SVS310-R: Securing enterprise-grade serverless apps

Gerardo Estaba, Senior Partner Solutions Architect, Amazon Web Services

© 2019, Amazon Web Services, Inc. or its affiliates. All rights reserved.

Speed + Security

Serverless architecture

[Diagram: reference serverless architecture. Users reach the app through Amazon Route 53 and Amazon CloudFront, which front Amazon API Gateway; API Gateway invokes AWS Lambda, and the functions use Amazon DynamoDB, Amazon S3 and Amazon Aurora Serverless as data stores.]

Security: where to start?

Serverless Identity

Serverless architecture: where do user credentials live?

[Diagram: the same reference architecture, annotated with the question "User credentials?"]

DIY user identity store

Storing passwords in the clear:

username        email               password
gerardo123      [email protected]    Password$123
saanvi_sarkar   [email protected]    I_love_brad12
martha111       [email protected]    0pemSesame!

! Vulnerable to rogue employees: a compromise would expose ALL passwords

Storing hashed passwords:

username        email               hashed password
gerardo123      [email protected]    12645d5779937344919e91c9
saanvi_sarkar   [email protected]    b16c7b46d7b05995d8472781
martha111       [email protected]    9db6aae212beb3feebc2856cd

! Remaining risks: MD5/SHA1 collisions, rainbow tables, dictionary attacks, brute force

Storing salted hashes:

username        email               salt          hashed password
gerardo123      [email protected]    (not shown)   44919e912645d577993731…
saanvi_sarkar   [email protected]    (not shown)   05995d8472b16c7b46d7b7…
martha111       [email protected]    (not shown)   ebc2856c9db6aae212beb3f…

• Incorporate an app-specific salt plus a random user-specific salt
• Use an algorithm with a configurable number of iterations (bcrypt, PBKDF2)

Better still, the store holds no password or hash at all: for each user (username, email) it keeps only the output of the SRP verifier function.

Secure Remote Password protocol (SRP)
• Verifier-based protocol
• Passwords never travel over the wire
• Resistant to several attack vectors
• Perfect forward secrecy

Identity

Amazon Cognito: managed user directory
☐ Secure password handling (SRP)
☐ Scalable to 100s of millions of users
☐ MFA and password policies
☐ Encrypt all data server-side
☐ HIPAA, PCI-DSS, ISO, SOC
☐ OAuth 2.0, SAML 2.0, OpenID Connect
☐ Built-in, customizable web UI

[Diagram: Amazon Cognito User Pools provide the hosted UI and issue standard tokens; Amazon Cognito Identity Pools handle delegation and federation and hand out AWS credentials.]

Serverless architecture: identity

[Diagram: the reference architecture with Amazon Cognito added as the identity service.]

Managing multiple identities

✓ Centralize identity management and privilege management

Delegation: no long-term credentials; RBAC
Federation: OIDC + OAuth; SAML

Delegation (1): Amazon Cognito User Pool + Identity Pool
1. Login to the Amazon Cognito User Pool returns a JWT.
2. The JWT is presented to the Amazon Cognito Identity Pool (the diagram also shows GetOpenIDTokenForDeveloperIdentity, the Identity Pool call used for developer-authenticated identities).
3. The JWT is exchanged through AWS Security Token Service (AWS STS) AssumeRoleWithWebIdentity; STS checks "JWT valid?" and returns temporary IAM credentials.
4. The client calls IAM-aware services with those temporary credentials.

Delegation (2): Amazon Cognito User Pool only
1. Login to the Amazon Cognito User Pool returns a JWT.
2. The client calls JWT-aware services directly with the JWT.
Simpler on serverless.

