Serverless.com Security

Reading time: 19 minutes

Basic Information

Organization

An Organization is the highest-level entity within the Serverless Framework ecosystem. It represents a kikundi cha pamoja, such as a company, department, or any large entity, that encompasses multiple projects, teams, and applications.

Team

The Team are the users with access inside the organization. Teams help in organizing members based on roles. Collaborators can view and deploy existing apps, while Admins can create new apps and manage organization settings.

Application

An App is a logical grouping of related services within an Organization. It represents a complete application composed of multiple serverless services that work together to provide a cohesive functionality.

Services

A Service is the core component of a Serverless application. It represents your entire serverless project, encapsulating all the functions, configurations, and resources needed. It's typically defined in a serverless.yml file, a service includes metadata like the service name, provider configurations, functions, events, resources, plugins, and custom variables.

service: my-service
provider:
name: aws
runtime: nodejs14.x
functions:
hello:
handler: handler.hello

functions:
hello:
handler: handler.hello
events:
- http:
path: hello
method: get

functions:
hello:
handler: handler.hello
events:
- http:
path: hello
method: get
- schedule:
rate: rate(10 minutes)

resources:
Resources:
MyDynamoDBTable:
Type: AWS::DynamoDB::Table
Properties:
TableName: my-table
AttributeDefinitions:
- AttributeName: id
AttributeType: S
KeySchema:
- AttributeName: id
KeyType: HASH
ProvisionedThroughput:
ReadCapacityUnits: 1
WriteCapacityUnits: 1

yamlCopy codeprovider:
name: aws
runtime: nodejs14.x
region: us-east-1
stage: dev

provider:
stage: dev

provider:
region: us-west-2

plugins:
- serverless-offline
- serverless-webpack

layers:
commonLibs:
path: layer-common
functions:
hello:
handler: handler.hello
layers:
- { Ref: CommonLibsLambdaLayer }

functions:
hello:
handler: handler.hello
environment:
TABLE_NAME: ${self:custom.tableName}

custom:
tableName: my-dynamodb-table
stage: ${opt:stage, 'dev'}

¡outputs:
ApiEndpoint:
Description: "API Gateway endpoint URL"
Value:
Fn::Join:
- ""
- - "https://"
- Ref: ApiGatewayRestApi
- ".execute-api."
- Ref: AWS::Region
- ".amazonaws.com/"
- Ref: AWS::Stage

provider:
[...]
iam:
role:
statements:
- Effect: 'Allow'
Action:
- 'dynamodb:PutItem'
- 'dynamodb:Get*'
- 'dynamodb:Scan*'
- 'dynamodb:UpdateItem'
- 'dynamodb:DeleteItem'
Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}

provider:
environment:
STAGE: ${self:provider.stage}
functions:
hello:
handler: handler.hello
environment:
TABLE_NAME: ${self:custom.tableName}

plugins:
- serverless-webpack

custom:
hooks:
before:deploy:deploy: echo "Starting deployment..."

Tutorial

Hii ni muhtasari wa mafunzo rasmi kutoka kwenye nyaraka:

1. Unda akaunti ya AWS (Serverless.com inaanza katika miundombinu ya AWS)
2. Unda akaunti katika serverless.com
3. Unda programu:

# Create temp folder for the tutorial
mkdir /tmp/serverless-tutorial
cd /tmp/serverless-tutorial

# Install Serverless cli
npm install -g serverless

# Generate template
serverless #Choose first one (AWS / Node.js / HTTP API)
## Indicate a name like "Tutorial"
## Login/Register
## Create A New App
## Indicate a name like "tutorialapp)

Hii inapaswa kuwa imeunda app inayoitwa tutorialapp ambayo unaweza kuangalia katika serverless.com na folda inayoitwa Tutorial yenye faili handler.js inayokuwa na baadhi ya msimbo wa JS wenye msimbo wa helloworld na faili serverless.yml ikitangaza kazi hiyo:

exports.hello = async (event) => {
return {
statusCode: 200,
body: JSON.stringify({
message: "Go Serverless v4! Your function executed successfully!",
}),
}
}

