Securing Serverless and Container Services - Marc Schröter, AWS DevOps Engineer - PowerPoint PPT Presentation



SLIDE 1

Securing Serverless and Container Services

Marc Schröter AWS DevOps Engineer @ globaldatanet

Community Day 2019 Sponsors

SLIDE 2

  • DevOps: Automation, Continuous Delivery, Infrastructure as Code
  • Cloud Security: Security and Compliance Controls
  • Container: Managing the full container life cycle
  • Serverless: Highly scalable and fault-tolerant solutions

SLIDE 3

What is serverless, and how does it impact your approach to security?

SLIDE 4

What is serverless?

  • Shift operational responsibilities to AWS
  • Increasing your agility and innovation

SLIDE 5

  • No infrastructure provisioning, no management
  • Automatic scaling
  • Pay for value
  • Highly available and secure

SLIDE 6

  • COMPUTE: AWS Lambda, AWS Fargate
  • INTEGRATION: Amazon API Gateway, Amazon SQS, Amazon SNS, Amazon Step Functions
  • DATA STORES: Amazon S3, Amazon Aurora Serverless, AWS DynamoDB

SLIDE 7
SLIDE 8

Serverless Risks - OWASP

  • A1: Injection
  • A2: Broken Authentication
  • A3: Sensitive Data Exposure
  • A4: XML External Entities (XXE)
  • A5: Broken Access Control
  • A6: Security Misconfiguration
  • A7: Cross-Site Scripting (XSS)
  • A8: Insecure Deserialization
  • A9: Using Components with Known Vulnerabilities
  • A10: Insufficient Logging and Monitoring

SLIDE 9

Serverless Risks - CSA

  • SAS-1: Function Event Data Injection
  • SAS-2: Broken Authentication
  • SAS-3: Insecure Serverless Deployment Configuration
  • SAS-4: Over-Privileged Function Permissions & Roles
  • SAS-5: Inadequate Function Monitoring and Logging
  • SAS-6: Insecure Third-Party Dependencies
  • SAS-7: Insecure Application Secrets Storage
  • SAS-8: Denial of Service & Financial Resource Exhaustion
  • SAS-9: Serverless Business Logic Manipulation
  • SAS-10: Improper Exception Handling and Verbose Error Messages
  • SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
  • SAS-12: Cross-Execution Data Persistency

SLIDE 10

Serverless Risk Categorization

Application Code & App Logic Risks
  • Injection
  • Broken Authentication
  • Sensitive data exposure
  • Insecure deserialization
  • Known vulnerabilities
  • Improper exception handling

Deployment Configurations Risks
  • Security misconfiguration
  • Overprivileged permission
  • Insecure secrets storage
  • Broken access control

Serverless Platform Risks
  • Inadequate Monitoring
  • DoS
  • Unused functions
  • Data Persistency

Misc. Risks
  • XSS, XXE

SLIDE 11

A1: Injection

SLIDE 12

Injection

SLIDE 13

Injection

  • Use Web Application Firewall
  • Validate data based on schemas and data transfer objects
  • Always use an ORM
  • Escape special characters
  • Use least privileges
  • Consider all event types and entry points into the system
  • Use a commercial runtime defense solution
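
The schema-validation bullet above, worked through as an added example (not code from the talk): a Lambda handler for an API Gateway proxy event that checks the request body against an explicit allow-list schema before anything reaches the data layer. The `CUSTOMER_SCHEMA`, the event shape used in the handler and the hypothetical `save_customer` step are assumptions for illustration.

```python
import json
import re

# Constructed example (not from the talk): an allow-list schema for the body of
# a POST /customers request. Anything not described here is rejected.
CUSTOMER_SCHEMA = {
    "name": {"type": str, "max_len": 64, "pattern": r"^[A-Za-z][A-Za-z .'-]*$"},
    "email": {"type": str, "max_len": 254, "pattern": r"^[^@\s]+@[^@\s]+\.[^@\s]+$"},
    "age": {"type": int, "min": 0, "max": 150},
}

def validate(obj, schema):
    """Return a list of violations; an empty list means the object is valid."""
    if not isinstance(obj, dict):
        return ["body must be a JSON object"]
    errors = []
    # Unknown keys are rejected: extra fields are a classic way to smuggle
    # injection payloads or mass-assignment data into an ORM call.
    for key in obj.keys() - schema.keys():
        errors.append(f"unexpected field '{key}'")
    for key, rule in schema.items():
        if key not in obj:
            errors.append(f"missing field '{key}'")
            continue
        val = obj[key]
        # bool is a subclass of int in Python, so exclude it explicitly
        if not isinstance(val, rule["type"]) or isinstance(val, bool):
            errors.append(f"field '{key}' has wrong type")
            continue
        if "max_len" in rule and len(val) > rule["max_len"]:
            errors.append(f"field '{key}' too long")
        if "pattern" in rule and not re.fullmatch(rule["pattern"], val):
            errors.append(f"field '{key}' has invalid characters")
        if "min" in rule and not rule["min"] <= val <= rule["max"]:
            errors.append(f"field '{key}' out of range")
    return errors

def handler(event, context=None):
    """Lambda handler for an API Gateway proxy event (the 'body' field is a JSON string)."""
    try:
        body = json.loads(event.get("body") or "")
    except ValueError:
        return {"statusCode": 400, "body": json.dumps({"errors": ["body is not valid JSON"]})}
    errors = validate(body, CUSTOMER_SCHEMA)
    if errors:
        return {"statusCode": 400, "body": json.dumps({"errors": errors})}
    # Only validated, typed fields reach the data layer (hypothetical save_customer step).
    return {"statusCode": 201, "body": json.dumps({"created": body["name"]})}
```

The same `validate` call should be applied to every other entry point the function accepts (path and query parameters, headers, SQS or S3 event records), since each of them is an injection vector in its own right.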
SLIDE 14

A2: Broken Authentication

SLIDE 15

Broken Authentication

  • AWS Cognito or Single Sign-On
  • API Gateway access control
    ○ API keys
    ○ Usage plans
    ○ AWS IAM roles and policies
    ○ Amazon Cognito user pools
    ○ Lambda authorizer functions
  • Service authentication between internal resources
    ○ SAML, OAuth2, Security Tokens
    ○ Encrypted channels
    ○ Password and key management
    ○ Client certificate
    ○ OTP/2FA
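
The "Lambda authorizer functions" option above, as an added example (not code from the talk): a TOKEN authorizer that verifies an HMAC-signed bearer token and returns the IAM policy document API Gateway expects. The token format, the `SECRET_KEY` constant and the `issue_token` helper are constructed for this example; a real deployment would validate a JWT or Cognito token and read its key material from a secret store.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: in a real deployment the key comes from a secret
# store (see the Sensitive Data Exposure slides), never from source code.
SECRET_KEY = b"demo-secret-not-for-production"

def issue_token(principal_id, ttl_seconds=300, now=None):
    """Mint a compact HMAC-SHA256 token: urlsafe-b64(payload) '.' urlsafe-b64(signature)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"sub": principal_id, "exp": now + ttl_seconds}).encode()
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return b".".join(base64.urlsafe_b64encode(p) for p in (payload, sig)).decode()

def verify_token(token, now=None):
    """Return the principal id if signature and expiry check out, otherwise None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
        expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        claims = json.loads(payload)
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")

def build_policy(principal_id, effect, method_arn):
    """IAM policy document in the shape API Gateway expects back from a Lambda authorizer."""
    return {
        "principalId": principal_id,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
    }

def handler(event, context=None):
    """Entry point for an API Gateway TOKEN authorizer event (authorizationToken, methodArn)."""
    auth = event.get("authorizationToken", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    principal = verify_token(token)
    if principal is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    return build_policy(principal, "Allow", event["methodArn"])
```

API Gateway caches the returned policy per token for the configured TTL, so the `Resource` should be scoped to the methods that principal may call rather than a wildcard over the whole API.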

SLIDE 16

A3: Sensitive Data Exposure

SLIDE 17

Sensitive Data Exposure

  • Identify and classify sensitive data
  • Minimize storage of sensitive data
  • Protect data at rest and in transit
  • Use HTTPS only endpoints for APIs
  • Key management
  • Encryption of stored data
  • Secret Management
  • Environment variables encryption
SLIDE 18

A5: Broken Access Control

SLIDE 19

Broken Access Control

Fine-grained access control

(Diagram: Amazon API Gateway with POST, GET and DELETE methods in front of a customers table, an orders table and a queue.)

SLIDE 20

Broken Access Control

Follow least-privilege

SLIDE 21

Broken Access Control

Automate permission configuration

SLIDE 22

Broken Access Control

Automate permission configuration

SLIDE 23

Broken Access Control

Automate security testing of IaC

(Diagram: a CloudWatch event for CloudFormation stack CREATE/UPDATE invokes a Lambda function, which pulls the CloudFormation script from S3, checks it, and notifies on failure via SES.)

SLIDE 24

Broken Access Control

Analyze IAM access patterns programmatically

SLIDE 25

Broken Access Control

Analyze IAM access patterns programmatically

SLIDE 26

Broken Access Control

Follow AWS IAM Best Practices

SLIDE 27

A6: Security Misconfiguration

SLIDE 28

Security Misconfiguration

  • Enforce access control
  • Provider's security best practices
  • Check for functions with unlinked triggers
  • Resources that appear in policies but are not linked back to the function
  • Set timeouts to the minimum required by the function
  • Use automatic tools that detect security misconfigurations

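The "automate permission configuration" and "automate security testing of IaC" slides, together with the "automatic tools" bullet above, as one added example (not the talk's own tooling): a small check that walks a CloudFormation template and flags IAM Allow statements with wildcard actions or resources, the SAS-4 over-privileged-function smell. The `TEMPLATE` fragment and its role names are constructed for this example.

```python
# Constructed CloudFormation fragment (not from the talk): one function role that
# grants far more than it needs and one that is scoped to a single table.
TEMPLATE = {
    "Resources": {
        "OrdersFunctionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{"PolicyName": "orders", "PolicyDocument": {
                "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}}]},
        },
        "CustomersFunctionRole": {
            "Type": "AWS::IAM::Role",
            "Properties": {"Policies": [{"PolicyName": "customers", "PolicyDocument": {
                "Statement": [{"Effect": "Allow",
                               "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
                               "Resource": {"Fn::GetAtt": ["CustomersTable", "Arn"]}}]}}]},
        },
    }
}

IAM_TYPES = ("AWS::IAM::Role", "AWS::IAM::User", "AWS::IAM::Group", "AWS::IAM::Policy")

def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _policy_documents(props):
    """Yield every inline PolicyDocument of an IAM resource's Properties."""
    if "PolicyDocument" in props:               # AWS::IAM::Policy
        yield props["PolicyDocument"]
    for policy in props.get("Policies", []):    # inline policies on Role/User/Group
        yield policy.get("PolicyDocument", {})

def find_overprivileged(template):
    """Return findings for Allow statements that use wildcard actions or resources."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        for doc in _policy_documents(res.get("Properties", {})):
            for stmt in _as_list(doc.get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = [a for a in _as_list(stmt.get("Action", [])) if isinstance(a, str)]
                # intrinsic functions such as Fn::GetAtt are dicts; a plain "*" is the smell
                resources = [r for r in _as_list(stmt.get("Resource", [])) if isinstance(r, str)]
                if any(a == "*" or a.endswith(":*") for a in actions):
                    findings.append(f"{name}: wildcard action {actions}")
                if "*" in resources:
                    findings.append(f"{name}: wildcard resource")
    return findings
```

A few actions (for example `logs:CreateLogGroup` or `sts:GetCallerIdentity`) only accept `Resource: "*"`, so findings from this check are a review queue for the pipeline's failure notification, not an automatic hard fail.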
SLIDE 29

A9: Known Vulnerabilities

SLIDE 30

Known Vulnerabilities

  • Continuously monitor dependencies and their versions
  • Only obtain components from official sources
  • Continuously monitor sources like CVE and NVD
  • Platform-based advisories like NodeSecurity, PyUp, OWASP SafeNuGet, etc.
  • Scan dependencies for known vulnerabilities
    ○ OWASP Dependency Check
    ○ GitHub Security Alerts
    ○ GitLab Dependency Scanning
    ○ WhiteSource

SLIDE 31

Serverless Security Demo

SLIDE 32

Serverless Security Demo

  1. Information Gathering
  2. Function Reverse Engineering
  3. Digging For Gold Inside Environment Variables
  4. Exploiting Over-Privileged IAM Roles
  5. Abusing Insecure Cloud Configurations
  6. Finding Known Vulnerabilities In Open Source Packages

SLIDE 33

Security for Amazon Kubernetes Cluster

SLIDE 34

Encrypt communication

  • Between web clients and your load balancer
    ○ Use the Application Load Balancer (ALB)
    ○ Can be achieved with the ALB Ingress Controller
    ○ ALB provides routing and security options for the application layer
  • Between your load balancer and pod
    ○ Encryption support of your application or application server
    ○ Run a sidecar on your pod which performs encryption
    ○ Run a complete service mesh like Istio
  • Between your pod and your AWS RDS database

SLIDE 35

Encrypt storage

  • Databases
  • Persistent Volume Claims (PVC)
SLIDE 36

Restrict inbound and outbound traffic

  • Use network policies
  • Network Policy engine (Calico)
SLIDE 37

More EKS Security Tips

  • Use a firewall to block known web attacks
  • Protect yourself from DDoS attacks
  • Secure your AWS account
  • Use namespaces and secrets
  • Cyber attack detection
  • Review your security setup
  • Scan your container images
    ○ Aqua Security Microscanner
    ○ CoreOS Clair
    ○ Anchore engine

SLIDE 38

Container DevSecOps

SLIDE 39

(Diagram: container DevSecOps pipeline, numbered as on the slide)

  1. Developer (AWS Cloud9) opens a Pull Request on AWS CodeCommit (Application Repo)
  2. Triggers AWS CodePipeline
  3. AWS CodeBuild stages (Docker linting, secrets scanning, vulnerability scanning, publish image) push vulnerabilities to AWS Security Hub
  4. Builds and pushes image to Amazon ECR
  5. CodeBuild success/failure triggers an Amazon CloudWatch Event Rule
  6. Triggers Lambda function
  7. Adds feedback to Pull Request

SLIDE 40

Build with services not servers

Ahhhh and we are hiring

globaldatanet - globaldatanet.com - mail@globaldatanet.com