(Go: >> BACK << -|- >> HOME <<)
SlideShare a Scribd company logo

Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Security Day

Amazon Web Services
Amazon Web Services

The document discusses securing serverless applications using Amazon API Gateway, AWS Lambda, and Amazon Cognito. It describes how to build a basic 3-tier web app that is fully serverless, add authentication with Amazon Cognito by integrating with Cognito user pools, and implement authorization using AWS Identity and Access Management (IAM) by leveraging Cognito. Key benefits mentioned are that AWS Lambda and API Gateway provide automatic scaling with no infrastructure to manage, while security is improved by making use of IAM through Cognito.

Technology
1 of 41
Download to read offline
Securing Serverless Applications Part 1 Karthi Thyagarajan Enterprise Solutions Architect Using Amazon API Gateway, AWS Lambda and Amazon Cognito
Imagine for a minute… Being able to develop a mobile backend API that: • Requires no infrastructure • Scales automatically to meet demand • Has granular costs that grow with usage
The services we are going to use Amazon API GatewayAWS Lambda Amazon Cognito Amazon DynamoDB Host the API and route API calls Execute our app’s business logic Generate temporary AWS credentials Data store
What to Expect from the Session 1. Start with a basic 3-tier web app • Pure serverless 2. Add authentication with Amazon Cognito • Integrate with Cognito • Login by leveraging BYOI (bring your own identity) 3. Authorization with AWS IAM 4. Segue to part 2
Key takeaways AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you Security is important, and complex – make the most of AWS Identity and Access Management by leveraging Cognito Flexibility – API Gateway, Lambda and Cognito give you choices for authentication and authorization
First building block: AWS Lambda
High performance at any scale; Cost-effective and efficient No Infrastructure to manage Pay only for what you use: Lambda automatically matches capacity to your request rate. Purchase compute in 100ms increments. Bring Your Own Code Lambda functions: Stateless, trigger-based code execution Run code in a choice of standard languages. Use threads, processes, files, and shell scripts normally. Focus on business logic, not infrastructure. You upload code; AWS Lambda handles everything else. AWS Lambda Overview
AWS Lambda Console Develop, test and publish your Lambda functions either by the AWS Management Console, AWS CLI or our SDKs. Or use community frameworks such as serverless.com, gosparta.io and more…
Second building block: Amazon API Gateway
Amazon API Gateway overview Manage deployments to multiple versions and environments Define and host APIs Leverage Identity and Access Management to authorize access to your cloud resources Leverage AWS Auth DDoS protection and request throttling to safeguard your back end Manage network traffic
Your Feedback Managing multiple versions and stages of an API is difficult Monitoring 3rd party developers’ access is time consuming Access authorization is a challenge Traffic spikes create operational burden What if I don’t want servers at all?
Host multiple versions and stages of your APIs Create and distribute API Keys to developers Authenticate and authorise API consumers Throttle and monitor requests to protect your backend Utilizes AWS Lambda Introducing Amazon API Gateway
Introducing Amazon API Gateway Managed cache to store API responses Reduced latency and DDoS protection through CloudFront SDK Generation for iOS, Android and JavaScript Swagger import and export support Request / Response data transformation and API mocking
Serverless 3-tier Web Architecture Amazon API Gateway AWS Lambda Amazon DynamoDB Data tier App tier Presentation tier Amazon S3 Amazon CloudFront
Demo – notes app
Third building block: Amazon Cognito
Amazon Cognito overview Manage authenticated and guest users across identity providers Identity management Synchronize users’ data across devices and platforms via the cloud Data synchronization Securely access AWS services from mobile devices and platforms Secure AWS access
The notes API
Unauthenticated API call flows Clients AWS Lambda lambdaHandler Register Login API Gateway Authenticated Clients AWS Lambda lambdaHandler ListNotes CreateNote API Gateway Assume Role Etc.. Sigv4 Invoke with caller credentials Authorized by IAM
Retrieving AWS credentials
The API definition • POST • Receives a user name and password • Encrypts the password and creates the user account in DynamoDB • Calls Amazon Cognito to generate credentials • Returns the user + its credentials /users • POST • Receives a user name and password • Authenticates the user against the DynamoDB database • Calls Amazon Cognito to generate credentials • Returns a set of temporary credentials /login
Retrieving temporary AWS credentials Call Login API, no auth required Client API Gateway Backend /login Login action User accounts database Credentials verified Get OpenID token for developer identity Receives credentials to sign API calls Identity ID + token Get credentials for identity Access key + secret key + session token /login 1. 2. 3.
Demo – login with Cognito
Authorizing API calls
The Pets resources require authorization • POST • Receives a Pet model • Saves it in DynamoDB • Returns the new Pet ID • GET • Returns the list of Pets stored in DynamoDB /pets • GET • Receives a Pet ID from the path • Uses mapping templates to pass the path parameter to the Lambda function • Loads the Pet from DynamoDB • Returns a Pet model /pets/{petId}
Using the caller credentials credentials: arn:aws:iam::*:user/* Using the console Using Swagger
The IAM role defines access permissions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "lambda:InvokeFunction", "execute-api:invoke" ], "Resource": [ "arn:aws:dynamodb:us-east-1:xxxxxx:table/notes", "arn:aws:lambda:us-east-1:xxxxx:function:NotesGet”, "arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/notes" ] } ] } The role allows calls to: • DynamoDB • API Gateway • Lambda The role can access specific resources in these services
One step further: Fine-grained access permissions Internet Client API Gateway AWS Lambda functions Amazon CloudFront DynamoDB CognitoId2 … "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [”${cognito- identity.amazonaws.com:sub}"], "dynamodb:Attributes": [ "UserId","GameTitle","Wins","Losses", "TopScore","TopScoreDateTime” ] }, "StringEqualsIfExists": { "dynamodb:Select": "SPECIFIC_ATTRIBUTES” } } … Executes with this role UserID Wins Losses cognitoId1 3 2 cognitoId2 5 8 cognitoId3 2 3 The credentials and context (Cognito ID) are passed along Both AWS Lambda & DynamoDB will follow the access policy
Authenticated flow in depth Clients AWS Lambda lambdaHandler API Gateway Sigv4 Invoke with caller credentials Service calls are authorized using the IAM role Learn more about fine-grained access permissions http://amzn.to/1YkxcjR DynamoDB
Demo – Authorization
Benefits of using AWS auth & IAM • Separation of concerns – our authorization strategy is delegated to a dedicated service • We have centralized access management to a single set of policies • Roles and credentials can be disabled with a single API call
AWS credentials on the client
1-click SDK generation from the console
The client SDK declares all methods
The AWSCredentialsProvider We implement the AWSCredentialsProvider interface The refresh() method is called whenever the SDK needs new credentials
Generated SDK benefits The generated client SDK knows how to: • Sign API calls using AWS signature version 4 • Handle-throttled responses with exponential back-off • Marshal and unmarshal requests and responses to model objects
Options for authentication and authorization
Options • Cognito facilitates BYOI • Google, FB, etc… • Roll your own • Cognito User Pools • Authorization options – facilitated by API Gateway • AWS IAM • Custom Authorizer
Manage authenticated and guest users’ access to your AWS resources Federated Identities Add sign-up and sign- in with a fully managed user directory Your User Pool GuestYour own auth Amazon Cognito Identity Amazon Cognito Identity
What have we learned? AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you Security is important, and complex – make the most of AWS Identity and Access Management by leveraging Cognito Flexibility – API Gateway, Lambda and Cognito give you choices for authentication and authorization
Questions?

