Roman Sachenko
Serverless (AWS)
Things I wish I knew
Static
Live
- Software engineer at DA-14 Corp
- Team Lead
- Weird jokes maker
- Beer drinker
- Metallica band fan
- "I used to play in a heavy metal band" dude
- Ex "this metal band is not true" dude
Contents
Application designs that incorporate third-party “Backend as a Service” (BaaS) services, and/or that include custom code run in managed, ephemeral containers on a “Functions as a Service” (FaaS) platform. (https://martinfowler.com)
Serverless as a thing
Applications that run in stateless compute containers that are event-triggered, ephemeral, and fully managed by a third party.
Serverless as a thing
Benefits
- Reduced operational cost
Serverless as a thing
Benefits
- Reduced operational cost
- BaaS: reduced development cost
Serverless as a thing
Benefits
- Reduced operational cost
- BaaS: reduced development cost
- FaaS: scaling costs
Serverless as a thing
Benefits
- Reduced operational cost
- BaaS: reduced development cost
- FaaS: scaling costs
- Easier operational management
Serverless as a thing
Benefits
- Reduced operational cost
- BaaS: reduced development cost
- FaaS: scaling costs
- Easier operational management
- "Greener" computing
Serverless as a thing
Drawbacks:
- Vendor control
Serverless as a thing
Drawbacks:
- Vendor control
- Security concerns
Serverless as a thing
Drawbacks:
- Vendor control
- Security concerns
- Repetition of logic
Serverless as a thing
Drawbacks:
- Vendor control
- Security concerns
- Repetition of logic
- Configuration
Serverless as a thing
Drawbacks:
- Vendor control
- Security concerns
- Repetition of logic
- Configuration
- Testing
Serverless as a thing
Drawbacks:
- Vendor control
- Security concerns
- Repetition of logic
- Configuration
- Testing
- Debugging
... and more
Serverless as a thing
Technology Stack
Technology Stack
Configuration and Deployment
Technology Stack
CloudFormation (Serverless.yml)
Configuration and Deployment
resources:
Resources:
CognitoUserPool:
${file(./cognito-user-pool.yml)}
CognitoUserPoolClient:
${file(./cognito-user-pool-client.yml)}Technology Stack
Benefits:
- what you set is what you get
- consistency
Configuration and Deployment
Technology Stack
Drawbacks:
hard to maintain relations between
resources
Configuration and Deployment
Technology Stack
Configuration and Deployment
# DB Campaign Table
Type: AWS::DynamoDB::Table
StreamSpecification:
StreamViewType: NEW_AND_OLD_IMAGES
# DB Sync to Search Engine
DbSyncToSearchEngineCampaign:
handler: src/lambdas/dbStreams.syncCampaign
events:
- stream: ${env:DB_STREAM_CAMPAIGN}
Technology Stack
Configuration and Deployment
Resources:
CognitoUserPool:
Type: AWS::Cognito::UserPool
Technology Stack
Configuration and Deployment
Resources:
CognitoUserPoolClient:
Type: AWS::Cognito::UserPoolClient
Properties:
ClientName: #client name
UserPoolId:
Ref: CognitoUserPool
Outputs:
UserPoolId:
Value:
Ref: CognitoUserPoolTechnology Stack
Configuration and Deployment
Messy resources
This is Messi
Technology Stack
Configuration and Deployment
Technology Stack
Configuration and Deployment
Technology Stack
Configuration and Deployment
Technology Stack
Configuration and Deployment
Solution:
Create AWS sub-accounts
Technology Stack
WTFs
Technology Stack
WTFs
AWS Cognito
- recreates pool in case of changes in config
- impossible to set custom attributes as required via serverless.yml
Technology Stack
WTFs
Stack Limits
Maximum number of resources per stack - 200
Technology Stack
WTFs
Stack Limits: Create an additional stack
custom:
additionalStacks:
databaseEntities:
Resources:
DbTableAppSettings: ${file(./dynamodb-app-settings.yml)}
DbTableAccountRole: ${file(./dynamodb-account-role.yml)}
DbTableAccountInvitattion: ${file(./dynamodb-account-invitation.yml)}Technology Stack
WTFs
Stack Limits: additional stack has own limitations
10 resources per deployment (per try)
Technology Stack
WTFs
Serverless framework
Won't tell you if some libraries that you use are not installed
Technology Stack
WTFs
Environment
What you see locally is not what you get remotely
Technology Stack
Security
Technology Stack
Security
More permissions to manage
- lots of independent functions
- own set of services and responsibilities
- individual storage and state management system
Technology Stack
Security
Solutions:
- determine ACL for functions
- the rule of least privilege
Technology Stack
Security
my-function-name:
handler: myFunction.handler
iamRoleStatements:
- Effect: Allow
Action: dynamodb:scan
Resource: //ARN RESOURCETechnology Stack
Security
More third-party dependencies
- dependencies of functions that rely on third-party software
- extremely challenging to monitor them
Technology Stack
Security
Solutions:
- use package locks
- dependency scanners
Technology Stack
Security
Technology Stack
Security
More data in storage and transit
- functions interact with each other
- functions interact with third-party services
Technology Stack
Security
Solutions:
- credentials should be temporary or encrypted
- stricter constraints on allowed input and output messages
- automatic encryption of sensitive data in transit
- use HTTPS
Technology Stack
Security
More hustle with authentication
Multiple entry points
Technology Stack
Security
Solutions:
- access management services (Microsoft’s Azure AD, Auth0, AWS Cognito)
- keep access privileges to a minimum
Technology Stack
Security
More wallet-busting attacks
All about autoscaling
Technology Stack
Security
Solutions:
- budget limits
- API requests limits
- use DDOS protection tools (Cloudflare)
Technology Stack
Helpfull
Architecture itself: https://martinfowler.com/articles/serverless.html
Serverless Framework Middlewares: https://github.com/middyjs/middy
Learned things:
https://read.acloud.guru/six-months-of-serverless-lessons-learned-f6da86a73526
Hidden Costs of serverless:
https://medium.com/@amiram_26122/the-hidden-costs-of-serverless-6ced7844780b
Helpfull
Questions?
roman.sachenko@gmail.com
roman.sachenko
https://facebook.com/rsachenko
Email:
Skype:
Facebook:
Twitter:
Github:
Blog: