SlideShare a Scribd company logo

Protecting Applications with Lambda@Edge and OAuth

Download as PPTX, PDF
Allan Denot, profile picture
Allan Denot

The document discusses solutions to maintain environment consistency in cloud applications using Lambda@Edge, highlighting issues with protecting API endpoints. It outlines two primary problems: inconsistent architectures between environments and the need for secure API access without using traditional authentication methods. Various solutions are proposed, including leveraging internal VPC structures and OAuth for secure communications.

Technology
1 of 17
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
Protecting Applications with Lambda@Edge
Allan Denot ➔ 5 years working as DevOps and AWS ➔ Senior DevOps Engineer at amaysim ➔ Master in IT from University of Sydney ➔ Former Ansible “expert” ➔ Currently doing Docker, ECS, CI/CD and Serverless @denot allandenot.com
Protecting Applications with Lambda@Edge and OAuth
Problem #1
Environment Consistency (or lack thereof)
Environment Consistency (or lack thereof) Engineer Before Internal VPC Dev QA VPN Stakeholders? Mobile? Architecture not consistent with Production
Internal VPC Environment Consistency (or lack thereof) CloudFront Dev QA VPN Production CloudFrontCloudFrontCan’t be exposed to public
Environment Consistency Solution #1 Internal VPC CloudFront Dev QA VPN Production CloudFrontCloudFront with Lambda with Lambda
Problem #2 (caused by Solution #1)
Protecting API Endpoints
Protected API Endpoints Internal VPC QA CloudFront with Lambda API call 302 Redirect to OAuth Automate d test client Automate d test client
Protected API Endpoints Requirements ➔ Protected from public ➔ Can’t use API Tokens or header authentication - keep consistency with production ➔ Known sources should have direct access
Solution #2 Protected API Endpoints Internal VPC QA CloudFront with Lambda API call 200 OK Automate d test client Dynamo DB Automate d test client
How it works
302 Redirect to OAuth Endpoint Request CALLBACK_URL with client code 200 Allow and set cookie Stores IP 302 Redirect to CALLBACK_URL with client code Request Webpage Flow Client CloudFront Labda@Edge OAuth Provider Client Authenticates with OAuth Provider Can include multiple interactions Checks code is valid Dynamo DB Dynamo DBIP Exists?
Demo
Questions? Links github.com/amaysim-au/cloudfront-auth-whitelist branches: github and azure Original code: github.com/Widen/cloudfront-auth

More Related Content

PDF
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
PDF
use case ibm k8s_service+devops
Shoichiro Sakaigawa
 
PPTX
Continous Delivery and Continous Integration at IKERLAN
Angel Conde Manjon
 
PDF
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 
PDF
Reactive Microservices with Quarkus
Niklas Heidloff
 
PDF
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
PDF
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
PDF
Securing containers by Breaking In - Liran Tal - DevSecCon Tel Aviv 2019
Liran Tal
 
LFX Nov 16, 2021 - Find vulnerabilities before security knocks on your door
Eric Smalling
 
use case ibm k8s_service+devops
Shoichiro Sakaigawa
 
Continous Delivery and Continous Integration at IKERLAN
Angel Conde Manjon
 
NYIT DSC/ Spring 2021 - Introduction to DevOps (CI/CD)
Hui (Henry) Chen
 
Reactive Microservices with Quarkus
Niklas Heidloff
 
Batten Down the Hatches: A Practical Guide to Securing Kubernetes - RMISC 2019
Lacework
 
The Future of Security and Productivity in Our Newly Remote World
DevOps.com
 
Securing containers by Breaking In - Liran Tal - DevSecCon Tel Aviv 2019
Liran Tal
 

What's hot (20)

PDF
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
PDF
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
PDF
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
Nico Meisenzahl
 
PDF
Visual Recognition with Anki Cozmo and TensorFlow
Niklas Heidloff
 
PDF
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
PPTX
Enterprise level cloud CI
SQUADEX
 
PDF
Jakarta Tech Talk: How to develop your first cloud-native Application with Java
Niklas Heidloff
 
PDF
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...
Codefresh
 
PDF
You Want to Kubernetes? You MUST Know Containers!
VMware Tanzu
 
PPTX
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
PPTX
Test coverage development
bo wang bo wang
 