Recommended

Become an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaBecome an AWS IAM Policy Ninja
Become an AWS IAM Policy Ninja
Amazon Web Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon Web Services
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc Version
Ernest Chiang
 
AWS IAM
AWS IAMAWS IAM
AWS IAM
Diego Pacheco
 
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Amazon Web Services
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
Amazon Web Services
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
Amazon Web Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
Amazon Web Services
 

Recommended

Become an AWS IAM Policy Ninja
Become an AWS IAM Policy NinjaBecome an AWS IAM Policy Ninja
Become an AWS IAM Policy Ninja
Amazon Web Services
 
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon GuardDuty: Intelligent Threat Detection and Continuous Monitoring to P...
Amazon Web Services
 
AWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc VersionAWS IAM -- Notes of 20130403 Doc Version
AWS IAM -- Notes of 20130403 Doc Version
Ernest Chiang
 
AWS IAM
AWS IAMAWS IAM
AWS IAM
Diego Pacheco
 
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Securing Serverless Workloads with Cognito and API Gateway Part II - AWS Secu...
Amazon Web Services
 
IAM Introduction and Best Practices
IAM Introduction and Best PracticesIAM Introduction and Best Practices
IAM Introduction and Best Practices
Amazon Web Services
 
AWS IAM Introduction
AWS IAM IntroductionAWS IAM Introduction
AWS IAM Introduction
Amazon Web Services
 
Data Protection in Transit and at Rest
Data Protection in Transit and at RestData Protection in Transit and at Rest
Data Protection in Transit and at Rest
Amazon Web Services
 
Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
Knoldus Inc.
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CA
Amazon Web Services
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
Jagadish Vemugunta
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Amazon Web Services
 
AWS Cloud trail
AWS Cloud trailAWS Cloud trail
AWS Cloud trail
zekeLabs Technologies
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
Amazon Web Services
 
