AWS Lambda and Batch jobs for Steps in a Process | by Teri Radichel | Cloud Security | Aug, 2022

flyytech by flyytech
August 31, 2022


ACM.39 Serverless components to construct secure architectures

This is a continuation of my series on Automating Cybersecurity Metrics.

Breaking it down

I’ve always liked to break systems down into pieces and make sure each piece can run independently from the others where possible. I like to have separate, testable components for different functions and a clean separation of concerns.

We’ll definitely be using that approach in the architecture I’m building now — to the extreme. And AWS Serverless components should make this much, much easier than running our own Kubernetes deployment or other complicated infrastructure. At the same time we can still lock down our networking and IAM Permissions and encryption — maybe even better than if we tried to run our own infrastructure.

Is serverless secure?

We may lose a bit of control with serverless technologies, but your legal team should be reviewing the contract to ensure the cloud provider is held responsible for securing their parts of the system and any related data breach or security incident costs. Your security team should review the security information provided by the cloud provider to ensure it is sufficient and perform security assessments, as much as is possible within the realm of the access the cloud provider offers. Never assume an environment is secure just because it is a big company (think SolarWinds).

These assessments need to continue over time as things change. Recently AWS got a new CEO, for example, and with that could come different decisions related to security and how systems get rolled out. Policies enforced in the past may change. (I have absolutely no insight into this nor am I saying they have).

One thing I have noticed over time is that one of my favorite white papers on AWS security processes has been archived. That was one of the resources that convinced me AWS took security seriously. It’s hard to find concrete answers to the current implementation of the fundamental aspects of security as were published in the past. The security documentation seems to be more scattered. I wonder about the integrity of the underlying architecture with all the disparate moving parts and new software developers and architects at the company who might not understand the fundamentals on which the platform was initially based.

For my purposes, I have a small company and have reviewed the AWS documentation over time and continue to test the platform as I’m doing now. I also test and teach security for other cloud providers (GCP and Azure). I don’t have a lot of leverage like large companies do, but for my purposes and with the research I’ve done, AWS seems reasonably secure. I find issues here and there but recent experiences with another cloud provider concerned me much more. Hopefully the other provider is improving as they are also under new leadership. New leadership can go either way, but I suspect the new leadership at the other cloud provider will tighten things up a bit.

If you want to know more about serverless security, I gave a talk on that at RSA 2020. You can find the link here:

I like serverless because I can lock down individual components with zero-trust policies and focus on the functionality I am building (with the exception of bugs and cryptic error messages that slow me down). I’d rather spend less time on architecture and more time on getting the system working. As you can see, the policies are tricky enough without having to add managing Kubernetes on top of that to coordinate and maintain container infrastructure.

Microservices

If you’re familiar with microservices you know that they are used to break apart a larger system into smaller pieces. Some of my students in the past have mistakenly equated microservices with containers, but they are not one and the same. Microservices are often implemented with containers, but the point of microservices is really about splitting up a larger system into smaller components. Sam Newman wrote one of my favorite books on the topic if you want to dive deeper.

People like to debate the definition of terms all the time, but for my purposes, I want to break my system into separate tasks. I want to make it such that an attacker would need to get access to more than one component to authenticate, kick off a batch job process, or access sensitive data. We’ll see how successful I am as we move along.

AWS Lambda

AWS Lambda functions came about after I read that book on microservices but are an offshoot of that movement. They are surely built on containers under the hood, but they function a bit differently than a container operating a long running service. An AWS Lambda function often responds to an event and executes long enough to complete a task. Then it stops.

Lambda has some limitations which make it less-than-ideal for long running processes. But they are great for code that responds to an event and executes quickly.

We could run a batch job in a Lambda function; it would just have to be a short-lived process, or a restartable process completed by multiple Lambda functions.

AWS Batch

AWS Batch is similar to AWS Lambda in that it can execute a process, but you can implement longer running processes. The batch job will run until the process is complete, rather than placing some arbitrary time or memory limit on a process. Of course there are always limits:

Batch jobs are often processes that execute without human interaction on a schedule, though they can also be run in response to an event or triggered. One of the benefits of AWS Batch is the ability to use spot instances to process data, and I want to see if that can save some money over how I currently process some data. TBD

Constructing a serverless architecture

We can leverage AWS Lambda and Batch to construct a larger process broken into smaller steps. Breaking up the system this way has some benefits:

  • We can give each part of the process a smaller set of permissions.
  • We can independently test each step of the process.
  • We can log each step and give it a name to pinpoint errors in the process more easily.
  • We can independently re-deploy each step if we have a bug.
  • We can independently re-run each step if we have a problem with the input data.
  • We can optimize our infrastructure for each step — for example more memory or more CPU.

In fact, the concept of building a system as a sequence of steps is built right into the platform: Step Functions.

The core point from the page above:

The workflows you build with Step Functions are called state machines, and each step of your workflow is called a state.

However, when I take a look at the CloudFormation template it already looks like I won’t be using this for my initial use case. Based on the template structure it appears that you can only assign a single role to the whole process and that doesn’t meet my requirements. One of my purposes for using distinct components is so that I can apply different permissions to different components.

We can also combine Lambda and AWS Batch, along with other AWS services to construct our architecture to be triggered by humans, a schedule, or events. I was planning to build this part of the system with AWS Lambda to trigger AWS Batch and just discovered this blog post which may help out as we implement the design.
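One way to implement the Lambda-triggers-Batch piece as a short-lived, event-driven function, written here as an added example rather than the post's own code or AWS's: the handler validates the incoming event against an allow list, submits exactly one job, and exits. Queue and job-definition ARNs, the account id and the job names are placeholders. The Batch client is injected so the code runs offline with a fake client; in AWS you would pass `boto3.client("batch")`, whose `submit_job` takes the same keyword arguments used below.

```python
"""Added example (not from the original post): a short-lived Lambda-style
handler that validates an event and submits one AWS Batch job.
All ARNs, account ids and job names are constructed placeholders."""
import json
import re
import uuid

# Allow list of jobs this component may start (placeholder ARNs).
ALLOWED_JOBS = {
    "collect-metrics": {
        "jobQueue": "arn:aws:batch:us-east-1:123456789012:job-queue/metrics-queue",
        "jobDefinition": "arn:aws:batch:us-east-1:123456789012:job-definition/collect-metrics:1",
    },
}

# Parameter keys and values are passed through to the container, so keep them
# to a conservative character set and length.
_PARAM_VALUE = re.compile(r"^[A-Za-z0-9._:/-]{1,128}$")


class FakeBatchClient:
    """Stand-in for boto3's Batch client so the example runs offline."""

    def __init__(self):
        self.submitted = []

    def submit_job(self, **kwargs):
        self.submitted.append(kwargs)
        return {"jobId": str(uuid.uuid4()), "jobName": kwargs["jobName"]}


def validate_event(event):
    """Reject anything not on the allow list before touching AWS."""
    job = event.get("job")
    if job not in ALLOWED_JOBS:
        raise ValueError(f"job not permitted: {job!r}")
    params = event.get("parameters", {})
    if not isinstance(params, dict) or len(params) > 10:
        raise ValueError("parameters must be a small mapping")
    for key, value in params.items():
        if not (_PARAM_VALUE.match(str(key)) and _PARAM_VALUE.match(str(value))):
            raise ValueError(f"parameter rejected: {key!r}")
    return job, {str(k): str(v) for k, v in params.items()}


def handler(event, context=None, batch_client=None):
    """Lambda entry point: one event in, one job submitted, then exit."""
    client = batch_client or FakeBatchClient()
    try:
        job, params = validate_event(event)
    except ValueError as exc:
        # Validation failures are returned, not raised, so they are logged
        # by the caller without the function retrying on bad input.
        return {"statusCode": 400, "body": json.dumps({"error": str(exc)})}
    spec = ALLOWED_JOBS[job]
    resp = client.submit_job(
        jobName=f"{job}-{uuid.uuid4().hex[:8]}",
        jobQueue=spec["jobQueue"],
        jobDefinition=spec["jobDefinition"],
        parameters=params,
    )
    return {"statusCode": 202, "body": json.dumps({"jobId": resp["jobId"]})}


if __name__ == "__main__":
    fake = FakeBatchClient()
    print(handler({"job": "collect-metrics", "parameters": {"day": "2022-08-31"}}, None, fake))
    print(handler({"job": "not-on-the-list"}, None, fake))
```

The role attached to this function needs only `batch:SubmitJob` on the listed queue and job definition; the job itself runs under its own role, which is the separation the next section describes.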

Security Through Separation of Concerns

If we break our system up into small components, we can give each component just enough permission to do what it needs to do. That way if a particular component gets compromised, hopefully it will have a limited blast radius and potential damage.

As already demonstrated in prior posts, we can:

  • Require MFA credentials to assume roles.
  • Place restrictions on who can assume which roles.
  • Give limited permission to each role.
  • Use a separate role and policy for each job.
  • Encrypt data with a specific KMS key for a specific process.
  • Limit who can encrypt or decrypt a value related to a process.
  • Limit who can create credentials for a process.

In the upcoming posts, I’ll show you how we can limit who can retrieve and use the credentials we stored. Our batch job will have permission to assume the appropriate role, but it will not be able to directly access the credentials if all goes according to plan.
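What the per-step separation listed above (and the benefits listed under "Constructing a serverless architecture") looks like in IAM terms, as an added example that is not the post's own code: one role, policy and KMS key per step, the single over-privileged role it replaces for contrast, and a linter that checks the separation actually holds. The account id, principal, bucket, key ids and step names are constructed placeholders.

```python
"""Added example, not code from the original post: one IAM role, policy and
KMS key per step of the batch process, a single over-privileged role for
contrast, and a linter that checks the separation holds.
Account id, principal, bucket, key ids and step names are placeholders."""
import json

ACCOUNT = "123456789012"                                   # placeholder
REGION = "us-east-1"
OPERATOR = f"arn:aws:iam::{ACCOUNT}:user/batch-operator"    # placeholder


def trust_policy(principal, require_mfa=True):
    """Who may assume the role; with require_mfa the caller must have used MFA."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal},
            "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def step_policy(step, key_id, bucket):
    """Least privilege for one step: decrypt with its own key, read its own prefix."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["kms:Decrypt"],
         "Resource": f"arn:aws:kms:{REGION}:{ACCOUNT}:key/{key_id}"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{step}/*"},
    ]}


def build_steps():
    """One role per step; the key ids stand in for real KMS key ids."""
    bucket = "example-batch-input"
    return {
        "request-mfa-code": {"trust": trust_policy(OPERATOR),
                             "policy": step_policy("request-mfa-code", "key-mfa-0001", bucket)},
        "create-session": {"trust": trust_policy(OPERATOR),
                           "policy": step_policy("create-session", "key-session-0002", bucket)},
        "submit-batch-job": {"trust": trust_policy(OPERATOR),
                             "policy": step_policy("submit-batch-job", "key-batch-0003", bucket)},
    }


def build_monolith():
    """The weak alternative: one role for the whole process, no MFA, admin-style policy."""
    return {"whole-process": {
        "trust": trust_policy(OPERATOR, require_mfa=False),
        "policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": "*", "Resource": "*"}]},
    }}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def lint_step(role):
    """Findings for one role; an empty list means it meets the rules in the post."""
    findings = []
    for s in role["trust"]["Statement"]:
        if s.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent") != "true":
            findings.append("role can be assumed without MFA")
        if s.get("Principal", {}).get("AWS") == "*":
            findings.append("any principal can assume this role")
    for s in role["policy"]["Statement"]:
        actions, resources = _as_list(s["Action"]), _as_list(s["Resource"])
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append(f"wildcard action {actions}")
        if "*" in resources:
            findings.append(f"wildcard resource for {actions}")
        if any(a.startswith("kms:") for a in actions) and \
                any(not r.startswith("arn:aws:kms:") for r in resources):
            findings.append("KMS permission not pinned to a specific key")
    return findings


def lint_architecture(steps):
    """Per-role findings plus a cross-step check that no KMS key is shared."""
    report = {name: lint_step(role) for name, role in steps.items()}
    key_users = {}
    for name, role in steps.items():
        for s in role["policy"]["Statement"]:
            for res in _as_list(s["Resource"]):
                if res.startswith("arn:aws:kms:"):
                    key_users.setdefault(res, []).append(name)
    for key, users in key_users.items():
        if len(users) > 1:
            for name in users:
                report[name].append(f"KMS key {key.rsplit('/', 1)[1]} shared with "
                                    f"{[u for u in users if u != name]}")
    return report


if __name__ == "__main__":
    print(json.dumps(lint_architecture(build_steps()), indent=2))
    print(json.dumps(lint_architecture(build_monolith()), indent=2))
```

Run as a pre-deploy check, the per-step set comes back with no findings, while the single role is flagged three times (no MFA condition, wildcard action, wildcard resource). The cross-step key check is what catches the quiet regression where two steps end up decrypting with the same key, which would let a compromised step read the other step's secrets.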

Serverless components in our architecture

We’re going to make use of a series of Lambda functions to handle authentication for our batch jobs. The Lambda functions will make it easier to interact with a user to retrieve an MFA code. Then we can instantiate a session and kick off a batch job. Hopefully!

Follow for updates.

Teri Radichel


© 2nd Sight Lab 2022


Author:

Cybersecurity for Executives in the Age of Cloud on Amazon

Copyright © 2022 Flyytech.com | All Rights Reserved.