Veliswa Boya

© 2020, Amazon Web Services, Inc. or its Affiliates. All
rights reserved. Veliswa Boya 04 November 2020 Securing a serverless web app on AWS

rights reserved. Agenda • The case for serverless • Security principles in the serverless context • Serverless architectures and security patterns

rights reserved. The case for serverless The Shared Responsibility Model

rights reserved.

rights reserved. Security Principles in the serverless context

rights reserved. Security Principles in the serverless context ❑ Keep security simple ❑ The Principle of Least Privilege ❑ Defence in depth (defence at every layer) https://blog.threatpress.com/security-design-principles-owasp/

rights reserved. ❶Keep security simple Client Amazon Cognito Amazon API Gateway AWS Lambda Amazon DynamoDB AWS WAF AWS IAM AWS KMS AWS Secrets Manager AWS Firewall Manager AWS Shield

rights reserved. ❷The Principle of Least Privilege - Only assign what’s needed to perform the task at hand { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "arn:aws:dynamodb:eu-west-1:084642048058:table/Flowers" } }

rights reserved. ❸Defence in depth (defence at every layer) Client Amazon Cognito Amazon API Gateway AWS Lambda Amazon DynamoDB AWS WAF AWS IAM AWS KMS AWS Secrets Manager AWS Firewall Manager AWS Shield

rights reserved. Security Patterns for Serverless architectures

rights reserved. Security Patterns for Serverless architectures ❑ Protect against web attacks ❑ Authenticate access to web application ❑ Control access to APIs ❑ Secure storage of credentials ❑ Control access to AWS resources ❑ Protect against data loss

rights reserved. Client AWS WAF DDoS XSS SQLi AWS Firewall Manager Layer 3 Network, 4 Transport and 7 of OSI Model. Does your app have high visibility? Prone to frequent DDoS attacks? Simplifies admin and management across accounts. Using your WAF across accounts and need to accelerate your AWS WAF configurations? Application Layer 7 of OSI Model. Granular control over the protection that is added to your resources? Protect against web attacks or ALB or API Gateway Which to choose?

rights reserved.

rights reserved. Client JWT JWT Authenticate access to web application • For user pools >> scalable user directories that provide sign-up and sign- in options for the app users • For identity pools >> provide temporary credentials to grant users access to AWS services (guest or signed in) >> federated identities for social sign- in (Facebook, Google, Amazon, Apple)

rights reserved.

rights reserved. Control access to APIs √

rights reserved. Control access to APIs

rights reserved. Secrets Manager for securing credentials AWS Secrets Manager Amazon RDS OR Automatic rotation very 30 days

rights reserved. Secrets Manager for securing credentials

rights reserved. Control access to AWS resources AWS IAM ❑ Granular permissions ❑ Integrated with many AWS services ❑ Free to use

rights reserved. Control access to AWS resources

rights reserved. Control access to AWS resources – Lambda Execution Role { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] }

rights reserved. Control access to AWS resources – DynamoDB table Inline Policy

rights reserved. Protect against data loss ❑ AWS Key Management Service (KMS) is a managed service that makes it easy for you to create encryption keys ❑ Manage keys ❑ Control the use of encryption across a wide range of AWS services. ❑ KMS is secure ❑ KMS is a resilient service

rights reserved. Protect against data loss

rights reserved. Conclusion Privacy regulations e.g. GDPR places an imperative upon us to invest to limit information loss https://www.accenture.com/us-en/insights/security/cost-cybercrime-study

rights reserved. Thank You!

rights reserved. Q&A

rights reserved. Contact me @vel12171 https://dev.to/vel12171 https://aws-community.africa/ https://veliswaboya.africa

Veliswa Boya

Veliswa Boya

Veliswa Boya

More Decks by Veliswa Boya

Other Decks in Technology

Featured

Transcript

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All

© 2020, Amazon Web Services, Inc. or its Affiliates. All