securing serverless and container services
play

Securing Serverless and Container Services Marc Schrter AWS DevOps - PowerPoint PPT Presentation

Nov 24, 2022 •10 likes •410 views

Securing Serverless and Container Services Marc Schrter AWS DevOps Engineer @ globaldatanet Community Day 2019 Sponsors Serverless DevOps Automation Continuous Delivery Highly scalable and Infrastructure as Code fault-tolerant solutions

  1. Securing Serverless and Container Services Marc Schröter AWS DevOps Engineer @ globaldatanet Community Day 2019 Sponsors

  2. Serverless DevOps Automation Continuous Delivery Highly scalable and Infrastructure as Code fault-tolerant solutions Cloud Security Container Security and Managing the full Compliance Controls container life cycle

  3. What is serverless, and how does it impact your approach to security?

  4. What is serverless? Shift operational responsibilities to AWS Increasing your agility and innovation

  5. No infrastructure provisioning, Automatic scaling no management Pay for value Highly available and secure

  6. COMPUTE AWS AWS Lambda Fargate DATA STORES Amazon Amazon Aurora AWS S3 Serverless DynamoDB INTEGRATION Amazon Amazon Amazon Amazon API Gateway SQS SNS Step Functions

  8. Serverless Risks - OWASP A1: Injection A2: Broken Authentication A3: Sensitive Data Exposure A4: XML External Entities (XXE) A5: Broken Access Control A6: Security Misconfiguration A7: Cross-Site Scripting (XSS) A8: Insecure Deserialization A9: Using Components with Known Vulnerabilities A10: Insufficient Logging and Monitoring

  9. Serverless Risks - CSA SAS-1: Function Event Data Injection SAS-2: Broken Authentication SAS-3: Insecure Serverless Deployment Configuration SAS-4: Over-Privileged Function Permissions & Roles SAS-5: Inadequate Function Monitoring and Logging SAS-6: Insecure Third-Party Dependencies SAS-7: Insecure Application Secrets Storage SAS-8: Denial of Service & Financial Resource Exhaustion SAS-9: Serverless Business Logic Manipulation SAS-10: Improper Exception Handling and Verbose Error Messages SAS-11: Obsolete Functions, Cloud Resources and Event Triggers SAS-12: Cross-Execution Data Persistency

  10. Serverless Risk Categorization Application Code & Deployment Serverless Platform Misc.Risks App Logic Risks Configurations Risks Risks DoS Injection Security misconfiguration Broken access control Unused functions Broken Authentication Overprivileged permission Inadequate Monitoring Data Persistency Sensitive data exposure Insecure secrets storage XSS, XXE Insecure deserialization Known vulnerabilities Improper exception handling

  11. A1: Injection

  12. Injection

  13. Injection ● Use Web Application Firewall ● Validate data based on schemas and data transfer objects ● Always use an ORM ● Escape special characters ● Use least privileges ● Consider all event types and entry points into the system ● Use a commercial runtime defense solution

  14. A2: Broken Authentication

  15. Broken Authentication ● AWS Cognito or Single Sign-On ● API Gateway Access control ○ API keys ○ Usage plans ○ AWS IAM roles and policies ○ Amazon Cognito user pools ○ Lambda authorizer functions ● Service authentication between internal resources ○ SAML, OAuth2, Security Tokens ○ Encrypted channels ○ Password and key management ○ Client certificate ○ OTA/2FA

  16. A3: Sensitive Data Exposure

  17. Sensitive Data Exposure ● Identify and classify sensitive data ● Minimize storage of sensitive data ● Protect data at rest and in transit ● Use HTTPS only endpoints for APIs ● Key management ● Encryption of stored data ● Secret Management ● Environment variables encryption

  18. A5: Broken Access Control

  19. Broken Access Control Fine grained access control POST customers table GET orders table DELETE Amazon API Gateway queue

  20. Broken Access Control Follow least-privilege

  21. Broken Access Control Automate permission configuration

  22. Broken Access Control Automate permission configuration

  23. Broken Access Control Automate security testing of IaC CF Script Pull CF Script from S3 S3 Event for stack CREATE/UPDATE Notify on failure CloudFormation Lambda CloudWatch SES