JSON web token (JWT)

A JWT is three base64url-encoded parts separated by dots: header, payload, signature. Decoded, the Amazon Cognito ID token on the slide reads:

Header
{
  "kid": "9errtDKltq8YwaJy2GZtObykRDEA9SB4iDT6vWmTeQE=",
  "alg": "RS256"
}

Payload
{
  "sub": "6f557368-a884-484e-b662-9fc69f3c3802",
  "aud": "6lkfs70rovkubirh1qtntvj012",
  "email_verified": true,
  "token_use": "id",
  "auth_time": 1478449060,
  "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_XMlUW9sUy",
  "cognito:username": "test123",
  "exp": 1478452660,
  "given_name": "Test",
  "iat": 1478449060,
  "family_name": "Test",
  "email": "[email protected]"
}

Signature
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), {secret})

The slide shows the generic HMAC form of the signature; for an RS256 token such as this one, the issuer signs with its RSA private key and the verifier checks the signature with the public key that the header's kid selects from the user pool's JWKS, and then validates iss, aud, token_use and exp.

Amazon Cognito issues three tokens:

Identity token
• JSON web token
• Can be used for authentication
• Includes user profile information: attributes, Amazon Cognito groups
• Expires in 1 hour

Access token
• JSON web token
• Used to authorize requests, including Amazon Cognito APIs
• Includes OAuth scopes, Amazon Cognito groups
• Expires in 1 hour

Refresh token
• Opaque blob
• Used to get new ID and access tokens without re-authenticating
• Expiration configurable from 1 day to 10 years

Least privilege

“Granting only those privileges which are essential to perform the intended function”

Too broad:
{
  "Effect": "Allow",
  "Action": "dynamodb:*",
  "Resource": "*"
}

Least privilege:
{
  "Effect": "Allow",
  "Action": "dynamodb:PutItem",
  "Resource": "arn:…/ContactsTable"
}

Securing your apps with IAM conditions (using predefined condition keys such as aws:SourceIp):
{
  "Effect": "Allow",
  "Action": [
    "s3:ListBucket",
    "s3:GetObject"
  ],
  "Resource": "arn:aws:s3:::example_bucket",
  "Condition": {
    "IpAddress": { "aws:SourceIp": "172.0.0.0/16" }
  }
}

✓ Least privilege
✓ Centralize identity management and privilege management using a serverless standards-based identity service

Delegation: no long-term credentials
Federation: OIDC + OAuth; SAML

Access control to Amazon API Gateway

[Diagram: the reference architecture, with Amazon Cognito, highlighting Amazon API Gateway as the layer where access control is enforced.]

…with Amazon Cognito
Amazon API Gateway checks: is the JWT valid? Or, for a resource server, does it carry the required OAuth custom scope?
• The client sends the request with the JWT to Amazon API Gateway.
• Denied: an invalid token (or missing scope) is rejected at API Gateway and never reaches AWS Lambda.
• Allowed: the request is forwarded to AWS Lambda together with the JWT and the request context; the function then talks to Amazon DynamoDB or Amazon Aurora Serverless.
• The context is available as $context.identity.[xyz], e.g. principalOrgId, accountId, sourceIp, …

…with AWS Lambda authorizer

• Your own logic runs in a Lambda authorizer function, which can consult Amazon DynamoDB or other sources.
• The client sends the request with the JWT to Amazon API Gateway, which invokes the Lambda authorizer.
• The authorizer returns an IAM policy that API Gateway evaluates: Denied, or Allowed, in which case the request is forwarded to AWS Lambda with the tokens and context.
• The returned policy is cached by API Gateway.

Basic request validations on Amazon API Gateway

Before invoking the backend, Amazon API Gateway can check that:
• the required request parameters in the URI, query string, and headers of an incoming request are included and non-blank;
• the applicable request payload adheres to the configured JSON schema request model of the method.

Cross-origin resource sharing (CORS)

CORS on Amazon API Gateway: the API's OPTIONS method is backed by a MOCK integration that returns the CORS headers as response parameters:

  method.response.header.Access-Control-Allow-Headers: "..."
  method.response.header.Access-Control-Allow-Methods: "..."
  method.response.header.Access-Control-Allow-Origin: "..."

Access control to Amazon DynamoDB

[Diagram: the reference architecture highlighting the AWS Lambda to Amazon DynamoDB hop.]