# "org" ensures this Service is used with the correct Serverless Framework Access Key.
org: testing12342
# "app" enables Serverless Framework Dashboard features and sharing them with other Services.
app: tutorialapp
# "service" is the name of this project. This will also be added to your AWS resource names.
service: Tutorial

provider:
name: aws
runtime: nodejs20.x

functions:
hello:
handler: handler.hello
events:
- httpApi:
path: /
method: get

4. Unda mtoa huduma wa AWS, ukitembea kwenye dashboard katika https://app.serverless.com/<org name>/settings/providers?providerId=new&provider=aws.
5. Ili kutoa serverless.com ufikiaji wa AWS itahitaji kuendesha cloudformation stack ikitumia faili hii ya usanidi (wakati wa kuandika hii): https://serverless-framework-template.s3.amazonaws.com/roleTemplate.yml
6. Hii template inazalisha jukumu linaloitwa SFRole-<ID> lenye arn:aws:iam::aws:policy/AdministratorAccess juu ya akaunti yenye Kitambulisho cha Kuamini kinachoruhusu akaunti ya Serverless.com ya AWS kufikia jukumu hilo.

Description: This stack creates an IAM role that can be used by Serverless Framework for use in deployments.
Resources:
SFRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
AWS: arn:aws:iam::486128539022:root
Action:
- sts:AssumeRole
Condition:
StringEquals:
sts:ExternalId: !Sub "ServerlessFramework-${OrgUid}"
Path: /
RoleName: !Ref RoleName
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AdministratorAccess
ReporterFunction:
Type: Custom::ServerlessFrameworkReporter
Properties:
ServiceToken: "arn:aws:lambda:us-east-1:486128539022:function:sp-providers-stack-reporter-custom-resource-prod-tmen2ec"
OrgUid: !Ref OrgUid
RoleArn: !GetAtt SFRole.Arn
Alias: !Ref Alias
Outputs:
SFRoleArn:
Description: "ARN for the IAM Role used by Serverless Framework"
Value: !GetAtt SFRole.Arn
Parameters:
OrgUid:
Description: Serverless Framework Org Uid
Type: String
Alias:
Description: Serverless Framework Provider Alias
Type: String
RoleName:
Description: Serverless Framework Role Name
Type: String

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::486128539022:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "ServerlessFramework-7bf7ddef-e1bf-43eb-a111-4d43e0894ccb"
}
}
}
]
}

5. Mafunzo yanahitaji kuunda faili createCustomer.js ambayo kimsingi itaunda kiunganishi kipya cha API kinachoshughulikiwa na faili mpya ya JS na yanahitaji kubadilisha faili serverless.yml ili kuifanya izalisha meza mpya ya DynamoDB, kufafanua kigezo cha mazingira, jukumu ambalo litakuwa likitumia lambdas zilizozalishwa.

"use strict"
const AWS = require("aws-sdk")
module.exports.createCustomer = async (event) => {
const body = JSON.parse(Buffer.from(event.body, "base64").toString())
const dynamoDb = new AWS.DynamoDB.DocumentClient()
const putParams = {
TableName: process.env.DYNAMODB_CUSTOMER_TABLE,
Item: {
primary_key: body.name,
email: body.email,
},
}
await dynamoDb.put(putParams).promise()
return {
statusCode: 201,
}
}

