Learning Objectives:
- Learn security best practices for AWS Lambda and Amazon API Gateway
- Understand how to use Amazon Cognito to build identity and authentication features into serverless applications
- Learn identity and access management best practices for serverless applications
Securely building and deploying serverless applications requires cloud-native security best practices. In this talk, you will learn how to use AWS Lambda permissions and how to easily set up authentication and authorization for Amazon API Gateway. We will also cover how you can use Amazon Cognito for end user authentication and authorization. You'll also learn how to securely store your application secrets with AWS. This talk also discusses how to implement identity and access management best practices.
2. Agenda
• What is Serverless?
• Overview of AWS Lambda, API Gateway, and Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary
3. No servers to provision
or manage
Scales with usage
Never pay for idle Availability and fault
tolerance built in
Serverless means…
5. Microservices
AWS Lambda + Amazon API Gateway is the
easiest way to create microservices
• Event handlers one function per event type
• Serverless backends one function per API / path
• Data processing one function per data type
7. AWS Lambda Programming Model
Bring your own code
• Node.js, Java, Python, C#
• Bring your own libraries
(even native ones)
Simple resource model
• Select power rating from
128 MB to 1.5 GB
• CPU and network allocated
proportionately
• Pay only for what compute
you consume
Programming model
• AWS SDK built in (Python
and Node.js)
• Lambda is the “webserver”
• Use processes, threads,
/tmp, sockets normally
Stateless
• Persist data using Amazon
DynamoDB, S3, or
ElastiCache
• No affinity to infrastructure
(can’t “log in to the box”)
9. Introduction to Amazon API Gateway
Create a unified
API frontend for
multiple micro-
services
Authenticate and
authorize
requests to a
backend
DDoS protection
and throttling for
your backend
Throttle, meter,
and monetize API
usage by 3rd
party developers
10. Amazon API Gateway: Serverless APIs
Internet
Mobile
apps
Websites
Partner
Services
AWS Lambda
functions
API
Gateway
response
cache
Endpoints on
Amazon EC2
Any publicly
accessible
endpoint
Amazon
CloudWatch
Amazon
CloudFront
API
Gateway
12. Identity is mission critical for your applications
Security
Revenue
Generation
Application
Backbone
Know your users
Monitor engagement
with your application
Store and manage
user data
Personalize your
users’ experiences
Protect sensitive data
Secure business-
critical processes
User Identity
13. Developing Auth Infrastructure is Difficult
• Need to develop a reliable user directory to manage identities
• Handling user data and passwords and protecting privacy
• Prioritizing scalability of your infrastructure upfront
• Implementing token-based authentication
• Support for multiple social identity providers
• Federation with corporate directories for B2E applications
1
2
3
5
6
4
14. Amazon Cognito Identity
Facebook
Corporate
OIDC
Sign in with
Your User Pools
You can easily and securely add sign-up
and sign-in functionality to your mobile and
web apps with a fully-managed service that
scales to support 100s of millions of users.
Federated Identities
Your users can sign in with third-party
identity providers, such as Facebook and
SAML providers, and you can control
access to AWS resources from your app.
SAML
Sign in
Username
Password
Submit
19. Lambda execution models
Synchronous (push) Asynchronous (event) Stream-based
Amazon
API Gateway
AWS Lambda
function
Amazon
DynamoDBAmazon
SNS
/order
AWS Lambda
function
Amazon
S3
reqs
Amazon
Kinesis
changes
AWS Lambda
service
function
20. The push model and resource policies
Function (resource) policy
• Permissions you grant to your Lambda
function determine which service or
event source can invoke your function
• Resource policies make it easy to
grant cross-account permissions to
invoke your Lambda function
21.
22.
23. The pull model and IAM roles
IAM execution role
• Permissions you grant to this role
determine what your AWS Lambda
function can do at run-time
• If event source is Amazon DynamoDB
or Amazon Kinesis, then add read
permissions in IAM role
24.
25. Lambda function security – best practices
Application Security Best practices still apply
(mandatory code review, static analysis, etc.)
Use IAM Role per function and don’t be too
permissive – leverage principle of least privilege
Encrypt environment variables and sensitive data
via KMS and Lambda’s encryption helpers
Leverage EC2 SSM Parameter Store for secrets
and configuration management at scale
26.
