This document discusses securing data in serverless applications and messaging services. It covers authentication using IAM users, roles and groups. It also covers authorization using identity-based and resource-based policies. Additionally, it discusses encrypting messages in transit using HTTPS and at rest using server-side encryption with AWS KMS customer master keys and data encryption keys. It provides examples of policies for Amazon SNS topics, SQS queues and KMS customer master keys.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Securing Data in Serverless
Applications and Messaging
Services
Otavio Ferreira
Software Development Manager
AWS Messaging
A P I 3 1 7 - R

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Agenda
Authentication
Authorization
Message encryption
Message privacy
Auditing

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Chalk talk repeats
Monday, November 26
Securing Data in Serverless Applications and Messaging Services
5:30 p.m. | Aria West, Level 3, Starvine 7
Tuesday, November 27
Securing Data in Serverless Applications and Messaging Services
1:45 p.m. | Venetian, Level 3, Murano 3302
Thursday, November 29
Securing Data in Serverless Applications and Messaging Services
3:15 p.m. | Mirage, Martinique A

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS serverless services used
Security, Identity & ComplianceNetworking & Content Delivery
Application Integration Compute ManagementDatabase

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity
Powered by AWS IAM.
Root user is locked away for security.
Users and roles are created to identify requesters.
User Group Role

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Identity
IAM User:
Consists of a name, an AWS Management Console password, and AWS API access keys.
Used to identify a person or an application, and grant them access to AWS resources.
IAM Group:
Consists of a name and a collection of IAM users.
Used to attach IAM permission policies to multiple IAM users at one time.
IAM Role:
Similar to IAM user, but without credentials (password, access keys).
Assumed by an IAM user to temporarily take on different permissions.
Can be assigned to a federated user who signs in by using an external identity provider.

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Signature
API requests are signed with an AWS access key and secret key.
Signatures help secure API requests by…
Verifying the identity of the requester.
Protecting data in transit with a calculated hash.
Protecting against replay attacks within a 5-min timeframe.
Signatures can be set in the…
HTTP request header.
HTTP request query string.
Signatures are automatically added by AWS tools: SDK and CLI.
Recommended version: SigV4

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample API request signed with SigV4
POST /BillingQueue HTTP/1.1
Host: sqs.us-east-1.amazonaws.com
Content-Type: application/x-www-form-urlencoded
Authorization: AWS4-HMAC-SHA256
Credential=AKIDEXAMPLE/20181126/us-east-1/sqs/aws4_request,
SignedHeaders=content-type;host;x-amz-date,
Signature=b97d918cfa904a5beff61c982a1b6f458b799221646efd99d3219ec94cdf2500
X-Amz-Date: 20181126T123600Z
Action=SendMessage
&MessageBody=Order-1234
&Version=2012-11-05

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Permission policies
Powered by AWS IAM, and used to restrict access to resources.
Identity-based policies:
Attached to an IAM user or role.
Specify what the user or role can do (their permissions).
Resource-based policies:
Attached to an AWS resource, such as an Amazon SNS topic or Amazon SQS queue.
Specify who has access to the resource and what actions they can perform on it.
Upon a request, identity-based and resource-based policies are evaluated
together for a final outcome (allow or deny access).

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample identity-based policy in AWS IAM
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Allow IAM user to do messaging (SNS, SQS) and encryption (KMS)",
"Effect": "Allow",
"Action": [
"sns:Publish", "sqs:ReceiveMessage", "sqs:DeleteMessage”,
"kms:GenerateDataKey*", "kms:Decrypt"
],
"Resource": "*"
}]}

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Access permission in Amazon SNS
Resource-based policies in Amazon SNS are known as topic policies.
As examples, topic policies can be used for limiting…
the accounts, users or roles that can publish and subscribe to the topic.
the delivery protocols available to subscribers in the topic. For example, Amazon SQS only.
the event sources that can publish to the topic. For example, an AWS Lambda function.

