Security Aspects of Services for Serverless Architectures
  Bertram Dorn, EMEA Specialized Solutions Architect, Security and Compliance
Agenda
  Security in general
  Services in scope
  Aspects of services for serverless architectures
  API endpoint concept
  API calls
  Some service details
What is?
  Deployment & Administration
  Application Services
  Compute, Storage, Database, Networking
  Global Infrastructure
Service in Scope I
  The architect should not care about AZ setup
  The architect should not care about scaling
  The architect should not care about availability
  The architect should not care about sizing
  The architect should not care about service-side communication
  The architect should not take action on service-side security
AWS service map (slide)
  TECHNICAL & BUSINESS SUPPORT: Support, Professional Services, Partner Ecosystem, Training & Certification, Solutions Architects
  HYBRID ARCHITECTURE: Integrated Networking, Direct Connect, Identity Federation, Integrated App Deployments, Business Apps
  ANALYTICS: Data Warehousing, Business Intelligence, Hadoop/Spark, Streaming Data Analysis, Streaming Data Collection, Machine Learning, Elastic Search
  APP SERVICES: Identity, Access Control, Queuing & Notifications, Workflow, Search, Email, Transcoding, DevOps Tools, Key & Storage
  MOBILE SERVICES: API Gateway, Identity, Sync, Mobile Analytics, Single Integrated Console, Push Notifications
  MARKETPLACE: Business Intelligence, Security, DevOps, Storage, Networking, Databases, Business Apps
  DEVELOPMENT & OPERATIONS: One-click App Deployment, Resource Templates, Application Lifecycle, Containers, Triggers
  SECURITY & COMPLIANCE: Monitoring & Logs, Configuration Compliance, Web application firewall, Assessment and reporting, Resource & Usage Auditing, Account Data Backups
  IoT: Rules Engine, Device Shadows, Device SDKs, Device Gateway, Registry
  ENTERPRISE APPS: Virtual Desktops, Sharing & Collaboration, Corporate Email, Backup
  CORE SERVICES: Compute (VMs, Auto-scaling & Load Balancing), Storage (Object, Blocks, Archival, Import/Export), Databases (Relational, NoSQL, Caching, Migration), Networking (VPC, DX, DNS), CDN, Security & Pricing Reports
  INFRASTRUCTURE: Regions, Availability Zones, Points of Presence
Global Footprint: Regions
  US East (Virginia), US West (N. California), US West (Oregon), GovCloud, EU West (Ireland), EU Central (Frankfurt), Asia Pacific (Tokyo), Korea (Seoul), Asia Pacific (Singapore), Asia Pacific (Sydney), China (Beijing), São Paulo
  A Region is an independent collection of resources in a defined geography, and a solid foundation for meeting location-dependent privacy and compliance requirements.
Global Footprint: Availability Zones
  Designed as independent failure zones
  Physically separated within a typical metropolitan region
Shared Responsibility
  Managed by the customer (security in the cloud): optimized network/OS/app controls, service-specific controls, cross-service controls
  Managed by the cloud service provider (security of the cloud): controls covered by ISO 27000 and ISO 9001
  Request reports at: aws.amazon.com/compliance/#contact
Service in Scope II
  The architect needs to care about IAM
  The architect must secure his access keys
  The architect should be aware of the service features
  The architect should cross-check the service against the compliance setup
  The architect must take care of encryption: this needs knowledge of the service features and knowing how to work his own encryption into the architecture
API endpoint concept (slide diagram)
  API features: DDoS protected, Multi-AZ available, encryption in transport, authenticated, logging
  Callers: the architect via WebInterface / CLI / SDK / API; a resource or application; a user application
  Every call passes through IAM
  Services shown: Amazon SQS, Amazon S3, Amazon DynamoDB, Amazon API Gateway, Amazon SES
Services for Serverless Architectures
  Two columns on the slide: Full Flexible Sizing vs. Needed Sizing/Communication
  Route53, CloudFront, Lambda, API Gateway, S3, SNS, SQS, KMS, SWF, ELB, Kinesis, DynamoDB, Elasticsearch, Redshift, RDS
AWS Shared Responsibility
  Secure infrastructure (physics / logic / certification)
  Tenant isolation
  Availability
  Platform scaling
  In some services: crypto options
Security related features which need to be instrumented by the Architect: Amazon S3
  Secure transport
  Server-side encryption: individual vector for each object; re-encryption through copy and versioning
  KMS integration: customer managed keys
  IAM integration
  Versioning
  MFA Delete
  Storage class
  S3 logging
A view on S3 (slide diagram)
  Data path: HTTP(S) to the S3 endpoints of a region, into buckets with objects
  Command path: the admin instruments S3 via WebInterface / CLI / SDK / API, through IAM
  Policy layers: S3 bucket policy, object policy, user policy
  S3 logging
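As an added example (not part of the deck), a read-only audit that checks a bucket description against the S3 controls listed above: TLS-only transport, server-side encryption with a customer managed KMS key, versioning, MFA Delete and S3 logging. The bucket dicts are constructed samples in a simplified, assumed shape, not the exact output of the AWS API.

```python
# Added example, not from the slides. The bucket descriptions are constructed
# and use a simplified, assumed shape (not the exact boto3 get_bucket_* output).

def has_tls_only_deny(policy) -> bool:
    """True if a Deny statement rejects requests made without TLS."""
    if not policy:
        return False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cond = stmt.get("Condition", {}).get("Bool", {})
        if str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False

def s3_findings(bucket: dict) -> list:
    """Report which of the deck's S3 controls the bucket does not instrument."""
    findings = []
    if not has_tls_only_deny(bucket.get("Policy")):
        findings.append("secure transport: no Deny on aws:SecureTransport=false")
    sse = bucket.get("ServerSideEncryption")
    if sse is None:
        findings.append("server-side encryption: no default encryption rule")
    elif sse.get("SSEAlgorithm") == "aws:kms" and not sse.get("KMSMasterKeyID"):
        findings.append("KMS integration: aws:kms without a customer managed key")
    versioning = bucket.get("Versioning", {})
    if versioning.get("Status") != "Enabled":
        findings.append("versioning: not enabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA delete: not enabled")
    if not bucket.get("Logging", {}).get("TargetBucket"):
        findings.append("S3 logging: no target bucket configured")
    return findings

# Constructed sample: a bucket with none of the controls set.
WEAK_BUCKET = {"Policy": None, "Versioning": {"Status": "Suspended"}, "Logging": {}}

# Constructed sample: every control from the slide is instrumented
# (bucket name, account id and key id are placeholders).
HARDENED_BUCKET = {
    "Policy": {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]},
    "ServerSideEncryption": {"SSEAlgorithm": "aws:kms",
                             "KMSMasterKeyID": "arn:aws:kms:eu-central-1:111122223333:key/EXAMPLE-KEY-ID"},
    "Versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
    "Logging": {"TargetBucket": "example-access-logs"},
}
```

Running `s3_findings` over a bucket description returns one line per missing control, so an empty list means every control on the slide is in place.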
Security related features which need to be instrumented by the Architect: Amazon API Gateway
  Secure transport
  Setup of paths
  Secure coding inside the Lambda functions
  Client certificates
  CloudWatch Logs logging
A view on API Gateway (slide diagram)
  Data path: HTTP(S) to the API Gateway endpoints of a region; mockups and proxy integrations behind the endpoint
  Command path: the admin instruments API Gateway via WebInterface / CLI / SDK / API, through IAM
  CloudWatch Logs
Possibilities which need to be instrumented by the Architect: Lambda
  The IAM role needs to be focused
  Secure coding
  CloudWatch Logs logging
  Well chosen triggers
A view on Lambda (slide diagram)
  Data path: HTTP(S) via the API Gateway endpoints of a region into Lambda, and on to other services
  Command path: the admin instruments Lambda via WebInterface / CLI / SDK / API, through IAM
  CloudWatch Logs
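As an added example (not part of the deck), a small linter for a Lambda execution role's policy document that checks the two Lambda points above: the IAM role should be focused (no wildcard actions or resources) and the function must still be able to write to CloudWatch Logs. Both policy documents are constructed samples; the region, account id, log group and queue names are placeholders.

```python
# Added example, not from the slides: lint a Lambda execution role policy for
# a focused IAM role and for CloudWatch Logs logging. Samples are constructed.

def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def role_findings(policy: dict) -> list:
    """Return the ways this execution role is broader, or weaker, than needed."""
    findings = []
    can_write_logs = False
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            # "*" or "service:*" grants far more than one function needs.
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {i}: wildcard action '{action}'")
        if "*" in resources:
            findings.append(f"statement {i}: Resource '*' instead of specific ARNs")
        if "logs:PutLogEvents" in actions:
            can_write_logs = True
    if not can_write_logs:
        findings.append("CloudWatch Logs: role lacks logs:PutLogEvents, the function cannot log")
    return findings

# Constructed sample: the "just make it work" role.
BROAD_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Constructed sample: focused on one log group and one queue.
FOCUSED_ROLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
     "Resource": "arn:aws:logs:eu-central-1:111122223333:log-group:/aws/lambda/order-handler:*"},
    {"Effect": "Allow", "Action": "sqs:SendMessage",
     "Resource": "arn:aws:sqs:eu-central-1:111122223333:orders"}]}
```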
Amazon SQS / Amazon SES
  The IAM role needs to be focused
  What data do you send? Subscribers
  Take care of logging
A view on Messaging: Amazon SQS / Amazon SES (slide diagram)
  Data path: HTTP(S) via the API Gateway endpoints of a region, and on to other services
  Command path: the admin instruments the services via WebInterface / CLI / SDK / API, through IAM
  CloudTrail
Thank You Bertram Dorn