Transcript

Hello and welcome to this lecture where I just want to highlight and cover the main points taken from the previous lectures. I started this course by discussing some of the security benefits that are to be had with FaaS solutions, and here I covered that using serverless compute, you no longer have the responsibility of managing the instance, as that is performed by AWS. Patch management of your infrastructure is no longer required by the customer. And AWS Lambda is PCI compliant. In a denial of service attack, the resources are automatically scaled out to handle additional load with ease, so it's much harder to disrupt the service. However, this does cause an adverse negative effect, as you would need to pay for any resource consumed during the attack. When using the 512 temporary storage for Lambda invocations, it should only be used for non-sensitive data. This is often used as a cache if your Lambda's RAM is not enough. 

Next I looked at some of the downfalls of serverless security, and these included functions that needed to be managed efficiently due to the associated permissions. It's best practice to remove any unused and unwanted AWS Lambda functions. And for each function you can check the invocatioins count over time and the currently active triggers. If you have zero invocations, or zero active triggers, it's likely it's unused. Third parties can cause a weak link in data transmission, authentication, and encryption. And the number of toolsets to manage, track, monitor, and log serverless environments in detail is still relatively low. 

I then looked at some of the security concerns that exist for both infrastructure as a service and function as a service solutions, and these included the following; data encryption mechanisms should be used for when data is in transit and at rest, especially when working with sensitive data, management of access control to your resources is key, you should work on the least privileged role when assigning permissions to reduce attack service and exposure, ensure you are sanitizing your code, especially when using third party libraries and dependencies, and security best practices should be followed at all times when writing your code to minimize risk and exposure. Your code should be written to only perform that function that it needs to perform, nothing more, nothing less. And application level security is very much a vulnerability in function as a service. 

Following this lecture, I then focused more on the point of application level security, and in this lecture I discussed the following points; FaaS solutions incur the same security threats and exposures for application security when compared to infrastructure as a service solutions, the OWASP top 10 list represents the most critical web application security risks that exist, Amazon API Gateway, and Amazon Cognito can go some way into protecting against injection attacks, Amazon Cognito can help to prevent against broken authentication vulnerabilities, multi-factor authentication should be used where possible for authentication, remove any unused dependencies within your code, use official sources when obtaining your libraries, perform code review and use static analysis tools, and sanitize your inputs to avoid vulnerabilities relating to the OWASP top 10 list. 

That now brings me to the end of this lecture, and to the end of this course. You should now have a greater understanding of some of the security differences between IaaS and FaaS solutions, allowing you to gain a deeper insight into some of the positives and negatives of serverless security. 

If you have any feedback on this course, positive or negative, please do contact us at Support@CloudAcademy.com, your feedback is greatly appreciated. Thank you for your time, and good luck with your continued learning of cloud computing. Thank you.