Security Aspekts on Services for Serverless Architectures Bertram Dorn EMEA Specialized Solutions Architect Security and Compliance
Jan 10, 2017
Security Aspekts on Services for
Serverless Architectures
Bertram Dorn
EMEA Specialized Solutions Architect
Security and Compliance
Agenda:
• Security in General
• Services in Scope
• Aspects of Services for Serverless Architectures
• API Endpoint Concept
• API Calls
• Some Service Details
What is AWS?
AWS Global Infrastructure
Application Services
Networking
Deployment & Administration
DatabaseStorageCompute
Service in Scope I
• Architect should not care about AZ setup
• Architect should not care about scaling
• Architect should not care about availability
• Architect should not care about sizing
• Architect should not care about serivce side communication
• Architect should not take action on service side security
ENTERPRISE
APPS
DEVELOPMENT & OPERATIONSMOBILE SERVICESAPP SERVICESANALYTICS
Data
Warehousing
Hadoop/
Spark
Streaming Data
Collection
Machine
Learning
Elastic
Search
Virtual
Desktops
Sharing &
Collaboration
Corporate
Backup
Queuing &
Notifications
Workflow
Search
Transcoding
One-click App
Deployment
Identity
Sync
Single Integrated
Console
Push
Notifications
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource
Templates
TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Training &
Certification
Security
& Pricing
Reports
Partner
Ecosystem
Solutions
Architects
MARKETPLACE
Business
Apps
Business
IntelligenceDatabases
DevOps
ToolsNetworkingSecurity Storage
RegionsAvailability
Zones
Points of
Presence
INFRASTRUCTURE
CORE SERVICES
ComputeVMs, Auto-scaling,
& Load Balancing
StorageObject, Blocks,
Archival, Import/Export
DatabasesRelational, NoSQL,
Caching, Migration
NetworkingVPC, DX, DNS
CDN
Access
Control
Identity
Management
Key
Management
& Storage
Monitoring
& Logs
Assessment
and reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web application
firewall
HYBRID
ARCHITECTURE
Data
Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
API
Gateway
IoT
Rules
Engine
Device
Shadows
Device
SDKs
Registry
Device
Gateway
Streaming Data
Analysis
Business
Intelligence
Mobile
Analytics
ENTERPRISE
APPS
DEVELOPMENT & OPERATIONSMOBILE SERVICESAPP SERVICESANALYTICS
Data
Warehousing
Hadoop/
Spark
Streaming Data
Collection
Machine
Learning
Elastic
Search
Virtual
Desktops
Sharing &
Collaboration
Corporate
Backup
Queuing &
Notifications
Workflow
Search
Transcoding
One-click App
Deployment
Identity
Sync
Single Integrated
Console
Push
Notifications
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource
Templates
TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Training &
Certification
Security
& Pricing
Reports
Partner
Ecosystem
Solutions
Architects
MARKETPLACE
Business
Apps
Business
IntelligenceDatabases
DevOps
ToolsNetworkingSecurity Storage
RegionsAvailability
Zones
Points of
Presence
INFRASTRUCTURE
CORE SERVICES
ComputeVMs, Auto-scaling,
& Load Balancing
StorageObject, Blocks,
Archival, Import/Export
DatabasesRelational, NoSQL,
Caching, Migration
NetworkingVPC, DX, DNS
CDN
Access
Control
Identity
Management
Key
Management
& Storage
Monitoring
& Logs
Assessment
and reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web application
firewall
HYBRID
ARCHITECTURE
Data
Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
API
Gateway
IoT
Rules
Engine
Device
Shadows
Device
SDKs
Registry
Device
Gateway
Streaming Data
Analysis
Business
Intelligence
Mobile
Analytics
AWS Global Footprint
US West (N.California)
US West (Oregon)
GovCloud
US East (Virginia)
EU West (Ireland)
Asia Pacific (Tokyo)
Asia Pacific (Singapore)
Asia Pacific (Sydney)
China (Beijing)
São Paulo
EU Central (Frankfurt)
Korea (Seul)
Region
An independent collection of AWS
resources in a defined geography
A solid foundation for meeting location-
dependent privacy and compliance
requirements
AWS Global Footprint
Availability Zone
Designed as independent failure zones
Physically separated within a typical
metropolitan region
Shared Responsibility
Cross-service Controls
Service-specific Controls
Managed by
AWS
Managed by
Customer
Security of the Cloud
Security in the Cloud
Cloud Service Provider
Controls
Optimized