# "org" ensures this Service is used with the correct Serverless Framework Access Key.
org: testing12342
# "app" enables Serverless Framework Dashboard features and sharing them with other Services.
app: tutorialapp
# "service" is the name of this project. This will also be added to your AWS resource names.
service: Tutorial

provider:
name: aws
runtime: nodejs20.x
environment:
DYNAMODB_CUSTOMER_TABLE: ${self:service}-customerTable-${sls:stage}
iam:
role:
statements:
- Effect: "Allow"
Action:
- "dynamodb:PutItem"
- "dynamodb:Get*"
- "dynamodb:Scan*"
- "dynamodb:UpdateItem"
- "dynamodb:DeleteItem"
Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}

functions:
hello:
handler: handler.hello
events:
- httpApi:
path: /
method: get
createCustomer:
handler: createCustomer.createCustomer
events:
- httpApi:
path: /
method: post

resources:
Resources:
CustomerTable:
Type: AWS::DynamoDB::Table
Properties:
AttributeDefinitions:
- AttributeName: primary_key
AttributeType: S
BillingMode: PAY_PER_REQUEST
KeySchema:
- AttributeName: primary_key
KeyType: HASH
TableName: ${self:service}-customerTable-${sls:stage}

6. Tumia serverless deploy kupeleka
7. Upelekaji utafanywa kupitia CloudFormation Stack
8. Kumbuka kwamba lambdas zinapatikana kupitia API gateway na si kupitia URLs za moja kwa moja
9. Jaribu
10. Hatua ya awali itachapisha URLs ambapo kazi za lambda za mwisho wa API zako zimepelekwa

Mapitio ya Usalama wa Serverless.com

Mifumo na Ruhusa za IAM Zilizokosewa

Mifumo ya IAM yenye ruhusa nyingi sana inaweza kutoa ufikiaji usioidhinishwa kwa rasilimali za wingu, na kusababisha uvujaji wa data au upotoshaji wa rasilimali.

Wakati hakuna ruhusa zilizotajwa kwa kazi ya Lambda, mfumo utaundwa na ruhusa za kuzalisha tu kumbukumbu, kama:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:CreateLogGroup",
"logs:TagResource"
],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*"
],
"Effect": "Allow"
},
{
"Action": ["logs:PutLogEvents"],
"Resource": [
"arn:aws:logs:us-east-1:123456789012:log-group:/aws/lambda/jito-cranker-scripts-dev*:*:*"
],
"Effect": "Allow"
}
]
}

Mikakati ya Kupunguza Hatari

• Kanuni ya Haki Ndogo: Panga ruhusa zinazohitajika tu kwa kila kazi.

provider:
[...]
iam:
role:
statements:
- Effect: 'Allow'
Action:
- 'dynamodb:PutItem'
- 'dynamodb:Get*'
- 'dynamodb:Scan*'
- 'dynamodb:UpdateItem'
- 'dynamodb:DeleteItem'
Resource: arn:aws:dynamodb:${aws:region}:${aws:accountId}:table/${self:service}-customerTable-${sls:stage}

• Tumia Majukumu Tofauti: Tofautisha majukumu kulingana na mahitaji ya kazi.

Siri na Usimamizi wa Mipangilio Usio Salama

Kuhifadhi taarifa nyeti (k.m., funguo za API, akidi za database) moja kwa moja katika serverless.yml au msimbo kunaweza kusababisha kufichuliwa ikiwa hifadhi za data zitashambuliwa.

Njia iliyopendekezwa ya kuhifadhi mabadiliko ya mazingira katika faili ya serverless.yml kutoka serverless.com (wakati wa kuandika hii) ni kutumia watoa huduma wa ssm au s3, ambao unaruhusu kupata maadili ya mazingira kutoka vyanzo hivi wakati wa kupeleka na kuunda mabadiliko ya mazingira ya lambdas na maandishi yasiyo na maadili!

Kwa mfano, mfano ufuatao utatumia SSM kupata mabadiliko ya mazingira:

provider:
environment:
DB_PASSWORD: ${ssm:/aws/reference/secretsmanager/my-db-password~true}

Na hata hii inazuia kuweka thamani ya mabadiliko ya mazingira katika faili ya serverless.yml, thamani itapatikana wakati wa kutekeleza na itakuwa imeongezwa kwa maandiko wazi ndani ya mabadiliko ya mazingira ya lambda.

