AWS Prescriptive Guidance: Backup and Recovery Approaches on AWS


AWS Prescriptive Guidance: Backup and recovery approaches on AWS

Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved.

Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon.

Table of Contents

Introduction
    Why use AWS as a data-protection platform?
Targeted business outcomes
Choosing AWS services
Designing a backup and recovery solution
Amazon S3 and Amazon S3 Glacier
    Amazon S3
        Standard S3 buckets
        Maintain rollback history
        Customized configuration files
        Custom backup and restore
    Amazon S3 Glacier
        Using Amazon S3 Lifecycle object transition
    Securing backup data
Backup and recovery for Amazon EC2 with EBS volumes
    Amazon EC2 backup and recovery
        Separate server volumes
        AMIs or snapshots
        Instance store volumes
        Tagging and enforcing standards
    Create EBS volume backups
        Preparing an EBS volume
        Creating snapshots from the console
        Creating AMIs
        Amazon Data Lifecycle Manager
        AWS Backup
        Multi-volume backups
        Automating snapshot and AMI creation
    Restoring from a snapshot or AMI
        Restoring from a snapshot
        Restoring from an AMI
Backup and recovery from on-premises infrastructure to AWS
    File gateway
    Volume gateway
    Tape gateway
Backup and recovery of applications
Cloud-native AWS services
    Amazon RDS
        Using DNS CNAME
    DynamoDB
Hybrid architectures
    Moving centralized backup management solutions
Disaster recovery with AWS
    On-premises DR to AWS
    DR for cloud-native workloads
        DR in a single Availability Zone
        DR in a regional failure
Cleaning up backups
Backup and recovery FAQ
    What backup schedule should I select?
    Do I need to create backups in my development accounts?
Next steps
Additional resources
Document history

Backup and recovery approaches on AWS

Khurram Nizami, Consultant, AWS Professional Services

July 2020 (last update: September 2021)

This guide discusses how to implement backup and recovery approaches using Amazon Web Services (AWS) services for on-premises, cloud-native, and hybrid architectures. These approaches offer lower costs, higher scalability, and more durability to meet recovery time objective (RTO), recovery point objective (RPO), and compliance requirements.

This guide is intended for technical leaders who are responsible for protecting data in their corporate IT and cloud environments.

This guide covers different backup architectures (cloud-native applications, hybrid, and on-premises environments). It also covers associated Amazon Web Services (AWS) services that can be used to build scalable and reliable data-protection solutions for the non-immutable components of your architecture.

Another approach is to modernize your workloads to use immutable architectures, reducing the need for backup and recovery of components. AWS provides a number of services to implement immutable architectures and reduce the need for backup and recovery, including:

• Serverless with AWS Lambda
• Containers with Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Kubernetes Service (Amazon EKS), and AWS Fargate
• Amazon Machine Images (AMIs) with Amazon Elastic Compute Cloud (Amazon EC2)

As the growth of enterprise data accelerates, the task of protecting it becomes more challenging. Questions about the durability and