Aws IAM
Aws IAMAws IAM
Aws IAM
Chamali Liyanage
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Amazon Web Services
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon Cognito
Amazon Web Services
 
AWS SQS SNS
AWS SQS SNSAWS SQS SNS
AWS SQS SNS
Durgesh Vaishnav
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
Amazon Web Services Korea
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
Amazon Web Services
 
(SEC323) New: Securing Web Applications with AWS WAF
(SEC323) New: Securing Web Applications with AWS WAF(SEC323) New: Securing Web Applications with AWS WAF
(SEC323) New: Securing Web Applications with AWS WAF
Amazon Web Services
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
Mike Felch
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
Amazon Web Services
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentals
Amazon Web Services
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting Started
Taswar Bhatti
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Amazon Web Services
 
Building Secure Mobile APIs
Building Secure Mobile APIsBuilding Secure Mobile APIs
Building Secure Mobile APIs
Amazon Web Services
 
Workshop: We love APIs
Workshop: We love APIsWorkshop: We love APIs
Workshop: We love APIs
Amazon Web Services
 

More Related Content

What's hot

Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
Knoldus Inc.
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CA
Amazon Web Services
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
Jagadish Vemugunta
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
Amazon Web Services
 
AWS Cloud trail
AWS Cloud trailAWS Cloud trail
AWS Cloud trail
zekeLabs Technologies
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
Amazon Web Services
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
Amazon Web Services
 
Aws IAM
Aws IAMAws IAM
Aws IAM
Chamali Liyanage
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Amazon Web Services
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon Cognito
Amazon Web Services
 
AWS SQS SNS
AWS SQS SNSAWS SQS SNS
AWS SQS SNS
Durgesh Vaishnav
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
Amazon Web Services Korea
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
Amazon Web Services
 
(SEC323) New: Securing Web Applications with AWS WAF
(SEC323) New: Securing Web Applications with AWS WAF(SEC323) New: Securing Web Applications with AWS WAF
(SEC323) New: Securing Web Applications with AWS WAF
Amazon Web Services
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
Mike Felch
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
Amazon Web Services
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentals
Amazon Web Services
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting Started
Taswar Bhatti
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
Amazon Web Services
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Amazon Web Services
 

What's hot (20)

Introduction to AWS IAM
Introduction to AWS IAMIntroduction to AWS IAM
Introduction to AWS IAM
 
SID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CASID305 AWS Certificate Manager Private CA
SID305 AWS Certificate Manager Private CA
 
DataPower Restful API Security
DataPower Restful API SecurityDataPower Restful API Security
DataPower Restful API Security
 
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
(DEV203) Amazon API Gateway & AWS Lambda to Build Secure APIs
 
AWS Cloud trail
AWS Cloud trailAWS Cloud trail
AWS Cloud trail
 
Identity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS SecurityIdentity and Access Management: The First Step in AWS Security
Identity and Access Management: The First Step in AWS Security
 
Security Architectures on AWS
Security Architectures on AWSSecurity Architectures on AWS
Security Architectures on AWS
 
Aws IAM
Aws IAMAws IAM
Aws IAM
 
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
Add End User Sign-in, User Management, and Security to Your Mobile and Web Ap...
 
Amazon Cognito
Amazon CognitoAmazon Cognito
Amazon Cognito
 
AWS SQS SNS
AWS SQS SNSAWS SQS SNS
AWS SQS SNS
 
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
AWS Control Tower를 통한 클라우드 보안 및 거버넌스 설계 - 김학민 :: AWS 클라우드 마이그레이션 온라인
 
AWS Secrets Manager
AWS Secrets ManagerAWS Secrets Manager
AWS Secrets Manager
 
(SEC323) New: Securing Web Applications with AWS WAF
(SEC323) New: Securing Web Applications with AWS WAF(SEC323) New: Securing Web Applications with AWS WAF
(SEC323) New: Securing Web Applications with AWS WAF
 
Welcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWSWelcome to the Jungle: Pentesting AWS
Welcome to the Jungle: Pentesting AWS
 
IAM Best Practices
IAM Best PracticesIAM Best Practices
IAM Best Practices
 
AWS networking fundamentals
AWS networking fundamentalsAWS networking fundamentals
AWS networking fundamentals
 
Azure Key Vault - Getting Started
Azure Key Vault - Getting StartedAzure Key Vault - Getting Started
Azure Key Vault - Getting Started
 
Amazon Cognito Deep Dive
Amazon Cognito Deep DiveAmazon Cognito Deep Dive
Amazon Cognito Deep Dive
 
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
Threat detection on AWS: An introduction to Amazon GuardDuty - FND216 - AWS r...
 

