How to secure a serverless web application on AWS

Veliswa Boya

November 05, 2020

Transcript

  1. © 2020, Amazon Web Services, Inc. or its Affiliates. All rights reserved. Veliswa Boya, 04 November 2020. Securing a serverless web app on AWS
  2. Agenda
     • The case for serverless
     • Security principles in the serverless context
     • Serverless architectures and security patterns
  3. The case for serverless: The Shared Responsibility Model
  4. Security Principles in the serverless context
  5. Security Principles in the serverless context
     ❑ Keep security simple
     ❑ The Principle of Least Privilege
     ❑ Defence in depth (defence at every layer)
     https://blog.threatpress.com/security-design-principles-owasp/
  6. ❶ Keep security simple (architecture diagram: Client, Amazon Cognito, Amazon API Gateway, AWS Lambda, Amazon DynamoDB, AWS WAF, AWS IAM, AWS KMS, AWS Secrets Manager, AWS Firewall Manager, AWS Shield)
  7. ❷ The Principle of Least Privilege – Only assign what’s needed to perform the task at hand
     {
       "Version": "2012-10-17",
       "Statement": {
         "Effect": "Allow",
         "Action": "dynamodb:PutItem",
         "Resource": "arn:aws:dynamodb:eu-west-1:084642048058:table/Flowers"
       }
     }
  8. ❸ Defence in depth (defence at every layer) (architecture diagram: Client, Amazon Cognito, Amazon API Gateway, AWS Lambda, Amazon DynamoDB, AWS WAF, AWS IAM, AWS KMS, AWS Secrets Manager, AWS Firewall Manager, AWS Shield)
  9. Security Patterns for Serverless architectures
  10. Security Patterns for Serverless architectures
      ❑ Protect against web attacks
      ❑ Authenticate access to web application
      ❑ Control access to APIs
      ❑ Secure storage of credentials
      ❑ Control access to AWS resources
      ❑ Protect against data loss
  11. Protect against web attacks – Which to choose?
      Diagram labels: Client; AWS WAF (DDoS, XSS, SQLi); … or ALB or API Gateway.
      • AWS WAF: Application Layer 7 of the OSI Model. Granular control over the protection that is added to your resources?
      • AWS Firewall Manager: simplifies admin and management across accounts. Using your WAF across accounts and need to accelerate your AWS WAF configurations?
      • DDoS protection at Layer 3 (Network), Layer 4 (Transport) and Layer 7 of the OSI Model. Does your app have high visibility? Prone to frequent DDoS attacks?
  12. Authenticate access to web application (diagram labels: Client, JWT, JWT)
      • For user pools >> scalable user directories that provide sign-up and sign-in options for the app users
      • For identity pools >> provide temporary credentials to grant users access to AWS services (guest or signed in) >> federated identities for social sign-in (Facebook, Google, Amazon, Apple)
  13. Control access to APIs
  14. Control access to APIs
  15. Control access to APIs
  16. Control access to APIs
  17. Secrets Manager for securing credentials (diagram labels: AWS Secrets Manager, Amazon RDS, OR, Automatic rotation every 30 days)
  18. Secrets Manager for securing credentials
  19. Secrets Manager for securing credentials
  20. Control access to AWS resources – AWS IAM
      ❑ Granular permissions
      ❑ Integrated with many AWS services
      ❑ Free to use
  21. Control access to AWS resources
  22. Control access to AWS resources – Lambda Execution Role
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "logs:CreateLogGroup",
              "logs:CreateLogStream",
              "logs:PutLogEvents"
            ],
            "Resource": "*"
          }
        ]
      }
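The two policies on slides 7 and 22 illustrate both sides of least privilege: the DynamoDB policy is scoped to one table, while the execution role's `"Resource": "*"` lets the function write to any log group in the account. The following added example (not from the deck) checks IAM policy documents for such wildcards and scopes the logging statement to the function's own CloudWatch log group; the function name is a placeholder, since the deck does not name the Lambda function.

```python
import json

# Policies quoted from the deck: slide 7 (least privilege) and slide 22 (Lambda execution role).
FLOWERS_PUT_ITEM = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "dynamodb:PutItem",
                  "Resource": "arn:aws:dynamodb:eu-west-1:084642048058:table/Flowers"},
}
LAMBDA_LOGS_WIDE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
                   "Resource": "*"}],
}

def _as_list(value):
    """IAM lets Statement, Action and Resource be a single value or a list."""
    return value if isinstance(value, list) else [value]

def wildcard_findings(policy):
    """List (statement index, field, value) for Allow statements that grant every
    action of a service ('*' or 'svc:*') or apply to every resource ('*')."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "Action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((i, "Resource", resource))
    return findings

def scope_logs_policy(policy, region, account_id, function_name):
    """Return a copy in which logs-only statements with Resource '*' are limited to
    the function's own CloudWatch log group and the log streams inside it."""
    log_group = f"arn:aws:logs:{region}:{account_id}:log-group:/aws/lambda/{function_name}"
    scoped = json.loads(json.dumps(policy))  # deep copy; the input policy stays untouched
    for stmt in _as_list(scoped["Statement"]):
        actions = _as_list(stmt.get("Action", []))
        if actions and all(a.startswith("logs:") for a in actions) \
                and _as_list(stmt.get("Resource")) == ["*"]:
            stmt["Resource"] = [log_group, f"{log_group}:*"]
    return scoped

if __name__ == "__main__":
    print("slide 7 findings:", wildcard_findings(FLOWERS_PUT_ITEM))
    print("slide 22 findings:", wildcard_findings(LAMBDA_LOGS_WIDE))
    # FUNCTION_NAME_PLACEHOLDER stands in for the real function name, which the deck does not give.
    print(json.dumps(scope_logs_policy(LAMBDA_LOGS_WIDE, "eu-west-1", "084642048058",
                                       "FUNCTION_NAME_PLACEHOLDER"), indent=2))
```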
  23. Control access to AWS resources – DynamoDB table Inline Policy
  24. Protect against data loss
      ❑ AWS Key Management Service (KMS) is a managed service that makes it easy for you to create encryption keys
      ❑ Manage keys
      ❑ Control the use of encryption across a wide range of AWS services
      ❑ KMS is secure
      ❑ KMS is a resilient service
  25. Protect against data loss
  26. Conclusion: Privacy regulations, e.g. GDPR, place an imperative upon us to invest in limiting information loss.
      https://www.accenture.com/us-en/insights/security/cost-cybercrime-study
  27. Contact me: @vel12171
      https://dev.to/vel12171
      https://aws-community.africa/
      https://veliswaboya.africa