La sécurité de vos applications serverless

Transcript

1. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Securing serverless services Walid Benabderrahmane – Solutions Architect Amazon Web Services

2. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Customer’s responsibility AWS takes over responsibility from customers AWS IAM (Federation) Customer IAM API Endpoints Mgmt. Protocols API Calls Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer Content Client-side Data Encryption Server-side Data Encryption (optional) Network Traffic Protection Foundations: Shared Responsibility - Infrastructure

3. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Customer’s responsibility AWS takes over responsibility from customers AWS IAM (Federation) Customer IAM API Endpoints Mgmt. Protocols API Calls Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer Content Client-side Data Encryption Server-side Data Encryption (optional) Network Traffic Protection Foundations: Shared Responsibility - Container

4. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. AWS Foundation Services Compute Storage Database Networking AWS Global Infrastructure Regions Availability Zones Edge Locations Customer’s responsibility AWS takes over responsibility from customers AWS IAM (Federation) API Endpoints API Calls Platform, Applications, Identity & Access Management Operating System, Network & Firewall Configuration Customer Content Client-side Data Encryption Server-side Data Encryption (optional) Network Traffic Protection Foundations: Shared Responsibility - Abstracted

5. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. AWS Security: A Very High Bar Compliance – Programs and certifications

6. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved.

7. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. What is serverless? No infrastructure provisioning, no management Automatic scaling Pay for value Highly available and secure

8. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. AWS Lambda AWS Fargate Amazon API Gateway Amazon SNS Amazon SQS AWS Step Functions Compute Data stores Integration Amazon Aurora Serverless Amazon S3 Amazon DynamoDB AWS AppSync

9. © 2019, Amazon Web Services, Inc. or its affiliates. All

   rights reserved. Let’s focus on the compute layer Elastic container service For Kubernetes No control plane to manage Deploy worker nodes Amazon EKS Kubernetes- certified Amazon EKS Elastic container services Container orchestration Deploy in a VPC Docker-oriented Amazon ECS

10. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Serverless compute engine for containers Long-running Bring existing code Fully managed orchestration AWS Fargate Let’s focus on the compute layer Serverless event-driven code execution Short-lived All language runtimes Data source integrations AWS Lambda

11. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Comparison of operational responsibility Lambda Serverless functions Fargate Serverless containers Amazon ECS/ Amazon EKS Container management as a service Amazon EC2 Infrastructure as a service More opinionated Less opinionated AWS manages Customer manages • Data source integrations • Physical hardware, software, networking, and facilities • Provisioning • Application code • Container orchestration, provisioning • Cluster scaling • Physical hardware, host OS/kernel, networking, and facilities • Application code • Data source integrations • Security config and updates, network config, management tasks • Container orchestration control plane • Physical hardware software, networking, and facilities • Application code • Data source integrations • Work clusters • Security config and updates, network config, firewall, management tasks • Physical hardware software, networking, and facilities • Application code • Data source integrations • Scaling • Security config and updates, network config, management tasks • Provisioning, managing scaling and patching of servers

12. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda functions API Gateway Core business logic RESTful microservices DynamoDB https://api.myapp.com AWS Cloud Mobile app Pure serverless can be straightforward

13. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda functions Amazon S3 API Gateway Dynamic website content Web application Amazon CloudFront distribution Static website content (HTML/JS/CSS) DynamoDB Amazon RDS ElastiCache Amazon S3 https://api.example.com www.example.com VPC AWS Cloud Web browser Some infrastructure is still there

14. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

15. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda worker architecture Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code

16. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda isolation One function One account Many accounts Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code Keeping workloads safe and separate

17. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda execution environments • Upon invocation, Lambda data plane creates execution environment (or chooses an existing one) in a microVM • Execution environments are never shared across functions, and microVMs are never shared across AWS accounts

18. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Isolation between MicroVMs Two models: EC2 instances and Firecracker (open source hypervisor)

19. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Firecracker Micro-VMs Security Speed by design Scale and efficiency Minimal device model reduces memory footprint and attack surface area User-space code in <125ms, 150 microVM per second per host Low memory overhead with high density (thousands) of microVMs on each server

20. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda isolation using Firecracker Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code Firecracker Amazon EC2 bare metal

21. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda isolation using Firecracker One account and one function Many accounts Hardware Host OS Hypervisor Guest OS Sandbox Lambda runtime Your code Keeping workloads safe and separate

22. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved.

23. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Domains of security for (serverless) applications Infrastructure Data Code Identity & Access Logging & Monitoring

24. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. OWASP 2017- Top 10 Web Application Security Risks Rank Security risks 1 Injection 2 Broken Authentication 3 Sensitive Data Exposure 4 XML External Entities (XXE) 5 Broken Access Control 6 Security Misconfiguration 7 Cross-Site Scripting (XSS) 8 Insecure Deserialization 9 Using Components with Known Vulnerabilities 10 Insufficient Logging & Monitoring https://www.owasp.org • Exploitability • Prevalence • Detectability • Technical impact

25. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. OWASP Top 10 mapped to security domains Infrastructure Data Code Identity & Access Logging & Monitoring • Broken Authentication(#2) • Broken Access Control (#5) • Injection (#1) • XXE (#4) • XSS (#7) • Insecure Deserialization (#8) • Using Components with Known Vulnerabilities (#9) • Sensitive Data Exposure (#3) • Using Components with Known Vulnerabilities (#9) • Security Misconfiguration (#6) • Insufficient Logging & Monitoring (#10)

26. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Identity and access management for serverless applications • Authenticate and authorize end- users/clients • Access between backend services (e.g. AWS Lambda to DynamoDB tables) Infrastructure Data Code Identity & Access Logging & Monitoring

27. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Identity and Access Management Using AWS IAM Using Amazon Cognito

28. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda functions API Gateway DynamoDB Mobile app Reference architecture Amazon Cognito

29. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Security in access management and identity layer Access control between services Authenticate and authorize end users/clients

30. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Identity and Access Management—Lambda . . . { "Effect": "Allow", "Action": "dynamodb:*", "Resource": "*" } . . . { "Effect": "Allow", "Action": [ "dynamodb:BatchGetItem", "dynamodb:GetItem" ], "Resource": "arn:aws:dynamodb:us-east-1:*:table/session" }

31. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing code for serverless applications • Input validation • Dependency vulnerabilities • Secrets in source code Infrastructure Data Code Identity & Access Logging & Monitoring

32. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Security in compute Layer Input validation • AWS WAF: • XSS rules • SQL injection rules • Secrets Manager • AWS Systems Manager Dependency vulnerabilities Storing secrets • Use Lambda layers

33. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Lambda layers Lets functions easily share code: Upload layer once, reference within any function Promote separation of responsibilities, lets developers iterate faster on writing business logic Built-in support for secure sharing by ecosystem

34. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing data for serverless applications Your responsibility: • Data Classification and Data Flow • Tokenization • Encryption at rest • Encryption in transit • Data Backup/Replication/Recovery AWS platform takes care of: Automatic replication of data across availability zones for high durability Managed backups/ encryption Infrastructure Data Code Identity & Access Logging & Monitoring

35. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Security in data layer Data classification Data backup/replication Data encryption at rest Data flow Data encryption in transit Data tokenization

36. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing infrastructure for serverless applications Your responsibility: • DDOS protection • Throttling/ Rate limiting • Network boundaries Serverless platform takes care of: Physical security Virtualization OS security & patching Scaling & HA Infrastructure Data Code Identity & Access Logging & Monitoring

37. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Securing infrastructure for serverless applications DDOS protection + Throttling/ Rate limiting Network boundaries • AWS Shield Standard • AWS Shield Advanced • AWS WAF: • Geoblocking • IP reputation lists • Rate-based rules • Size constraint • … • API Gateway: • Account level throttling • API Stage level throttling • Usage Plan • Method level throttling • Metered by API key • Request rate and Quota limits • AWS Lambda : • concurrency Limits • API Gateway: • Private VPC endpoints • AWS Lambda: • Access resources in VPC • Security groups • NACLs • Proxy-based egress filtering

38. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Logging & monitoring for serverless applications • Application logs • Access logs • Control plane audit logs • Metrics • Alarms • Compliance validation Infrastructure Data Code Identity & Access Logging & Monitoring

39. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. X-Ray Security in system monitoring layer Logging and tracing Metrics Compliance validation

40. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Cloud adoption framework – Security perspective CloudWatch CloudTrail AWS Trusted Advisor Amazon Cognito Amazon GuardDuty AWS Certificate Manager IAM AWS KMS AWS Security Hub AWS Secrets Manager AWS Shield AWS WAF Amazon VPC PrivateLink Lambda functions CloudWatch X-Ray

41. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Serverless Security Partners

42. © 2019, Amazon Web Services, Inc. or its affiliates. All

    rights reserved. Serverless Monitoring Partners

43. Merci! © 2019, Amazon Web Services, Inc. or its affiliates.

    All rights reserved. Walid Benabderrahmane [email protected]