Similar to Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Security Day

Building Secure Mobile APIs
Building Secure Mobile APIsBuilding Secure Mobile APIs
Building Secure Mobile APIs
Amazon Web Services
 
Workshop: We love APIs
Workshop: We love APIsWorkshop: We love APIs
Workshop: We love APIs
Amazon Web Services
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
Vladimir Budilov
 
Security Best Practices for Serverless Applications - July 2017 AWS Online T...
Security Best Practices for Serverless Applications - July 2017 AWS Online T...Security Best Practices for Serverless Applications - July 2017 AWS Online T...
Security Best Practices for Serverless Applications - July 2017 AWS Online T...
Amazon Web Services
 
Building Serverless Backends with AWS Lambda and Amazon API Gateway
Building Serverless Backends with AWS Lambda and Amazon API GatewayBuilding Serverless Backends with AWS Lambda and Amazon API Gateway
Building Serverless Backends with AWS Lambda and Amazon API Gateway
Amazon Web Services
 
Cloud Security-how to create serverless applications
Cloud Security-how to create serverless applicationsCloud Security-how to create serverless applications
Cloud Security-how to create serverless applications
Amazon Web Services
 
Building Scalable Services with Amazon API Gateway - Technical 201
Building Scalable Services with Amazon API Gateway - Technical 201Building Scalable Services with Amazon API Gateway - Technical 201
Building Scalable Services with Amazon API Gateway - Technical 201
Amazon Web Services
 
Rapid Application Development on AWS
Rapid Application Development on AWSRapid Application Development on AWS
Rapid Application Development on AWS
Amazon Web Services
 
Zombie Apocalypse Workshop by Warren Santer and Kyle Somers, Solutions Archit...
Zombie Apocalypse Workshop by Warren Santer and Kyle Somers, Solutions Archit...Zombie Apocalypse Workshop by Warren Santer and Kyle Somers, Solutions Archit...
Zombie Apocalypse Workshop by Warren Santer and Kyle Somers, Solutions Archit...
Amazon Web Services
 
AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)
AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)
AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)
Amazon Web Services
 
Federation
FederationFederation
Federation
Amazon Web Services
 
AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview
Amazon Web Services
 
AWS August Webinar Series - Building Serverless Backends with AWS Lambda and ...
AWS August Webinar Series - Building Serverless Backends with AWS Lambda and ...AWS August Webinar Series - Building Serverless Backends with AWS Lambda and ...
AWS August Webinar Series - Building Serverless Backends with AWS Lambda and ...
Amazon Web Services
 
Federation
FederationFederation
Federation
Amazon Web Services
 
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
Amazon Web Services
 
SID201 Overview of AWS Identity, Directory, and Access Services
SID201 Overview of AWS Identity, Directory, and Access Services SID201 Overview of AWS Identity, Directory, and Access Services
SID201 Overview of AWS Identity, Directory, and Access Services
Amazon Web Services
 
Ovations AWS pop-up loft 2019 Technical presentation
Ovations AWS pop-up loft 2019 Technical presentationOvations AWS pop-up loft 2019 Technical presentation
Ovations AWS pop-up loft 2019 Technical presentation
GeanBoegman
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017
Amazon Web Services
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
Amazon Web Services
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Amazon Web Services
 

Similar to Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Security Day (20)

Building Secure Mobile APIs
Building Secure Mobile APIsBuilding Secure Mobile APIs
Building Secure Mobile APIs
 
Workshop: We love APIs
Workshop: We love APIsWorkshop: We love APIs
Workshop: We love APIs
 
amazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutesamazon-cognito-auth-in-minutes
amazon-cognito-auth-in-minutes
 
Security Best Practices for Serverless Applications - July 2017 AWS Online T...
Security Best Practices for Serverless Applications - July 2017 AWS Online T...Security Best Practices for Serverless Applications - July 2017 AWS Online T...
Security Best Practices for Serverless Applications - July 2017 AWS Online T...
 
Building Serverless Backends with AWS Lambda and Amazon API Gateway
Building Serverless Backends with AWS Lambda and Amazon API GatewayBuilding Serverless Backends with AWS Lambda and Amazon API Gateway
Building Serverless Backends with AWS Lambda and Amazon API Gateway
 
Cloud Security-how to create serverless applications
Cloud Security-how to create serverless applicationsCloud Security-how to create serverless applications
Cloud Security-how to create serverless applications
 
Building Scalable Services with Amazon API Gateway - Technical 201
Building Scalable Services with Amazon API Gateway - Technical 201Building Scalable Services with Amazon API Gateway - Technical 201
Building Scalable Services with Amazon API Gateway - Technical 201
 
Rapid Application Development on AWS
Rapid Application Development on AWSRapid Application Development on AWS
Rapid Application Development on AWS
 
Zombie Apocalypse Workshop by Warren Santer and Kyle Somers, Solutions Archit...
Zombie Apocalypse Workshop by Warren Santer and Kyle Somers, Solutions Archit...Zombie Apocalypse Workshop by Warren Santer and Kyle Somers, Solutions Archit...
Zombie Apocalypse Workshop by Warren Santer and Kyle Somers, Solutions Archit...
 
AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)
AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)
AWS re:Invent 2016: Building Complex Serverless Applications (GPST404)
 
Federation
FederationFederation
Federation
 
AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview AWS Identity, Directory, and Access Services: An Overview
AWS Identity, Directory, and Access Services: An Overview
 
AWS August Webinar Series - Building Serverless Backends with AWS Lambda and ...
AWS August Webinar Series - Building Serverless Backends with AWS Lambda and ...AWS August Webinar Series - Building Serverless Backends with AWS Lambda and ...
AWS August Webinar Series - Building Serverless Backends with AWS Lambda and ...
 
Federation
FederationFederation
Federation
 
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
AWS Identity, Directory, and Access Services: An Overview - SID201 - Chicago ...
 
SID201 Overview of AWS Identity, Directory, and Access Services
SID201 Overview of AWS Identity, Directory, and Access Services SID201 Overview of AWS Identity, Directory, and Access Services
SID201 Overview of AWS Identity, Directory, and Access Services
 
Ovations AWS pop-up loft 2019 Technical presentation
Ovations AWS pop-up loft 2019 Technical presentationOvations AWS pop-up loft 2019 Technical presentation
Ovations AWS pop-up loft 2019 Technical presentation
 
Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017Deep Dive on Amazon Cognito - DevDay Austin 2017
Deep Dive on Amazon Cognito - DevDay Austin 2017
 
Getting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless CloudGetting Started with AWS Lambda and the Serverless Cloud
Getting Started with AWS Lambda and the Serverless Cloud
 
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
Security & Compliance for Modern Serverless Applications (SRV319-R1) - AWS re...
 

More from Amazon Web Services

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Amazon Web Services
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Amazon Web Services
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
Amazon Web Services
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
Amazon Web Services
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
Amazon Web Services
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
Amazon Web Services
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Amazon Web Services
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
Amazon Web Services
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Amazon Web Services
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
Amazon Web Services
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
Amazon Web Services
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Amazon Web Services
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
Amazon Web Services
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Amazon Web Services
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
Amazon Web Services
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
Amazon Web Services
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
Amazon Web Services
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
Amazon Web Services
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
Amazon Web Services
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
Amazon Web Services
 

More from Amazon Web Services (20)

Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
Come costruire servizi di Forecasting sfruttando algoritmi di ML e deep learn...
 
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
Big Data per le Startup: come creare applicazioni Big Data in modalità Server...
 
Esegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS FargateEsegui pod serverless con Amazon EKS e AWS Fargate
Esegui pod serverless con Amazon EKS e AWS Fargate
 
Costruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWSCostruire Applicazioni Moderne con AWS
Costruire Applicazioni Moderne con AWS
 
Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot Come spendere fino al 90% in meno con i container e le istanze spot
Come spendere fino al 90% in meno con i container e le istanze spot
 
Open banking as a service
Open banking as a serviceOpen banking as a service
Open banking as a service
 
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
Rendi unica l’offerta della tua startup sul mercato con i servizi Machine Lea...
 
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...OpsWorks Configuration Management: automatizza la gestione e i deployment del...
OpsWorks Configuration Management: automatizza la gestione e i deployment del...
 
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows WorkloadsMicrosoft Active Directory su AWS per supportare i tuoi Windows Workloads
Microsoft Active Directory su AWS per supportare i tuoi Windows Workloads
 
Computer Vision con AWS
Computer Vision con AWSComputer Vision con AWS
Computer Vision con AWS
 
Database Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatareDatabase Oracle e VMware Cloud on AWS i miti da sfatare
Database Oracle e VMware Cloud on AWS i miti da sfatare
 
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJSCrea la tua prima serverless ledger-based app con QLDB e NodeJS
Crea la tua prima serverless ledger-based app con QLDB e NodeJS
 
API moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e webAPI moderne real-time per applicazioni mobili e web
API moderne real-time per applicazioni mobili e web
 
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatareDatabase Oracle e VMware Cloud™ on AWS: i miti da sfatare
Database Oracle e VMware Cloud™ on AWS: i miti da sfatare
 
Tools for building your MVP on AWS
Tools for building your MVP on AWSTools for building your MVP on AWS
Tools for building your MVP on AWS
 
How to Build a Winning Pitch Deck
How to Build a Winning Pitch DeckHow to Build a Winning Pitch Deck
How to Build a Winning Pitch Deck
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
Fundraising Essentials
Fundraising EssentialsFundraising Essentials
Fundraising Essentials
 
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
AWS_HK_StartupDay_Building Interactive websites while automating for efficien...
 
Introduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container ServiceIntroduzione a Amazon Elastic Container Service
Introduzione a Amazon Elastic Container Service
 

Recently uploaded

APJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes WebinarAPJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes Webinar
ThousandEyes
 
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with MilvusMultimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Zilliz
 
Building an Agentic RAG locally with Ollama and Milvus
Building an Agentic RAG locally with Ollama and MilvusBuilding an Agentic RAG locally with Ollama and Milvus
Building an Agentic RAG locally with Ollama and Milvus
Zilliz
 
STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final v1STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final v1
Dr. Jimmy Schwarzkopf
 
Coordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar SlidesCoordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar Slides
Safe Software
 
From NCSA to the National Research Platform
From NCSA to the National Research PlatformFrom NCSA to the National Research Platform
From NCSA to the National Research Platform
Larry Smarr
 
Quantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLMQuantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLM
Vijayananda Mohire
 
Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...
BookNet Canada
 
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdfPigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions
 
What’s New in Teams Calling, Meetings and Devices May 2024
What’s New in Teams Calling, Meetings and Devices May 2024What’s New in Teams Calling, Meetings and Devices May 2024
What’s New in Teams Calling, Meetings and Devices May 2024
Stephanie Beckett
 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
Neeraj Kumar Singh
 
Leveraging AI for Software Developer Productivity.pptx
Leveraging AI for Software Developer Productivity.pptxLeveraging AI for Software Developer Productivity.pptx
Leveraging AI for Software Developer Productivity.pptx
petabridge
 
From 1M to 1B Features Per Second: Scaling ShareChat's ML Feature Store
From 1M to 1B Features Per Second: Scaling ShareChat's ML Feature StoreFrom 1M to 1B Features Per Second: Scaling ShareChat's ML Feature Store
From 1M to 1B Features Per Second: Scaling ShareChat's ML Feature Store
ScyllaDB
 
Metadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - DatastratoMetadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - Datastrato
Zilliz
 
Summer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdf
Summer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdfSummer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdf
Summer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdf
Anna Loughnan Colquhoun
 
this resume for sadika shaikh bca student
this resume for sadika shaikh bca studentthis resume for sadika shaikh bca student
this resume for sadika shaikh bca student
SadikaShaikh7
 
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdfProduct Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdf
gaydlc2513
 
Supplier Sourcing Presentation - Gay De La Cruz.pdf
Supplier Sourcing Presentation - Gay De La Cruz.pdfSupplier Sourcing Presentation - Gay De La Cruz.pdf
Supplier Sourcing Presentation - Gay De La Cruz.pdf
gaydlc2513
 
Research Directions for Cross Reality Interfaces
Research Directions for Cross Reality InterfacesResearch Directions for Cross Reality Interfaces
Research Directions for Cross Reality Interfaces
Mark Billinghurst
 
Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024
BookNet Canada
 

Recently uploaded (20)

APJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes WebinarAPJC Introduction to ThousandEyes Webinar
APJC Introduction to ThousandEyes Webinar
 
Multimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with MilvusMultimodal Retrieval Augmented Generation (RAG) with Milvus
Multimodal Retrieval Augmented Generation (RAG) with Milvus
 
Building an Agentic RAG locally with Ollama and Milvus
Building an Agentic RAG locally with Ollama and MilvusBuilding an Agentic RAG locally with Ollama and Milvus
Building an Agentic RAG locally with Ollama and Milvus
 
STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final v1STKI Israeli Market Study 2024 final v1
STKI Israeli Market Study 2024 final v1
 
Coordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar SlidesCoordinate Systems in FME 101 - Webinar Slides
Coordinate Systems in FME 101 - Webinar Slides
 
From NCSA to the National Research Platform
From NCSA to the National Research PlatformFrom NCSA to the National Research Platform
From NCSA to the National Research Platform
 
Quantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLMQuantum Communications Q&A with Gemini LLM
Quantum Communications Q&A with Gemini LLM
 
Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...Transcript: Details of description part II: Describing images in practice - T...
Transcript: Details of description part II: Describing images in practice - T...
 
Pigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdfPigging Solutions Sustainability brochure.pdf
Pigging Solutions Sustainability brochure.pdf
 
What’s New in Teams Calling, Meetings and Devices May 2024
What’s New in Teams Calling, Meetings and Devices May 2024What’s New in Teams Calling, Meetings and Devices May 2024
What’s New in Teams Calling, Meetings and Devices May 2024
 
Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0Chapter 5 - Managing Test Activities V4.0
Chapter 5 - Managing Test Activities V4.0
 
Leveraging AI for Software Developer Productivity.pptx
Leveraging AI for Software Developer Productivity.pptxLeveraging AI for Software Developer Productivity.pptx
Leveraging AI for Software Developer Productivity.pptx
 
From 1M to 1B Features Per Second: Scaling ShareChat's ML Feature Store
From 1M to 1B Features Per Second: Scaling ShareChat's ML Feature StoreFrom 1M to 1B Features Per Second: Scaling ShareChat's ML Feature Store
From 1M to 1B Features Per Second: Scaling ShareChat's ML Feature Store
 
Metadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - DatastratoMetadata Lakes for Next-Gen AI/ML - Datastrato
Metadata Lakes for Next-Gen AI/ML - Datastrato
 
Summer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdf
Summer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdfSummer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdf
Summer24-ReleaseOverviewDeck - Stephen Stanley 27 June 2024.pdf
 
this resume for sadika shaikh bca student
this resume for sadika shaikh bca studentthis resume for sadika shaikh bca student
this resume for sadika shaikh bca student
 
Product Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdfProduct Listing Optimization Presentation - Gay De La Cruz.pdf
Product Listing Optimization Presentation - Gay De La Cruz.pdf
 
Supplier Sourcing Presentation - Gay De La Cruz.pdf
Supplier Sourcing Presentation - Gay De La Cruz.pdfSupplier Sourcing Presentation - Gay De La Cruz.pdf
Supplier Sourcing Presentation - Gay De La Cruz.pdf
 
Research Directions for Cross Reality Interfaces
Research Directions for Cross Reality InterfacesResearch Directions for Cross Reality Interfaces
Research Directions for Cross Reality Interfaces
 
Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024Details of description part II: Describing images in practice - Tech Forum 2024
Details of description part II: Describing images in practice - Tech Forum 2024
 

Securing Serverless Workloads with Cognito and API Gateway Part I - AWS Security Day

