You're reading from Mastering AWS Security - Second Edition

Product type: Book
Published in: Apr 2024
Publisher: Packt
ISBN-13: 9781805125440
Edition: 2nd Edition
Author: Laurent Mathieu

Laurent Mathieu is a seasoned Cybersecurity & AWS Cloud Consultant and Instructor with a rich history spanning two decades in cybersecurity across various domains and regions. He holds several professional qualifications, including ISC2 CISSP, ISACA CISM, CSA CCSK, as well as 6 AWS certifications. Over the past decade, he has developed a keen interest in cloud computing, particularly AWS cloud security. As an active member of the AWS Community Builder program since 2020, Laurent is at the forefront of AWS developments. He has developed various training materials and led multiple webinars and bootcamps on AWS and security. Besides his instructional work, Laurent provides AWS consulting services to various startups and SaaS providers.

Implementing Security for Serverless Deployments

Welcome to the seventh chapter of our comprehensive guide on AWS security. In this chapter, we will focus on serverless computing and its unique impact on security within AWS environments. We aim to equip you with the knowledge and skills needed to navigate the distinct security landscape presented by serverless architectures. We will begin by demystifying serverless computing, exploring its benefits, challenges, and how it compares to traditional microservices. Next, we will delve into the function-based design paradigm, focusing on the granularity and composition of serverless functions, along with their inherently stateless nature.

As we progress, we will bring the concept of event-driven communication into sharp focus. Understanding this is crucial as we transition into a detailed discussion on event-driven security mechanisms, covering topics from event sources and schema validation to data encryption.

We will then proceed to...

Introduction to serverless security

As we transition from the concept of microservices, which we discussed in the previous chapter, it is essential to understand that serverless architectures are not just an evolution but a specialized form of microservices. While microservices have their own set of security challenges, serverless introduces a new landscape of security considerations that are both unique and complex. This section aims to delve into these aspects before getting more in-depth into specific areas of serverless security.

What is serverless?

First, let’s demystify serverless. Serverless is a cloud computing execution model in which the cloud provider automatically manages the underlying infrastructure. In serverless computing, developers write code that is executed in response to events, such as HTTP requests, database modifications, changes in system state, or scheduled invocations. Behind the scenes, the cloud provider dynamically allocates resources to...

Event-driven security

Event-driven architectures have emerged as the bedrock of contemporary cloud-native applications, especially those leveraging serverless platforms. While these architectures offer many benefits, such as scalability and decoupling, they also present unique security challenges. This section aims to offer an in-depth exploration of these challenges, focusing on strategies for mitigation, with a specific emphasis on EventBridge.

Event sources

First and foremost, it is essential to identify and secure the event sources. These could range from API requests and message queues to cloud storage and databases. Ensuring that only authorized entities can generate events is the first line of defense in event-driven security. This often involves implementing proper authentication and authorization mechanisms, both at the event source and destination levels.

Event schema validation

EventBridge’s schema registry allows event schemas to be defined, which serve...
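The two checks above, restricting which event sources a consumer trusts and validating the event payload against a schema, can be combined in the first lines of a Lambda handler. The following is an added example written for this section; it is not code from the book. The allowed `source`/`detail-type` values and the `OrderPlaced` schema are assumptions standing in for whatever your schema registry actually holds, and the two sample events are constructed. Note that `source` and `detail-type` are written by whoever calls `PutEvents`, so this consumer-side check is only as strong as the resource policy on the event bus that decides who may publish to it.

```python
"""Validate inbound EventBridge events before acting on them.

Added example (not from the book). Allowed sources, detail-types and the
schema below are assumptions; the sample events are constructed.
"""
import json
from datetime import datetime

# Consumer-side allow-list. The producer sets `source` and `detail-type`
# in PutEvents, so this only means something if the bus resource policy
# restricts who may call PutEvents in the first place.
ALLOWED_SOURCES = {"com.example.orders"}
ALLOWED_DETAIL_TYPES = {"OrderPlaced"}

# Minimal JSON-Schema-like description of the `detail` payload
# (hypothetical schema, not a real registry entry).
ORDER_PLACED_SCHEMA = {
    "type": "object",
    "required": ["orderId", "customerId", "amount", "currency"],
    "properties": {
        "orderId": {"type": "string", "maxLength": 36},
        "customerId": {"type": "string", "maxLength": 36},
        "amount": {"type": "number", "minimum": 0},
        "currency": {"type": "string", "enum": ["EUR", "USD"]},
    },
    "additionalProperties": False,
}

_TYPES = {"object": dict, "string": str, "number": (int, float), "boolean": bool}


def validate_detail(value, schema, path="detail"):
    """Return a list of violations of `value` against `schema` (empty if valid)."""
    kind = schema["type"]
    # bool is a subclass of int in Python; do not accept it as a number
    if not isinstance(value, _TYPES[kind]) or (kind == "number" and isinstance(value, bool)):
        return [f"{path}: expected {kind}"]
    errors = []
    if kind == "object":
        props = schema.get("properties", {})
        for key in schema.get("required", []):
            if key not in value:
                errors.append(f"{path}.{key}: missing required field")
        if not schema.get("additionalProperties", True):
            errors.extend(f"{path}.{k}: unexpected field" for k in value if k not in props)
        for key, sub in props.items():
            if key in value:
                errors.extend(validate_detail(value[key], sub, f"{path}.{key}"))
    elif kind == "string":
        if "maxLength" in schema and len(value) > schema["maxLength"]:
            errors.append(f"{path}: longer than {schema['maxLength']}")
        if "enum" in schema and value not in schema["enum"]:
            errors.append(f"{path}: not one of {schema['enum']}")
    elif kind == "number" and "minimum" in schema and value < schema["minimum"]:
        errors.append(f"{path}: below minimum {schema['minimum']}")
    return errors


def validate_event(event):
    """Check the EventBridge envelope first, then the detail payload. Returns (ok, errors)."""
    errors = [f"envelope.{f}: missing" for f in
              ("id", "source", "detail-type", "account", "time", "region", "detail")
              if f not in event]
    if errors:
        return False, errors
    if event["source"] not in ALLOWED_SOURCES:
        errors.append(f"envelope.source: {event['source']!r} not allowed")
    if event["detail-type"] not in ALLOWED_DETAIL_TYPES:
        errors.append(f"envelope.detail-type: {event['detail-type']!r} not allowed")
    try:
        datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        errors.append("envelope.time: not an RFC 3339 timestamp")
    if errors:
        return False, errors  # do not even look at `detail` from an untrusted source
    errors = validate_detail(event["detail"], ORDER_PLACED_SCHEMA)
    return not errors, errors


def handler(event, context=None):
    """Lambda entry point. Rejected events are logged and dropped, not raised,
    so the asynchronous invocation is not retried with the same bad payload."""
    ok, errors = validate_event(event)
    if not ok:
        print(json.dumps({"rejected": True, "id": event.get("id"), "errors": errors}))
        return {"status": "rejected", "errors": errors}
    # ... business logic on event["detail"] goes here ...
    return {"status": "accepted", "orderId": event["detail"]["orderId"]}


# Constructed sample events (not captured from a real bus)
GOOD_EVENT = {
    "version": "0", "id": "6a7e8feb-b491-4cf7-a9f1-bf3703467718",
    "detail-type": "OrderPlaced", "source": "com.example.orders",
    "account": "111122223333", "time": "2024-04-01T12:00:00Z",
    "region": "eu-west-1", "resources": [],
    "detail": {"orderId": "o-1", "customerId": "c-9", "amount": 42.5, "currency": "EUR"},
}
BAD_EVENT = dict(GOOD_EVENT, source="com.evil.producer",
                 detail={"orderId": "o-1", "amount": -1, "currency": "GBP", "note": "x"})
```

The envelope is checked before the payload so that a message from an unexpected source is rejected without its `detail` ever being parsed. Rejections are returned rather than raised because EventBridge invokes Lambda asynchronously and a thrown error would only cause the same malformed event to be retried.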

Securing Lambda functions

Securing Lambda functions is a critical aspect of cloud-native applications running in serverless architectures. Lambda functions can be triggered by various services and external sources. This makes them a potential entry point for malicious activities. This section aims to provide a comprehensive guide to securing Lambda functions, focusing on best practices and AWS-specific features.

Code integrity

Code integrity is the foundation of any secure application. Ensuring that the code running in your Lambda functions is exactly what you expect it to be is crucial for preventing unauthorized modifications and injections. Here, we will delve into several methods to ensure the integrity of your Lambda function code.

Code signing

Code signing is a crucial method for verifying the integrity of your Lambda function code. By attaching a digital signature, Lambda ensures that only signed and authorized code packages are deployed. This process adds a robust...

Summary

In this chapter, we delved into the world of serverless computing, a paradigm shift that brings both opportunities and challenges to cloud architecture. We kicked things off by introducing the concept of serverless, its benefits and challenges, and how it compares to traditional microservices. We then discussed the security considerations that are unique to serverless architectures, covering a wide range of topics from responsibility domains and zero-trust architecture to data encryption and compliance. We also explored event-driven security mechanisms, diving into event sources, schema validation, and data encryption. This chapter concluded with a deep dive into securing Lambda functions, discussing code integrity, environment variables, runtime protection, and monitoring, among other key security aspects.

As we move on to the next chapter, we will explore the complex yet crucial topic of multi-tenancy in shared environments, focusing on secure design patterns and techniques...

Questions

Answer the following questions to test your knowledge of this chapter:

  1. What is event sourcing and how does it bolster security?
  2. How does code signing enhance Lambda security?
  3. How does versioning contribute to Lambda security?
  4. What are the risks and limitations of the default Lambda network configuration?

Answers

Here are the answers to this chapter’s questions:

  1. Event sourcing involves capturing a series of events that represent state changes in an application, creating an immutable audit trail. This is invaluable for security analysts who may need to rewind the system state to analyze past security incidents.
  2. Code signing verifies the integrity of your Lambda function code by attaching a digital signature. AWS Signer is used to create a signing profile, and Lambda validates the signature during deployment. This ensures that only authorized and unaltered code is deployed.
  3. Versioning allows you to publish immutable versions of your Lambda function, providing a clear history of what code was running at any given time. This is crucial for auditing and compliance.
  4. The default network settings for Lambda functions come with certain limitations, such as the absence of network isolation and limited access control options. They also lack support for advanced networking...

Further reading

The following resources offer further insights and best practices for serverless security:
