Puresec Notes

References

My google doc: https://docs.google.com/document/d/14c6Abs993XZPkvFMcxPPxNK1NLyrRCaeBbvM0f_VhHw/edit?usp=sharing
SAS - Serverless architectures Security Top 10 Vulnerabilities (146 stars) https://github.com/puresec/sas-top-10
OWASP - Open Web Application Security Project Top 10 Risks https://www.owasp.org/index.php/Top_10-2017_Top_10
sls puresec gen-roles source code (13 stars) https://github.com/puresec/serverles s-puresec-cli
Awesome serverless security (125 stars) https://github.com/puresec/awesome-serverless-security
AWS Lambda best practices security E-Book
Puresec recommended course: https://www.manning.com/livevideo/production-ready-serverless https://github.com/theburningmonk/manning-aws-lambda-in-motion
AWS Security Best Practices by Amazon: https://aws.amazon.com/whitepapers/aws-security-best-practices/
AWS Well architected white papaers: https://aws.amazon.com/architecture/well-architected/
Serverless Applications Lens by Amazon: https://d1.awsstatic.com/whitepapers/architecture/AWS-Serverless-Applications-Lens.pdf
Blog on using function shield: https://www.jeremydaly.com/serverless-security-with-functionshield/
https://github.com/toniblyx/my-arsenal-of-aws-security-tools

Lambda Best Practices Book

Two logging facilities:
- Cloud Watch :
  - Application error logs;
  - For Lambda security watch out for some metrics such as
    1. concurrent execution,
    2. throttling and
    3. error metrics (indicating DoS attack).
- Cloud Trail :
  - Cloud Trail Service is enabled by default (but no trails created yet)
  - Provides global event history without event payloads.
  - To persist history, you must create a "Trail" and record it in S3 bucket.
  - S3 logs data can be queried by SQL using AWS Athena.
  - Trail applies to all regions by default.
  - By default only important Lambda events are logged in Trail such as function creation and deletion. To record function invocation, you must turn on 'Data Event Logging'. Still payload is not logged, you need cloud watch application logs.
  - Cloud Trail can setup notifications based on Cloud Watch events such as triggering an alert based on S3 bucket event.

Question: How to enable ... Auto shutdown of services ?

Throttled Lambda Function returns 429 error. Calling service must retry. The reason code explains if throttling done on function level or account level.
Async lambda invocation auto-retried for 6 hours.
You can configure a Dead Letter Queue (DLQ) to investigate why your function was throttled. ???
Make sure your application does not hang or crash with faulty input such as "big payload".

Puresec Application Platform

PureSec Serverless Security Platform provides:
- behavioral runtime protection against a wide range of attacks,
- and can reduce the risk of application layer DoS and unauthorized malicious behavior.
- The platform also provides unparalleled forensic-level visibility.
The serverless application firewall will enable:
- try to detect event data injection and block such events at first
- continue to monitor function execution and block unauthorized operations in realtime based on machine-learning based behaviour algorithm.
- Note: We need a deterministic algorithm
- Puresec SSP Serverless Security Platform will provide: + Protection against SQL Injection, Cross-Site Scripting, Command Injection, Runtime Code Injection
  - Inspection of all types of serverless event triggers
  - Prevention of event input encoding attacks
  - Protection against Event-Data Injection attacks
  - Serverless runtime environment hardening
  - Outbound network access controls
PureSec SSP provides simple integrations with existing SIEM solutions, so your DevSecOps teams can receive event information and notifications in the tools of their choice.
Vulnerability Code Scanner:
- Granular function-based security policy
- Detection of over-permissive security policies
- Detection of vulnerable 3rd party dependencies
- Full CI/CD integration
Dev-Ops Tools :
- Seamless integration with cloud-native logging facilities, Splunk and other SIEMs
- Visibility into function operations, security posture and security events

Architectural Design Considerations

Design for retry - Can you make your Lambda function harmless if you invoke it twice when retried ?
Apply function level throttling in addition to account level throttling. This will reduce the blast radius.
For Lambda functions with asynchronous event triggers (in SQS integrations - for the queue itself), set up a Dead Letter Queue. After retrying the event twice, Lambda will forward it to the DLQ destination (SQS Queue or SNS Topic) for further investigation.
Set up monitoring & alerts on your AWS charges & billing

AWS Config Service

Lets you easily monitor changes to account configuration and generate alerts.
Example 4 configuration rules available here: https://github.com/puresec/lambda-config-rules
Rule 1 - Detect Lambda functions created through console. (Dont do it for production)
Rule 2 - Try to have different IAM Roles for different functions.
Rule 3 - Detect Lambda functions with multiple event triggers (sources).
Rule 4 - Lambda functions with Wildcard IAM permissions.

API Gateway Security

You have public API
Authenticated user API
Internal API (typically used to manage a set of shared resources)

Vunerability Examples

Using child exec process

const child_process = require('child_process');  // Built-in module.

let txt = child_process.execSync(`curl --silent -L ${documentUrl} `).toString();