Roman Sachenko

Serverless (AWS)

Things I wish I knew

  • Software engineer at DA-14 Corp
  • Team Lead
  • Weird jokes maker
  • Beer drinker
  • Metallica band fan
  • "I used to play in a heavy metal band" dude
  • Ex "this metal band is not true" dude

Application designs that incorporate third-party “Backend as a Service” (BaaS) services, and/or that include custom code run in managed, ephemeral containers on a “Functions as a Service” (FaaS) platform. (https://martinfowler.com)
Serverless as a thing

Applications that run in stateless compute containers that are event-triggered, ephemeral, and fully managed by a third party.

(https://martinfowler.com)

Benefits

  • Reduced operational cost
  • BaaS: reduced development cost
  • FaaS: costs scale with actual usage (you pay per invocation, nothing for idle time)
  • Easier operational management
  • "Greener" computing

Drawbacks

  • Vendor control
  • Security concerns
  • Repetition of logic
  • Configuration
  • Testing
  • Debugging

... and more

Technology Stack

Configuration and Deployment

CloudFormation (serverless.yml)

resources:
  Resources:
    CognitoUserPool: ${file(./cognito-user-pool.yml)}
    CognitoUserPoolClient: ${file(./cognito-user-pool-client.yml)}

Benefits:

  • what you set is what you get: the stack is deployed exactly as declared in serverless.yml
  • consistency: every stage is built from the same template instead of hand-made console changes

Drawbacks:

  • hard to maintain relations between resources once they are spread across many files: a value produced by one resource (a stream ARN, a user pool id) has to reach the function or resource that consumes it

Example of such a relation:

# DB Campaign Table (under resources.Resources; logical id assumed, key schema omitted)
DbTableCampaign:
  Type: AWS::DynamoDB::Table
  Properties:
    StreamSpecification:
      StreamViewType: NEW_AND_OLD_IMAGES

# DB Sync to Search Engine (under functions)
DbSyncToSearchEngineCampaign:
  handler: src/lambdas/dbStreams.syncCampaign
  events:
    # the stream ARN only exists once the table is created, so here it is
    # copied into an environment variable by hand and passed in at deploy time
    - stream: ${env:DB_STREAM_CAMPAIGN}

Resources:
  CognitoUserPool:
    Type: AWS::Cognito::UserPool

  CognitoUserPoolClient:
    Type: AWS::Cognito::UserPoolClient
    Properties:
      ClientName: # client name
      UserPoolId:
        Ref: CognitoUserPool   # the relation is expressed inside the template

Outputs:
  UserPoolId:
    Value:
      Ref: CognitoUserPool     # readable after deploy (serverless info --verbose)
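As an added example (not from the original slides), here is the same set of resources wired together inside one serverless.yml with Ref and Fn::GetAtt, so that the stream ARN and the pool id are resolved by CloudFormation at deploy time instead of being copied into environment variables by hand. The service name, region, runtime, table key, client settings and the Serverless Framework v3 syntax (${sls:stage}) are assumptions.

```yaml
service: campaign-api          # assumed service name
frameworkVersion: '3'          # assumed: Serverless Framework v3 syntax (${sls:stage})

provider:
  name: aws
  runtime: nodejs18.x
  region: eu-central-1         # assumed
  environment:
    # Derived values are handed to the code by CloudFormation; nothing is pasted by hand.
    CAMPAIGN_TABLE:
      Ref: DbTableCampaign
    USER_POOL_ID:
      Ref: CognitoUserPool

functions:
  DbSyncToSearchEngineCampaign:
    handler: src/lambdas/dbStreams.syncCampaign
    events:
      - stream:
          type: dynamodb
          # The stream ARN is resolved at deploy time, so there is no
          # DB_STREAM_CAMPAIGN variable to keep in sync with the table.
          arn:
            Fn::GetAtt: [DbTableCampaign, StreamArn]
          batchSize: 100
          startingPosition: TRIM_HORIZON

resources:
  Resources:
    DbTableCampaign:
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: ${self:service}-${sls:stage}-campaign
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:          # assumed key: a single string id
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES

    CognitoUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}-${sls:stage}-users

    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: ${self:service}-${sls:stage}-web
        UserPoolId:
          Ref: CognitoUserPool           # the relation lives in the template, not in an env file
        GenerateSecret: false

  Outputs:
    UserPoolId:
      Value:
        Ref: CognitoUserPool
      Export:
        Name: ${self:service}-${sls:stage}-UserPoolId   # importable by another stack via Fn::ImportValue
    CampaignStreamArn:
      Value:
        Fn::GetAtt: [DbTableCampaign, StreamArn]
```

Because CloudFormation sees the Ref/GetAtt, it also orders the creation of the resources and refuses to delete the table while the function still depends on it. The exported output is how a second stack gets the same pool id without anyone copying it into a .env file.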

Messy resources

This is Messi

Solution: create separate AWS sub-accounts (one per project or environment, e.g. via AWS Organizations), so that each deployment's resources live in their own account instead of piling up next to everything else

WTFs

AWS Cognito

  • recreates the user pool when certain parts of its configuration change (schema, alias and username attributes); a replaced pool is a new pool, so the existing users are gone
  • impossible to set custom attributes as required via serverless.yml (this is a Cognito restriction, not a framework one: custom attributes cannot be marked required, and schema attributes cannot be changed or removed after the pool is created)

Stack Limits

Maximum number of resources per CloudFormation stack: 200 at the time of this talk (AWS raised it to 500 in October 2020). A serverless.yml generates several resources per function (the function, its log group, its version and, for HTTP events, the API Gateway resource, method and invoke permission), so the limit is reached much sooner than the number of functions suggests.

Stack Limits: create an additional stack

Example with the serverless-plugin-additional-stacks plugin, which deploys extra CloudFormation stacks next to the main one:

plugins:
  - serverless-plugin-additional-stacks

custom:
  additionalStacks:
    databaseEntities:
      Resources:
        DbTableAppSettings: ${file(./dynamodb-app-settings.yml)}
        DbTableAccountRole: ${file(./dynamodb-account-role.yml)}
        DbTableAccountInvitattion: ${file(./dynamodb-account-invitation.yml)}

Stack Limits: the additional stack has its own limitations

10 resources per deployment (per try)

Serverless framework

Won't tell you if some libraries that you use are not installed: the deployment packages whatever is in node_modules at that moment and succeeds anyway; the function only fails at runtime, with "Cannot find module ..." on its first invocation.

Environment

What you see locally is not what you get remotely: a local invocation runs on your Node.js version, OS and environment variables, while the deployed function runs on the Lambda runtime inside Amazon Linux with only the environment declared in serverless.yml, so native modules, file paths and missing variables behave differently.

Security

More permissions to manage

- lots of independent functions

- each with its own set of services and responsibilities

- each with its own storage and state management

Solutions:

- define the permissions of each function individually (its own IAM role, not one role shared by the whole service)

- the principle of least privilege: only the actions the handler actually performs, only on the resources it actually touches

Per-function role with the serverless-iam-roles-per-function plugin (the function-level iamRoleStatements key below comes from that plugin; without it the framework builds one shared role from the provider-level statements):

plugins:
  - serverless-iam-roles-per-function

functions:
  my-function-name:
    handler: myFunction.handler
    iamRoleStatements:
      - Effect: Allow
        Action: dynamodb:Scan   # Scan reads the whole table; prefer GetItem/Query where the handler allows
        Resource: # ARN of the single table this function reads
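An added example, not from the slides, that puts the weak setting beside the corrected one: a provider-level statement (left commented out) would hand every function the same dynamodb:* on everything, while the per-function statements grant each handler only the calls it makes on the one table or stream it uses. It assumes the serverless-iam-roles-per-function plugin and Serverless Framework v3; the service name, handler paths, the table definition and the existence of secondary indexes are assumptions.

```yaml
service: campaign-api
frameworkVersion: '3'   # assumed

plugins:
  - serverless-iam-roles-per-function   # one IAM role per function instead of one per service

provider:
  name: aws
  runtime: nodejs18.x
  # WEAK (left commented out on purpose): provider-level statements end up in the
  # shared role of every function, so a bug in any handler could read or wipe any table.
  # iam:
  #   role:
  #     statements:
  #       - Effect: Allow
  #         Action: dynamodb:*
  #         Resource: "*"

functions:
  getCampaign:
    handler: src/lambdas/campaign.get          # assumed handler
    iamRoleStatementsInherit: false            # do not merge provider statements into this role
    iamRoleStatements:
      - Effect: Allow
        Action:
          - dynamodb:GetItem                   # exactly what the handler calls, nothing more
          - dynamodb:Query
        Resource:
          - Fn::GetAtt: [DbTableCampaign, Arn]
          - Fn::Join:                          # its secondary indexes, if Query uses them
              - ""
              - - Fn::GetAtt: [DbTableCampaign, Arn]
                - "/index/*"

  syncCampaign:
    handler: src/lambdas/dbStreams.syncCampaign
    events:
      - stream:
          type: dynamodb
          arn:
            Fn::GetAtt: [DbTableCampaign, StreamArn]
    iamRoleStatements:
      - Effect: Allow
        Action:                                # read-only stream access; no table access at all
          - dynamodb:DescribeStream
          - dynamodb:GetRecords
          - dynamodb:GetShardIterator
          - dynamodb:ListStreams
        Resource:
          Fn::GetAtt: [DbTableCampaign, StreamArn]

resources:
  Resources:
    DbTableCampaign:
      Type: AWS::DynamoDB::Table
      Properties:
        BillingMode: PAY_PER_REQUEST
        AttributeDefinitions:                  # assumed key
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES
```

A quick check after deploy: in the IAM console each function should now show its own role, and the role of syncCampaign should contain no dynamodb:PutItem or Scan at all. If a handler breaks with AccessDeniedException, that is the policy doing its job; add the one missing action rather than widening to dynamodb:*.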

More third-party dependencies

- functions rely on third-party packages, and those packages on theirs

- extremely challenging to monitor them: every function bundles its own copy of the dependency tree, so one vulnerable package can be deployed dozens of times

Solutions:

- use package locks (package-lock.json / yarn.lock committed and honoured on every deploy)

- dependency scanners (npm audit or an external scanner) run in CI before the deploy
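As an added example, not from the original slides, a CI job (GitHub Actions is assumed; the workflow file name and Node version are assumptions) that enforces both solutions before anything is deployed: the lock file is honoured with npm ci, and npm audit fails the build on known high or critical vulnerabilities in the production dependency tree.

```yaml
# .github/workflows/deps.yml   (assumed filename; GitHub Actions assumed as the CI)
name: dependency-check
on: [push, pull_request]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '18'            # assumed; match the Lambda runtime you deploy
      # npm ci installs exactly what package-lock.json pins and fails if the lock
      # is missing or out of sync with package.json, so the deployed bundle
      # cannot silently drift from what was reviewed. --ignore-scripts keeps a
      # compromised package from running arbitrary install hooks on the runner.
      - run: npm ci --ignore-scripts
      # Only the dependencies that end up in the Lambda zip are checked (dev
      # dependencies are omitted); the step exits non-zero, and so fails the
      # build, when a finding of severity "high" or above is known.
      - run: npm audit --omit=dev --audit-level=high
```

Run the same two commands locally before `serverless deploy`; the framework packages whatever is in node_modules, so the audit is only meaningful against the tree that was actually installed from the lock.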

 

More data in storage and transit

- functions interact with each other

- functions interact with third-party services

Solutions:

- credentials should be temporary (the function's IAM role, STS tokens) or encrypted at rest (KMS-encrypted environment variables, SSM SecureString parameters, Secrets Manager), never committed in serverless.yml

- stricter constraints on allowed input and output messages (validate the shape of every request and of every message read from a queue or stream)

- encryption of sensitive data in transit and at rest done by the platform rather than by hand (TLS to AWS APIs, KMS on tables, buckets and queues)

- use HTTPS for every endpoint you expose and every third-party endpoint you call
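An added example (not from the slides) of two of these solutions in one serverless.yml: the secret reaches the function from SSM Parameter Store and the environment is encrypted with a customer-managed KMS key, and API Gateway rejects any request body that does not match a JSON Schema before the function is invoked. Serverless Framework v3 is assumed; the service name, key ARN, account id, parameter path, third-party URL, handler and the schema's fields are assumptions.

```yaml
service: campaign-api
frameworkVersion: '3'   # assumed; in v3 ${ssm:} decrypts SecureString parameters by default

provider:
  name: aws
  runtime: nodejs18.x
  # Assumed customer-managed KMS key: Lambda encrypts every function's environment
  # variables with it at rest instead of the default AWS-managed key.
  kmsKeyArn: arn:aws:kms:eu-central-1:123456789012:key/11111111-2222-3333-4444-555555555555
  environment:
    # Resolved from SSM Parameter Store at deploy time; the token never appears in
    # the repository. Parameter path is assumed.
    SEARCH_API_TOKEN: ${ssm:/campaign-api/${sls:stage}/search-token}
    SEARCH_API_URL: https://search.example.com   # assumed third-party endpoint, HTTPS only

functions:
  createCampaign:
    handler: src/lambdas/campaign.create         # assumed handler
    events:
      - http:
          path: campaigns
          method: post
          request:
            schemas:
              application/json:
                name: CreateCampaignRequest
                description: Only these fields, with these types, reach the function
                schema:
                  $schema: "http://json-schema.org/draft-04/schema#"   # API Gateway validates draft-04
                  type: object
                  required: [name, budget]
                  additionalProperties: false    # unknown fields are rejected with 400
                  properties:
                    name:
                      type: string
                      minLength: 1
                      maxLength: 120
                    budget:
                      type: number
                      minimum: 0
                    tags:
                      type: array
                      maxItems: 20
                      items:
                        type: string
                        maxLength: 40
```

A request that fails the schema gets a 400 from API Gateway and never invokes (or bills) the function. Two caveats: API Gateway validates requests only, so constraints on what the function returns, and on messages read from streams and queues, still have to live in the handler; and the AWS credentials the handler itself uses come from its execution role, so they are already temporary and need no configuration here.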

 
 

More hassle with authentication

Multiple entry points: every HTTP endpoint, queue and stream trigger is a separate front door, and each has to decide on its own who the caller is

Solutions:

- access management services (Microsoft’s Azure AD, Auth0, AWS Cognito) issuing tokens that API Gateway verifies before the function runs

- keep access privileges to a minimum: authentication only says who the caller is; the handler still has to check what that caller may touch
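An added example, not from the slides, of the AWS Cognito option: one Cognito user pool, a public client that uses SRP so the password never travels, and a single API Gateway authorizer that verifies the pool's tokens on an HTTP endpoint before the function runs. Serverless Framework v3 is assumed; the service name, handler path and password policy are assumptions. ApiGatewayRestApi is the logical id the framework gives the REST API it creates.

```yaml
service: campaign-api
frameworkVersion: '3'   # assumed

provider:
  name: aws
  runtime: nodejs18.x

functions:
  listCampaigns:
    handler: src/lambdas/campaign.list         # assumed handler
    events:
      - http:
          path: campaigns
          method: get
          cors: true
          # API Gateway verifies the Cognito JWT in the Authorization header before
          # the function is invoked; unauthenticated calls never reach (or cost) Lambda.
          authorizer:
            type: COGNITO_USER_POOLS
            authorizerId:
              Ref: ApiGatewayAuthorizer

resources:
  Resources:
    CognitoUserPool:
      Type: AWS::Cognito::UserPool
      Properties:
        UserPoolName: ${self:service}-${sls:stage}-users
        UsernameAttributes: [email]            # changing this later replaces the pool
        AutoVerifiedAttributes: [email]
        Policies:
          PasswordPolicy:                      # assumed policy
            MinimumLength: 12
            RequireLowercase: true
            RequireNumbers: true
            RequireSymbols: true
            RequireUppercase: true

    CognitoUserPoolClient:
      Type: AWS::Cognito::UserPoolClient
      Properties:
        ClientName: ${self:service}-${sls:stage}-web
        UserPoolId:
          Ref: CognitoUserPool
        GenerateSecret: false                  # public (browser/mobile) client
        ExplicitAuthFlows:
          - ALLOW_USER_SRP_AUTH                # SRP: the password never leaves the client
          - ALLOW_REFRESH_TOKEN_AUTH

    # One authorizer shared by every http event, attached to the REST API the
    # framework creates.
    ApiGatewayAuthorizer:
      Type: AWS::ApiGateway::Authorizer
      Properties:
        Name: ${self:service}-${sls:stage}-cognito
        Type: COGNITO_USER_POOLS
        IdentitySource: method.request.header.Authorization
        RestApiId:
          Ref: ApiGatewayRestApi
        ProviderARNs:
          - Fn::GetAtt: [CognitoUserPool, Arn]
```

The authorizer settles authentication only. Inside the handler the verified identity is available as event.requestContext.authorizer.claims (the sub claim is the user id), and that is what every query must be scoped by; a valid token for user A must not be able to list user B's campaigns.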

 
 
 

More wallet-busting attacks

All about autoscaling: the same property that absorbs a traffic spike for free lets an attacker (or a bug in a retry loop) run your functions without limit, and the bill follows

Solutions:

- budget limits (AWS Budgets alerts; note that a budget notifies, it does not stop the spending)

- API request limits (API Gateway usage plans and throttling, Lambda reserved concurrency as the hard ceiling)

- use DDoS protection tools (Cloudflare, or AWS WAF / Shield in front of API Gateway)
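An added example (not from the slides) that combines the three solutions in one serverless.yml: a usage plan with quota and throttling on keyed endpoints, reserved concurrency as the hard cap on scaling, and an AWS Budgets alarm. Serverless Framework v3 is assumed; the service name, key name, limits, amounts, e-mail address and handler path are assumptions.

```yaml
service: campaign-api
frameworkVersion: '3'   # assumed

provider:
  name: aws
  runtime: nodejs18.x
  apiGateway:
    apiKeys:
      - ${self:service}-${sls:stage}-partner   # assumed key name; the value is generated by AWS
    usagePlan:
      quota:
        limit: 10000             # requests per key per day
        period: DAY
      throttle:
        burstLimit: 50
        rateLimit: 20            # sustained requests per second per key

functions:
  createCampaign:
    handler: src/lambdas/campaign.create   # assumed handler
    # The hard ceiling: at most 10 copies run at once, whatever the request rate.
    # This is the one setting that actually stops runaway scaling; everything else
    # in this file only slows callers down or tells you afterwards.
    reservedConcurrency: 10
    timeout: 6                   # short timeout: a stuck call cannot burn the 15-minute maximum
    events:
      - http:
          path: campaigns
          method: post
          private: true          # x-api-key required, so the usage plan above applies

resources:
  Resources:
    # Cost alarm. AWS Budgets only notifies; it does not switch anything off.
    # The AWS::Budgets::Budget resource is region-restricted (us-east-1), so in a
    # service deployed elsewhere it belongs in a separate stack.
    MonthlyBudget:
      Type: AWS::Budgets::Budget
      Properties:
        Budget:
          BudgetName: ${self:service}-${sls:stage}-monthly
          BudgetType: COST
          TimeUnit: MONTHLY
          BudgetLimit:
            Amount: 100          # assumed limit
            Unit: USD
        NotificationsWithSubscribers:
          - Notification:
              NotificationType: ACTUAL
              ComparisonOperator: GREATER_THAN
              Threshold: 80      # percent of the limit
              ThresholdType: PERCENTAGE
            Subscribers:
              - SubscriptionType: EMAIL
                Address: ops@example.com   # assumed
          - Notification:
              NotificationType: FORECASTED
              ComparisonOperator: GREATER_THAN
              Threshold: 100
              ThresholdType: PERCENTAGE
            Subscribers:
              - SubscriptionType: EMAIL
                Address: ops@example.com   # assumed
```

Two things to keep in mind. The quota and throttle apply only to requests that carry an API key; anonymous traffic to an endpoint that is not private is bounded only by the account-level API Gateway throttle, which is why a CDN or WAF in front (Cloudflare, as the slide suggests) still matters. And reservedConcurrency is taken out of the account-wide concurrency pool, so a small value protects the wallet at the price of callers seeing 429s once the ten slots are busy.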

 
 
 
 

Questions?