  24. Broken Access Control Analyze IAM access patterns programmatically

  25. Broken Access Control Analyze IAM access patterns programmatically

  26. Broken Access Control Follow AWS IAM Best Practices

  27. A7: Security Misconfiguration

  28. Security Misconfiguration ● Enforce access control ● Providers security best practices ● Check for functions with unlinked triggers ● Resources that appear in policies but are not linked back to the function ● Set timeouts to the minimum required by the function ● Use automatic tools that detect security misconfigurations

  29. A7: Known Vulnerabilities

  30. Known Vulnerabilities ● Continuously monitor dependencies and their versions ● Only obtain components from official sources ● Continuously monitor sources like CVE and NVD ● Platform based advisories like NodeSecurity, PyUp, OWASP SafeNuGet, etc. ● Scan dependencies for known vulnerabilities ○ OWASP Dependency Check ○ GitHub Security Alerts ○ Gitlab Dependency Scanning ○ WhiteSource

  31. Serverless Security Demo

  32. Serverless Security Demo 1. Information Gathering 2. Function Reverse Engineering 3. Digging For Gold Inside Environment Variables 4. Exploiting Over-Privileged IAM Roles 5. Abusing Insecure Cloud Configurations 6. Finding Known Vulnerabilities In Open Source Packages

  33. Security for Amazon Kubernetes Cluster

  34. Encrypt communication ● Between web clients and your loadbalancer ○ Use the application loadbalancer (ALB) ○ Can be achieved with the ALB-Ingress-Controller ○ ALB provides routing and security options for the application layer ● Between your loadbalancer and pod ○ Encryptions support of your application or application server ○ Run a sidecar on your pod which performs encryption ○ Run a complete service mesh like Istio ● Between your pod and your AWS RDS database

  35. Encrypt storage ● Databases ● Persistent Volume Claims (PVC)

  36. Restrict inbound and outbound traffic ● Use network policies ● Network Policy engine (Calico)

  37. More EKS Security Tips ● Use a firewall to block known web attacks ● Protect yourself from DDos attacks ● Secure your AWS account ● Use namespaces and secrets ● Cyber attack detection ● Review your security setup ● Scan your container images ○ Aqua Security Microscanner ○ CoresOS Clair ○ Anchore engine

  38. Container DevSecOps

  39. AWS Cloud9 7. Adds feedback to 6. Triggers Lambda 1.Pull Request Pull Request Function Amazon CloudWatch AWS CodeCommit AWS Lambda Developer Event Rule (Application Repo) Function 2. Triggers 5. CodeBuild Success/Failure CodePipeline triggers Rule AWS CodePipeline VULNERABILITY PUBLISH IMAGE PULL REQUEST DOCKER LINTING SECRETS SCANNING SCANNING Configs Development AWS CodeBuild AWS CodeBuild AWS CodeBuild AWS CodeBuild 4. Builds and pushes 3. Pushes vulnerabilities Image to ECR to Security Hub AWS Security Hub Amazon ECR

  40. Build with services not servers Ahhhh and we are hiring globaldatanet mail@globaldatanet.com globaldatanet globaldatanet.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software

22.05.2018 Build Your Serverless Container Cloud with OpenStack and Kubernetes Kevin Zhao Senior Software Engineer on Arm. OpenStack Zun Core Reviewer kevin.zhao@arm.com Agenda What is Serverless Container Cloud Demo Zun and Container

750 views • 35 slides
Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in

www.securing.pl Pawel Rzepa Serverless security: attack & defense www.securing.pl #whoami Senior Security Consultant in - Pentesting - Cloud security assessment Blog: https://medium.com/@rzepsky @Rzepsky

1.1k views • 63 slides
Serverless On Your Own Terms Using Knative Context Serverless more than Function Serverless

Serverless On Your Own Terms Using Knative Context Serverless more than Function Serverless

Serverless at Google @mchmarny Serverless On Your Own Terms Using Knative Context Serverless more than Function Serverless Models Operator No Infra Management Managed Security Pay only for usage Developer Service-based Event-driven Open

1.06k views • 51 slides
Securing Serverless - By Breaking In Guy Podjarny, Snyk @guypod snyk.io About Me Guy

Securing Serverless - By Breaking In Guy Podjarny, Snyk @guypod snyk.io About Me Guy

