Title

AWS re:Invent 2022 - Architecting secure serverless applications (SVS302-R)

Summary

  • Josh Kahn, the tech leader for serverless at AWS, discusses architecting secure serverless applications, focusing on AWS services like Lambda, API Gateway, EventBridge, Step Functions, SQS, and SNS.
  • The talk covers two shifts in security: shifting security responsibility to AWS and shifting security control to developers (shifting left).
  • AWS services are ephemeral, have a diffused perimeter, and rely on IAM for fine-grained access control.
  • Security principles that remain constant include securing data, writing quality code, practicing least privilege, and monitoring (though monitoring is not covered in the talk).
  • AWS services like Lambda are designed with security in mind: they encrypt data in transit and at rest and use microVMs for isolation.
  • Developers should implement least privilege, defense in depth, validate inputs, and handle secrets properly using services like Secrets Manager.
  • IAM features like permissions boundaries and attribute-based access control (ABAC) can help manage developer permissions and prevent privilege escalation.
  • Networking considerations for Lambda functions include when to attach to a VPC and using AWS Network Firewall for egress filtering.
  • The talk concludes with recommendations for further learning and sessions related to serverless security at re:Invent.

Insights

  • Shifting security responsibility to AWS allows developers to focus on building applications rather than managing infrastructure security.
  • IAM is a critical component for managing access to AWS services, and understanding its use is essential for securing serverless applications.
  • The use of ephemeral services and a diffused perimeter in serverless architecture requires a different approach to security, emphasizing fine-grained access control and defense in depth.
  • Least privilege is a key security principle, and tools like SAM and CDK can help implement it by generating specific IAM policies for serverless applications.
  • Attribute-based access control (ABAC) and permissions boundaries are advanced IAM features that can empower developers while maintaining security controls.
  • Networking for serverless functions can be complex, and decisions around attaching functions to a VPC should be made based on access needs and security controls.
  • AWS provides various resources and learning paths for developers to improve their understanding and implementation of serverless security.