On this webinar, AWS Solution Architect Mike Deck joined PureSec CTO, Ory Segal, to go in-depth on Lambda Security. Mike explained how Lambda works under the hood and went through the AWS Lambda Security Best Practices. Ory then went through the best practices for securing serverless applications.
AWS Lambda Security Inside & Out
1. AWS LAMBDA SECURITY: INSIDE & OUT
Mike Deck Principal Solutions Architect, AWS
Ory Segal PureSec CTO
https://www.puresec.io/
Get your free 30-day trial of PureSec SSP – https://www.puresec.io/get-puresec
2. Agenda
AWS Lambda overview
AWS Lambda under the hood
Security isolation & network isolation
Serverless security
The evolution of the shared responsibility model
Protecting serverless applications
27. Shared Model Of Responsibility
CLOUD PROVIDER: responsible for security "of" the cloud
Regions, availability zones, edge locations
Compute, storage, database, network
Operating system + virtual machines + containers
APPLICATION OWNER: responsible for security "in" the cloud
Applications (functions)
Identity & access management
Cloud services configuration
Client-side data, data in cloud, data in transit
28. Security Responsibility: When You Own The Infrastructure (IaaS)
Physical infrastructure, access restrictions to physical perimeter and hardware
Secure configuration of infrastructure devices and systems
Regularly testing the security of all systems/processes (OS, services)
Identification and authentication of access to systems (OS, services)
Patching and fixing flaws in OS
Hardening OS and services
Protecting all systems against malware and backdoors
Patching and fixing flaws in runtime environment and related software packages
Exploit prevention and memory protection
Network segmentation
Tracking and monitoring all network resources and access
Installation and maintenance of network firewalls
Network-layer DoS protection
Authentication of users
Authorization controls when accessing application and data
Log and maintain audit trails of all access to application and data
Deploy an application layer firewall for event-data inspection
Detect and fix vulnerabilities in third-party dependencies
Use least-privileged IAM roles and permissions
Enforce legitimate application behavior
Data leak prevention
Scan code and configurations statically during development
Maintain serverless/cloud asset inventory
Remove obsolete/unused cloud services and functions
Continuously monitor errors and security incidents
Chart split between application owner and cloud provider: 8% / 92%
29. Security Responsibility: When You Adopt Serverless
Physical infrastructure, access restrictions to physical perimeter and hardware
Secure configuration of infrastructure devices and systems
Regularly testing the security of all systems/processes (OS, services)
Identification and authentication of access to systems (OS, services)
Patching and fixing flaws in OS
Hardening OS and services
Protecting all systems against malware and backdoors
Patching and fixing flaws in runtime environment and related software packages
Exploit prevention and memory protection
Network segmentation
Tracking and monitoring all network resources and access
Installation and maintenance of network firewalls
Network-layer DoS protection
Authentication of users
Authorization controls when accessing application and data
Log and maintain audit trails of all access to application and data
Deploy an application layer firewall for event-data inspection
Detect and fix vulnerabilities in third-party dependencies
Use least-privileged IAM roles and permissions
Enforce legitimate application behavior
Data leak prevention
Scan code and configurations statically during development
Maintain serverless/cloud asset inventory
Remove obsolete/unused cloud services and functions
Continuously monitor errors and security incidents
Chart split between application owner and cloud provider: 52% / 48%
30. Top Risks for Serverless Applications (http://bit.ly/csa-top-12)
SAS-1: Function event-data injection
SAS-2: Broken authentication
SAS-3: Insecure serverless deployment
SAS-4: Over-privileged function permissions
SAS-5: Inadequate function monitoring
SAS-6: Insecure 3rd party dependencies
SAS-7: Insecure app secrets storage
SAS-8: DoS & financial exhaustion
SAS-9: Serverless business logic manipulation
SAS-10: Improper exceptions handling & errors
SAS-11: Legacy functions & cloud resources
SAS-12: Cross-execution data persistency
31. Existing Application Security Solutions Do Not Fit
TRADITIONAL SECURITY: protects applications by being deployed on networks and servers
SERVERLESS: the application owner doesn't have any control over the infrastructure
34. THE CHALLENGE OF "LEAST-PRIVILEGED" IAM ROLES (CONFIGURATION)
Functions should only be allowed to do what they are tasked with
AWS IAM model is extremely powerful, yet hard to get right, especially at large scale
Human factor
'Over-privileged' issues are the most common problem
35. GETTING IAM PERMISSIONS RIGHT
Adopt 'Role-per-Function' model
Single responsibility principle – each function should have a single focused task
Use SAM managed policies where applicable
Automate IAM permissions scanning and role generation (PureSec)
36. Automating Least-Privileged IAM w/ PureSec
Your Function
Static Code Analysis – learn about cloud resource interactions, and least required privileges
IAM Role Configuration Analysis – learn about privileges granted
Account Analysis – learn about cloud resources in your account that might be at risk
37. • Remediate risks during development with the CLI-based scanner
• Enforce least-privilege policy during build (CI/CD integration)
• Continuously monitor & enforce security on deployed applications
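The "over-privileged is the most common problem" point from slides 34 to 37 is easy to make concrete with a small policy check. The following is an added example, not PureSec's scanner or any AWS tooling: it takes two constructed IAM policy documents, one granting `dynamodb:*` on `Resource: "*"` and one scoped to two actions on a single table, and flags every Allow statement whose action or resource is a wildcard. The account id, region and table name in the sample ARN are placeholders.

```python
# Constructed sample policies: an over-privileged role and a single-task, least-privileged one.
OVER_PRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::orders-bucket/*"},
    ],
}

LEAST_PRIVILEGED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         # placeholder account id / region / table name
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/Orders"},
    ],
}

def _as_list(value):
    # IAM allows Action and Resource to be a single string or a list; normalize to a list.
    return value if isinstance(value, list) else [value]

def find_over_privileged(policy):
    """Return (statement index, field, value) for every wildcard action or resource in an Allow statement.

    A wildcard action is "*", "<service>:*", or any action name containing "*";
    a wildcard resource is "*". Deny statements are skipped because they narrow, not widen, access."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*") or "*" in action.split(":")[-1]:
                findings.append((idx, "action", action))
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append((idx, "resource", resource))
    return findings

if __name__ == "__main__":
    for name, policy in (("over-privileged", OVER_PRIVILEGED), ("least-privileged", LEAST_PRIVILEGED)):
        print(name, find_over_privileged(policy))
```

A check like this belongs in the CI/CD stage from slide 37: fail the build when the function's role has any finding, and require an explicit exception otherwise.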
39. There's more to AWS Lambda than AWS Gateway HTTP – 47 event sources
• Web Application Firewalls inspect HTTP(s) web traffic
• Require deployment in-line between client and Lambda
• Parse and inspect HTTP messages (parameters, cookies, headers)
Cloud-native event inspection requires a different approach.
* Where is data coming from? Eventually from the outside…
40. PureSec Runtime Protection: serverless, scalable & blazing-fast
Serverless application firewall - inspects all cloud-native events
Serverless Behavioral Protection – enforces expected app behavior
Protects real-world production applications with billions of invocations