Mikakati ya Kupunguza

• Ushirikiano wa Meneja wa Siri: Tumia huduma kama AWS Secrets Manager.
• Mabadiliko Yaliyosimbwa: Tumia vipengele vya usimbaji vya Serverless Framework kwa data nyeti.
• Udhibiti wa Ufikiaji: Punguza ufikiaji wa siri kulingana na majukumu.

Msimbo na Mtegemeo Wenye Ukatili

Mtegemeo wa zamani au usio salama unaweza kuleta udhaifu, wakati usimamizi mbaya wa ingizo unaweza kusababisha mashambulizi ya kuingiza msimbo.

Mikakati ya Kupunguza

• Usimamizi wa Mtegemeo: Sasisha mara kwa mara mtegemeo na scan kwa udhaifu.

plugins:
- serverless-webpack
- serverless-plugin-snyk

• Uthibitishaji wa Ingizo: Tekeleza uthibitishaji mkali na usafi wa ingizo zote.
• Mapitio ya Msimbo: Fanya mapitio ya kina ili kubaini kasoro za usalama.
• Analizi ya Kijamii: Tumia zana kugundua udhaifu katika msingi wa msimbo.

Kukosekana kwa Usajili na Ufuatiliaji Sahihi

Bila usajili na ufuatiliaji sahihi, shughuli za uhalifu zinaweza kukosa kugunduliwa, kuchelewesha majibu ya tukio.

Mikakati ya Kupunguza

• Usajili wa Kati: Punguza kumbukumbu kwa kutumia huduma kama AWS CloudWatch au Datadog.

plugins:
- serverless-plugin-datadog

• Washa Usajili wa Kina: Pata taarifa muhimu bila kufichua data nyeti.
• Weka Arifa: Sanidi arifa kwa shughuli za kushangaza au tofauti.
• Ufuatiliaji wa Mara kwa Mara: Fuata mara kwa mara kumbukumbu na vipimo kwa matukio ya usalama yanayoweza kutokea.

Mikakati ya API Gateway Isiyo Salama

APIs zilizo wazi au zisizo salama zinaweza kutumika kwa ufikiaji usioidhinishwa, mashambulizi ya Denial of Service (DoS), au mashambulizi ya cross-site.

Mikakati ya Kupunguza

• Uthibitishaji na Uidhinishaji: Tekeleza mifumo thabiti kama OAuth, funguo za API, au JWT.

functions:
hello:
handler: handler.hello
events:
- http:
path: hello
method: get
authorizer: aws_iam

• Kikomo cha Kiwango na Throttling: Zuia matumizi mabaya kwa kupunguza viwango vya maombi.

provider:
apiGateway:
throttle:
burstLimit: 200
rateLimit: 100

• Usanidi wa CORS Salama: Punguza asili, mbinu, na vichwa vinavyoruhusiwa.

functions:
hello:
handler: handler.hello
events:
- http:
path: hello
method: get
cors:
origin: https://yourdomain.com
headers:
- Content-Type

• Tumia Firewalls za Programu za Mtandao (WAF): Chuja na ufuatilie maombi ya HTTP kwa mifumo ya uhalifu.

Kukosekana kwa Kutengwa kwa Kazi

Rasilimali zinazoshirikiwa na kutengwa kwa kutosha kunaweza kusababisha kupanda kwa mamlaka au mwingiliano usio na makusudi kati ya kazi.

Mikakati ya Kupunguza

• Tenga Kazi: Panga rasilimali tofauti na majukumu ya IAM ili kuhakikisha uendeshaji huru.
• Kugawanya Rasilimali: Tumia hifadhidata tofauti au ndoo za kuhifadhi kwa kazi tofauti.
• Tumia VPCs: Weka kazi ndani ya Mifumo ya Kibinafsi ya Wingu kwa kutengwa kwa mtandao iliyoimarishwa.

provider:
vpc:
securityGroupIds:
- sg-xxxxxxxx
subnetIds:
- subnet-xxxxxx

• Punguza Mamlaka ya Kazi: Hakikisha kazi haziwezi kufikia au kuingilia rasilimali za kila mmoja isipokuwa inahitajika wazi.

