Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Veliswa Boya

Veliswa Boya
November 05, 2020
Technology
0
89

Veliswa Boya

How to secure a serverless web application on AWS

Veliswa Boya

November 05, 2020
Tweet

More Decks by Veliswa Boya

See All by Veliswa Boya
Tools for building your MVP on AWS
veliswaboya
0
120
Chaos Engineering on AWS
veliswaboya
1
290

Other Decks in Technology

See All in Technology
来年もre:Invent2024 に行きたいあなたへ - “集中”と“つながり”で楽しむ -
ny7760
0
480
MAMを軸とした動画ハンドリングにおけるAI活用前提の整備と次世代ビジョン / abema-ai-mam
cyberagentdevelopers
PRO
1
120
visionOSでの空間表現実装とImmersive Video表示について / ai-immersive-visionos
cyberagentdevelopers
PRO
1
110
10分でわかるfreee エンジニア向け会社説明資料
freee
18
520k
ユーザーの購買行動モデリングとその分析 / dsc-purchase-analysis
cyberagentdevelopers
PRO
2
110
マネジメント視点でのre:Invent参加 ~もしCEOがre:Inventに行ったら~
kojiasai
0
490
なんで、私がAWS Heroに!? 〜社外の広い世界に一歩踏み出そう〜
minorun365
PRO
6
1.1k
20241031_AWS_生成AIハッカソン_GenMuck
tsumita
0
110
現地でMeet Upをやる場合の注意点 〜反省点を添えて〜
shotashiratori
0
540
リンクアンドモチベーション ソフトウェアエンジニア向け紹介資料 / Introduction to Link and Motivation for Software Engineers
lmi
4
290k
CyberAgent 生成AI Deep Dive with Amazon Web Services / genai-aws
cyberagentdevelopers
PRO
1
480
Figma Dev Modeで進化するデザインとエンジニアリングの協働 / figma-with-engineering
cyberagentdevelopers
PRO
1
440

Featured

See All Featured
The World Runs on Bad Software
bkeepers
PRO
65
11k
Producing Creativity
orderedlist
PRO
341
39k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
Practical Orchestrator
shlominoach
186
10k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.2k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
126
18k
Music & Morning Musume
bryan
46
6.1k
Why You Should Never Use an ORM
jnunemaker
PRO
53
9k
Visualization
eitanlees
145
15k
Product Roadmaps are Hard
iamctodd
PRO
48
10k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
504
140k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k

Transcript

  1. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Veliswa Boya 04 November 2020 Securing a serverless web app on AWS

  2. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Agenda • The case for serverless • Security principles in the serverless context • Serverless architectures and security patterns

  3. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. The case for serverless The Shared Responsibility Model

  4. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved.

  5. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Security Principles in the serverless context

  6. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Security Principles in the serverless context ❑ Keep security simple ❑ The Principle of Least Privilege ❑ Defence in depth (defence at every layer) https://blog.threatpress.com/security-design-principles-owasp/

  7. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ❶Keep security simple Client Amazon Cognito Amazon API Gateway AWS Lambda Amazon DynamoDB AWS WAF AWS IAM AWS KMS AWS Secrets Manager AWS Firewall Manager AWS Shield

  8. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ❷The Principle of Least Privilege - Only assign what’s needed to perform the task at hand { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "arn:aws:dynamodb:eu-west-1:084642048058:table/Flowers" } }

  9. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. ❸Defence in depth (defence at every layer) Client Amazon Cognito Amazon API Gateway AWS Lambda Amazon DynamoDB AWS WAF AWS IAM AWS KMS AWS Secrets Manager AWS Firewall Manager AWS Shield

  10. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Security Patterns for Serverless architectures

  11. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Security Patterns for Serverless architectures ❑ Protect against web attacks ❑ Authenticate access to web application ❑ Control access to APIs ❑ Secure storage of credentials ❑ Control access to AWS resources ❑ Protect against data loss

  12. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Client AWS WAF DDoS XSS SQLi AWS Firewall Manager Layer 3 Network, 4 Transport and 7 of OSI Model. Does your app have high visibility? Prone to frequent DDoS attacks? Simplifies admin and management across accounts. Using your WAF across accounts and need to accelerate your AWS WAF configurations? Application Layer 7 of OSI Model. Granular control over the protection that is added to your resources? Protect against web attacks or ALB or API Gateway Which to choose?

  13. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved.

  14. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Client JWT JWT Authenticate access to web application • For user pools >> scalable user directories that provide sign-up and sign- in options for the app users • For identity pools >> provide temporary credentials to grant users access to AWS services (guest or signed in) >> federated identities for social sign- in (Facebook, Google, Amazon, Apple)

  15. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved.

  16. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to APIs √

  17. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to APIs

  18. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to APIs

  19. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to APIs

  20. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Secrets Manager for securing credentials AWS Secrets Manager Amazon RDS OR Automatic rotation very 30 days

  21. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Secrets Manager for securing credentials

  22. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Secrets Manager for securing credentials

  23. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to AWS resources AWS IAM ❑ Granular permissions ❑ Integrated with many AWS services ❑ Free to use

  24. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to AWS resources

  25. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to AWS resources – Lambda Execution Role { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents" ], "Resource": "*" } ] }

  26. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Control access to AWS resources – DynamoDB table Inline Policy

  27. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Protect against data loss ❑ AWS Key Management Service (KMS) is a managed service that makes it easy for you to create encryption keys ❑ Manage keys ❑ Control the use of encryption across a wide range of AWS services. ❑ KMS is secure ❑ KMS is a resilient service

  28. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Protect against data loss

  29. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Conclusion Privacy regulations e.g. GDPR places an imperative upon us to invest to limit information loss https://www.accenture.com/us-en/insights/security/cost-cybercrime-study

  30. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Thank You!

  31. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Q&A

  32. © 2020, Amazon Web Services, Inc. or its Affiliates. All

    rights reserved. Contact me @vel12171 https://dev.to/vel12171 https://aws-community.africa/ https://veliswaboya.africa