[Figure 7 is a diagram, not reproduced here. Components shown: Amazon API Gateway, Amazon DynamoDB, AWS KMS ("get data encryption key"), a Lambda execution role ("least privilege access ensured through assigning only the required permissions"), a Security Wrapper that audits, inspects and encrypts the input event data, gets credentials, invokes the business function and sanitizes the output, the Lambda function, Amazon SQS, S3 buckets and objects, CloudTrail, Amazon CloudWatch (logs and metrics), AWS Secrets Manager ("credentials and other secrets are stored and managed in a secure facility"), and other event sources.]
Figure 7: Design patterns example
• Before entering a business function, the event is handled by a security module, implemented using one of these methods:
  • Wrapper function
  • Lambda layer
  • Annotation decorator (language/runtime dependent)
• The security module ensures that upon entry onto the system, all the inputs are inspected, recorded and encrypted.
  • Proper inspection and validation of the input payload will provide mitigation for the top risks related to injection and event data manipulation (OWASP A1, A4, A7, A8; CSA SAS-1, SAS-8, SAS-9).
  • Tracking invocations in CloudTrail and capturing event data through CloudWatch addresses the risk of insufficient logging and monitoring (OWASP A10; CSA SAS-5).
  • The security module encrypts data using a key obtained from KMS, thus preventing the exposure of sensitive data (OWASP A3; CSA SAS-3, SAS-7).
• A Lambda function is assigned an execution role with a minimal set of permissions required for its functionality. This follows the security principle of least privilege, and mitigates risks related to access control (OWASP A5, A6; CSA SAS-3, SAS-4).
82 | THE DOPPLER | SUMMER 2019
• Secrets, such as credentials, are stored in a Secrets Manager. This mitigates the risks of leaked and compromised credentials (OWASP A3, A6; CSA SAS-7, SAS-12).
• The security module sanitizes outputs generated by the business function before they are stored or returned to the client, thus addressing the risks of reflecting or storing malicious data (OWASP A7; CSA SAS-1).
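The security module described above, written out as the "annotation decorator" variant. This is an added example, not the article's or any vendor's code. It assumes the business handler takes `(payload, context)`, and so that it runs offline it replaces the KMS client with an in-memory stand-in (`_KMS_KEYS`, `kms_generate_data_key`, `kms_decrypt`) and uses an HMAC-SHA256 counter-mode keystream in place of AES; the whitelist schema and the `orderId`/`cardNumber` fields are constructed for the example. The wrapper inspects the payload against the whitelist, records only a digest of it (so the log never holds raw sensitive data), envelope-encrypts the sensitive field with a fresh data key whose wrapped form travels with the ciphertext, calls the business function, and HTML-escapes and strips sensitive fields from the result before it is returned.

```python
# Security wrapper for a Lambda handler: inspect, record and encrypt on entry,
# sanitize on exit. Added example, not the article's code. Assumed: the business
# handler takes (payload, context); _KMS_KEYS stands in for boto3's kms client so
# the module runs offline; the input schema and field names are constructed.
import base64, functools, hashlib, hmac, html, json, logging, re, secrets

logger = logging.getLogger("security_wrapper")

# Constructed whitelist schema: field name -> pattern its value must fully match.
INPUT_SCHEMA = {"orderId": re.compile(r"[A-Za-z0-9-]{1,36}"),
                "cardNumber": re.compile(r"\d{12,19}")}
SENSITIVE_FIELDS = {"cardNumber"}  # encrypted on entry, never echoed back

def validate_input(payload):
    """Inspect: reject non-objects, unknown fields, and values off the whitelist."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a JSON object")
    if set(payload) - set(INPUT_SCHEMA):
        raise ValueError("unexpected fields")
    for name, pattern in INPUT_SCHEMA.items():
        value = payload.get(name)
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"invalid value for {name}")
    return payload

_KMS_KEYS = {}  # constructed KMS stand-in: wrapped-key handle -> plaintext data key

def kms_generate_data_key():
    """Mimics KMS GenerateDataKey: returns (plaintext key, wrapped key)."""
    plain, handle = secrets.token_bytes(32), secrets.token_bytes(16)
    _KMS_KEYS[handle] = plain
    return plain, handle

def kms_decrypt(wrapped):  # mimics KMS Decrypt on the wrapped data key
    return _KMS_KEYS[wrapped]

def _keystream(key, nonce, length):
    """Counter-mode keystream from HMAC-SHA256, a dependency-free stand-in for
    AES-CTR; use AES-GCM (e.g. via the AWS Encryption SDK) in production."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_field(value):
    """Envelope encryption: fresh data key per value, encrypt-then-MAC, and only
    the KMS-wrapped key travels with the ciphertext."""
    plain_key, wrapped = kms_generate_data_key()
    nonce, data = secrets.token_bytes(12), value.encode()
    ct = _xor(data, _keystream(plain_key, nonce, len(data)))
    tag = hmac.new(plain_key, nonce + ct, hashlib.sha256).digest()
    parts = {"wrapped_key": wrapped, "nonce": nonce, "ct": ct, "tag": tag}
    return {k: base64.b64encode(v).decode() for k, v in parts.items()}

def decrypt_field(blob):
    """Inverse of encrypt_field; verifies the tag before releasing plaintext."""
    wrapped, nonce, ct, tag = (base64.b64decode(blob[k])
                               for k in ("wrapped_key", "nonce", "ct", "tag"))
    plain_key = kms_decrypt(wrapped)
    if not hmac.compare_digest(tag, hmac.new(plain_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext integrity check failed")
    return _xor(ct, _keystream(plain_key, nonce, len(ct))).decode()

def sanitize_output(value):
    """HTML-escape every string and strip sensitive fields before the result is
    stored or returned to the client."""
    if isinstance(value, dict):
        return {k: sanitize_output(v) for k, v in value.items() if k not in SENSITIVE_FIELDS}
    if isinstance(value, list):
        return [sanitize_output(v) for v in value]
    return html.escape(value, quote=True) if isinstance(value, str) else value

def secure_handler(fn):
    """The security module as an annotation decorator around the business function."""
    @functools.wraps(fn)
    def wrapper(event, context):
        try:
            payload = validate_input(json.loads(event.get("body") or "{}"))
        except (ValueError, TypeError) as exc:  # json.JSONDecodeError is a ValueError
            logger.warning("rejected input: %s", exc)
            return {"statusCode": 400, "body": json.dumps({"error": "invalid input"})}
        # Record a digest of the payload, not the payload itself, so the log never
        # holds raw sensitive data.
        digest = hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()
        logger.info("request_id=%s payload_sha256=%s",
                    getattr(context, "aws_request_id", "local"), digest)
        for field in SENSITIVE_FIELDS.intersection(payload):
            payload[field] = encrypt_field(payload[field])
        return {"statusCode": 200, "body": json.dumps(sanitize_output(fn(payload, context)))}
    return wrapper

@secure_handler
def business_function(payload, context):
    """Business logic only ever sees the envelope-encrypted card number."""
    return {"orderId": payload["orderId"], "stored": "ct" in payload["cardNumber"],
            "note": "<b>order accepted</b>"}

def invoke(payload):
    """Build an API Gateway-style event, call the handler, and parse the response."""
    resp = business_function({"body": json.dumps(payload)}, None)
    return resp["statusCode"], json.loads(resp["body"])
```

`invoke({"orderId": "ord-1", "cardNumber": "4111111111111111"})` returns a 200 whose body carries the escaped note and no card number, while an unknown field or a malformed card number is rejected with a 400 before the business function runs. Replacing the two `kms_*` functions with `boto3.client("kms").generate_data_key` / `.decrypt` and the keystream with an authenticated cipher is the only change needed to move off the stand-ins.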
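For the execution-role bullet, here is what "a minimal set of permissions required for its functionality" looks like as an IAM policy for the function in Figure 7, alongside a check that flags the usual departures from least privilege. This is an added example, not the article's code; both policy documents are constructed, and the region, account, key id, table, queue, secret and log-group names are placeholders.

```python
# Least-privilege check for a Lambda execution role. Added example, not the
# article's code. Both policy documents are constructed; REGION, ACCOUNT_ID,
# KEY_ID and the resource names are placeholders.
import json

# Constructed: the scoped policy the Figure 7 function needs, one statement per
# dependency, each limited to a single named resource.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:REGION:ACCOUNT_ID:table/Orders"},
        {"Effect": "Allow", "Action": ["kms:GenerateDataKey", "kms:Decrypt"],
         "Resource": "arn:aws:kms:REGION:ACCOUNT_ID:key/KEY_ID"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:orders/db-*"},
        {"Effect": "Allow", "Action": "sqs:SendMessage",
         "Resource": "arn:aws:sqs:REGION:ACCOUNT_ID:orders-queue"},
        {"Effect": "Allow", "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:REGION:ACCOUNT_ID:log-group:/aws/lambda/orders:*"},
    ],
}

# Constructed: the over-broad policy a quick setup tends to produce.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::ACCOUNT_ID-orders-bucket/*"},
    ],
}

def _as_list(value):
    """IAM allows a bare string or a list for Action/Resource; normalize to a list."""
    return value if isinstance(value, list) else [value]

def policy_findings(policy):
    """Return one finding per Allow statement that grants wildcard actions, a
    wildcard resource, or uses NotAction/NotResource (which grant by exclusion and
    silently widen as services add new actions)."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append(f"statement {idx}: wildcard action {action!r}")
        for resource in _as_list(stmt.get("Resource", [])):
            if resource == "*":
                findings.append(f"statement {idx}: wildcard resource")
        for key in ("NotAction", "NotResource"):
            if key in stmt:
                findings.append(f"statement {idx}: {key} grants by exclusion")
    return findings

def is_least_privilege(policy):
    """True when no statement trips a finding; a gate for a CI or IaC pipeline."""
    return not policy_findings(policy)

if __name__ == "__main__":
    for name, doc in (("least-privilege", LEAST_PRIVILEGE_POLICY),
                      ("overly broad", OVERLY_BROAD_POLICY)):
        print(name, json.dumps(policy_findings(doc), indent=2))
```

Run stand-alone it prints no findings for the scoped policy and three for the broad one (the `*` action, the `*` resource, and `s3:*`). The check is deliberately narrow: it catches the patterns that defeat least privilege outright, and a resource wildcard that is part of a scoped ARN (the log-stream suffix, the secret's random suffix) is left alone.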
To manage the execution of the serverless model, we integrate each component into a design artifact, showing the integration and how to position the technological controls into a serverless implementation, as illustrated in Figure 8. This chart includes Data Protection and Identity and Access Management, as well as a DevSecOps component.
To illustrate, we laid out the appropriate controls that satisfy each risk area. Under Threat and Vulnerability Management, we grouped risks, such as Run Time Protection, Behavioral Analysis and Vulnerability Management, and positioned the appropriate control.