Kukosekana kwa Ulinzi wa Data

Data isiyosimbwa iliyohifadhiwa au katika usafirishaji inaweza kufichuliwa, ikisababisha uvunjaji wa data au kubadilishwa.

Mikakati ya Kupunguza

• Simbua Data iliyohifadhiwa: Tumia vipengele vya usimbaji wa huduma za wingu.

resources:
Resources:
MyDynamoDBTable:
Type: AWS::DynamoDB::Table
Properties:
SSESpecification:
SSEEnabled: true

• Simbua Data katika Usafirishaji: Tumia HTTPS/TLS kwa usafirishaji wote wa data.
• Wasiliana kwa API Salama: Lazimisha itifaki za usimbaji na kuthibitisha vyeti.
• Simamisha Funguo za Usimbaji kwa Usalama: Tumia huduma za funguo zinazodhibitiwa na kubadilisha funguo mara kwa mara.

Kukosekana kwa Usimamizi Sahihi wa Makosa

Ujumbe wa makosa wa kina unaweza kufichua taarifa nyeti kuhusu miundombinu au msingi wa msimbo, wakati makosa yasiyoshughulikiwa yanaweza kusababisha kuanguka kwa programu.

Mikakati ya Kupunguza

• Ujumbe wa Makosa wa Kijeni: Epuka kufichua maelezo ya ndani katika majibu ya makosa.

javascriptCopy code// Mfano katika Node.js
exports.hello = async (event) => {
try {
// Mantiki ya kazi
} catch (error) {
console.error(error);
return {
statusCode: 500,
body: JSON.stringify({ message: 'Internal Server Error' }),
};
}
};

• Usimamizi wa Kati wa Makosa: Simamia na safisha makosa kwa njia ya kawaida katika kazi zote.
• Fuata na Weka Kumbukumbu za Makosa: Fuata na kuchambua makosa ndani bila kufichua maelezo kwa watumiaji wa mwisho.

Mikakati Isiyo Salama ya Kutekeleza

Mikakati ya kutekeleza iliyofichuliwa au ufikiaji usioidhinishwa kwa mabomba ya CI/CD inaweza kusababisha kutekelezwa kwa msimbo wa uhalifu au mipangilio isiyo sahihi.

Mikakati ya Kupunguza

• Hifadhi Mabomba ya CI/CD kwa Usalama: Tekeleza udhibiti mkali wa ufikiaji, uthibitishaji wa hatua nyingi (MFA), na ukaguzi wa mara kwa mara.
• Hifadhi Mipangilio kwa Usalama: Hifadhi faili za kutekeleza bila siri zilizowekwa na data nyeti.
• Tumia Zana za Usalama za Miundombinu kama Msimbo (IaC): Tumia zana kama Checkov au Terraform Sentinel kutekeleza sera za usalama.
• Mikakati Isiyobadilika: Zuia mabadiliko yasiyoidhinishwa baada ya kutekeleza kwa kupitisha mbinu za miundombinu isiyobadilika.

Udhaifu katika Plugins na Nyongeza

Kutumia plugins za tatu zisizopitiwa au zenye uhalifu kunaweza kuleta udhaifu katika programu zako za serverless.

Mikakati ya Kupunguza

• Pitia Plugins kwa Kina: Kadiria usalama wa plugins kabla ya kuingizwa, ukipendelea zile kutoka vyanzo vinavyoaminika.
• Punguza Matumizi ya Plugins: Tumia tu plugins zinazohitajika ili kupunguza uso wa shambulio.
• Fuata Sasisho za Plugins: Hifadhi plugins zikiwa za kisasa ili kufaidika na patches za usalama.
• Tenga Mazingira ya Plugins: Endesha plugins katika mazingira yaliyotengwa ili kudhibiti makosa yanayoweza kutokea.