Grant only the needed action on the specific table:
{
  "Effect": "Allow",
  "Action": "dynamodb:GetItem",
  "Resource": "arn:…/InventoryTable"
}

Fine-grained access control: restrict each user to items whose partition key begins with their Amazon Cognito identity (the ${cognito-identity.amazonaws.com:sub} policy variable):
{
  "Effect": "Allow",
  "Action": "dynamodb:GetItem",
  "Resource": "arn:…/InventoryTable",
  "Condition": {
    …
    "ForAllValues:StringLike": {
      "dynamodb:LeadingKeys": "${cognito-identity.amazonaws.com:sub}*"
    }
  }
}

Access control to Amazon S3

[Diagram: the reference architecture highlighting Amazon S3.]

Two ways to grant access:
• User policies, attached to an IAM user, group, or role
• Resource policies (bucket policies), attached to the Amazon S3 bucket or object

AWS Lambda security

[Diagram: the reference architecture highlighting AWS Lambda.]

Shared responsibility model for AWS Lambda
• Customer: platform protection; code; network management; encryption (data at rest, data in transit)
• AWS Lambda: operating system & network configuration
• AWS: compute, storage, database, network; regions, Availability Zones and edge locations of the AWS global infrastructure; AWS Identity and Access Management

IAM for AWS Lambda
• Resource policy: what can invoke the function?
• IAM role (execution role) with its access policy: allowed actions for the function
• Trust policy: can the function assume this role?

Common vulnerabilities

[Diagram: the reference architecture annotated with where common attacks land: DDoS against Amazon Route 53, Amazon CloudFront and Amazon API Gateway; XSS and SQLi against the application; CORS at the edge.]

Common vulnerabilities: DDoS

AWS Shield
• AWS Shield Standard: network and transport layers, e.g. SYN floods, UDP floods, other reflection attacks
• AWS Shield Advanced: application layer, e.g. HTTP floods; traffic engineering via the response team

[Diagram: AWS Shield placed between Users and Amazon CloudFront / Amazon API Gateway in the reference architecture.]

OWASP top risks to web apps: XSS
Inject JS into a website that some other user’s browser executes.

AWS WAF: web application firewall
[Diagram: AWS WAF, with its filtering rules, sits alongside AWS Shield in front of Amazon CloudFront and Amazon API Gateway.]

OWASP top risks to web apps: SQL injection

Attacker adds *extra* SQL that the backend executes.

Example 1:
  SELECT * FROM Contacts WHERE email = '[email protected]';
Attacker input -> [email protected]'; drop Table Contacts; --
Resulting query:
  SELECT * FROM Contacts WHERE email = '[email protected]'; drop Table Contacts;

Example 2:
  SELECT * FROM Employees WHERE fname='somename'
Attacker input -> ' OR '1' = '1
Resulting query:
  SELECT * FROM Employees WHERE fname='' OR '1' = '1'
The WHERE clause is now always TRUE, so every row is returned.

The vulnerable Lambda handler builds the query by string concatenation:

  public String handleRequest(Event input, Context context) {
      Connection connection = getRemoteConnection();
      Statement stmt = connection.createStatement();
      // user-controlled fname is spliced straight into the SQL text
      String query = "SELECT * from Employees WHERE fname='" + input.getFname() + "'";
      ResultSet rs = stmt.executeQuery(query);
  }

Use prepared / pre-compiled SQL statements instead: the parameter is bound as data, never parsed as SQL.

  String selectString = "SELECT * FROM EMPLOYEES WHERE fname = ?";
  PreparedStatement getEmployee = connection.prepareStatement(selectString);
  getEmployee.setString(1, "george");
  getEmployee.executeQuery();

Apply security at all layers

[Diagram: the reference architecture with a control at each layer: DDoS protection (AWS Shield) in front; AWS WAF filtering rules (XSS, content, etc.) and CORS at Amazon CloudFront and Amazon API Gateway; input validation and access control at Amazon API Gateway; centralized identity with Amazon Cognito; access control and pre-compiled SQL in AWS Lambda; access control on Amazon DynamoDB, Amazon S3 and Amazon Aurora Serverless.]

Accessing relational databases

[Diagram: the reference architecture highlighting the AWS Lambda to Amazon Aurora Serverless connection.]

