AWS Lambda Security Inside & Out

AWS LAMBDA SECURITY: INSIDE & OUT
Mike Deck Principal Solutions Architect, AWS
Ory Segal PureSec CTO
https://www.puresec.io/
Get your free 30-day trial of PureSec SSP – https://www.puresec.io/get-puresec

Agenda
 AWS Lambda overview
 AWS Lambda under the hood
 Security isolation & network isolation
 Serverless security
 The evolution of the shared responsibility
model
 Protecting serverless applications

© 2019, Amazon Web Services, Inc. or its Affiliates.
SERVICES (ANYTHING)
Changes in
data state
Requests to
endpoints
Changes in
resource state
EVENT SOURCE FUNCTION
Node.js
Python
Java
C#
Go
AWS Lambda overview

Lambda handles…
Load Balancing
Auto Scaling
Handling Failures
Security Isolation
Managing Utilization
(and many other things) for you

Let’s take a look under the
hood

AWS Cloud
Region
Lambda customer
(Existing Worker,
New Sandbox)
Availability zone 2
Availability zone 1
Invoke
Front End
Invoke
Front End
Worker Mgr
Worker Mgr
Reserve Sandbox
Invoke
Worker
Worker
Worker
Init

© 2019, Amazon Web Services, Inc. or its Affiliates.© 2019, Amazon Web Services, Inc. or its Affiliates.
Sandbox isolation

Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode

Hardware
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode

Hardware
Host OS
Hypervisor
Guest OS
Sandbox
Lambda Runtime
YourCode
One Function
ManyAccounts

Hardware
Host OS
Hypervisor
Guest OS
Virtual Devices
Device Emulation
Physical
Devices

Hardware
Host OS
Hypervisor
Guest OS
virtio drivers
virtio host in Firecracker
Physical
Devices

Network isolation

Worker
Lambda
Function
ENI in
yourVPC
YourVPC
Local
NAT

Worker
Lambda
Function
ENI in
yourVPC
YourVPC
Remote
NAT

↓
↓
↑
Firecracker Hypervisor vs. Others

Security Whitepaper
https://bit.ly/lambda-security

Learn more
Available onYouTube
https://youtu.be/QdzV04T_kec

AWS LAMBDA
SECURITY
SERVERLESS
SECURITY

Shared Model Of Responsibility
CLOUD PROVIDER
Responsible for security
“of”
The cloud
REGIONS AVAILABILITY ZONES EDGE LOCATIONS
COMPUTE STORAGE DATABASE NETWORK
OPERATING SYSTEM + VIRTUAL MACHINES + CONTAINERS
APPLICATION
OWNER
Responsible for
security “in” the cloud
APPLICATIONS (FUNCTIONS)
IDENTITY & ACCESS
MANAGEMENT
CLOUD SERVICES
CONFIGURATION
CLIENT-SIDE DATA IN CLOUD DATA IN TRANSIT

Security Responsibility: When You Own The
Infrastructure (IaaS)
 Physical infrastructure, access restrictions to physical perimeter and hardware
 Secure configuration of infrastructure devices and systems
 Regularly testing the security of all systems/processes (OS, services)
 Identification and authentication of access to systems (OS, services)
 Patching and fixing flaws in OS
 Hardening OS and services
 Protecting all systems against malware and backdoors
 Patching and fixing flaws in runtime environment and related software packages
 Exploit prevention and memory protection
 Network segmentation
 Tracking and monitoring all network resources and access
 Installation and maintenance of network firewalls
 Network-layer DoS protection
 Authentication of users
 Authorization controls when accessing application and data
 Log and maintain audit trails of all access to application and data
 Deploy an application layer firewall for event-data inspection
 Detect and fix vulnerabilities in third-party dependencies
 Use least-privileged IAM roles and permissions
 Enforce legitimate application behavior
 Data leak prevention
 Scan code and configurations statically during development
 Maintain serverless/cloud asset inventory
 Remove obsolete/unused cloud services and functions
 Continuously monitor errors and security incidents
8%
92%
APPLICATION
OWNER
CLOUD
PROVIDER