Securing Serverless - By Breaking In Guy Podjarny, Snyk @guypod snyk.io About Me Guy Podjarny, @guypod on Twitter CEO & Co-founder at Snyk History: Cyber Security part of Israel Defense Forces First Web App Firewall

345 views • 30 slides
How Serverless Changes the IT Department Paul Johnston Opinionated Serverless Person

How Serverless Changes the IT Department Paul Johnston Opinionated Serverless Person

How Serverless Changes the IT Department Paul Johnston Opinionated Serverless Person Serverless all the things Medium/Twitter: @PaulDJohnston Velocify Conf London 2018 Paul Johnston Experienced Interim CTO and Serverless Consultant

1.11k views • 63 slides
Lunch and Learn John McKim @johncmckim Software Engineer A Cloud Guru Serverless Framework

Lunch and Learn John McKim @johncmckim Software Engineer A Cloud Guru Serverless Framework

Lunch and Learn John McKim @johncmckim Software Engineer A Cloud Guru Serverless Framework Contributor Serverless Framework https://serverless.com What is Serverless? Functions as a Service Properties of FaaS Services Function as unit of

570 views • 12 slides
Serverless Gardens IoT + Serverless johncmckim.me twitter.com/@johncmckim

Serverless Gardens IoT + Serverless johncmckim.me twitter.com/@johncmckim

Serverless Gardens IoT + Serverless johncmckim.me twitter.com/@johncmckim medium.com/@johncmckim John McKim Software Engineer at A Cloud Guru Contribute to Serverless Framework @johncmckim https://acloud.guru Serverless Framework

814 views • 50 slides
Functions as a Service (a.k.a. Serverless functions) Func unctio tions ns-as as-a-Ser

Functions as a Service (a.k.a. Serverless functions) Func unctio tions ns-as as-a-Ser

Functions as a Service (a.k.a. Serverless functions) Func unctio tions ns-as as-a-Ser Service vice Recall PaaS Treats servers and computation like electricity (i.e. a commodity consumed on-demand) No VM or container to manage

482 views • 21 slides
Instance Support Elastic Load Balancing Amazon EC2 AWS Elastic Beanstalk Amazon EC2 Container

Instance Support Elastic Load Balancing Amazon EC2 AWS Elastic Beanstalk Amazon EC2 Container

Instance Support Elastic Load Balancing Amazon EC2 AWS Elastic Beanstalk Amazon EC2 Container Amazon ECS VMWare Cloud on AWS Registry Amazon Lightsail AWS Outposts AWS Batch Container Functions (Serverless Compute) Amazon ECS* AWS

347 views • 15 slides
DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x

DISASTER RELIEF CENTER 2x Accommodation Container 2x Sanitary Container 1x Galley Container 1x Medical Container 1x Feed Water Container 1x Water Treatment Container 2x Generator Container 1x

569 views • 8 slides
Databases Gone Serverless Alkin Tezuysal (@ask_dba) Sr. Technical Manager, Percona Who am I?

Databases Gone Serverless Alkin Tezuysal (@ask_dba) Sr. Technical Manager, Percona Who am I?

Databases Gone Serverless Alkin Tezuysal (@ask_dba) Sr. Technical Manager, Percona Who am I? @ask_dba 2 Agenda Serverless Architectures Serverless Solutions in Database World Wheres Serverless technology going? 3 What does

796 views • 20 slides
Kotlin Serverless Framework Vladislav Tankov What is serverless? cloud-computing execution model

Kotlin Serverless Framework Vladislav Tankov What is serverless? cloud-computing execution model

Kotlin Serverless Framework Vladislav Tankov What is serverless? cloud-computing execution model , in which the cloud provider runs the server and dynamically manages the allocation of machine resources Wikipedia How are serverless

995 views • 46 slides
Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud

Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud

Serverless in the Wild: Characterizing and Optimizing the Serverless Workload at a Large Cloud Provider Mohammad Shahrad , Rodrigo Fonseca , igo Goiri, Gohar Chaudhry, Paul Batum, Jason Cooke, Eduardo Laureano, Colby Tresness, Mark

2.05k views • 39 slides
FaaS You Like It! @ewanslater Serverless CNCF Definition Serverless computing refers to

FaaS You Like It! @ewanslater Serverless CNCF Definition Serverless computing refers to

FaaS You Like It! @ewanslater Serverless CNCF Definition Serverless computing refers to the concept of building and running applications that do not require server management . It describes a finer-grained deployment model where