PPTX
Deploy multi-environment application with Azure DevOps
Andrea Tosato
 
PPTX
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
PDF
Docker
Diego Pacheco
 
PDF
Node.js Security Done Right - Tips and Tricks They Won't Teach You In School
Liran Tal
 
PDF
Emulators as an Emerging Best Practice for API Providers
Cisco DevNet
 
PPTX
DevSecCon Boston2018 - advanced mobile security automation with bdd
Davide Cioccia
 
PDF
Continuous Integration from server to cloud
Paolo D'Incau
 
PPTX
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
PDF
Developing Serverless Applications with Apache OpenWhisk
Niklas Heidloff
 
Bridging the Security Testing Gap in Your CI/CD Pipeline
DevOps.com
 
Security in CI/CD Pipelines: Tips for DevOps Engineers
DevOps.com
 
GitLab Commit: Enhance your Compliance with Policy-Based CI/CD
Nico Meisenzahl
 
Visual Recognition with Anki Cozmo and TensorFlow
Niklas Heidloff
 
Sec4dev 2021 - Catch Me If You can : Continuous Delivery vs. Security Assurance
Abdessamad TEMMAR
 
Enterprise level cloud CI
SQUADEX
 
Jakarta Tech Talk: How to develop your first cloud-native Application with Java
Niklas Heidloff
 
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...
Codefresh
 
You Want to Kubernetes? You MUST Know Containers!
VMware Tanzu
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon
 
Test coverage development
bo wang bo wang
 
Deploy multi-environment application with Azure DevOps
Andrea Tosato
 
Software Composition Analysis Deep Dive
Ulisses Albuquerque
 
Docker
Diego Pacheco
 
Node.js Security Done Right - Tips and Tricks They Won't Teach You In School
Liran Tal
 
Emulators as an Emerging Best Practice for API Providers
Cisco DevNet
 
DevSecCon Boston2018 - advanced mobile security automation with bdd
Davide Cioccia
 
Continuous Integration from server to cloud
Paolo D'Incau
 
Continuous Security Testing with Devops - OWASP EU 2014
Stephen de Vries
 
Developing Serverless Applications with Apache OpenWhisk
Niklas Heidloff
 
Ad

Similar to Protecting Applications with Lambda@Edge and OAuth (6)

PDF
Basic authentication with lambda@edge, Juho Rautio, Webscale Oy
Juho Rautio
 
PDF
Securing Serverless Architectures - AWS Serverless Web Day
AWS Germany
 
PPTX
AWS Lambda Security Inside & Out
PureSec
 
PDF
Serverless security: defense against the dark arts
Yan Cui
 
PDF
Serverless Security: A How-to Guide @ SnowFROC 2019
James Wickett
 
PDF
Serverless security: defence against the dark arts
Yan Cui
 
Basic authentication with lambda@edge, Juho Rautio, Webscale Oy
Juho Rautio
 
Securing Serverless Architectures - AWS Serverless Web Day
AWS Germany
 
AWS Lambda Security Inside & Out
PureSec
 
Serverless security: defense against the dark arts
Yan Cui
 
Serverless Security: A How-to Guide @ SnowFROC 2019
James Wickett
 
Serverless security: defence against the dark arts
Yan Cui
 
Ad

Recently uploaded (20)

PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PPT
Teaching material agriculture food technology
LiaRayya
 
PDF
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Cloud computing and distributed systems.
kkkkkhan
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PPTX
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
PPTX
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
PDF
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PDF
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
Akar16
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Teaching material agriculture food technology
LiaRayya
 
NewMind AI Weekly Chronicles - August'25-Week II
NewMind AI
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Cloud computing and distributed systems.
kkkkkhan
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
VMware vSphere Foundation How to Sell Presentation-Ver1.4-2-14-2024.pptx
blackmambaettijean
 
Machine Learning_overview_presentation.pptx
kondavamsidharreddy2
 
MIND Revenue Release Quarter 2 2025 Press Release
MIND CTI
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Chapter 3 Spatial Domain Image Processing.pdf
Getnet Tigabie Askale -(GM)
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Approach and Philosophy of On baking technology
30anthuong17
 
Assigned Numbers - 2025 - Bluetooth® Document
Bloombase
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 

Protecting Applications with Lambda@Edge and OAuth