Network/OS/App Controls
Request reports at:
aws.amazon.com/compliance/#contact
ISO
27000
ISO
9001
Service in Scope II
• Architect needs to care about IAM
• Architect must secuire his access keys
• Architect should be aware of service features
• Architect should cross check service against compliance setup
• Architect must take care of encryption
• Knowledge of the service features
• Know how to work his own encryption into the architecture
ENTERPRISE
APPS
DEVELOPMENT & OPERATIONSMOBILE SERVICESAPP SERVICESANALYTICS
Data
Warehousing
Hadoop/
Spark
Streaming Data
Collection
Machine
Learning
Elastic
Search
Virtual
Desktops
Sharing &
Collaboration
Corporate
Backup
Queuing &
Notifications
Workflow
Search
Transcoding
One-click App
Deployment
Identity
Sync
Single Integrated
Console
Push
Notifications
DevOps Resource
Management
Application Lifecycle
Management
Containers
Triggers
Resource
Templates
TECHNICAL &
BUSINESS
SUPPORT
Account
Management
Support
Professional
Services
Training &
Certification
Security
& Pricing
Reports
Partner
Ecosystem
Solutions
Architects
MARKETPLACE
Business
Apps
Business
IntelligenceDatabases
DevOps
ToolsNetworkingSecurity Storage
RegionsAvailability
Zones
Points of
Presence
INFRASTRUCTURE
CORE SERVICES
ComputeVMs, Auto-scaling,
& Load Balancing
StorageObject, Blocks,
Archival, Import/Export
DatabasesRelational, NoSQL,
Caching, Migration
NetworkingVPC, DX, DNS
CDN
Access
Control
Identity
Management
Key
Management
& Storage
Monitoring
& Logs
Assessment
and reporting
Resource &
Usage Auditing
SECURITY & COMPLIANCE
Configuration
Compliance
Web application
firewall
HYBRID
ARCHITECTURE
Data
Backups
Integrated
App
Deployments
Direct
Connect
Identity
Federation
Integrated
Resource
Management
Integrated
Networking
API
Gateway
IoT
Rules
Engine
Device
Shadows
Device
SDKs
Registry
Device
Gateway
Streaming Data
Analysis
Business
Intelligence
Mobile
Analytics
API
• WebInterface
• CLI
• SDK
• API
Architect
AWS
IAM
Resource / Application
User
Amazon
S3
Amazon
DynamoDB
Amazon API
Gateway Amazon
SES
Amazon
SQS
Application
API Features
• DDoS Protected
• MultiAZ
• Available
• Encryption in
Transport
• Authenticated
• Logging
Services for Serverless Architectures
• Route53
• CloudFront
• Lambda
• API Gateway
• S3
• SNS
• SQS
• KMS
• SWF
• ELB
• Kinesis
• DynamoDB
• Elasticsearch
• Redshift
• RDS
Full Flexible Sizing Needed Sizing/Communication
Aws Shared Responsibility
• Secure Infrastructure (Physics/Logic/Certification)
• Tennant Isolation
• Availability
• Platform Scaling
• In some services: Crypto Options
Amazon
S3 • Secure Transport
• Sever Side Encryption
• Individual Vector for each object
• Re-Encryption through copy and versioning
• KMS Integration
• Customer Managed KEYs
• IAM integration
• Versioning
• MFA Delete
• Storage Class
• S3 Logging
Security related features which need to be instrumented by the Architect
A view on S3
Bucket with
Objects
Region S3
Bucket with
Objects
• WebInterface
• CLI
• SDK
• APIAdmin
For instrumentation
AWS
AWS
IAM
Command PATHS3 Endpoints
Datapath
HTTP(s)
Bucket Policy
Object Policy
User Policy S3 Logging
Amazon
S3
Amazon API
Gateway
• Secure Transport
• Setup of Paths
• Secure coding inside the Lambda functions
• Client Certificates
• CloudWatchLogs Logging
Security related features which need to be instrumented by the Architect
A view on API Gateway
AWS Region
• WebInterface
• CLI
• SDK
• APIAdmin
For instrumentation
AWS
AWS
IAM
Command PATHAPP GW Endpoints
Datapath
HTTP(s)
CloudWatch
Logs
Amazon API
Gateway
Mockups Proxy
AWS
Lambda
Possibilities which need to be instrumented by the Architect
• IAM Role needs to be focussed
• Secure Coding
• CloudWatchLogs Logging
• Well choosen triggers
A view on Lambda
AWS Region
• WebInterface
• CLI
• SDK
• APIAdmin
For instrumentation
AWS
AWS
IAM
Command PATHAPP GW Endpoints
Datapath
HTTP(s)
CloudWatch
Logs
AWS
Lambda
Other Services
Amazon
SESAmazon
SQS
• IAM Role needs to be focussed
• What data dou you send
• Subscribers
• Take care of logging
A view on Messaging
AWS Region
• WebInterface
• CLI
• SDK
• APIAdmin
For instrumentation
AWS
AWS
IAM
Command PATHAPP GW Endpoints
Datapath
HTTP(s)
CloudTrail
Other Services
Amazon
SESAmazon
SQS