
Roman Sachenko
Serverless (AWS)
Things I wish I knew



- Software engineer at DA-14 Corp
- Team Lead
- Weird jokes maker
- Beer drinker
- Metallica band fan
- "I used to play in a heavy metal band" dude
- Ex "this metal band is not true" dude


Contents





Serverless as a thing

Application designs that incorporate third-party “Backend as a Service” (BaaS) services, and/or that include custom code run in managed, ephemeral containers on a “Functions as a Service” (FaaS) platform. (https://martinfowler.com)

Applications that run in stateless compute containers that are event-triggered, ephemeral, and fully managed by a third party.


Benefits
- Reduced operational cost
- BaaS: reduced development cost
- FaaS: scaling costs
- Easier operational management
- "Greener" computing


Drawbacks:
- Vendor control
- Security concerns
- Repetition of logic
- Configuration
- Testing
- Debugging
... and more


Technology Stack

Configuration and Deployment

CloudFormation (Serverless.yml)

resources:
  Resources:
    CognitoUserPool:
      ${file(./cognito-user-pool.yml)}
    CognitoUserPoolClient:
      ${file(./cognito-user-pool-client.yml)}

Benefits:
- what you set is what you get
- consistency

Drawbacks:
- hard to maintain relations between resources

# DB Campaign Table (fragment of the table resource)
Type: AWS::DynamoDB::Table
Properties:
  StreamSpecification:
    StreamViewType: NEW_AND_OLD_IMAGES

# DB Sync to Search Engine: the stream ARN is copied in through an env variable
DbSyncToSearchEngineCampaign:
  handler: src/lambdas/dbStreams.syncCampaign
  events:
    - stream: ${env:DB_STREAM_CAMPAIGN}
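One way to keep the table-to-function relation inside the stack instead of copying the stream ARN through an environment variable, as an added serverless.yml example that is not from the talk; the service name, runtime and key schema are assumed:

```yaml
service: campaign-sync            # assumed service name

provider:
  name: aws
  runtime: nodejs14.x
  stage: ${opt:stage, 'dev'}
  environment:
    # Table name resolved by CloudFormation at deploy time, not copied by hand
    CAMPAIGN_TABLE:
      Ref: DbTableCampaign

functions:
  dbSyncToSearchEngineCampaign:
    handler: src/lambdas/dbStreams.syncCampaign
    events:
      - stream:
          # `type` is required when `arn` is an intrinsic function
          type: dynamodb
          arn:
            Fn::GetAtt: [DbTableCampaign, StreamArn]
          startingPosition: TRIM_HORIZON
          batchSize: 10

resources:
  Resources:
    DbTableCampaign:
      Type: AWS::DynamoDB::Table
      Properties:
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:
          - AttributeName: id       # assumed key schema
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES
  Outputs:
    # Exported so another stack can Fn::ImportValue it; CloudFormation then
    # refuses to delete this table while the importing stack still exists
    CampaignStreamArn:
      Value:
        Fn::GetAtt: [DbTableCampaign, StreamArn]
      Export:
        Name: ${self:service}-${self:provider.stage}-CampaignStreamArn
```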

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool

Resources:
  CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: # client name
      UserPoolId:
        Ref: CognitoUserPool
Outputs:
  UserPoolId:
    Value:
      Ref: CognitoUserPool

Messy resources

This is Messi

Solution:
Create AWS sub-accounts

WTFs

AWS Cognito
- recreates pool in case of changes in config
- impossible to set custom attributes as required via serverless.yml

Stack Limits
Maximum number of resources per stack - 200

Stack Limits: Create an additional stack

custom:
  additionalStacks:
    databaseEntities:
      Resources:
        DbTableAppSettings: ${file(./dynamodb-app-settings.yml)}
        DbTableAccountRole: ${file(./dynamodb-account-role.yml)}
        DbTableAccountInvitation: ${file(./dynamodb-account-invitation.yml)}

Stack Limits: the additional stack has its own limitations
10 resources per deployment (per try)

Serverless framework
Won't tell you if some libraries that you use are not installed

Environment
What you see locally is not what you get remotely

Security

More permissions to manage
- lots of independent functions
- own set of services and responsibilities
- individual storage and state management system

Solutions:
- determine ACL for functions
- the rule of least privilege

my-function-name:
  handler: myFunction.handler
  iamRoleStatements:
    - Effect: Allow
      Action: dynamodb:Scan
      Resource: # ARN RESOURCE
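The same idea spelled out for two functions, as an added example that is not the talk's code: the commented-out provider-wide statement is the shared-role setting to avoid, and each function below gets only the DynamoDB actions it uses, scoped to one table. It assumes the serverless-iam-roles-per-function plugin, hypothetical handlers, and a table resource named DbTableCampaign defined under resources.

```yaml
plugins:
  # Turns a function-level `iamRoleStatements` block into one IAM role per function;
  # with the plugin, provider-level statements are not inherited unless you opt in
  - serverless-iam-roles-per-function

provider:
  name: aws
  runtime: nodejs14.x
  # Shared-role setting to avoid: every function in the service could
  # read, write and delete in every table of the account.
  # iamRoleStatements:
  #   - Effect: Allow
  #     Action: dynamodb:*
  #     Resource: "*"

functions:
  getCampaign:
    handler: src/lambdas/campaigns.get       # assumed handler
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:GetItem
          - dynamodb:Query
        Resource:
          - Fn::GetAtt: [DbTableCampaign, Arn]   # table defined under resources
          # Query against a secondary index needs the index ARN, not only the table ARN
          - Fn::Join:
              - ''
              - - Fn::GetAtt: [DbTableCampaign, Arn]
                - '/index/*'

  updateCampaign:
    handler: src/lambdas/campaigns.update    # assumed handler
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:UpdateItem               # no Scan, no DeleteItem, no other tables
        Resource:
          Fn::GetAtt: [DbTableCampaign, Arn]
```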

More third-party dependencies
- dependencies of functions that rely on third-party software
- extremely challenging to monitor them

Solutions:
- use package locks
- dependency scanners

More data in storage and transit
- functions interact with each other
- functions interact with third-party services

Solutions:
- credentials should be temporary or encrypted
- stricter constraints on allowed input and output messages
- automatic encryption of sensitive data in transit
- use HTTPS

More hassle with authentication
Multiple entry points

Solutions:
- access management services (Microsoft’s Azure AD, Auth0, AWS Cognito)
- keep access privileges to a minimum

More wallet-busting attacks
All about autoscaling

Solutions:
- budget limits
- API request limits
- use DDoS protection tools (Cloudflare)
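An added example, not from the talk, of putting those limits into serverless.yml: an API Gateway usage plan with a quota and throttle, a per-function concurrency ceiling, and an AWS Budgets alert declared as a plain CloudFormation resource. Serverless Framework v2+ syntax is assumed; the service name, handler, amounts and e-mail address are placeholders.

```yaml
service: campaigns-api            # assumed service name

provider:
  name: aws
  runtime: nodejs14.x
  stage: ${opt:stage, 'dev'}
  apiGateway:
    # Callers must present an API key that belongs to this usage plan
    apiKeys:
      - ${self:service}-${self:provider.stage}-partner-key
    usagePlan:
      quota:
        limit: 10000            # requests per period, then HTTP 429
        period: DAY
      throttle:
        rateLimit: 50           # steady requests per second
        burstLimit: 100

functions:
  listCampaigns:
    handler: src/lambdas/campaigns.list   # assumed handler
    # Hard ceiling on parallel executions: scaling stops here whatever the traffic
    reservedConcurrency: 20
    events:
      - http:
          path: campaigns
          method: get
          private: true         # enforces the API key / usage plan above

resources:
  Resources:
    MonthlyCostBudget:
      Type: AWS::Budgets::Budget
      Properties:
        Budget:
          BudgetName: ${self:service}-${self:provider.stage}-monthly
          BudgetType: COST
          TimeUnit: MONTHLY
          BudgetLimit:
            Amount: 50          # placeholder amount
            Unit: USD
        NotificationsWithSubscribers:
          - Notification:
              NotificationType: ACTUAL
              ComparisonOperator: GREATER_THAN
              Threshold: 80     # alert at 80 % of the limit
              ThresholdType: PERCENTAGE
            Subscribers:
              - SubscriptionType: EMAIL
                Address: ops-alerts@example.com   # placeholder
```

A budget alert only notifies; the usage plan and reservedConcurrency are what actually stop the scaling.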

Helpful
Architecture itself: https://martinfowler.com/articles/serverless.html
Serverless Framework middlewares: https://github.com/middyjs/middy
Learned things: https://read.acloud.guru/six-months-of-serverless-lessons-learned-f6da86a73526
Hidden costs of serverless: https://medium.com/@amiram_26122/the-hidden-costs-of-serverless-6ced7844780b

Questions?
Email: roman.sachenko@gmail.com
Skype: roman.sachenko
Facebook: https://facebook.com/rsachenko

Ups and downs, life hacks and things to get rid of.