27.
28.
29.
30.
31. Lambda vulnerabilities and security scan
Automate security analysis as part of your CI/CD
pipeline
Input validation/sanitization, SQLi, etc. still apply in
Serverless architectures
Continuously scan for vulnerabilities in
dependencies used; can be a step in your CI/CD
pipeline
33. API Gateway: three types of authorization
Amazon Cognito
User Pools
Amazon Cognito
Federated Identities
Custom Identity Providers
AWS IAM authorization
Custom Authorizers
User Pools Authorizers
34. API Gateway: three types of authorization
Amazon Cognito
User Pools
Amazon Cognito
Federated Identities
Custom Identity Providers
AWS IAM authorization
Custom Authorizers
User Pools Authorizers
42. API Gateway: three types of authorization
Amazon Cognito
User Pools
Amazon Cognito
Federated Identities
Custom Identity Providers
AWS IAM authorization
Custom Authorizers
User Pools Authorizers
53. API Gateway: three types of authorization
Amazon Cognito
User Pools
Amazon Cognito
Federated Identities
Custom Identity Providers
AWS IAM authorization
Custom Authorizers
User Pools Authorizers
63. Custom Authorizer Lambda
var testPolicy = new AuthPolicy(”userIdentifier", "XXXXXXXXXXXX", apiOptions);
testPolicy.allowMethod(AuthPolicy.HttpVerb.POST, "/locations/*");
testPolicy.allowMethod(AuthPolicy.HttpVerb.DELETE, "/locations/*");
callback(null, testPolicy.getPolicy());
Sample Code
64. API Gateway: three types of authorization
Amazon Cognito
User Pools
Amazon Cognito
Federated Identities
Custom Identity Providers
AWS IAM authorization
Custom Authorizers
User Pools Authorizers
65. Throttle
Usage Plans: Throttle specific consumers
Internet
Mobile
apps
Websites
Partner
Services
AWS Lambda
functions
API
Gateway
response
cache
Endpoints on
Amazon EC2
Any publicly
accessible
endpoint
Amazon
CloudWatch
Amazon
CloudFront
API
Gateway
66. Usage Plans: Quotas and Throttling
• Prevents one customer from consuming all your
backend system’s capacity
• Let’s you decide how to allocate capacity among your
API consumers. Sample plan:
• Professional plan users: 10 TPS, up to 100 calls / day
• Premium plan users: 100 TPS, up to 1000 calls / day
• Enterprise plan users: 500 TPS, no limit on calls / day
67. Set daily
quota
Usage Plans: Enforce per-consumer quotas
Internet
Mobile
apps
Websites
Partner
Services
AWS Lambda
functions
API
Gateway
response
cache
Endpoints on
Amazon EC2
Any publicly
accessible
endpoint
Amazon
CloudWatch
Amazon
CloudFront
API
Gateway
71. Cloudwatch – Log streaming and metrics
Leverage built-in metrics and alarm on aggregates
(throttling)
Create Custom Metrics via Metric Filter out of logs
Captures Lambda invocation details, and all
logging statement output
Stream and centralize logs from multiple accounts
to Amazon ElasticSearch for near real-time
analysis
built-in custom
Amazon Cloudwatch
75. What can you answer using a CloudTrail event?
Who made the API call?
What was the API call?
When was the API call made?
Where was the API call made from and made to?
Which resources were acted upon in the API call?
Supported services:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-supported-services.html
76. AWS Config
• Get inventory of AWS resources
• Discover new and deleted resources
• Record configuration changes continuously
• Get notified when configurations change
77. Summary
• What is Serverless?
• Overview of AWS Lambda, API Gateway, and Cognito
• Securing Serverless microservices
• Auditing and logging
• Summary
78. Additional Resources
- Serverless on AWS
- Serverless Computing on AWS
- re:Invent Talks and Webinars
- Serverless Auth: Identity Management
- Add User Sign-in, Management, and Security with Cognito
- Deep Dive on AWS Lambda
- Reference Projects
- Serverless Auth Reference App
- Cognito Angular 2 Quickstart
- Cognito API Gateway Auth Reference