  • 1. Securing Serverless Applications Part 1 Karthi Thyagarajan Enterprise Solutions Architect Using Amazon API Gateway, AWS Lambda and Amazon Cognito
  • 2. Imagine for a minute… Being able to develop a mobile backend API that: • Requires no infrastructure • Scales automatically to meet demand • Has granular costs that grow with usage
  • 3. The services we are going to use Amazon API GatewayAWS Lambda Amazon Cognito Amazon DynamoDB Host the API and route API calls Execute our app’s business logic Generate temporary AWS credentials Data store
  • 4. What to Expect from the Session 1. Start with a basic 3-tier web app • Pure serverless 2. Add authentication with Amazon Cognito • Integrate with Cognito • Login by leveraging BYOI (bring your own identity) 3. Authorization with AWS IAM 4. Segue to part 2
  • 5. Key takeaways AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you Security is important, and complex – make the most of AWS Identity and Access Management by leveraging Cognito Flexibility – API Gateway, Lambda and Cognito give you choices for authentication and authorization
  • 7. High performance at any scale; Cost-effective and efficient No Infrastructure to manage Pay only for what you use: Lambda automatically matches capacity to your request rate. Purchase compute in 100ms increments. Bring Your Own Code Lambda functions: Stateless, trigger-based code execution Run code in a choice of standard languages. Use threads, processes, files, and shell scripts normally. Focus on business logic, not infrastructure. You upload code; AWS Lambda handles everything else. AWS Lambda Overview
  • 8. AWS Lambda Console Develop, test and publish your Lambda functions either by the AWS Management Console, AWS CLI or our SDKs. Or use community frameworks such as serverless.com, gosparta.io and more…
  • 10. Amazon API Gateway overview Manage deployments to multiple versions and environments Define and host APIs Leverage Identity and Access Management to authorize access to your cloud resources Leverage AWS Auth DDoS protection and request throttling to safeguard your back end Manage network traffic
  • 11. Your Feedback Managing multiple versions and stages of an API is difficult Monitoring 3rd party developers’ access is time consuming Access authorization is a challenge Traffic spikes create operational burden What if I don’t want servers at all?
  • 12. Host multiple versions and stages of your APIs Create and distribute API Keys to developers Authenticate and authorise API consumers Throttle and monitor requests to protect your backend Utilizes AWS Lambda Introducing Amazon API Gateway
  • 13. Introducing Amazon API Gateway Managed cache to store API responses Reduced latency and DDoS protection through CloudFront SDK Generation for iOS, Android and JavaScript Swagger import and export support Request / Response data transformation and API mocking
  • 14. Serverless 3-tier Web Architecture Amazon API Gateway AWS Lambda Amazon DynamoDB Data tier App tier Presentation tier Amazon S3 Amazon CloudFront
  • 17. Amazon Cognito overview Manage authenticated and guest users across identity providers Identity management Synchronize users’ data across devices and platforms via the cloud Data synchronization Securely access AWS services from mobile devices and platforms Secure AWS access
  • 19. Unauthenticated API call flows Clients AWS Lambda lambdaHandler Register Login API Gateway Authenticated Clients AWS Lambda lambdaHandler ListNotes CreateNote API Gateway Assume Role Etc.. Sigv4 Invoke with caller credentials Authorized by IAM
  • 21. The API definition • POST • Receives a user name and password • Encrypts the password and creates the user account in DynamoDB • Calls Amazon Cognito to generate credentials • Returns the user + its credentials /users • POST • Receives a user name and password • Authenticates the user against the DynamoDB database • Calls Amazon Cognito to generate credentials • Returns a set of temporary credentials /login
  • 22. Retrieving temporary AWS credentials Call Login API, no auth required Client API Gateway Backend /login Login action User accounts database Credentials verified Get OpenID token for developer identity Receives credentials to sign API calls Identity ID + token Get credentials for identity Access key + secret key + session token /login 1. 2. 3.
  • 23. Demo – login with Cognito
  • 25. The Pets resources require authorization • POST • Receives a Pet model • Saves it in DynamoDB • Returns the new Pet ID • GET • Returns the list of Pets stored in DynamoDB /pets • GET • Receives a Pet ID from the path • Uses mapping templates to pass the path parameter to the Lambda function • Loads the Pet from DynamoDB • Returns a Pet model /pets/{petId}
  • 26. Using the caller credentials credentials: arn:aws:iam::*:user/* Using the console Using Swagger
  • 27. The IAM role defines access permissions { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:Scan", "lambda:InvokeFunction", "execute-api:invoke" ], "Resource": [ "arn:aws:dynamodb:us-east-1:xxxxxx:table/notes", "arn:aws:lambda:us-east-1:xxxxx:function:NotesGet”, "arn:aws:execute-api:us-east-1:xxxx:API_ID/*/POST/notes" ] } ] } The role allows calls to: • DynamoDB • API Gateway • Lambda The role can access specific resources in these services
  • 28. One step further: Fine-grained access permissions Internet Client API Gateway AWS Lambda functions Amazon CloudFront DynamoDB CognitoId2 … "Condition": { "ForAllValues:StringEquals": { "dynamodb:LeadingKeys": [”${cognito- identity.amazonaws.com:sub}"], "dynamodb:Attributes": [ "UserId","GameTitle","Wins","Losses", "TopScore","TopScoreDateTime” ] }, "StringEqualsIfExists": { "dynamodb:Select": "SPECIFIC_ATTRIBUTES” } } … Executes with this role UserID Wins Losses cognitoId1 3 2 cognitoId2 5 8 cognitoId3 2 3 The credentials and context (Cognito ID) are passed along Both AWS Lambda & DynamoDB will follow the access policy
  • 29. Authenticated flow in depth Clients AWS Lambda lambdaHandler API Gateway Sigv4 Invoke with caller credentials Service calls are authorized using the IAM role Learn more about fine-grained access permissions http://amzn.to/1YkxcjR DynamoDB
  • 31. Benefits of using AWS auth & IAM • Separation of concerns – our authorization strategy is delegated to a dedicated service • We have centralized access management to a single set of policies • Roles and credentials can be disabled with a single API call
  • 32. AWS credentials on the client
  • 33. 1-click SDK generation from the console
  • 34. The client SDK declares all methods
  • 35. The AWSCredentialsProvider We implement the AWSCredentialsProvider interface The refresh() method is called whenever the SDK needs new credentials
  • 36. Generated SDK benefits The generated client SDK knows how to: • Sign API calls using AWS signature version 4 • Handle-throttled responses with exponential back-off • Marshal and unmarshal requests and responses to model objects
  • 37. Options for authentication and authorization
  • 38. Options • Cognito facilitates BYOI • Google, FB, etc… • Roll your own • Cognito User Pools • Authorization options – facilitated by API Gateway • AWS IAM • Custom Authorizer
  • 39. Manage authenticated and guest users’ access to your AWS resources Federated Identities Add sign-up and sign- in with a fully managed user directory Your User Pool GuestYour own auth Amazon Cognito Identity Amazon Cognito Identity
  • 40. What have we learned? AWS Lambda + Amazon API Gateway means no infrastructure to manage – we scale for you Security is important, and complex – make the most of AWS Identity and Access Management by leveraging Cognito Flexibility – API Gateway, Lambda and Cognito give you choices for authentication and authorization