitoring
  29. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Security in compute Layer Input validation • AWS WAF: • XSS rules • SQL injection rules • Secrets Manager • AWS Systems Manager Dependency vulnerabilities Storing secrets • Use Lambda layers
  30. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda layers Lets functions easily share code: Upload layer once, reference within any function Promote separation of responsibilities, lets developers iterate faster on writing business logic Built-in support for secure sharing by ecosystem
  31. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing data for serverless applications Your responsibility: • Data Classification and Data Flow • Tokenization • Encryption at rest • Encryption in transit • Data Backup/Replication/Recovery AWS platform takes care of: Automatic replication of data across availability zones for high durability Managed backups/ encryption Infrastructure Data Code Identity & Access Logging & Monitoring
  32. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Security in data layer Data classification Data backup/replication Data encryption at rest Data flow Data encryption in transit Data tokenization
  33. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing infrastructure for serverless applications Your responsibility: • DDOS protection • Throttling/ Rate limiting • Network boundaries Serverless platform takes care of: Physical security Virtualization OS security & patching Scaling & HA Infrastructure Data Code Identity & Access Logging & Monitoring
  34. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing infrastructure for serverless applications DDOS protection + Throttling/ Rate limiting Network boundaries • AWS Shield Standard • AWS Shield Advanced • AWS WAF: • Geoblocking • IP reputation lists • Rate-based rules • Size constraint • … • API Gateway: • Account level throttling • API Stage level throttling • Usage Plan • Method level throttling • Metered by API key • Request rate and Quota limits • AWS Lambda : • concurrency Limits • API Gateway: • Private VPC endpoints • AWS Lambda: • Access resources in VPC • Security groups • NACLs • Proxy-based egress filtering
  35. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Logging & monitoring for serverless applications • Application logs • Access logs • Control plane audit logs • Metrics • Alarms • Compliance validation Infrastructure Data Code Identity & Access Logging & Monitoring
  36. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. X-Ray Security in system monitoring layer Logging and tracing Metrics Compliance validation
  37. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Cloud adoption framework – Security perspective CloudWatch CloudTrail AWS Trusted Advisor Amazon Cognito Amazon GuardDuty AWS Certificate Manager IAM AWS KMS AWS Security Hub AWS Secrets Manager AWS Shield AWS WAF Amazon VPC PrivateLink Lambda functions CloudWatch X-Ray
  38. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Serverless Security Partners
  39. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Serverless Monitoring Partners