© 2020 Puma Security, LLC | All Rights Reserved
FWD:CLOUDSEC 2020
Winning in the Dark:
Defending Serverless Infrastructure
Eric Johnson
Principal Security Engineer, Puma Security
Senior Instructor, SANS Institute
www.linkedin.com/in/eric-m-johnson
@emjohn20
June 29, 2020
SESSION GOALS
• Discover insecurely stored function secrets
• Exfiltrate authentication tokens from the serverless container
• Detect stolen authentication tokens accessing cloud resources
• Apply network controls to prevent command and control
• Leverage audit logging and monitoring to detect malicious activity
ACKNOWLEDGEMENTS
Gal Bashan - @galbashan1
• https://github.com/epsagon/lambda-internals
OWASP Serverless Top 10 Project
• https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
• Major contributions from Puresec and Protego
Rhino Security
• AWS Penetration Testing with Kali Linux
PUMA SECURITY: SERVERLESS PREY
Serverless Prey is an open source repository containing:
• Functions to establish a reverse shell in each cloud
  • Cheetah: Google Function
  • Cougar: Azure Function
  • Panther: AWS Lambda
• https://github.com/pumasecurity/serverless-prey
• https://www.youtube.com/watch?v=-SSrAro8m3M
Function Execution Environment
Defending Serverless Infrastructure
SERVERLESS EXECUTION ENVIRONMENT
Reverse engineering each function's execution environment:
Function        OS                   Directory    User
NodeJS 12       Amazon Linux 2       /var/task    sbx_user1051
.NET Core 3.1   Debian GNU/Linux 9   /            app
Go 1.11         Ubuntu 18.04.2 LTS   /srv/files   root
SERVERLESS SECRETS: WHERE IS THE SOURCE CODE?
Start by looking for secrets in the function source code:
• AWS Lambda: /var/task
• Azure Functions: /home/site/wwwroot/
• GCP Functions: /srv/files
SERVERLESS SECRETS: ENVIRONMENT VARIABLES
Secrets in environment variables can be accessed by remote attackers using local file inclusion or command injection vulnerabilities (Azure Functions example):

$ cat /proc/self/environ
WEBSITE_AUTH_ENCRYPTION_KEY=BBDAD8269958635C8D4E3C713636D
APPSETTING_AzureWebJobsStorage=6BZ4kOCoSD7T1fc8v4h8JpRg==
APPSETTING_APPINSIGHTS_INSTRUMENTATIONKEY=5D17A234-6B81-4777-8528-6814374E9BD3
MSI_SECRET=A788C6DE68224140A927BB412B4E24AB
AzureWebEncryptionKey=BBDAD8046F6B9F0E81A4B349
CONTAINER_ENCRYPTION_KEY=AYXxtNMabRpw2EIgoGpibUk=
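A defender-side audit of what a `/proc/self/environ` read would expose, added here as an example and not part of the Puma Security deck: it parses the NUL-separated environ format, separates the credentials the AWS Lambda runtime injects from secrets developers placed in configuration, and flags the latter by name pattern or by value entropy. The name pattern, the thresholds and the sample environment are constructed assumptions to tune per application.

```python
"""Audit a function's environment for secrets that a file-read or command
injection bug would hand to an attacker via /proc/self/environ.

Added example, not from the Puma Security deck. The name pattern, the
thresholds and the sample environment are constructed; tune per application.
"""
import math
import re

# Variables the AWS Lambda runtime injects: the execution role's own
# credentials. Not a developer mistake, but exactly what a /proc/self/environ
# read hands over, so they are reported in their own category.
RUNTIME_CREDENTIAL_VARS = {"AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN"}

# Variable names that usually hold a secret regardless of the value (assumed pattern).
SECRET_NAME_RE = re.compile(r"KEY|SECRET|TOKEN|PASSW(?:OR)?D|CREDENTIAL|CONN(?:ECTION)?_?STR", re.I)

# Long, random-looking values are rarely configuration: a URL such as
# https://api.example.com scores about 3.8 bits/char, a random 32-character
# token about 5. Thresholds are assumptions, not a standard.
MIN_SECRET_LEN = 20
ENTROPY_BITS_PER_CHAR = 4.2


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated NAME=value records of /proc/self/environ."""
    env = {}
    for entry in raw.split(b"\0"):
        if b"=" in entry:
            name, _, value = entry.decode("utf-8", "replace").partition("=")
            env[name] = value
    return env


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character, estimated from character frequencies."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_environment(env: dict) -> dict:
    """Map each suspicious variable name to the reason it was flagged."""
    findings = {}
    for name, value in env.items():
        if name in RUNTIME_CREDENTIAL_VARS:
            findings[name] = "runtime-injected role credential"
        elif SECRET_NAME_RE.search(name):
            findings[name] = "name indicates a secret"
        elif len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= ENTROPY_BITS_PER_CHAR:
            findings[name] = f"high-entropy value ({shannon_entropy(value):.1f} bits/char)"
    return findings


# Constructed sample environment; every value is a placeholder.
SAMPLE_ENV = {
    "AWS_REGION": "us-east-1",
    "AWS_ACCESS_KEY_ID": "ASIA-PLACEHOLDER-NOT-REAL",
    "AWS_SECRET_ACCESS_KEY": "placeholder-secret-value",
    "AWS_SESSION_TOKEN": "placeholder-session-token",
    "DB_PASSWORD": "hunter2",
    "API_ENDPOINT": "https://api.example.com",
    "LOG_LEVEL": "info",
    "THIRD_PARTY_API": "Zq8vT2kLp9xW4mN7rB3yH6cD1fG5jS0a",
}

if __name__ == "__main__":
    for name, reason in scan_environment(SAMPLE_ENV).items():
        print(f"{name}: {reason}")
```

Run it inside the function itself with `scan_environment(parse_environ(open("/proc/self/environ", "rb").read()))` to see what the platform and the deployment expose; anything in the "name indicates a secret" or "high-entropy" categories belongs in the provider's secret store, not in configuration.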
Function Execution Role
Defending Serverless Infrastructure
SERVERLESS EXECUTION ROLE
Functions gain access to other cloud resources (vault, secrets, storage, database, etc.) by executing with predefined permissions:
• AWS Lambda: Execution Role
• Azure Functions: Managed Identity
• GCP Functions: Service Account
GCP FUNCTION DEFAULT SERVICE ACCOUNT (GCP Functions)
• New functions inherit the Google managed "Editor" role by default
• Editor role inherits read and modify state permissions for all existing resources
• Function has full read and write access to storage buckets
• Payloads in the Secrets Manager require additional permissions
SERVERLESS ACCOUNT CREDENTIAL STORAGE
Managed serverless platforms executing under a service account have credentials stored in the following locations:
• AWS Lambda: Environment Variables
• Azure Functions: Managed Identity (endpoint)
• GCP Functions: Instance Metadata Service
Function Data Persistence & Exfiltration
Defending Serverless Infrastructure
SERVERLESS FUNCTION CREDENTIAL LIFETIME
Comparing the credential expiration time (number of minutes) across cloud providers:
[Bar chart: AWS Lambda, Azure Functions, GCP Functions; x-axis 0 to 800 minutes]

FUNCTION MALWARE PERSISTENCE EXAMPLE
Comparing the malware persistence lifetime (number of minutes) across cloud providers:
[Bar chart: AWS Lambda, Azure Functions, GCP Functions; x-axis 0 to 12 minutes]
Detecting Compromised Function Credentials
Defending Serverless Infrastructure

FUNCTION CREDENTIAL AUDIT LOGGING
Analyzing service audit logs can identify credential usage outside the function execution environment:
• AWS Lambda: CloudTrail
• Azure Functions: Azure Monitor (partial service support)
• GCP Functions: IAM Audit Logs
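The CloudTrail side of that detection, as an added example that is not part of the Puma Security deck: it picks out calls made with a Lambda execution role's session credentials and alerts when the request did not arrive over the function's own network path. It assumes the function is attached to a VPC whose egress is a NAT Gateway with a known Elastic IP or whose AWS API traffic goes through VPC endpoints; the role ARN, function name, endpoint id, addresses and the sample trail are constructed placeholders.

```python
"""Detect a Lambda execution role's credentials being used from outside the
function's network path, from CloudTrail records.

Added example, not from the Puma Security deck. Assumes the function is
attached to a VPC whose egress is a NAT Gateway with a known Elastic IP, or
reaches AWS services through VPC endpoints. Without VPC integration the
sourceIPAddress is an AWS-owned address that cannot be allowlisted, which is
why that network control also matters for detection.
"""
import ipaddress

# Constructed identifiers (placeholders, not real resources).
FUNCTION_NAME = "panther"
FUNCTION_ROLE_ARN = "arn:aws:iam::111122223333:role/panther-exec-role"
NAT_GATEWAY_EGRESS = {ipaddress.ip_network("203.0.113.10/32")}  # NAT Gateway EIP
OWNED_VPC_ENDPOINTS = {"vpce-0123456789abcdef0"}                # our service endpoints


def session_belongs_to_function(record: dict) -> bool:
    """True when the call used the function's execution-role credentials.
    Lambda names the STS session after the function, so the caller ARN is
    arn:aws:sts::<acct>:assumed-role/<role>/<function-name>."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return False
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return (issuer.get("arn") == FUNCTION_ROLE_ARN
            and ident.get("arn", "").endswith("/" + FUNCTION_NAME))


def source_is_expected(record: dict) -> bool:
    """True when the request came over a path we control: one of our VPC
    endpoints, or the NAT Gateway's public address."""
    if record.get("vpcEndpointId"):
        return record["vpcEndpointId"] in OWNED_VPC_ENDPOINTS
    src = record.get("sourceIPAddress", "")
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        # AWS services acting on our behalf log a DNS name, not an address.
        return src.endswith(".amazonaws.com")
    return any(ip in net for net in NAT_GATEWAY_EGRESS)


def find_stolen_credential_use(records):
    """Return (eventName, sourceIPAddress) for every call made with the
    function's credentials from somewhere other than its own network path."""
    return [(r["eventName"], r.get("sourceIPAddress"))
            for r in records
            if session_belongs_to_function(r) and not source_is_expected(r)]


def _session(role_arn: str, session_name: str) -> dict:
    """Build the userIdentity block CloudTrail writes for an assumed role."""
    account = role_arn.split(":")[4]
    role = role_arn.rsplit("/", 1)[1]
    return {
        "type": "AssumedRole",
        "arn": f"arn:aws:sts::{account}:assumed-role/{role}/{session_name}",
        "sessionContext": {"sessionIssuer": {"arn": role_arn}},
    }


# Constructed sample trail: two legitimate calls from inside the VPC, the same
# credentials replayed from an unrelated address, and a call by another role.
SAMPLE_TRAIL = [
    {"eventName": "GetObject", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "10.0.1.23", "vpcEndpointId": "vpce-0123456789abcdef0",
     "userIdentity": _session(FUNCTION_ROLE_ARN, FUNCTION_NAME)},
    {"eventName": "GetSecretValue", "eventSource": "secretsmanager.amazonaws.com",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": _session(FUNCTION_ROLE_ARN, FUNCTION_NAME)},
    {"eventName": "GetCallerIdentity", "eventSource": "sts.amazonaws.com",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": _session(FUNCTION_ROLE_ARN, FUNCTION_NAME)},
    {"eventName": "ListBuckets", "eventSource": "s3.amazonaws.com",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": _session("arn:aws:iam::111122223333:role/ops-admin", "alice")},
]

if __name__ == "__main__":
    for event, src in find_stolen_credential_use(SAMPLE_TRAIL):
        print(f"ALERT: {event} with {FUNCTION_NAME} credentials from {src}")
```

Because the role's sessions normally expire on the schedule shown on the credential lifetime slide, a hit after the function stopped running is a second, independent signal worth correlating.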
Function Network Access Controls
Defending Serverless Infrastructure
DEFAULT FUNCTION EXECUTION NETWORKING
• Configurable triggers from HTTP or API Gateway events
• Routing allows egress traffic to the Internet
• Routing allows egress traffic to public cloud service APIs
FUNCTION NETWORK INTEGRATION OPTIONS
Function execution environments can integrate with customer managed virtual private cloud networks:
• AWS Lambda: Virtual Private Cloud
• Azure Functions: Virtual Network Integration (*premium plan only)
• GCP Functions: Not Available
FUNCTION PRIVATE ENDPOINT CONFIGURATION
• Create egress traffic filters
• Enable flow logging / traffic mirroring
• Create private endpoints for managed cloud services access
• Block access to cloud resources from the public API
[Diagram: Virtual Private Cloud with a Private Subnet (Function) and a Public Subnet (NAT Gateway to the Internet); Private Cloud Endpoints to Storage, Secrets and Database]
FWD:CLOUDSEC 2020
THANK YOU FOR ATTENDING!
QUESTIONS?
Eric Johnson
Principal Security Engineer, Puma Security
Senior Instructor, SANS Institute
www.linkedin.com/in/eric-m-johnson
@emjohn20
June 29, 2020

Mais conteúdo relacionado

Mais procurados

Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Teri Radichel
 
Security in Serverless world
Security in Serverless worldSecurity in Serverless world
Security in Serverless worldYan Cui
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignAmazon Web Services
 
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...Amazon Web Services
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageCloudPassage
 
Build a social network in 4 weeks with Serverless and GraphQL
Build a social network in 4 weeks with Serverless and GraphQLBuild a social network in 4 weeks with Serverless and GraphQL
Build a social network in 4 weeks with Serverless and GraphQLYan Cui
 
APIC EM APIs: a deep dive
APIC EM APIs: a deep diveAPIC EM APIs: a deep dive
APIC EM APIs: a deep diveCisco DevNet
 
How to build observability into a serverless application
How to build observability into a serverless applicationHow to build observability into a serverless application
How to build observability into a serverless applicationYan Cui
 
AWS Summit 2014 - Perth - Keynote
AWS Summit 2014 - Perth - KeynoteAWS Summit 2014 - Perth - Keynote
AWS Summit 2014 - Perth - KeynoteAmazon Web Services
 
Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185jtaylor707
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksDevOps.com
 
(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN SecurityPriyanka Aash
 
AWS Lambda Security Inside & Out
AWS Lambda Security Inside & OutAWS Lambda Security Inside & Out
AWS Lambda Security Inside & OutPureSec
 
Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 Amazon Web Services
 
T4 – Understanding aws security
T4 – Understanding aws securityT4 – Understanding aws security
T4 – Understanding aws securityAmazon Web Services
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesAmazon Web Services
 
Cloud Conversations: Giving Business Transformation a Voice_AWSPSSummit_Singa...
Cloud Conversations: Giving Business Transformation a Voice_AWSPSSummit_Singa...Cloud Conversations: Giving Business Transformation a Voice_AWSPSSummit_Singa...
Cloud Conversations: Giving Business Transformation a Voice_AWSPSSummit_Singa...Amazon Web Services
 
(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014
(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014
(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014Amazon Web Services
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...Amazon Web Services
 
Presentación - Cisco ASA with FirePOWER Services
Presentación -  Cisco ASA with FirePOWER ServicesPresentación -  Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER ServicesOscar Romano
 

Mais procurados (20)

Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?Are You Ready for a Cloud Pentest?
Are You Ready for a Cloud Pentest?
 
Security in Serverless world
Security in Serverless worldSecurity in Serverless world
Security in Serverless world
 
Compliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by DesignCompliance in the Cloud Using Security by Design
Compliance in the Cloud Using Security by Design
 
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
AWS Summit 2013 | Singapore - Security & Compliance and Integrated Security w...
 
Meeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassageMeeting PCI DSS Requirements with AWS and CloudPassage
Meeting PCI DSS Requirements with AWS and CloudPassage
 
Build a social network in 4 weeks with Serverless and GraphQL
Build a social network in 4 weeks with Serverless and GraphQLBuild a social network in 4 weeks with Serverless and GraphQL
Build a social network in 4 weeks with Serverless and GraphQL
 
APIC EM APIs: a deep dive
APIC EM APIs: a deep diveAPIC EM APIs: a deep dive
APIC EM APIs: a deep dive
 
How to build observability into a serverless application
How to build observability into a serverless applicationHow to build observability into a serverless application
How to build observability into a serverless application
 
AWS Summit 2014 - Perth - Keynote
AWS Summit 2014 - Perth - KeynoteAWS Summit 2014 - Perth - Keynote
AWS Summit 2014 - Perth - Keynote
 
Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185Securing your cloud perimeter with azure network security brk3185
Securing your cloud perimeter with azure network security brk3185
 
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto NetworksSecurity Across the Cloud Native Continuum with ESG and Palo Alto Networks
Security Across the Cloud Native Continuum with ESG and Palo Alto Networks
 
(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security(SACON 2020) Adventures In SDN Security
(SACON 2020) Adventures In SDN Security
 
AWS Lambda Security Inside & Out
AWS Lambda Security Inside & OutAWS Lambda Security Inside & Out
AWS Lambda Security Inside & Out
 
Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019 Making application threat intelligence practical - DEM06 - AWS reInforce 2019
Making application threat intelligence practical - DEM06 - AWS reInforce 2019
 
T4 – Understanding aws security
T4 – Understanding aws securityT4 – Understanding aws security
T4 – Understanding aws security
 
Incident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of NeedlesIncident Response - Finding a Needle in a Stack of Needles
Incident Response - Finding a Needle in a Stack of Needles
 
Cloud Conversations: Giving Business Transformation a Voice_AWSPSSummit_Singa...
Cloud Conversations: Giving Business Transformation a Voice_AWSPSSummit_Singa...Cloud Conversations: Giving Business Transformation a Voice_AWSPSSummit_Singa...
Cloud Conversations: Giving Business Transformation a Voice_AWSPSSummit_Singa...
 
(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014
(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014
(HLS401) Architecting for HIPAA Compliance on AWS | AWS re:Invent 2014
 
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
5 Steps to a Secure Hybrid Architecture - Session Sponsored by Palo Alto Netw...
 
Presentación - Cisco ASA with FirePOWER Services
Presentación -  Cisco ASA with FirePOWER ServicesPresentación -  Cisco ASA with FirePOWER Services
Presentación - Cisco ASA with FirePOWER Services
 

Semelhante a Winning in the Dark: Defending Serverless Infrastructure

Kubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdfKubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdfKawimbaLofgrens
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsDerek Downey
 
Anthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applicationsAnthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applicationsGreg Castle
 
Deep Dive - Hybrid Architectures
Deep Dive - Hybrid ArchitecturesDeep Dive - Hybrid Architectures
Deep Dive - Hybrid ArchitecturesAmazon Web Services
 
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker GmbH
 
AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityCobus Bernard
 
Trusted Application Delivery: Achieving Ultimate Security
Trusted Application Delivery: Achieving Ultimate SecurityTrusted Application Delivery: Achieving Ultimate Security
Trusted Application Delivery: Achieving Ultimate SecurityWeaveworks
 
Configs, Configs, Everywhere! (Actually, Let's Simplify All Those Configs)
Configs, Configs, Everywhere! (Actually, Let's Simplify All Those Configs)Configs, Configs, Everywhere! (Actually, Let's Simplify All Those Configs)
Configs, Configs, Everywhere! (Actually, Let's Simplify All Those Configs)Akamai Developers & Admins
 
Week 4 lecture material cc (1)
Week 4 lecture material cc (1)Week 4 lecture material cc (1)
Week 4 lecture material cc (1)Ankit Gupta
 
Secure your Azure Web App 2019
Secure your Azure Web App 2019Secure your Azure Web App 2019
Secure your Azure Web App 2019Frans Lytzen
 
Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingOpenstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingShannon McFarland
 
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdfData & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdfChris Bingham
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSjavier ramirez
 
Api management update for optus
Api management update for optusApi management update for optus
Api management update for optussflynn073
 
Securing Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudSecuring Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudOlivia LaMar
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteOWASP Kyiv
 

Semelhante a Winning in the Dark: Defending Serverless Infrastructure (20)

Breaking The Cloud Kill Chain
Breaking The Cloud Kill ChainBreaking The Cloud Kill Chain
Breaking The Cloud Kill Chain
 
Kubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdfKubernetes fingerprinting with Prometheus.pdf
Kubernetes fingerprinting with Prometheus.pdf
 
Using Vault to decouple MySQL Secrets
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
 
F5 Automation Toolchain
F5 Automation ToolchainF5 Automation Toolchain
F5 Automation Toolchain
 
Anthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applicationsAnthos Security: modernize your security posture for cloud native applications
Anthos Security: modernize your security posture for cloud native applications
 
Deep Dive - Hybrid Architectures
Deep Dive - Hybrid ArchitecturesDeep Dive - Hybrid Architectures
Deep Dive - Hybrid Architectures
 
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
kreuzwerker AWS Modernizing Legacy Operations with Containerized Solutions 20...
 
AWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: SecurityAWS SSA Webinar 11 - Getting started on AWS: Security
AWS SSA Webinar 11 - Getting started on AWS: Security
 
Trusted Application Delivery: Achieving Ultimate Security
Trusted Application Delivery: Achieving Ultimate SecurityTrusted Application Delivery: Achieving Ultimate Security
Trusted Application Delivery: Achieving Ultimate Security
 
Configs, Configs, Everywhere! (Actually, Let's Simplify All Those Configs)
Configs, Configs, Everywhere! (Actually, Let's Simplify All Those Configs)Configs, Configs, Everywhere! (Actually, Let's Simplify All Those Configs)
Configs, Configs, Everywhere! (Actually, Let's Simplify All Those Configs)
 
Week 4 lecture material cc (1)
Week 4 lecture material cc (1)Week 4 lecture material cc (1)
Week 4 lecture material cc (1)
 
Secure your Azure Web App 2019
Secure your Azure Web App 2019Secure your Azure Web App 2019
Secure your Azure Web App 2019
 
Openstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud NetworkingOpenstack Summit Vancouver 2018 - Multicloud Networking
Openstack Summit Vancouver 2018 - Multicloud Networking
 
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdfData & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
Data & Analytics ReInvent Recap [AWS Basel Meetup - Jan 2023].pdf
 
Monitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWSMonitorización de seguridad y detección de amenazas con AWS
Monitorización de seguridad y detección de amenazas con AWS
 
Unlocking the Cloud Operating Model
Unlocking the Cloud Operating ModelUnlocking the Cloud Operating Model
Unlocking the Cloud Operating Model
 
Api management update for optus
Api management update for optusApi management update for optus
Api management update for optus
 
Securing Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the CloudSecuring Your Apps & APIs in the Cloud
Securing Your Apps & APIs in the Cloud
 
Guob - MySQL e LGPD
Guob - MySQL e LGPDGuob - MySQL e LGPD
Guob - MySQL e LGPD
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
 

Último

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 

Último (20)

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 

Winning in the Dark: Defending Serverless Infrastructure

  • 1. © 2020 Puma Security, LLC | All Rights Reserved
    FWD:CLOUDSEC 2020
    Winning in the Dark: Defending Serverless Infrastructure
    Eric Johnson, Principal Security Engineer, Puma Security; Senior Instructor, SANS Institute
    www.linkedin.com/in/eric-m-johnson | @emjohn20
    June 29, 2020
  • 2. SESSION GOALS
    • Discover insecurely stored function secrets
    • Exfiltrate authentication tokens from the serverless container
    • Detect stolen authentication tokens accessing cloud resources
    • Apply network controls to prevent command and control
    • Leverage audit logging and monitoring to detect malicious activity
  • 3. ACKNOWLEDGEMENTS
    Gal Bashan - @galbashan1
    • https://github.com/epsagon/lambda-internals
    OWASP Serverless Top 10 Project
    • https://www.owasp.org/index.php/OWASP_Serverless_Top_10_Project
    • Major contributions from Puresec and Protego
    Rhino Security
    • AWS Penetration Testing with Kali Linux
  • 4. PUMA SECURITY: SERVERLESS PREY
    Serverless Prey is an open source repository containing:
    • Functions to establish a reverse shell in each cloud
      • Cheetah: Google Function
      • Cougar: Azure Function
      • Panther: AWS Lambda
    • https://github.com/pumasecurity/serverless-prey
    • https://www.youtube.com/watch?v=-SSrAro8m3M
  • 5. Defending Serverless Infrastructure: Function Execution Environment
  • 6. SERVERLESS EXECUTION ENVIRONMENT
    Reverse engineering each function's execution environment:
      Function         OS                    Directory    User
      NodeJS 12        Amazon Linux 2        /var/task    sbx_user1051
      .NET Core 3.1    Debian GNU/Linux 9    /            app
      Go 1.11          Ubuntu 18.04.2 LTS    /srv/files   root
  • 7. SERVERLESS SECRETS: WHERE IS THE SOURCE CODE?
    Start by looking for secrets in the function source code:
      AWS Lambda         /var/task
      Azure Functions    /home/site/wwwroot/
      GCP Functions      /srv/files
  • 8. SERVERLESS SECRETS: ENVIRONMENT VARIABLES (Azure Functions)
    Secrets in environment variables can be accessed by remote attackers using local file inclusion or command injection vulnerabilities:
      $ cat /proc/self/environ
      WEBSITE_AUTH_ENCRYPTION_KEY=BBDAD8269958635C8D4E3C713636D
      APPSETTING_AzureWebJobsStorage=6BZ4kOCoSD7T1fc8v4h8JpRg==
      APPSETTING_APPINSIGHTS_INSTRUMENTATIONKEY=5D17A234-6B81-4777-8528-6814374E9BD3
      MSI_SECRET=A788C6DE68224140A927BB412B4E24AB
      AzureWebEncryptionKey=BBDAD8046F6B9F0E81A4B349
      CONTAINER_ENCRYPTION_KEY=AYXxtNMabRpw2EIgoGpibUk=
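The environment dump on slide 8 is what a local file inclusion hands an attacker. The Python below is an added example, not code from the talk or from the Serverless Prey project. It shows the vulnerable handler beside its hardened form and a check a defender can run against their own function's environment: parse_environ() reads the NUL-separated /proc/self/environ format (cat prints the variables run together; the slide shows them one per line for readability), find_secret_variables() flags credential-looking names, and the two read_static_* handlers contrast a path concatenation that reaches /proc/self/environ with a realpath-plus-prefix check. The directory layout, the variable names and the values in SAMPLE_ENVIRON are constructed dummies.

```python
import os
import re
import tempfile


def parse_environ(raw: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE format of /proc/<pid>/environ."""
    env = {}
    for entry in raw.split(b"\x00"):
        if not entry:
            continue
        key, sep, value = entry.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


# Names that usually carry credentials; extend for your own platform's conventions.
SECRET_KEY_PATTERN = re.compile(
    r"(SECRET|KEY|TOKEN|PASSWORD|CONNECTION_?STRING|AzureWebJobsStorage)", re.IGNORECASE
)


def find_secret_variables(env: dict) -> list:
    """Return, sorted, the variable names whose key suggests a credential."""
    return sorted(k for k in env if SECRET_KEY_PATTERN.search(k))


def read_static_vulnerable(base_dir: str, user_path: str) -> bytes:
    # Vulnerable: os.path.join() discards base_dir when user_path is absolute,
    # and "../" segments walk out of it, so "/proc/self/environ" is reachable.
    with open(os.path.join(base_dir, user_path), "rb") as fh:
        return fh.read()


def read_static_hardened(base_dir: str, user_path: str) -> bytes:
    # Hardened: resolve symlinks and ".." first, then require the result to
    # still sit under base_dir before opening anything.
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes %s: %r" % (base, user_path))
    with open(target, "rb") as fh:
        return fh.read()


# Constructed sample standing in for /proc/self/environ: Azure-style names,
# dummy values, NUL separators exactly as the kernel exposes them.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin\x00HOME=/home\x00"
    b"MSI_SECRET=dummy-msi-secret\x00"
    b"APPSETTING_AzureWebJobsStorage=DefaultEndpointsProtocol=https;AccountKey=dummy\x00"
    b"WEBSITE_AUTH_ENCRYPTION_KEY=dummy-encryption-key\x00"
)


def demo() -> dict:
    """Build a throwaway layout (task dir plus a fake environ file next to it)
    and report which handler leaks the environ file and which serves only
    the legitimate asset."""
    with tempfile.TemporaryDirectory() as root:
        task_dir = os.path.join(root, "task")
        os.makedirs(task_dir)
        with open(os.path.join(task_dir, "index.html"), "wb") as fh:
            fh.write(b"<h1>ok</h1>")
        environ_path = os.path.join(root, "environ")
        with open(environ_path, "wb") as fh:
            fh.write(SAMPLE_ENVIRON)

        result = {
            "leaked_keys": find_secret_variables(
                parse_environ(read_static_vulnerable(task_dir, "../environ"))),
            "leaked_via_absolute": read_static_vulnerable(task_dir, environ_path) == SAMPLE_ENVIRON,
            "hardened_blocked": False,
            "hardened_serves_legit": read_static_hardened(task_dir, "index.html") == b"<h1>ok</h1>",
        }
        try:
            read_static_hardened(task_dir, "../environ")
        except PermissionError:
            result["hardened_blocked"] = True
        return result


if __name__ == "__main__":
    print(demo())
```

Running find_secret_variables(parse_environ(open("/proc/self/environ", "rb").read())) inside your own function is the quickest inventory of what a single file read would expose; anything it lists belongs in the platform's secret store, not in application settings.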
  • 9. Defending Serverless Infrastructure: Function Execution Role
  • 10. SERVERLESS EXECUTION ROLE
    Functions gain access to other cloud resources (vault, secrets, storage, database, etc.) by executing with predefined permissions:
      AWS Lambda         Execution Role
      Azure Functions    Managed Identity
      GCP Functions      Service Account
  • 11. GCP FUNCTION DEFAULT SERVICE ACCOUNT (GCP Functions)
    • New functions inherit the Google managed "Editor" role by default
    • The Editor role inherits read and modify state permissions for all existing resources
    • The function has full read and write access to storage buckets
    • Payloads in Secret Manager require additional permissions
  • 12. SERVERLESS ACCOUNT CREDENTIAL STORAGE
    Managed serverless platforms executing under a service account have credentials stored in the following locations:
      AWS Lambda         Environment Variables
      Azure Functions    Managed Identity (MSI endpoint)
      GCP Functions      Instance Metadata Service
  • 13. Defending Serverless Infrastructure: Function Data Persistence & Exfiltration
  • 14. SERVERLESS FUNCTION CREDENTIAL LIFETIME
    Comparing the credential expiration time (number of minutes) across cloud providers:
    [Bar chart: AWS Lambda, Azure Functions, GCP Functions; y-axis 0 to 800 minutes]
  • 15. FUNCTION MALWARE PERSISTENCE EXAMPLE
    Comparing the malware persistence lifetime (number of minutes) across cloud providers:
    [Bar chart: AWS Lambda, Azure Functions, GCP Functions; y-axis 0 to 12 minutes]
  • 16. Defending Serverless Infrastructure: Detecting Compromised Function Credentials
  • 17. FUNCTION CREDENTIAL AUDIT LOGGING
    Analyzing service audit logs can identify credential usage outside the function execution environment:
      AWS Lambda         CloudTrail
      Azure Functions    Azure Monitor (partial service support)
      GCP Functions      IAM Audit Logs
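Applied to the AWS column of slide 17: the Lambda execution role shows up in CloudTrail as an AssumedRole session issued by that role, so a credential lifted from the function looks identical to the function itself except for where it is used from. The Python below is an added example, not code from the talk or from Serverless Prey. It parses constructed CloudTrail records and flags calls made with the role that arrive neither from the function's known egress addresses nor through an allowlisted VPC endpoint; the account id, role name, function name ("panther"), endpoint id, user agents and IP addresses are assumed dummies.

```python
import ipaddress
import json

# Constructed CloudTrail records for this example; every identifier and
# address below is a dummy, not data from a real account.
ROLE_SESSION = {
    "type": "AssumedRole",
    "arn": "arn:aws:sts::123456789012:assumed-role/panther-role/panther",
    "sessionContext": {"sessionIssuer": {
        "type": "Role", "userName": "panther-role",
        "arn": "arn:aws:iam::123456789012:role/panther-role"}},
}
LAMBDA_UA = "aws-sdk-nodejs/2.631.0 linux/v12.16.1 exec-env/AWS_Lambda_nodejs12.x"
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    # Expected: function in a VPC calling S3 through the NAT gateway's elastic IP.
    {"eventTime": "2020-06-29T15:00:01Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userAgent": LAMBDA_UA, "userIdentity": ROLE_SESSION},
    # Expected: Secrets Manager call over an interface VPC endpoint; CloudTrail
    # records the private source address and the endpoint id.
    {"eventTime": "2020-06-29T15:00:02Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "10.0.2.25",
     "vpcEndpointId": "vpce-0a1b2c3d", "userAgent": LAMBDA_UA,
     "userIdentity": ROLE_SESSION},
    # Suspicious: the same role session replayed from an unknown address with a CLI user agent.
    {"eventTime": "2020-06-29T15:07:44Z", "eventSource": "secretsmanager.amazonaws.com",
     "eventName": "GetSecretValue", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/1.18.0 Python/3.8.2 Linux/5.4.0-kali4-amd64 botocore/1.15.0",
     "userIdentity": ROLE_SESSION},
    # Unrelated principal: an IAM user, ignored by the role filter.
    {"eventTime": "2020-06-29T15:08:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.77",
     "userAgent": "aws-cli/1.18.0", "userIdentity": {"type": "IAMUser", "userName": "alice"}},
]})


def session_issuer_role(record):
    """Name of the IAM role behind an AssumedRole session, else None."""
    identity = record.get("userIdentity", {})
    if identity.get("type") != "AssumedRole":
        return None
    return identity.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def find_offsite_credential_use(records, role_name, egress_cidrs, vpc_endpoint_ids=()):
    """Flag calls made with the function role from outside its known egress paths.

    egress_cidrs: NAT gateway / fixed egress addresses the function's VPC uses.
    vpc_endpoint_ids: private endpoints whose traffic never leaves the VPC.
    """
    allowed_nets = [ipaddress.ip_network(c) for c in egress_cidrs]
    findings = []
    for rec in records:
        if session_issuer_role(rec) != role_name:
            continue
        if rec.get("vpcEndpointId") in vpc_endpoint_ids:
            continue
        try:
            source = ipaddress.ip_address(rec.get("sourceIPAddress", ""))
        except ValueError:
            # AWS services acting on the role's behalf log a DNS name
            # (e.g. "lambda.amazonaws.com") instead of an address; skip those.
            continue
        if any(source in net for net in allowed_nets):
            continue
        user_agent = rec.get("userAgent", "")
        findings.append({
            "eventTime": rec.get("eventTime"),
            "action": "{}:{}".format(rec.get("eventSource"), rec.get("eventName")),
            "sourceIPAddress": str(source),
            # The SDK inside Lambda appends exec-env/AWS_Lambda_<runtime>; its absence
            # is a supporting signal only, since a user agent is trivially spoofed.
            "lambda_user_agent": "exec-env/AWS_Lambda" in user_agent,
        })
    return findings


def analyze(raw_json, role_name, egress_cidrs, vpc_endpoint_ids=()):
    """Parse a CloudTrail log file body and run the detection over its records."""
    records = json.loads(raw_json)["Records"]
    return find_offsite_credential_use(records, role_name, egress_cidrs, vpc_endpoint_ids)


if __name__ == "__main__":
    for finding in analyze(SAMPLE_CLOUDTRAIL, "panther-role",
                           ["203.0.113.10/32"], ("vpce-0a1b2c3d",)):
        print(finding)
```

The check only has a baseline to compare against when the function's traffic leaves through a fixed path, a NAT gateway elastic IP or VPC endpoints, which is the configuration slide 21 argues for. A function with the default networking calls AWS APIs from AWS-owned addresses that cannot be allowlisted, and the detection degrades to the user-agent signal alone.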
  • 18. Defending Serverless Infrastructure: Function Network Access Controls
  • 19. DEFAULT FUNCTION EXECUTION NETWORKING
    • Configurable triggers from HTTP or API Gateway events
    • Routing allows egress traffic to the Internet
    • Routing allows egress traffic to public cloud service APIs
  • 20. FUNCTION NETWORK INTEGRATION OPTIONS
    Function execution environments can integrate with customer managed virtual private cloud networks:
      AWS Lambda         Virtual Private Cloud
      Azure Functions    Virtual Network Integration (premium plan only)
      GCP Functions      Not Available
  • 21. FUNCTION PRIVATE ENDPOINT CONFIGURATION
    • Create egress traffic filters
    • Enable flow logging / traffic mirroring
    • Create private endpoints for managed cloud services access
    • Block access to cloud resources from the public API
    [Diagram: Virtual Private Cloud with the Function in a Private Subnet and a NAT Gateway in a Public Subnet; Private Cloud Endpoints to Storage, Secrets and Database; the Internet reached through the NAT Gateway]
  • 22. FWD:CLOUDSEC 2020: THANK YOU FOR ATTENDING! QUESTIONS?
    Eric Johnson, Principal Security Engineer, Puma Security; Senior Instructor, SANS Institute
    www.linkedin.com/in/eric-m-johnson | @emjohn20
    June 29, 2020