rights reserved.
Security Principles in the serverless context
❑ Keep security simple
❑ The Principle of Least Privilege
❑ Defence in depth (defence at every layer)
https://blog.threatpress.com/security-design-principles-owasp/
The Principle of Least Privilege - Only assign what's needed to perform the task at hand

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Action": "dynamodb:PutItem",
        "Resource": "arn:aws:dynamodb:eu-west-1:084642048058:table/Flowers"
      }
    }
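As an added illustration of the principle (example code, not from the slides): a small Python linter that flags Allow statements granting wildcard actions or wildcard resources, run over the slide's policy and a constructed over-broad one. The policy and lint logic are this example's own, not an AWS tool.

```python
import json
from typing import List

# The least-privilege policy from the slide (account id and table are the slide's sample values).
SCOPED_POLICY = """{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "dynamodb:PutItem",
    "Resource": "arn:aws:dynamodb:eu-west-1:084642048058:table/Flowers"
  }
}"""

# Constructed counter-example: a function granted "whatever makes it work".
BROAD_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::flowers-bucket/*"}
  ]
}"""


def _as_list(value) -> List[str]:
    """IAM accepts either a single string or a list for Action/Resource."""
    return [value] if isinstance(value, str) else list(value)


def least_privilege_findings(policy_json: str) -> List[str]:
    """Report Allow statements that grant more than one task needs:
    wildcard actions, service-wide actions ("svc:*") and resource "*".
    An empty list means nothing was flagged."""
    statements = json.loads(policy_json)["Statement"]
    if isinstance(statements, dict):   # one statement object or a list of them
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue  # Deny statements and NotAction forms are out of scope here
        actions = _as_list(stmt["Action"])
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {index}: broad action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {index}: resource '*' for {actions}")
    return findings
```

Running `least_privilege_findings(SCOPED_POLICY)` returns an empty list, while the constructed policy yields two findings for its first statement.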
Security Patterns for Serverless architectures
❑ Protect against web attacks
❑ Authenticate access to web application
❑ Control access to APIs
❑ Secure storage of credentials
❑ Control access to AWS resources
❑ Protect against data loss
Protect against web attacks
Diagram: Client → AWS WAF (filtering DDoS, XSS, SQLi) → ALB or API Gateway
Which to choose?
❑ Protection at OSI layers 3 (Network), 4 (Transport) and 7: does your app have high visibility? Is it prone to frequent DDoS attacks?
❑ AWS Firewall Manager: simplifies administration and management across accounts. Are you using your WAF across accounts and need to accelerate your AWS WAF configurations?
❑ AWS WAF: application layer 7 of the OSI model. Do you need granular control over the protection that is added to your resources?
Authenticate access to web application
Diagram: Client → JWT → web application (JWT presented on each request)
• For user pools >> scalable user directories that provide sign-up and sign-in options for the app users
• For identity pools >> provide temporary credentials to grant users access to AWS services (guest or signed in) >> federated identities for social sign-in (Facebook, Google, Amazon, Apple)
Protect against data loss
❑ AWS Key Management Service (KMS) is a managed service that makes it easy for you to create encryption keys
❑ Manage keys
❑ Control the use of encryption across a wide range of AWS services
❑ KMS is secure
❑ KMS is a resilient service
Conclusion
Privacy regulations such as GDPR place an imperative on us to invest in limiting information loss.
https://www.accenture.com/us-en/insights/security/cost-cybercrime-study