613 views • 45 slides
Baltic Container Terminal (BCT) Gdynia, Poland International Container Terminal Services Inc. 1

Baltic Container Terminal (BCT) Gdynia, Poland International Container Terminal Services Inc. 1

Baltic Container Terminal (BCT) Gdynia, Poland International Container Terminal Services Inc. 1 BCT Value Proposition 1 Strategic Location Gdynia is located within the Baltic-Adriatic Corridor (corridor VI), one of the most important

494 views • 11 slides
The Hitchhikers Guide to Serverless JavaScript Steve Faulkner @southpolesteve

The Hitchhikers Guide to Serverless JavaScript Steve Faulkner @southpolesteve

The Hitchhikers Guide to Serverless JavaScript Steve Faulkner @southpolesteve Director of Engineering Serverless Serverless there are still servers servers platforms! * as a Service Database-aaS Caching-aaS

1.12k views • 87 slides
Internet censorship is everywhere Source:

Internet censorship is everywhere Source:

Internet censorship is everywhere Source: https://freedomhouse.org/report/freedom-net/freedom-net-2016 Commonly censored content Unapproved news (Fake News!!111) Wikipedia (usually partially) Facebook Google (all services), YouTube

539 views • 37 slides
Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key

Encryption at Scale on AWS Matt Campagna campagna@amazon.com Agenda Describe the AWS Key Management Service Client Side Encryption AWS Encryption SDK Server Side Encryption S3 Object Encryption Amazon Simple Storage Service

387 views • 22 slides
Experience of so-ware engineers using TLA+, PlusCal and TLC

Experience of so-ware engineers using TLA+, PlusCal and TLC

Experience of so-ware engineers using TLA+, PlusCal and TLC Chris Newcombe Principal Engineer, Amazon Web Services 1 Amazon Web Services 30+

588 views • 30 slides
Amazon Elastic Compute Cloud (EC2) vs. in-House HPC Platform a Cost Analysis J. Emeras, S.

Amazon Elastic Compute Cloud (EC2) vs. in-House HPC Platform a Cost Analysis J. Emeras, S.

Amazon Elastic Compute Cloud (EC2) vs. in-House HPC Platform a Cost Analysis J. Emeras, S. Varrette, P. Bouvry Parallel Computing and Optimization Group (PCOG), University of Luxembourg (UL), Luxembourg S. Varrette (PCOG Research unit)

670 views • 38 slides
Scalable Gaussian Processes Zhenwen Dai Amazon 9 September 2019 @GPSS 2019 Zhenwen Dai (Amazon)

Scalable Gaussian Processes Zhenwen Dai Amazon 9 September 2019 @GPSS 2019 Zhenwen Dai (Amazon)

Scalable Gaussian Processes Zhenwen Dai Amazon 9 September 2019 @GPSS 2019 Zhenwen Dai (Amazon) Scalable Gaussian Processes 9 September 2019 @GPSS 2019 1 / 46 Gaussian process Input and Output Data: X = ( x 1 , . . . , x N ) y = ( y 1 ,

516 views • 47 slides
Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have

Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have

Library2Go for Kindle - Instructions Kindle Fire, Smartphone and Tablet users: You must have access to the Library2Go full site (not the mobile site) to access Kindle eBooks directly from your device. Click the link on the E-book help page

384 views • 24 slides
StarCluster - NumPy/SciPy Computing on Amazons Elastic Compute Cloud (EC2) Justin Riley

StarCluster - NumPy/SciPy Computing on Amazons Elastic Compute Cloud (EC2) Justin Riley

Outline Introduction Amazon EC2 Basics StarCluster Overview Conclusions StarCluster - NumPy/SciPy Computing on Amazons Elastic Compute Cloud (EC2) Justin Riley Software Tools for Academics and Researchers Office of Educational Innovation

941 views • 74 slides
Basheer Al-Duwairi Jordan University of Science & Technology United-States/Middle-East

Basheer Al-Duwairi Jordan University of Science & Technology United-States/Middle-East

Basheer Al-Duwairi Jordan University of Science & Technology United-States/Middle-East Workshop On Trustworthiness in Emerging Distributed Systems and Networks, Istanbul- Turkey, 4-6 June 2012 Outline Examples of using network

301 views • 12 slides

More recommend