site-logo

JAWS PANKRATION 2024

site-logo
HomeNewsTimetableCfPCommitteePromotionFollow UpPrivacy Policy

How Serverless Security Shifts to the Left

Lv200

Lv200

8/25/2024 02:20 (UTC)

Session Info

In this compelling session, we will explore the transformative shift in security dynamics within serverless architectures, focusing on the AWS Shared Responsibility Model.

This talk will provide an in-depth look at the critical practices and tools necessary to “shift security to the left,” ensuring vulnerabilities are addressed earlier in the development lifecycle.

Attendees will learn about practical strategies for enhancing security in serverless environments, backed by insights and examples from real-world applications.

Ideal for DevOps professionals, security engineers, and cloud architects, this session will equip you with the knowledge to strengthen your serverless security posture effectively.

Ike Gabriel Gomez Yuson

Ike Gabriel Gomez Yuson

- AWS User Community Leaders -



Session Category
Computing
Security
Identity and compliance


AWS Services
Amazon EC2
AWS Lambda
and other serverless services.

Session Materials


    Session Summary (by Amazon Bedrock)
      The presentation discusses how serverless security "shifts to the left" in cloud computing. Key points include: 1. Serverless computing abstracts server management, with AWS handling the heavy lifting. 2. The main appeal of serverless is pay-per-request pricing, reducing barriers to entry for startups. 3. The AWS shared responsibility model differs for serverless services, with AWS taking on more responsibility for security. 4. Serverless security shifts focus to developers and early integration in the development process. 5. Main security concerns in serverless: - Function code and libraries - Identity and Access Management (IAM) - Some overlap with traditional perimeter security for internet-exposed resources 6. Common serverless attacks: - Remote code execution - SQL injection - IAM privilege escalation - Denial of Wallet (similar to Denial of Service, but affecting costs) 7. Mitigation strategies: - Careful IAM role configuration - Implementing AWS WAF for API protection - Using AWS Shield for DDoS protection 8. Security in serverless architectures: - Must be implemented early in the software development lifecycle - Involves every layer from code to configuration - Is a shared responsibility across development and operations teams 9. Conclusion: Serverless is not secure out of the box, and still requires vigilant protection and security measures. The presentation emphasizes the importance of understanding the unique security challenges in serverless environments and implementing appropriate measures throughout the development process.

    ©JAWS-UG (AWS User Group - Japan). All rights reserved.