Securing serverless and container services - SDD306 - AWS re:Inforce 2019
1. © 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing serverless and container services
Tomas Clemente Sanchez
Senior Security Consultant
AWS ProServe Global Financial Services
Amazon Web Services
SDD306
2. Agenda
• Serverless and containers
• Security of serverless and containers
• Security and deployment
• Demo
3. Related breakouts
Tuesday, June 25
GRC340 – Container runtime security and automation
4:00 PM–5:00 PM | Level 1, Room 151B, Table 4
Wednesday, June 26
SEP309 – Containers and mission-critical applications
2:00 PM–3:00 PM | Level 2, Room 258B
Wednesday, June 26
SDD401 – Securing enterprise-grade serverless applications
3:30 PM–4:30 PM | Level 0, Hall B2, Yellow
5. “No server is easier to manage than no server.”
Werner Vogels, Amazon CTO
6. What is serverless?
No infrastructure provisioning, no management
Automatic scaling
Pay for value
Highly available and secure
7. [Diagram: the serverless service portfolio. Compute: AWS Lambda, AWS Fargate. Data stores: Amazon Aurora Serverless, Amazon S3, Amazon DynamoDB. Integration: Amazon API Gateway, Amazon SNS, Amazon SQS, AWS Step Functions, AWS AppSync]
8. Pure serverless can be straightforward
[Diagram: a mobile app calls https://api.myapp.com on API Gateway, which invokes Lambda functions holding the core business logic as RESTful microservices, backed by DynamoDB, all inside the AWS Cloud]
9. Serverless architectural patterns are easily scalable
[Diagram: various clients (a mobile client, potentially other microservices) call 1-n API Gateways fronting 1-n Lambda function sets in a microservices environment, backed by data tier components as needed: DynamoDB, Amazon ElastiCache, Amazon S3]
10. Some infrastructure is still there
[Diagram: a web browser reaches a web application through an Amazon CloudFront distribution; static website content (HTML/JS/CSS) is served from Amazon S3, dynamic website content through API Gateway at https://api.example.com and Lambda functions, with DynamoDB, Amazon RDS and ElastiCache inside a VPC and Amazon S3 as data stores]
11. Core business logic elements can be code or containers
[Diagram: a mobile backend in which Amazon Cognito and AWS Security Token Service (AWS STS) provide user identity management; the mobile app calls API Gateway at https://api.myapp.com; the core business logic runs as Lambda functions or on Amazon ECS, with DynamoDB, Amazon RDS and ElastiCache inside a VPC and Amazon S3 as data stores]
12. Common security approach
• Serverless and containers share a common pattern: microservices
• Core business logic can be modeled as code or containers
• We can reuse the same thought model for both serverless and containers to
design secure architectures
14. Security domains
[Diagram: services arranged by security domain, on an axis from no infra to more infra]
Compute: Lambda functions, API Gateway, Step Functions, Amazon ECS, Amazon EKS, AWS Fargate
Data: DynamoDB, Amazon RDS, ElastiCache, Amazon S3, AWS AppSync
Communications (messaging, networking, and streaming): Amazon SNS, Amazon Kinesis, Amazon VPC
Access management and identity: Amazon Cognito, AWS Identity and Access Management (IAM)
Systems monitoring & deployment: Amazon CloudWatch, AWS X-Ray, AWS CloudTrail, AWS SAM
Edge: Amazon CloudFront
15. Cloud adoption framework – Security perspective
[Diagram: security services mapped onto the framework: CloudWatch, CloudTrail, AWS Trusted Advisor, Amazon Cognito, Amazon GuardDuty, AWS Certificate Manager, IAM, AWS KMS, AWS Security Hub, AWS Secrets Manager, AWS Shield, AWS WAF, Amazon VPC PrivateLink, Lambda functions, X-Ray]
16. Let’s focus on the compute layer
AWS Lambda: serverless event-driven code execution; short-lived; all language runtimes; data source integrations
AWS Fargate: serverless compute engine for containers; long-running; bring existing code; fully managed orchestration
Amazon ECS: Elastic Container Service; container orchestration; deploy in a VPC; Docker-oriented
Amazon EKS: Elastic Container Service for Kubernetes; Kubernetes-certified; no control plane to manage; deploy worker nodes
17. Comparison of operational responsibility
From more opinionated (Lambda) to less opinionated (Amazon EC2):
Lambda – Serverless functions
• AWS manages: data source integrations; physical hardware, software, networking, and facilities; provisioning
• Customer manages: application code
Fargate – Serverless containers
• AWS manages: container orchestration, provisioning; cluster scaling; physical hardware, host OS/kernel, networking, and facilities
• Customer manages: application code; data source integrations; security config and updates, network config, management tasks
Amazon ECS/Amazon EKS – Container management as a service
• AWS manages: container orchestration control plane; physical hardware, software, networking, and facilities
• Customer manages: application code; data source integrations; worker clusters; security config and updates, network config, firewall, management tasks
Amazon EC2 – Infrastructure as a service
• AWS manages: physical hardware, software, networking, and facilities
• Customer manages: application code; data source integrations; scaling; security config and updates, network config, management tasks; provisioning, managing scaling and patching of servers
18. Security in compute layer
Input validation
• AWS WAF: XSS rules, SQL injection rules
Dependency vulnerabilities
• Use Lambda layers
Storing secrets
• Secrets Manager
• AWS Systems Manager
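WAF rules such as the XSS and SQL injection rule groups filter obviously malicious payloads at the edge, but the function behind API Gateway still has to validate what reaches it. The following is an added example, not code from the deck or from AWS: a Lambda handler for an API Gateway proxy integration that validates the request body against an allow-list schema (known fields only, explicit types, length limits, character patterns) and answers 400 without reflecting the input back. The field names, limits and event shape are constructed for illustration.

```python
"""Added example (not from the deck): defensive input validation for an
API Gateway proxy event handled by a Lambda function. Field names, limits
and the sample events are constructed for illustration."""
import json
import re

# Allow-list schema: field -> (type, max length, optional compiled pattern)
SCHEMA = {
    "username": (str, 32, re.compile(r"[a-zA-Z0-9_.-]+")),
    "email": (str, 254, re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")),
    "quantity": (int, None, None),
}
MAX_BODY_BYTES = 4096


class ValidationError(ValueError):
    """Raised with a short, generic reason that does not echo the input."""


def validate_body(raw_body):
    """Parse and validate a request body against SCHEMA.

    Rejects oversized bodies, non-object JSON, unknown keys, wrong types,
    over-length strings and values failing the field pattern. Returns the
    cleaned dict containing only schema fields.
    """
    if raw_body is None or len(raw_body.encode("utf-8")) > MAX_BODY_BYTES:
        raise ValidationError("body missing or too large")
    try:
        data = json.loads(raw_body)
    except json.JSONDecodeError:
        raise ValidationError("body is not valid JSON")
    if not isinstance(data, dict):
        raise ValidationError("body must be a JSON object")
    if set(data) - set(SCHEMA):
        # Unknown keys are rejected outright; their names are not echoed.
        raise ValidationError("unexpected field present")
    cleaned = {}
    for field, (ftype, max_len, pattern) in SCHEMA.items():
        if field not in data:
            raise ValidationError("missing field: %s" % field)
        value = data[field]
        # bool is a subclass of int, so reject it explicitly for int fields
        if not isinstance(value, ftype) or isinstance(value, bool):
            raise ValidationError("wrong type for field: %s" % field)
        if max_len is not None and len(value) > max_len:
            raise ValidationError("field too long: %s" % field)
        if pattern is not None and pattern.fullmatch(value) is None:
            raise ValidationError("invalid characters in field: %s" % field)
        cleaned[field] = value
    return cleaned


def handler(event, context):
    """Lambda entry point for an API Gateway proxy integration."""
    try:
        body = validate_body(event.get("body"))
    except ValidationError as exc:
        # 400 with the generic reason only; the raw input is never returned
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    # Business logic would go here; only validated fields are used.
    return {"statusCode": 200, "body": json.dumps({"accepted": body})}
```

The pattern check uses fullmatch rather than `$`-anchored search so a trailing newline cannot slip past the username rule, and the bool check matters because JSON `true` would otherwise pass as an int.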
19. Lambda layers
Lets functions easily share code: upload a layer once, reference it from any function
Promotes separation of responsibilities and lets developers iterate faster on writing business logic
Built-in support for secure sharing by the ecosystem
20. What about insecure code?
21. Lambda execution environments
• Upon invocation, the Lambda data plane creates an execution environment (or chooses an existing one) in a microVM including:
• The function code
• Any Lambda layers selected for your function
• The function runtime, either built-in (Java 8, NodeJS 8, Python 3.7, etc.) or a custom runtime
• A minimal Linux userland based on Amazon Linux
• Execution environments are never shared across functions, and microVMs are never shared across AWS accounts
22. Isolation between microVMs
Two models: EC2 instances and Firecracker (open source hypervisor)
23. Lambda design considerations
• The first invocation of a Lambda function requires “bootstrapping,” which adds some latency.
• Execution environments can be reused by subsequent invocations, with no memory scrub.
• Each execution environment includes a writeable file system at /tmp that persists for the lifetime of the execution environment.
• Lambda provides patching and updates for supported runtimes. Maintenance of custom runtimes is the customer’s responsibility.
24. Lambda best practices
• Plan for cold start to optimize microVM reuse
• Minimize package size to necessities
• ENIs for VPC support are attached during cold start
• Instantiate AWS clients and database clients outside the scope of the Lambda handler
• Avoid code that reads or writes to /tmp if not needed
• Leverage AWS-supported runtimes to avoid the heavy lifting of custom runtimes

    import sys
    import logging
    import rds_config
    import pymysql

    logger = logging.getLogger()
    logger.setLevel(logging.INFO)

    rds_host = "rds-instance"
    db_name = rds_config.db_name

    # Executes during cold start: module scope runs once per execution
    # environment, so the connection is reused by warm invocations.
    # rds_config is assumed to carry db_username and db_password as well.
    try:
        conn = pymysql.connect(host=rds_host, user=rds_config.db_username,
                               passwd=rds_config.db_password, db=db_name,
                               connect_timeout=5)
    except pymysql.MySQLError as e:
        logger.error("ERROR: Unexpected error: Could not connect to MySQL instance.")
        logger.error(e)
        sys.exit()

    # Executes with each invocation
    def handler(event, context):
        with conn.cursor() as cur:
            cur.execute("SELECT 1")
            return cur.fetchone()
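The same mechanism that makes the connection above cheap to reuse also means that anything a previous invocation left in module scope or in /tmp is visible to the next invocation served by that environment (the deck notes there is no memory scrub and /tmp persists). The following is an added example, not code from the deck or from AWS, that shows the difference between a handler which parks per-request data in module state and a scratch file and one which keeps it local and cleans up. It calls each handler twice in one process to mimic a warm invocation and uses a temporary directory as a stand-in for /tmp; all names and the sample events are constructed.

```python
"""Added example (not from the deck): what execution-environment reuse means
for per-request data. Two handlers are invoked twice in the same process to
mimic a warm invocation; nothing here talks to AWS. All names constructed."""
import os
import tempfile

# Module scope runs once per cold start and survives between invocations,
# exactly like the DB connection in the slide. Anything placed here is
# visible to later invocations served by the same environment.
_request_cache = {}

# Stand-in for /tmp so the example runs anywhere; in Lambda this is /tmp.
SCRATCH_DIR = tempfile.mkdtemp(prefix="lambda-tmp-")


def leaky_handler(event, context):
    """Stores the caller's token in module state and in a scratch file and
    never clears either, so a later invocation can observe both."""
    previous = dict(_request_cache)
    path = os.path.join(SCRATCH_DIR, "last_token.txt")
    leftover = open(path).read() if os.path.exists(path) else None
    _request_cache["token"] = event["token"]
    with open(path, "w") as fh:
        fh.write(event["token"])
    return {"seen_in_memory": previous.get("token"), "seen_on_disk": leftover}


def hardened_handler(event, context):
    """Keeps per-request data in local variables and removes any scratch
    file before returning, so reuse of the environment exposes nothing."""
    token = event["token"]                      # local, gone when the call ends
    path = os.path.join(SCRATCH_DIR, "work-%d.txt" % os.getpid())
    leftover = open(path).read() if os.path.exists(path) else None
    try:
        with open(path, "w") as fh:
            fh.write(token)
        # ... real work with the scratch file would happen here ...
    finally:
        os.remove(path)                         # always clean up scratch data
    return {"seen_in_memory": None, "seen_on_disk": leftover}


def simulate_warm_reuse(handler_fn):
    """Invoke the handler twice in the same process and return what the
    second invocation could observe from the first."""
    handler_fn({"token": "first-caller-secret"}, None)
    return handler_fn({"token": "second-caller-secret"}, None)


if __name__ == "__main__":
    print("leaky:   ", simulate_warm_reuse(leaky_handler))
    print("hardened:", simulate_warm_reuse(hardened_handler))
```

Environments are never shared across functions or accounts, so the exposure is between callers of the same function; the practical rule that follows from the slide is to keep long-lived objects (clients, connections) in module scope and nothing request-specific.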
25. Amazon ECS and AWS Fargate
[Diagram: on the left, an Amazon ECS cluster of EC2 instances (each running the ECS agent and Docker agent on the OS) inside a VPC and an Auto Scaling group, with services made up of tasks (Task 1, Task 2); on the right, AWS Fargate tasks inside a VPC, each allocated CPU and memory, grouped into services in a cluster]
26. Amazon ECS and AWS Fargate
Amazon ECS
Networking
• ECS uses the instance ENI by default, and awsvpc (task ENI) as an option
• Can use existing VPC SG and NACL
IAM
• Granular Amazon ECS service roles and task roles
Host
• Customer provisioning, patching, and scaling
• Direct access to the underlying infra
• Privileged access is allowed
AWS Fargate
Networking
• Fargate requires awsvpc; all traffic uses the task ENI
• Private and public IP setup for inbound traffic; outbound is allowed
IAM
• Granular Amazon ECS service roles and task roles
Host
• AWS patches the platform version
• No direct access to the underlying infra
• Privileged access is forbidden
27. Security in data layer
Data classification
Data encryption at rest
Data backup/replication
Data flow
Data encryption in transit
Data tokenization
28. Security in access management and identity layer
Access control between services
Authenticate and authorize end users/clients
29. Security in system monitoring layer
Logging and tracing
Metrics
Compliance validation
[Diagram icon: X-Ray]
30. Dive deep on X-Ray
Analyze and debug issues quickly
End-to-end view of individual services
Identify customer impact
Support for serverless and containers
31. X-Ray integration with serverless
• Lambda instruments incoming requests for all supported languages
• Lambda runs the X-Ray daemon for all languages with an SDK

    // Wrap the AWS SDK so every downstream call is captured as a subsegment
    var AWSXRay = require('aws-xray-sdk-core');
    AWSXRay.middleware.setSamplingRules('sampling-rules.json');
    var AWS = AWSXRay.captureAWS(require('aws-sdk'));
    var s3Client = new AWS.S3();
32. X-Ray integration with containers
• Build your application
• Deploy an X-Ray Docker container/pod on each worker node
• EC2Plugin and ECSPlugin can be used to send extra information about the underlying infra (except when using AWS Fargate)
33. X-Ray view example
34. X-Ray trace example
36. AWS developer tools for CI/CD
Source: AWS CodeCommit
Build: AWS CodeBuild + third-party tools
Test: AWS CodeBuild
Deploy: AWS CodeDeploy
Monitor: X-Ray
Orchestrated end to end by AWS CodePipeline
37. How can we ensure security in the deployment?
[Diagram: a developer commits to CodeCommit; CodePipeline runs CodeBuild (cfn-nag) with an S3 bucket and Amazon SNS notifications, then AWS CloudFormation pre-create, create stacks and post-create steps deploy stacks across regions]
38. Integrate security controls in CI/CD pipelines
[Diagram: the same pipeline as slide 37, with a Security role alongside the Developer; the cfn-nag check in CodeBuild gates the AWS CloudFormation pre-create, create stacks and post-create steps that deploy stacks across regions]
39. Delivery via CodePipeline
1. Commit your code to a source code repository
2. Package/test in CodeBuild, including container packaging
and security controls
3. Use AWS CloudFormation actions in CodePipeline to create
or update stacks via AWS SAM templates
• Optional: Make use of ChangeSets
4. Test your application and increase control severity between
stages/environments
• Optional: Make use of manual approvals
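Step 2 places the security controls in the CodeBuild stage, before CloudFormation ever creates a stack (the pipeline diagrams show cfn-nag in that position). The following is an added example, not code from the deck, from AWS, or from cfn-nag itself: a small template check of the same kind, written to run as a build step and fail the build when it finds wildcard IAM permissions on a role or a privileged container in an ECS task definition (the deck notes privileged access is forbidden on Fargate). It reads a CloudFormation template in JSON form; the sample template and its resource names are constructed.

```python
"""Added example (not from the deck, not cfn-nag): a pre-deployment check
over a CloudFormation template in JSON form, suitable for a CodeBuild
stage. The sample template below is constructed for illustration."""
import json


def _as_list(value):
    """CloudFormation allows a single string where a list is expected."""
    return value if isinstance(value, list) else [value]


def _iam_findings(name, resource):
    """Flag Allow statements whose Action or Resource is a bare '*'."""
    findings = []
    for policy in resource.get("Properties", {}).get("Policies", []):
        doc = policy.get("PolicyDocument", {})
        for stmt in _as_list(doc.get("Statement", [])):
            if stmt.get("Effect") != "Allow":
                continue
            if "*" in _as_list(stmt.get("Action", [])):
                findings.append("%s: Allow statement with Action '*'" % name)
            if "*" in _as_list(stmt.get("Resource", [])):
                findings.append("%s: Allow statement with Resource '*'" % name)
    return findings


def _ecs_findings(name, resource):
    """Flag container definitions that request Privileged mode."""
    findings = []
    props = resource.get("Properties", {})
    for cdef in props.get("ContainerDefinitions", []):
        if cdef.get("Privileged") is True:
            findings.append("%s: container '%s' runs privileged"
                            % (name, cdef.get("Name", "?")))
    return findings


# Resource type -> check function; extend with further rules as needed.
CHECKS = {
    "AWS::IAM::Role": _iam_findings,
    "AWS::ECS::TaskDefinition": _ecs_findings,
}


def check_template(template):
    """Return a sorted list of findings for a parsed CloudFormation template."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        check = CHECKS.get(resource.get("Type"))
        if check:
            findings.extend(check(name, resource))
    return sorted(findings)


def gate(template):
    """Build gate: True when the template is clean, False on any finding."""
    return len(check_template(template)) == 0


# Constructed sample: one over-permissive role, one privileged container,
# and one correctly scoped role (placeholder account id and table name).
SAMPLE_TEMPLATE = json.loads("""
{
  "Resources": {
    "FunctionRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "Policies": [{"PolicyName": "inline",
                      "PolicyDocument": {"Statement": [
                        {"Effect": "Allow", "Action": "*", "Resource": "*"}]}}]
      }
    },
    "WorkerTask": {
      "Type": "AWS::ECS::TaskDefinition",
      "Properties": {
        "ContainerDefinitions": [{"Name": "worker", "Image": "example/worker",
                                  "Privileged": true}]
      }
    },
    "TableRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "Policies": [{"PolicyName": "scoped",
                      "PolicyDocument": {"Statement": [
                        {"Effect": "Allow", "Action": ["dynamodb:GetItem"],
                         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"}]}}]
      }
    }
  }
}
""")


if __name__ == "__main__":
    for finding in check_template(SAMPLE_TEMPLATE):
        print("FAIL", finding)
    raise SystemExit(0 if gate(SAMPLE_TEMPLATE) else 1)
```

A non-zero exit code is what makes CodeBuild mark the stage failed, which is how the check stops CodePipeline from reaching the CloudFormation action; the same structure works for YAML templates once they are parsed into dictionaries.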
40. CodeDeploy and Lambda canary deployments
• Direct a portion of traffic to a new version
• Monitor stability with CloudWatch
• Initiate rollback if needed
• Incorporate into your AWS SAM templates
41. Security in deployment layer
Code quality
Version control
Strategies
43. Pipeline pattern
[Diagram: a developer supplies code and a CloudFormation template; pipeline stages: Ingest, Code Analysis, Security, Test Deployment, Prod Deployment]
44. Pattern architecture
[Diagram: the Master Pipeline takes code from AWS CodeCommit and a CloudFormation template from the CloudFormation repo through Source Code Validation, CFN Compliance Validation and CFN Security Validation (Code Analysis and Security stages), then Service Test Controls and App Testing Validation (Test stage), and Security and Compliance Controls into the App Deployment Pipeline for Production]
45. Thank you!
Tomas Clemente Sanchez
tomascle@amazon.com