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample topic policy in Amazon SNS
{
"Version": "2008-10-17",
"Statement": [{
"Sid": "Allow only one Lambda function to publish messages to the SNS topic",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::313276652320:user/Messenger"},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:us-east-1:313276652320:SalesTopic”,
"Condition": {"ArnEquals":
{"aws:SourceArn": "arn:aws:lambda:us-east-1:313276652320:function:PublisherFunction"}
}}]}

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample topic policy in Amazon SNS
{
"Version": "2008-10-17",
"Statement": [{
"Sid": "Allow IAM user to subscribe to the SNS topic, using SQS as delivery protocol",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::313276652320:user/Messenger"},
"Action": "sns:Subscribe",
"Resource": "arn:aws:sns:us-east-1:313276652320:SalesTopic",
"Condition": {"StringEquals": {"sns:Protocol": "sqs"}}
}]
}

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Access permission in Amazon SQS
Resource-based policies in Amazon SQS are known as queue policies.
As examples, queue policies can be used for limiting…
the accounts, users, or roles that can send messages to the queue.
the accounts, users, or roles that can receive and delete messages from the queue.
the sources that can send messages to the queue. For example, an Amazon SNS topic.

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample queue policy in Amazon SQS
{
"Version": "2008-10-17",
"Statement": [{
"Sid": "Allow only one SNS topic to send messages to the SQS queue",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::313276652320:user/Messenger"},
"Action": ["sqs:SendMessage"],
"Resource": "arn:aws:sns:us-east-1:313276652320:BillingQueue",
"Condition": {"ArnEquals": {"aws:SourceArn": "arn:aws:sns:us-east-1:313276652320:SalesTopic"}}
}]
}

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample queue policy in Amazon SQS
{
"Version": "2008-10-17",
"Statement": [{
"Sid": "Allow only one Lambda function to receive and delete messages from the SQS queue",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::313276652320:user/Messenger"},
"Action": ["sqs:ReceiveMessage”, "sqs:DeleteMessage"],
"Resource": "arn:aws:sns:us-east-1:313276652320:BillingQueue",
"Condition": {"ArnEquals":
{"aws:SourceArn": "arn:aws:lambda:us-east-1:313276652320:function:BillingFunction"}
}}]}

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Message encryption in transit
Amazon SNS, Amazon SQS, and AWS Lambda provide HTTPS APIs that
encrypt all messages in transit.
HTTPS APIs are secured by Transport Layer Security (TLS) 1.2 certificates
issued by Amazon Trust Services (ATS) as Certificate Authority (CA), and
encrypt messages using a 256-bit SHA algorithm and 2048-bit RSA keys.
provisions, manages, deploys
TLS certificates

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Message encryption at rest
AWS encrypted message channels powered by AWS KMS:
Amazon SNS encrypted topics
Amazon SQS encrypted queues
Messages are encrypted using a 256-bit AES-GCM algorithm.
Messages are stored in encrypted form, in multiple availability zones (AZ).

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customer master key (CMK)
Managed in AWS KMS.
Used to generate, encrypt and decrypt your data encryption keys (DEK).
CMK
CreateKey

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Customer master key (CMK)
Can view Can manage Used only in my account
Customer-managed CMK Yes Yes Yes
AWS-managed CMK Yes No Yes
AWS-owned CMK No No No
Amazon SNS and Amazon SQS support both customer-managed and
AWS-managed CMK.

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Data encryption key (DEK)
Managed and used only outside of AWS KMS.
Used to encrypt and decrypt your application data.
CMK
GenerateDataKey
Plaintext DEK
Encrypted DEK

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Envelope encryption
The practice of encrypting plaintext data with a data key, and then
encrypting the data key under another key.
Amazon SNS and Amazon SQS rotate your DEK every 5 minutes.
Customer master
key (CMK)
Encryption data
key (DEK)
Application
encrypted data
encrypts encrypts