Kufichuliwa kwa Mipangilio Nyeti

Kazi zinazopatikana hadharani au APIs zisizo na kikomo zinaweza kutumika kwa shughuli zisizoidhinishwa.

Mikakati ya Kupunguza

• Punguza Ufikiaji wa Kazi: Tumia VPCs, vikundi vya usalama, na sheria za moto ili kupunguza ufikiaji kwa vyanzo vinavyoaminika.
• Tekeleza Uthibitishaji Thabiti: Hakikisha kwamba mipangilio yote iliyofichuliwa inahitaji uthibitishaji na uidhinishaji sahihi.
• Tumia API Gateways kwa Usalama: Sanidi API Gateways kutekeleza sera za usalama, ikiwa ni pamoja na uthibitishaji wa ingizo na kikomo cha kiwango.
• Zima Mipangilio Isiyotumika: Pitia mara kwa mara na zima mipangilio yoyote ambayo haitumiki tena.

Mamlaka Mengi kwa Wajumbe wa Timu na Washirikishi wa Nje

Kutoa mamlaka mengi kwa wajumbe wa timu na washirikishi wa nje kunaweza kusababisha ufikiaji usioidhinishwa, uvunjaji wa data, na matumizi mabaya ya rasilimali. Hatari hii inaongezeka katika mazingira ambapo watu wengi wana viwango tofauti vya ufikiaji, ikiongeza uso wa shambulio na uwezekano wa vitisho vya ndani.

Mikakati ya Kupunguza

• Kanuni ya Mamlaka ya Chini: Hakikisha kwamba wajumbe wa timu na washirikishi wana mamlaka tu yanayohitajika kutekeleza majukumu yao.

Usalama wa Funguo za Ufikiaji na Funguo za Leseni

Funguo za Ufikiaji na Funguo za Leseni ni ithibati muhimu zinazotumika kuthibitisha na kuidhinisha mwingiliano na Serverless Framework CLI.

• Funguo za Leseni: Ni vitambulisho vya kipekee vinavyohitajika kwa uthibitishaji wa ufikiaji wa Serverless Framework Toleo la 4 ambalo linaruhusu kuingia kupitia CLI.
• Funguo za Ufikiaji: Ithibati zinazoruhusu Serverless Framework CLI kuthibitisha na Dashibodi ya Serverless Framework. Wakati wa kuingia na serverless cli funguo ya ufikiaji itakuwa imeundwa na kuhifadhiwa kwenye laptop. Unaweza pia kuipanga kama mabadiliko ya mazingira yanayoitwa SERVERLESS_ACCESS_KEY.

Hatari za Usalama

1. Kufichuliwa Kupitia Hifadhi za Msimbo:

• Kuweka au kwa bahati mbaya kupeleka Funguo za Ufikiaji na Funguo za Leseni kwenye mifumo ya udhibiti wa toleo kunaweza kusababisha ufikiaji usioidhinishwa.

2. Hifadhi Isiyo Salama:

• Kuhifadhi funguo katika maandiko wazi ndani ya mabadiliko ya mazingira au faili za mipangilio bila usimbaji sahihi kunaongeza uwezekano wa kufichuliwa.

3. Usambazaji Mbaya:

• Kushiriki funguo kupitia njia zisizo salama (k.m., barua pepe, mazungumzo) kunaweza kusababisha kukamatwa na wahalifu.

4. Kukosa Kubadilisha:

• Kutobadilisha funguo mara kwa mara kunapanua kipindi cha kufichuliwa ikiwa funguo zitakamatwa.

5. Mamlaka Mengi:

• Funguo zenye mamlaka pana zinaweza kutumika kufanya vitendo visivyoidhinishwa katika rasilimali nyingi.