The connection string travels over port 3306 and carries Uid=Username; Pwd=Password; anyone who obtains it can connect.

NodeJS:
  var connection = mysql.createConnection({
      host: myServerAddress,
      port: 3306,
      user: 'Username',
      password: 'Password',
      database: 'my_db'
      //ssl: {
      //  ca: fs.readFileSync('./rds-combined-ca-bundle.pem')
      //}
  });

Note that the ssl option, which would make the client verify the RDS CA bundle, is commented out here, so the credentials also cross the network unencrypted.

Where do the database credentials live?
1. Hard coded
2. Environment variable !
3. Config file !
4. Secrets manager (AWS Secrets Manager) ✓

AWS Secrets Manager

[Diagram: the function retrieves the secret from AWS Secrets Manager, which rotates the secret in the database.]

☐ Store secrets securely
☐ Retrieve easily with SDK method
☐ Control access with IAM
☐ Rotate secrets: Amazon Redshift, Amazon RDS, DynamoDB

5. IAM authentication for Amazon RDS ✓

IAM authentication for Amazon RDS
[Diagram: the function requests an authentication token and presents it to Amazon RDS instead of a password.]
☐ No DB user and password
☐ Control access with IAM
☐ AWS Signature Version 4
☐ Token per user and valid for 15 minutes

6. Data API for Amazon Aurora Serverless ✓

Data API for Amazon Aurora Serverless
• Standard API call to AWS using the CLI or SDK, with temporary credentials from an IAM role
• Operations: ExecuteStatement, BatchExecuteStatement, BeginTransaction, CommitTransaction, RollbackTransaction
• Example policy:
  {
    "Effect": "Allow",
    "Action": [
      "secretsmanager:...",
      "rds-data:..."
    ],
    "Resource": "arn:…/database"
  }
• https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/data-api.

Accessing relational databases: summary
1. Hard coded
2. Environment variable !
3. Config file !
4. Secrets manager (AWS Secrets Manager) ✓
5. IAM authentication for Amazon RDS ✓ (simple & secure)
6. Data API for Amazon Aurora Serverless ✓

Monolithic functions

[Diagram: one API backed by a single monolithic function that touches the Customers table, the Orders table and a queue.]

Microservices + event-driven architectures
[Diagram: the same API split into small functions, each owning one concern: one for the Customers table, one for the Orders table, one consuming the queue.]

Monolithic -> Microservices ✓

OWASP secure coding practices

• Input validation
• Output encoding
• Authentication and password management
• Session management
• Access control
• Cryptographic practices
• Error handling and logging
• Data protection
• Communication security
• System configuration
• Database security
• File management
• Memory management
• General coding practices

https://www.owasp.org/images/0/08/OWASP_SCP_Quick_Reference_Guide_v2.pdf

Homework

• Security considerations for software release
• Protect data in transit and at rest
• Security operations

Learn serverless with AWS Training and Certification
Resources created by the experts at AWS to help you learn modern application development

Free, on-demand courses on serverless, including
• Introduction to Serverless Development
• Getting into the Serverless Mindset
• AWS Lambda Foundations
• Amazon API Gateway for Serverless Applications
• Amazon DynamoDB for Serverless Architectures

Additional digital and classroom trainings cover modern application development and computing

Visit the Learning Library at https://aws.training

Summary

The application threat model is the same. Some approaches and tools change.

Implement a strong identity foundation
• Serverless directory supporting OAuth, OIDC, SAML
• Centralized identity & privilege management
• Eliminate reliance on long-term credentials -> RBAC
• Least privilege (granular + conditions)

Apply security at all layers
• Access control at each layer
• Input validation, CORS
• DDoS -> AWS Shield
• App vulnerabilities -> AWS WAF + secure coding

Secure coding practices
• Functions are concise, short, and single purpose
• Share nothing on the runtime environment -> use external services for integration, e.g., SQS, SNS
• Never trust user input. Validate. Encode. Precompiled SQL.
• No keys in code -> use an external secrets manager, IAM auth or Data API

Speed + Security

Thank you!

Gerardo Estaba, linkedin.com/in/estaba