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Server-side encryption (SSE)
3. Encrypt(Plaintext Msg, Plaintext DEK)
4. Store(Encrypted Msg, Encrypted DEK)
6. Decrypt(Encrypted Msg, Plaintext DEK)
2. GenerateDataKey(CMK)
Plaintext DEK, Encrypted DEK
5. Decrypt(CMK, Encrypted DEK)
Plaintext DEK Plaintext Msg
11. ReceiveMessage()7. SendMessage(Plaintext Msg)1. Publish(Plaintext Msg)
8. GenerateDataKey(CMK)
Plaintext DEK, Encrypted DEK
12. Decrypt(CMK, Encrypted DEK)
Plaintext DEK
9. Encrypt(Plaintext Msg, Plaintext DEK)
10. Store(Encrypted Msg, Encrypted DEK)
13. Decrypt(Encrypted Msg, Plaintext DEK)

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Key policies
Determine who can use and manage a customer-managed CMK.
Used to allow or deny permissions on AWS KMS keys, based on either
AWS IAM identities (users, roles) or AWS service principals.

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample key policy in AWS KMS
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Allow IAM user to generate and decrypt KMS data keys, using this CMK",
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::313276652320:user/Messenger"},
"Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
"Resource": "*"
}]
}

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample key policy in AWS KMS
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "Allow SNS to generate KMS data keys, using this CMK, when delivering messages to SQS",
"Effect": "Allow",
"Principal": {”Service": ”sns.amazonaws.com"},
"Action": ["kms:GenerateDataKey*", "kms:Decrypt"],
"Resource": "*"
}]
}

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC endpoints
Powered by AWS PrivateLink.
Messages are published privately from an Amazon VPC subnet to Amazon
SNS topics, without traversing the public Internet.
Internet gateway (IGW)
Network address translation (NAT)
Virtual private network (VPN)

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
VPC
Private subnet 1
AWS Cloud
Availability zone 1
AWS Region
SNS
topic
Lambda
function
Private subnet 2
Availability zone 2
Lambda
function
VPC
endpoint
Internet
Transit VPC
VPC
Lambda
function
KMS
data key
TLS
cert

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
API usage auditing
Powered by AWS CloudTrail.
Logs when AWS KMS operations are executed, and Amazon VPC
endpoints are accessed.

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample AWS KMS event logged in AWS CloudTrail
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAJ7PQSU42LKEHOPNEC:john-smith",
"arn": "arn:aws:sts::453276652360:assumed-role/Admin/john-smith",
"accountId": "313276652360",
"accessKeyId": "ASIAIS7TEZ35KHNWG5JQ",
"sessionContext": {…},
"invokedBy": "sns.amazonaws.com”
},
"eventID": "ab1sdfb9-54e0-4f64-b771-45032136e7cd",
"eventType": "AwsApiCall",
"eventTime": "2018-11-17T20:08:01Z",
"eventSource": "kms.amazonaws.com",
"eventName": "GenerateDataKey",
"awsRegion": "eu-west-3",
"sourceIPAddress": "sns.amazonaws.com",
"userAgent": "sns.amazonaws.com",
"errorCode": "AccessDenied",
"errorMessage": "User is not authorized to perform kms:GenerateDataKey",
"requestParameters": null,
"responseElements": null,
"requestID": "a809006a-5daf-46d1-81d5-6445dd62047d",
"recipientAccountId": ”453276652360”
}

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Sample Amazon VPC event logged in AWS CloudTrail
{
"eventVersion": "1.05",
"userIdentity": {
"type": "AssumedRole",
"principalId": "AROAJ7PQSU42LKEHOPNEC:otaviof-Isengard",
"arn": "arn:aws:sts::313276652360:assumed-role/Admin/otavio",
"accountId": "313276652360",
"accessKeyId": "ASIAUR4F6LNEG2HZO5LL",
"sessionContext": {…}
},
"eventID": "c7f665e7-a585-4466-8785-d2c35de2ce3d",
"eventType": "AwsApiCall",
"eventTime": "2018-11-19T07:06:49Z",
"eventSource": "ec2.amazonaws.com",
"eventName": "CreateVpcEndpoint",
"awsRegion": "eu-west-3",
"sourceIPAddress": "52.46.80.17",
"userAgent": "console.ec2.amazonaws.com",
"requestParameters": {…},
"responseElements": {…},
"requestID": "71c2084d-f8b8-4df9-8850-c5cbee23efc0",
"recipientAccountId": "313276652360”
}

39. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Otavio Ferreira
https://aws.amazon.com/messaging

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.