Serverless Security Workshop
WARNING: The purpose of the workshop is to provide a starter API which does NOT follow many security best practices on purpose. The tutorial modules guide you to identify security gaps in the starter app, and implement protection measures for them.
Furthermore, the modules do not cover ALL the security measures that should be applied. After completing all modules, we recommend you to explore additional protections, such as ensuring the principle of least privilege. See the Extra Credit section for more details.
In this workshop, you will learn techniques to secure a serverless application built with AWS Lambda, Amazon API Gateway and RDS Aurora. We will cover AWS services and features you can leverage to improve the security of a serverless applications in 5 domains:
- identity & access management
- logging & monitoring
You'll start by deploying a simple serverless application that allows third party companies to submit unicorn customizations. This will help Wild Rydes receive ad revenue and allow third party companies to market their brand leveraging Wild Rydes's popularity.
The simple serverless application has the below architecture to start with:
However, this simple serverless application is not very secure, and we need your help to implement measures to protect this serverless API from attackers.
By following different modules covering various aspects of security, you will help improve the security of the simple serverless application.
You can find the presentation slides in the
slides branch of this git repo, under the
Note: The workshop is designed so you don't have to complete all the modules in order, with the exception of module 0: You must start with module 0 before you work on other modules!
Click on the link to module 0 below to get started deploying the simple serverless application that you will spend the rest of the workshop securing!
Here's an overview of the modules in this workshop and how they map to different areas of security:
Identity & Access
||Logging & Monitoring
Due to time constraints, the modules do not cover all the security best practices that we should apply to our API. What other security measures can you identify that our app setup is missing?
Click below to go to the resource cleanup steps:
The documentation is made available under the Creative Commons Attribution-ShareAlike 4.0 International License. See the LICENSE file.
The sample within this documentation is made available under a modified MIT license. See the LICENSE-SAMPLECODE file.