Page 1: Securing Serverless and Container Services
Marc Schröter, AWS DevOps Engineer @ globaldatanet
Community Day 2019
Sponsors

Page 2:

● DevOps Automation: Continuous Delivery, Infrastructure as Code
● Cloud Security: Security and Compliance Controls
● Container: Managing the full container life cycle
● Serverless: Highly scalable and fault-tolerant solutions

Page 3:

What is serverless, and how does it impact your approach to security?

Page 4:

What is serverless?
● Shift operational responsibilities to AWS
● Increase your agility and innovation

Page 5:

● No infrastructure provisioning, no management
● Automatic scaling
● Pay for value
● Highly available and secure

Page 6:

● COMPUTE: AWS Lambda, AWS Fargate
● INTEGRATION: Amazon API Gateway, Amazon SQS, Amazon SNS, AWS Step Functions
● DATA STORES: Amazon S3, Amazon Aurora Serverless, Amazon DynamoDB

Page 7:

Page 8:

Serverless Risks - OWASP Top 10 (2017)
A1: Injection
A2: Broken Authentication
A3: Sensitive Data Exposure
A4: XML External Entities (XXE)
A5: Broken Access Control
A6: Security Misconfiguration
A7: Cross-Site Scripting (XSS)
A8: Insecure Deserialization
A9: Using Components with Known Vulnerabilities
A10: Insufficient Logging and Monitoring

Page 9:

Serverless Risks - CSA (The 12 Most Critical Risks for Serverless Applications)
SAS-1: Function Event Data Injection
SAS-2: Broken Authentication
SAS-3: Insecure Serverless Deployment Configuration
SAS-4: Over-Privileged Function Permissions & Roles
SAS-5: Inadequate Function Monitoring and Logging
SAS-6: Insecure Third-Party Dependencies
SAS-7: Insecure Application Secrets Storage
SAS-8: Denial of Service & Financial Resource Exhaustion
SAS-9: Serverless Business Logic Manipulation
SAS-10: Improper Exception Handling and Verbose Error Messages
SAS-11: Obsolete Functions, Cloud Resources and Event Triggers
SAS-12: Cross-Execution Data Persistency

Page 10:

Serverless Risk Categorization
● Application Code & App Logic Risks: Injection, Broken Authentication, Sensitive data exposure, Insecure deserialization, Known vulnerabilities, Improper exception handling
● Deployment Configuration Risks: Security misconfiguration, Overprivileged permissions, Insecure secrets storage
● Serverless Platform Risks: Broken access control, Inadequate monitoring
● Misc. Risks: DoS, Unused functions, Data persistency, XSS, XXE

Page 11:

A1: Injection

Page 12:

Injection

Page 13:

Injection
● Use a Web Application Firewall (e.g. AWS WAF in front of API Gateway)
● Validate data based on schemas and data transfer objects
● Use an ORM or parameterized queries; never build queries by string concatenation
● Escape special characters
● Use least privileges
● Consider all event types and entry points into the system (HTTP, S3, SQS, SNS, DynamoDB streams, scheduled events), not just the HTTP API
● Use a commercial runtime defense solution
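The event-data injection the slide is about, as an added example (not code from the talk): a Lambda-style handler that looks up orders for a customer, first in the vulnerable string-concatenation form and then hardened with schema validation of the event field plus a bound parameter. An in-memory sqlite3 database stands in for the data store and the API Gateway proxy event is constructed; the function names are mine.

```python
"""Added example: vulnerable vs hardened order lookup in a Lambda handler.
sqlite3 stands in for Aurora/RDS; the injection pattern is the same."""
import json
import re
import sqlite3

# The only input field we accept, and the only shape we accept it in.
CUSTOMER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def make_db():
    """Constructed sample data: two customers, three orders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer_id TEXT, total REAL)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", 10.0), (2, "alice", 25.5), (3, "bob", 99.0)],
    )
    return conn


def lookup_orders_vulnerable(conn, event):
    """Builds SQL by concatenating event data (OWASP A1 / CSA SAS-1)."""
    customer_id = event["queryStringParameters"]["customer_id"]
    sql = "SELECT id, total FROM orders WHERE customer_id = '" + customer_id + "'"
    return conn.execute(sql).fetchall()


def lookup_orders_hardened(conn, event):
    """Validates the event field against a schema, then binds it as a parameter.
    Returns None when the input is rejected so the caller can answer 400."""
    params = event.get("queryStringParameters") or {}
    customer_id = params.get("customer_id")
    if not isinstance(customer_id, str) or not CUSTOMER_ID_RE.match(customer_id):
        return None
    return conn.execute(
        "SELECT id, total FROM orders WHERE customer_id = ?", (customer_id,)
    ).fetchall()


def handler(event, context=None):
    """Lambda entry point wrapping the hardened lookup in an API Gateway response."""
    conn = make_db()  # fresh in-memory DB per invocation, for the demo only
    rows = lookup_orders_hardened(conn, event)
    if rows is None:
        return {"statusCode": 400, "body": json.dumps({"error": "invalid customer_id"})}
    return {"statusCode": 200, "body": json.dumps([{"id": i, "total": t} for i, t in rows])}


if __name__ == "__main__":
    benign = {"queryStringParameters": {"customer_id": "alice"}}
    hostile = {"queryStringParameters": {"customer_id": "x' OR '1'='1"}}
    db = make_db()
    print("vulnerable, hostile input:", lookup_orders_vulnerable(db, hostile))  # every order leaks
    print("hardened, hostile input:", handler(hostile)["statusCode"])
    print("hardened, benign input:", handler(benign)["body"])
```

The schema check rejects the hostile value before any query runs; the bound parameter protects the cases the regex would let through. Both are needed: validation narrows the input, parameterization removes the interpretation of the input as SQL.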

Page 14:

A2: Broken Authentication

Page 15:

Broken Authentication
● AWS Cognito or Single Sign-On
● API Gateway access control
○ API keys (these identify clients and meter usage; they are not an authentication mechanism on their own)
○ Usage plans
○ AWS IAM roles and policies
○ Amazon Cognito user pools
○ Lambda authorizer functions
● Service authentication between internal resources
○ SAML, OAuth2, security tokens
○ Encrypted channels
○ Password and key management
○ Client certificates
○ OTP/2FA
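An API Gateway Lambda TOKEN authorizer of the kind listed above, as an added example (not code from the talk). It verifies an HMAC-signed, JWT-shaped bearer token and returns an IAM policy scoped to the invoked method, with an explicit Deny for bad, expired, or under-scoped tokens. The shared SECRET and the mint_token helper are constructed for the demo; a real deployment in front of Cognito would verify an RS256 JWT against the user pool's JWKS instead, but the authorizer contract (event in, policy document out) is the same.

```python
"""Added example: Lambda TOKEN authorizer returning an IAM policy for API Gateway."""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-secret-do-not-use"  # stand-in for a Secrets Manager value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(subject: str, scopes, ttl: int = 300, now=None) -> str:
    """Issue header.payload.signature with an HMAC-SHA256 signature (HS256 shape)."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": subject, "scope": list(scopes), "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now=None):
    """Return the claims if the signature is valid and the token is unexpired, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse algorithm confusion (e.g. "none")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):  # constant-time compare
            return None
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # wrong segment count, bad base64, bad JSON
        return None
    now = int(time.time()) if now is None else now
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims


def _policy(principal: str, effect: str, method_arn: str, context=None):
    return {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{"Action": "execute-api:Invoke", "Effect": effect, "Resource": method_arn}],
        },
        "context": context or {},
    }


def required_scope(method_arn: str) -> str:
    """Map the HTTP verb in the method ARN to a scope: GET needs 'read', anything else 'write'."""
    # arn:aws:execute-api:<region>:<account>:<api-id>/<stage>/<VERB>/<resource-path>
    verb = method_arn.split(":")[-1].split("/")[2]
    return "read" if verb == "GET" else "write"


def handler(event, context=None, now=None):
    """TOKEN authorizer entry point; `now` is injectable for tests."""
    method_arn = event["methodArn"]
    auth = event.get("authorizationToken", "")
    if not auth.startswith("Bearer "):
        return _policy("anonymous", "Deny", method_arn)
    claims = verify_token(auth[len("Bearer "):], now=now)
    if claims is None:
        return _policy("anonymous", "Deny", method_arn)
    if required_scope(method_arn) not in claims.get("scope", []):
        return _policy(claims["sub"], "Deny", method_arn)
    return _policy(claims["sub"], "Allow", method_arn, {"scope": " ".join(claims["scope"])})


if __name__ == "__main__":
    arn = "arn:aws:execute-api:eu-central-1:123456789012:abc123/prod/GET/orders"
    token = mint_token("alice", ["read"])
    print(json.dumps(handler({"methodArn": arn, "authorizationToken": "Bearer " + token}), indent=2))
```

Note that the Resource in the returned policy is the single method ARN that was invoked; API Gateway caches the policy per token, so returning a broad wildcard resource here would silently grant every method to a caller who only proved access to one.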

Page 16:

A3: Sensitive Data Exposure

Page 17:

Sensitive Data Exposure
● Identify and classify sensitive data
● Minimize storage of sensitive data
● Protect data at rest and in transit
● Use HTTPS-only endpoints for APIs
● Key management (AWS KMS)
● Encryption of stored data
● Secret management (fetch secrets from AWS Secrets Manager or SSM Parameter Store at runtime rather than baking them into code or deployment packages)
● Environment variable encryption (Lambda encrypts environment variables at rest with KMS; prefer a customer-managed key for secrets, and never log them)

Page 18:

A5: Broken Access Control

Page 19:

Broken Access Control: Fine-grained access control
Diagram: Amazon API Gateway with POST, GET and DELETE methods in front of a customers table, an orders table and a queue; each method gets its own narrowly scoped permission set on the resource it uses rather than one broad role for the whole API.

Page 20:

Broken Access Control: Follow least privilege

Page 21:

Broken Access Control: Automate permission configuration

Page 22:

Broken Access Control: Automate permission configuration (continued)

Page 23:

Broken Access Control: Automate security testing of IaC
Diagram: a CloudFormation stack CREATE/UPDATE raises a CloudWatch event, which invokes a Lambda function; the function pulls the CF script (template) from S3, tests it, and notifies on failure via SES.

Page 24:

Broken Access Control: Analyze IAM access patterns programmatically

Page 25:

Broken Access Control: Analyze IAM access patterns programmatically (continued)

Page 26:

Broken Access Control: Follow AWS IAM best practices

Page 27:

A6: Security Misconfiguration

Page 28:

Security Misconfiguration
● Enforce access control
● Follow the provider's security best practices
● Check for functions with unlinked triggers
● Check for resources that appear in policies but are not linked back to the function
● Set timeouts to the minimum required by the function (a long timeout turns a slow loop or a DoS input into a bigger bill: SAS-8)
● Use automated tools that detect security misconfigurations
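The kind of check the stack-event Lambda on page 23 would run over a CloudFormation template, as one added example (not code from the talk) that also covers the page 28 items: it flags IAM statements with wildcard actions or resources (least privilege), Lambda functions that no trigger resource points at (unlinked or obsolete functions), and timeouts above a ceiling. SAMPLE_TEMPLATE is constructed and deliberately contains each mistake; check_template and blocking are my names, not the API of a real tool such as cfn-nag or checkov, which do this job in production.

```python
"""Added example: minimal policy-as-code check over a CloudFormation template."""
TRIGGER_TYPES = {"AWS::Lambda::Permission", "AWS::Lambda::EventSourceMapping", "AWS::Events::Rule"}


def _refs(node, acc):
    """Collect every logical ID referenced through Ref or Fn::GetAtt below node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            acc.add(node["Ref"])
        ga = node.get("Fn::GetAtt")
        if isinstance(ga, list) and ga:
            acc.add(ga[0])
        elif isinstance(ga, str):  # YAML short form "Logical.Attr"
            acc.add(ga.split(".")[0])
        for v in node.values():
            _refs(v, acc)
    elif isinstance(node, list):
        for v in node:
            _refs(v, acc)
    return acc


def _as_list(x):
    return x if isinstance(x, list) else [x]


def check_template(template, max_timeout=60):
    """Return findings as (severity, logical_id, message) tuples."""
    findings = []
    resources = template.get("Resources", {})
    for lid, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::IAM::Role":
            for pol in props.get("Policies", []):
                name = pol.get("PolicyName", "?")
                for s in _as_list(pol.get("PolicyDocument", {}).get("Statement", [])):
                    if s.get("Effect") != "Allow":
                        continue
                    for action in _as_list(s.get("Action", [])):
                        if action == "*" or action.endswith(":*"):
                            findings.append(("HIGH", lid, f"{name}: wildcard action {action}"))
                    if "*" in _as_list(s.get("Resource", [])):  # only the bare "*" is flagged here
                        findings.append(("HIGH", lid, f"{name}: Resource '*'"))
        elif res.get("Type") == "AWS::Lambda::Function":
            timeout = props.get("Timeout", 3)  # CloudFormation default is 3 s
            if timeout > max_timeout:
                findings.append(("MEDIUM", lid, f"Timeout {timeout}s exceeds {max_timeout}s"))
            # A function is "linked" only if some trigger-type resource references it.
            if not any(r.get("Type") in TRIGGER_TYPES and lid in _refs(r.get("Properties", {}), set())
                       for r in resources.values()):
                findings.append(("LOW", lid, "no trigger references this function"))
    return findings


def blocking(findings):
    """The subset that should fail the pipeline (and fire the SES notification)."""
    return [f for f in findings if f[0] == "HIGH"]


SAMPLE_TEMPLATE = {  # constructed; AssumeRolePolicyDocument omitted for brevity
    "Resources": {
        "OrdersRole": {"Type": "AWS::IAM::Role", "Properties": {"Policies": [
            {"PolicyName": "ReadOrders", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:Query"],
                 "Resource": "arn:aws:dynamodb:eu-central-1:123456789012:table/orders"}]}},
            {"PolicyName": "AdminLike", "PolicyDocument": {"Statement": [
                {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}},
        ]}},
        "OrdersFunction": {"Type": "AWS::Lambda::Function", "Properties": {
            "Runtime": "python3.8", "Handler": "app.handler", "Timeout": 900,
            "Role": {"Fn::GetAtt": ["OrdersRole", "Arn"]}, "Code": {"ZipFile": "..."}}},
        "OrdersPermission": {"Type": "AWS::Lambda::Permission", "Properties": {
            "FunctionName": {"Ref": "OrdersFunction"}, "Action": "lambda:InvokeFunction",
            "Principal": "apigateway.amazonaws.com"}},
        "CleanupFunction": {"Type": "AWS::Lambda::Function", "Properties": {
            "Runtime": "python3.8", "Handler": "cleanup.handler", "Timeout": 30,
            "Role": {"Fn::GetAtt": ["OrdersRole", "Arn"]}, "Code": {"ZipFile": "..."}}},
    }
}

if __name__ == "__main__":
    results = check_template(SAMPLE_TEMPLATE)
    for sev, lid, msg in results:
        print(f"{sev:6} {lid}: {msg}")
    raise SystemExit(1 if blocking(results) else 0)  # non-zero exit = notify on failure
```

Only HIGH findings block the deployment; the unlinked-function and timeout findings are reported so that they can be cleaned up (SAS-11, SAS-8) without stopping every stack update.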

Page 29:

A9: Using Components with Known Vulnerabilities

Page 30:

Known Vulnerabilities
● Continuously monitor dependencies and their versions
● Only obtain components from official sources
● Continuously monitor sources like CVE and NVD
● Platform-based advisories like NodeSecurity, PyUp, OWASP SafeNuGet, etc.
● Scan dependencies for known vulnerabilities
○ OWASP Dependency-Check
○ GitHub Security Alerts
○ GitLab Dependency Scanning
○ WhiteSource

Page 31:

Serverless Security Demo

Page 32:

Serverless Security Demo
1. Information Gathering
2. Function Reverse Engineering
3. Digging For Gold Inside Environment Variables
4. Exploiting Over-Privileged IAM Roles
5. Abusing Insecure Cloud Configurations
6. Finding Known Vulnerabilities In Open Source Packages

Page 33:

Security for an Amazon EKS (Kubernetes) cluster

Page 34:

Encrypt communication
● Between web clients and your load balancer
○ Use the Application Load Balancer (ALB)
○ Can be achieved with the ALB Ingress Controller
○ ALB provides routing and security options for the application layer
● Between your load balancer and pod
○ TLS support in your application or application server
○ Run a sidecar on your pod which performs the encryption
○ Run a complete service mesh like Istio
● Between your pod and your AWS RDS database (require TLS on the database side and verify the RDS CA certificate in the client)

Page 35:

Encrypt storage
● Databases
● Persistent Volume Claims (PVC): back them with encrypted EBS volumes

Page 36:

Restrict inbound and outbound traffic
● Use Kubernetes network policies (start from a default-deny policy per namespace and allow only the required flows)
● Network policies need an engine to enforce them; on EKS that is a network policy engine such as Calico

Page 37:

More EKS Security Tips
● Use a firewall to block known web attacks
● Protect yourself from DDoS attacks
● Secure your AWS account
● Use namespaces and secrets
● Cyber attack detection
● Review your security setup
● Scan your container images
○ Aqua Security MicroScanner
○ CoreOS Clair
○ Anchore Engine

Page 38:

Container DevSecOps

Page 39:

Container DevSecOps pipeline (diagram)
Actors and services: Developer on AWS Cloud9; AWS CodeCommit (application repo, with configs and a development branch); AWS CodePipeline running four AWS CodeBuild stages (Docker linting, secrets scanning, vulnerability scanning, publish image); AWS Security Hub; Amazon ECR; Amazon CloudWatch Event rule; AWS Lambda function.
1. Developer opens a pull request
2. The pull request triggers CodePipeline
3. The scanning stage pushes vulnerabilities to Security Hub
4. The build stage builds and pushes the image to ECR
5. CodeBuild success/failure triggers the CloudWatch Event rule
6. The rule triggers the Lambda function
7. The Lambda function adds feedback to the pull request
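The Lambda function at steps 6 and 7 of the pipeline above, as an added example (not code from the talk): it turns a CodeBuild state-change event into a pull-request comment in CodeCommit, and stays quiet for builds that are still running or that were not started by a pull request. Assumptions of mine, not of the deck: the CodeBuild project exports PULL_REQUEST_ID, REPOSITORY_NAME, SOURCE_COMMIT and DESTINATION_COMMIT as environment variables, and each stage is its own CodeBuild project so the project name identifies the stage. SAMPLE_EVENT is constructed from the documented "CodeBuild Build State Change" event shape, and RecordingClient stands in for the boto3 CodeCommit client so the example runs offline.

```python
"""Added example: CodeBuild state change -> CodeCommit pull-request comment."""
try:
    import boto3  # only needed to post for real; the example runs without it
except ImportError:
    boto3 = None

FINAL_STATES = {"SUCCEEDED": "PASS", "FAILED": "FAIL", "STOPPED": "STOPPED"}


def parse_event(event):
    """Extract the fields the comment needs from a CodeBuild state-change event."""
    detail = event["detail"]
    info = detail.get("additional-information", {})
    env = {v["name"]: v["value"]
           for v in info.get("environment", {}).get("environment-variables", [])}
    return {
        "status": detail["build-status"],
        "project": detail["project-name"],
        "build_id": detail["build-id"].split("/")[-1],
        "logs": info.get("logs", {}).get("deep-link"),
        "pull_request_id": env.get("PULL_REQUEST_ID"),      # assumed build env vars
        "repository": env.get("REPOSITORY_NAME"),
        "source_commit": env.get("SOURCE_COMMIT"),
        "destination_commit": env.get("DESTINATION_COMMIT"),
    }


def render_comment(info):
    """Comment body; a failure says explicitly that it blocks the merge."""
    lines = [f"[{FINAL_STATES[info['status']]}] {info['project']}: {info['status']} (build {info['build_id']})"]
    if info["logs"]:
        lines.append(f"Logs: {info['logs']}")
    if info["status"] == "FAILED":
        lines.append("Merge is blocked until this stage passes.")
    return "\n".join(lines)


class RecordingClient:
    """Stand-in for boto3's CodeCommit client: records calls instead of making them."""
    def __init__(self):
        self.calls = []

    def post_comment_for_pull_request(self, **kwargs):
        self.calls.append(kwargs)
        return {"commentId": str(len(self.calls))}


def handler(event, context=None, codecommit=None):
    """Lambda entry point: returns the comment text, or None when nothing is posted."""
    info = parse_event(event)
    if not info["pull_request_id"] or info["status"] not in FINAL_STATES:
        return None  # not a PR build, or still IN_PROGRESS
    body = render_comment(info)
    client = codecommit or (boto3.client("codecommit") if boto3 else None)
    if client is not None:
        client.post_comment_for_pull_request(  # real boto3 operation name and parameters
            pullRequestId=info["pull_request_id"],
            repositoryName=info["repository"],
            beforeCommitId=info["destination_commit"],
            afterCommitId=info["source_commit"],
            content=body,
        )
    return body


def with_status(event, status):
    """Copy of the event with a different build-status."""
    return dict(event, detail=dict(event["detail"], **{"build-status": status}))


def dry_run(event):
    """Run the handler against a recording client; returns (comment, recorded API calls)."""
    client = RecordingClient()
    return handler(event, codecommit=client), client.calls


SAMPLE_EVENT = {  # constructed from the documented CodeBuild event shape
    "source": "aws.codebuild", "detail-type": "CodeBuild Build State Change",
    "detail": {
        "build-status": "FAILED", "project-name": "VULNERABILITY_SCANNING",
        "build-id": "arn:aws:codebuild:eu-central-1:123456789012:build/VULNERABILITY_SCANNING:0f1e2d3c",
        "additional-information": {
            "environment": {"environment-variables": [
                {"name": "PULL_REQUEST_ID", "value": "12", "type": "PLAINTEXT"},
                {"name": "REPOSITORY_NAME", "value": "app-repo", "type": "PLAINTEXT"},
                {"name": "SOURCE_COMMIT", "value": "a1b2c3d", "type": "PLAINTEXT"},
                {"name": "DESTINATION_COMMIT", "value": "9f8e7d6", "type": "PLAINTEXT"}]},
            "logs": {"deep-link": "https://console.aws.amazon.com/cloudwatch/home?region=eu-central-1"},
        },
    },
}

if __name__ == "__main__":
    comment, calls = dry_run(SAMPLE_EVENT)
    print(comment)
    print("would post:", calls)
```

Posting the comment with the CodeCommit API also needs the Lambda's role to allow codecommit:PostCommentForPullRequest on that one repository, nothing broader; that is the same least-privilege rule the serverless half of the talk applies to every function.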

Page 40:

Build with services, not servers. Ah, and we are hiring.

globaldatanet
globaldatanet.com
[email protected]