Security Responsibility: When You Adopt
Serverless
 Physical infrastructure, access restrictions to physical perimeter and hardware
 Secure configuration of infrastructure devices and systems
 Regularly testing the security of all systems/processes (OS, services)
 Identification and authentication of access to systems (OS, services)
 Patching and fixing flaws in OS
 Hardening OS and services
 Protecting all systems against malware and backdoors
 Patching and fixing flaws in runtime environment and related software packages
 Exploit prevention and memory protection
 Network segmentation
 Tracking and monitoring all network resources and access
 Installation and maintenance of network firewalls
 Network-layer DoS protection
 Authentication of users
 Authorization controls when accessing application and data
 Log and maintain audit trails of all access to application and data
 Deploy an application layer firewall for event-data inspection
 Detect and fix vulnerabilities in third-party dependencies
 Use least-privileged IAM roles and permissions
 Enforce legitimate application behavior
 Data leak prevention
 Scan code and configurations statically during development
 Maintain serverless/cloud asset inventory
 Remove obsolete/unused cloud services and functions
 Continuously monitor errors and security incidents
52%
48%
APPLICATION
OWNER
CLOUD
PROVIDER

Top Risks for Serverless Applicationshttp://bit.ly/csa-top-12
SAS-1
Function event-data injection
Broken authentication
SAS-2
Insecure serverless deployment
SAS-3
Over-privileged function permissions
SAS-4
Inadequate function monitoring
SAS-5
Insecure 3rd party dependencies
SAS-6
Insecure app secrets storage
SAS-7
DoS & Financial exhaustion
SAS-8
Serverless business logic manipulation
SAS-9
Improper exceptions handling & errors
SAS-10
Legacy functions & cloud resources
SAS-11
Cross-execution data persistency
SAS-12

Existing Application Security Solutions Do
Not Fit
Protects applications by
being deployed on
networks and servers
TRADITIONAL SECURITY
The application owner doesn't
have any control over the
infrastructure
SERVERLESS

INFRASTRUCTURE
SERVERLESS
FUNCTIONS WAF
LAYER 7
NG-FW
INBOUND
WSG
OUTBOUND
IPS
NETWORK
EPP
BEHAVIORAL
APPLICATION
Traditional Protections Cannot Be Deployed
On Serverless
With No Infrastructure Based Protections,
Your Security is Reduced to
Good Coding and Strict Configuration

THE CHALLENGE OF ”LEAST-
PRIVILEGED” IAM ROLES
 Functions should only be allowed to do
what they are tasked with
 AWS IAM model is extremely powerful,
yet hard to get right, especially at large
scale
 Human factor
 ‘Over-privileged’ issues are the most
common problem
C O N F I G U R AT I O N

GETTING IAM PERMISSIONS RIGHT
 Adopt ‘Role-per-Function’ model
 Single responsibility principle – each
function should have a single focused task
 Use SAM managed policies where
applicable
 Automate IAM permissions scanning and
role generation (PureSec)

Your Function
Static Code
Analysis
Learn about cloud
resource interactions,
and least required
privileges
IAM Role
Configuration
Analysis
Learn about
privileges granted
Account Analysis
Learn about cloud
resources in your
account that might be
at risk
Automating Least-Privileged IAM w/ PureSec

• Remediate risks during development with the CLI-based scanner
• Enforce least-privilege policy during build (CI/CD integration)
• Continuously monitor & enforce security on deployed applications

There’s more to AWS Lambda than
AWS Gateway
HTTP
…47 services
• Web Application Firewalls inspect HTTP(s) web traffic
• Require deployment in-line between client and Lambda
• Parse and inspect HTTP messages (parameters, cookies, headers)
Cloud-native event inspection requires a
different approach.
* Where is data coming from?
Eventually from the outside…

PureSec Runtime Protection: serverless, scalable & blazing-fast
 Serverless application firewall - inspects all cloud-native events
 Serverless Behavioral Protection – enforces expected app behavior
 Protects real-world production applications with billions of invocations

ory@puresec.io
Get your free 30-day trial of PureSec SSP – https://www.puresec.io/get-puresec

AWS Lambda Security Inside & Out

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (19)

Semelhante a AWS Lambda Security Inside & Out

Semelhante a AWS Lambda Security Inside & Out (20)

Último

Último (20)

AWS Lambda Security Inside & Out