Securing Serverless and Container Services
Marc Schröter, AWS DevOps Engineer @ globaldatanet
Community Day 2019

● Serverless: highly scalable and fault-tolerant solutions
● DevOps Automation: Continuous Delivery, Infrastructure as Code
● Cloud Security: ... and Compliance Controls
● Container Security: managing the full container life cycle
What is serverless, and how does it impact your approach to security?
What is serverless?
Shift operational responsibilities to AWS, increasing your agility and innovation.
● No infrastructure provisioning, no management
● Automatic scaling
● Pay for value
● Highly available and secure

COMPUTE: AWS Lambda, AWS Fargate
DATA STORES: Amazon S3, Amazon Aurora Serverless, Amazon DynamoDB
INTEGRATION: Amazon API Gateway, Amazon SQS, Amazon SNS, AWS Step Functions
Serverless Risks - OWASP
A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities (XXE)
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-Site Scripting (XSS)
A8: Insecure Deserialization
A9: Using Components with Known Vulnerabilities
A10: Insufficient Logging and Monitoring

Serverless Risks - CSA
SAS-1: Function Event Data Injection
SAS-2: Broken Authentication
SAS-3: Insecure Serverless Deployment Configuration
SAS-4: Over-Privileged Function Permissions & Roles
SAS-5: Inadequate Function Monitoring and Logging
SAS-6: Insecure Third-Party Dependencies
SAS-7: Insecure Application Secrets Storage
SAS-8: Denial of Service & Financial Resource Exhaustion
SAS-9: Serverless Business Logic Manipulation
SAS-10: Improper Exception Handling and Verbose Error Messages
SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
SAS-12: Cross-Execution Data Persistency

Serverless Risk Categorization
● Application Code & App Logic Risks: Injection, Broken Authentication, Sensitive data exposure, XSS, XXE, Insecure deserialization, Known vulnerabilities, Improper exception handling
● Deployment Configuration Risks: Security misconfiguration, Overprivileged permission, Insecure secrets storage
● Serverless Platform Risks: Broken access control, Inadequate Monitoring
● Misc. Risks: DoS, Unused functions, Data Persistency
A1: Injection
● Use a Web Application Firewall
● Validate data based on schemas and data transfer objects
● Always use an ORM
● Escape special characters
● Use least privileges
● Consider all event types and entry points into the system
● Use a commercial runtime defense solution
A2: Broken Authentication
● AWS Cognito or Single Sign-On
● API Gateway access control
  ○ API keys
  ○ Usage plans
  ○ AWS IAM roles and policies
  ○ Amazon Cognito user pools
  ○ Lambda authorizer functions
● Service authentication between internal resources
  ○ SAML, OAuth2, security tokens
  ○ Encrypted channels
  ○ Password and key management
  ○ Client certificates
  ○ OTP/2FA
A3: Sensitive Data Exposure
● Identify and classify sensitive data
● Minimize storage of sensitive data
● Protect data at rest and in transit
● Use HTTPS-only endpoints for APIs
● Key management
● Encryption of stored data
● Secret management
● Environment variable encryption
A5: Broken Access Control
● Fine-grained access control: separate Amazon API Gateway methods mapped to separate resources (POST → customers table, GET → orders table, DELETE → queue)
● Follow least privilege
● Automate permission configuration
● Automate security testing of IaC: the CloudFormation (CF) script is pulled from S3, an S3 event on stack CREATE/UPDATE triggers a Lambda function, results go to CloudWatch and SES notifies on failure (services: CloudFormation, Lambda, CloudWatch, SES)
● Analyze IAM access patterns programmatically
● Follow AWS IAM Best Practices
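The "automate security testing of IaC" and least-privilege points above, as an added example that is not from the talk or any AWS tool: a pre-deployment check that flags CloudFormation IAM policies granting wildcard actions or resources. The template, role name and account id are constructed for illustration.

```python
# Added example, not from the talk or any AWS tool: a pre-deployment check that
# fails a CloudFormation template whose IAM policies grant wildcard actions or
# resources. The template below is constructed for illustration.
IAM_TYPES = ("AWS::IAM::Role", "AWS::IAM::Policy", "AWS::IAM::ManagedPolicy")

# Constructed Lambda execution role: one wildcard statement, one scoped one.
SAMPLE_TEMPLATE = {"Resources": {"OrdersFnRole": {
    "Type": "AWS::IAM::Role",
    "Properties": {"Policies": [{
        "PolicyName": "orders",
        "PolicyDocument": {"Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
            {"Effect": "Allow", "Action": ["dynamodb:GetItem"],
             "Resource": "arn:aws:dynamodb:eu-west-1:111122223333:table/orders"},
        ]},
    }]},
}}}


def _as_list(value):
    """IAM allows either a string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def find_wildcard_statements(template):
    """Return (resource_name, policy_name, reason) for every Allow statement
    with a service-wide action ("*" or "svc:*") or a "*" resource."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") not in IAM_TYPES:
            continue
        props = res.get("Properties", {})
        policies = list(props.get("Policies", []))   # inline role policies
        if "PolicyDocument" in props:                  # AWS::IAM::Policy / ManagedPolicy
            policies.append({"PolicyName": name, "PolicyDocument": props["PolicyDocument"]})
        for pol in policies:
            for stmt in _as_list(pol["PolicyDocument"].get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                if any(a == "*" or a.endswith(":*") for a in _as_list(stmt.get("Action", []))):
                    findings.append((name, pol["PolicyName"], "wildcard action"))
                if "*" in _as_list(stmt.get("Resource", [])):
                    findings.append((name, pol["PolicyName"], "wildcard resource"))
    return findings


if __name__ == "__main__":
    # In the pipeline from the slide, a non-empty list would fail the stack
    # CREATE/UPDATE and trigger the failure notification.
    for f in find_wildcard_statements(SAMPLE_TEMPLATE):
        print("FAIL: %s policy %r: %s" % f)
```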
A6: Security Misconfiguration
● Enforce access control
● Follow the provider's security best practices
● Check for functions with unlinked triggers
● Check for resources that appear in policies but are not linked back to the function
● Set timeouts to the minimum required by the function
● Use automatic tools that detect security misconfigurations
A9: Known Vulnerabilities
● Continuously monitor dependencies and their versions
● Only obtain components from official sources
● Continuously monitor sources like CVE and NVD
● Platform-based advisories like NodeSecurity, PyUp, OWASP SafeNuGet, etc.
● Scan dependencies for known vulnerabilities
  ○ OWASP Dependency Check
  ○ GitHub Security Alerts
  ○ GitLab Dependency Scanning
  ○ WhiteSource
Serverless Security Demo
1. Information Gathering
2. Function Reverse Engineering
3. Digging For Gold Inside Environment Variables
4. Exploiting Over-Privileged IAM Roles
5. Abusing Insecure Cloud Configurations
6. Finding Known Vulnerabilities In Open Source Packages
Security for Amazon Kubernetes Cluster
Encrypt communication
● Between web clients and your load balancer
  ○ Use the Application Load Balancer (ALB)
  ○ Can be achieved with the ALB Ingress Controller
  ○ ALB provides routing and security options for the application layer
● Between your load balancer and pod
  ○ Encryption support in your application or application server
  ○ Run a sidecar on your pod which performs encryption
  ○ Run a complete service mesh like Istio
● Between your pod and your AWS RDS database

Encrypt storage
● Databases
● Persistent Volume Claims (PVC)

Restrict inbound and outbound traffic
● Use network policies
● Network Policy engine (Calico)

More EKS Security Tips
● Use a firewall to block known web attacks
● Protect yourself from DDoS attacks
● Secure your AWS account
● Use namespaces and secrets
● Cyber attack detection
● Review your security setup
● Scan your container images
  ○ Aqua Security Microscanner
  ○ CoreOS Clair
  ○ Anchore Engine
Container DevSecOps
Pipeline (AWS Cloud9, AWS CodeCommit, Amazon CloudWatch, AWS CodePipeline, AWS CodeBuild, AWS Security Hub, Amazon ECR, AWS Lambda):
1. The developer opens a pull request (from AWS Cloud9) against the AWS CodeCommit application repo.
2. A CloudWatch Event Rule triggers AWS CodePipeline; its AWS CodeBuild stages are PULL REQUEST (development configs), DOCKER LINTING, SECRETS SCANNING, VULNERABILITY SCANNING and PUBLISH IMAGE.
3. Vulnerabilities are pushed to AWS Security Hub.
4. The image is built and pushed to Amazon ECR.
5. CodeBuild success/failure triggers a CloudWatch rule.
6. The rule triggers a Lambda function.
7. The Lambda function adds feedback to the pull request.
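The DOCKER LINTING and SECRETS SCANNING stages of the pipeline above, as an added example that is not from the talk, hadolint or any real scanner: a small rule set that a CodeBuild stage could run and whose non-empty result fails the pull request. The Dockerfile, rule names and placeholder password are constructed.

```python
# Added example, not from the talk or any real scanner: lint rules a pull
# request stage can run on a Dockerfile before the image is built.
import re

# Constructed Dockerfile with one violation per rule.
SAMPLE_DOCKERFILE = """\
FROM python:latest
ENV DB_PASSWORD=constructed-example-password
ADD http://example.invalid/app.tar.gz /opt/app/
RUN pip install -r /opt/app/requirements.txt
CMD ["python", "/opt/app/main.py"]
"""

# Variable names that should never carry a literal value in an image layer;
# ENV/ARG values stay in the image history and are readable by anyone who
# can pull the image.
SECRET_NAMES = re.compile(r"(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.I)


def lint_dockerfile(text):
    """Return a list of (line_no, rule, message); an empty list lets the build proceed."""
    findings = []
    has_user = False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            image = args.split()[0]
            if ":" not in image or image.endswith(":latest"):
                findings.append((no, "unpinned-base", "pin the base image to a tag or digest"))
        elif instr in ("ENV", "ARG"):
            key = re.split(r"[= ]", args, 1)[0]      # "KEY=value" and "KEY value" forms
            if SECRET_NAMES.search(key):
                findings.append((no, "secret-in-layer",
                                 "%s is baked into the image; inject it at runtime instead" % key))
        elif instr == "ADD" and re.match(r"https?://", args):
            findings.append((no, "add-from-url", "download with a checksum in RUN instead of ADD from a URL"))
        elif instr == "USER" and args.split()[0] not in ("root", "0"):
            has_user = True
    if not has_user:
        findings.append((0, "runs-as-root", "no non-root USER instruction; the container runs as root"))
    return findings


if __name__ == "__main__":
    for line_no, rule, msg in lint_dockerfile(SAMPLE_DOCKERFILE):
        print("line %d [%s]: %s" % (line_no, rule, msg))
```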
Build with services, not servers.
Ahhhh, and we are hiring.
globaldatanet
mail@globaldatanet.com
globaldatanet.com