Layered Approach to Security, Serverless backends @ Toronto AWS Meetup
Serverless Backends w/AWS Lambda & API Gateway
Frank and Jay from Anomaly Innovations talked about their experiences with serverless APIs running on AWS Lambda. Check their site Serverless Stack for detailed tutorial on setting up AWS Lambda functions.
- check out the serverless framework to make using AWS Lambda easier
- look out for ServerlessCD project from the presenters
- keeping infrastructure deployments with Cloud Formation separate from code deployments with AWS Lamda, or your deployments will get slooow and you will not be able to run/fix things as quickly.
I wanted to compare this to Firebase Cloud Functions
- function signatures are very similar
- Firebase has a nice CLI tool for deploying code to Google’s servers. AWS users will use 3rd party open source tools for this
- like Firebase Cloud Functions, using AWS Lambda will force you into using a more microservicey architecture
AWS Layered Approach to Security
4 tenets of security
- trust nothing and no one
- nothing is secure until you turn it off
- security is a tradeoff with usability
- embrace your paranoia
6 layers of security
- descope, limit, block
- store less data so there is less to steal
- do less work on a server or service so there is less surface area to attack
- block access by default and use whitelists
- Know your touch points, the boundaries of your application/product
- where does your application interact with other applications from other organizations?
- where does your application interact with infrastructure from other applications?
- where does you application interact with people vulnerable to social engineering
- didn’t write it down
- something else about touchpoints?
- make access difficult
- trade-off between usability and security e.g. 2 factor auth
- didn’t write it down
- wish I wrote it down
- Keep up-to-date
Words I had to look up
Maybe it was this? Federated Architecture. A group of distinct services or databases working together
demilitarized zone – exposing part of a network to the public (e.g. DNS, FTP, email sending/receiving), and hiding the rest behind a firewall (e.g. file storage, computing)
Also from chatting with people
- AWS Green Grass for running Lambda on your own hardware, offline or online
- AWS Snowball Edge is a physical AWS server you can borrow and put on-site to fill up with 100TB of data and do work offline, and then ship back to Amazon put your data in the cloud