re:Inforcing Serverless Security 🔒
Welcome to Issue #44 of Off-by-none. It’s so great that you’re here! 😎
Last week, we recapped ServerlessDays Milan and shared some great serverless reads. This week, we talk a bit about the inaugural edition of AWS re:Inforce and look at the broader AWS security ecosystem. And, as always, we have some amazing content from the serverless community.
Before we get started, Serverless, Inc, is running a State Of Serverless Community Survey. If you get a chance, fill it out and share your experience. It’s always great to see the results. Lots more stuff to get to this week, so let’s get right to it! 🎯
When you want to re:Inforce your serverless security… 🔐
This past week was the inaugural AWS re:Inforce conference. I was only able to make the second day, but from what I saw, it was very well-attended and quite successful. There were some great serverless security talks (like Securing Enterprise-Grade Serverless Applications – SDD401 with George Mao) and several others on more general AWS cloud security products and services. You can find all of the sessions in this post: Re:Inforce 2019 wrap-up and session links.
I also gave a Dev Chat titled Serverless Security: Best practices and mitigation strategies that sparked several post-talk discussions with lots of great questions. It was really quite eye-opening putting together a talk on serverless security. There was so much content to cover, with so many intersecting and overlapping AWS products and services, that I found it difficult to limit the talk to just 30 minutes (I actually went over by a few minutes 😬). But I found myself really just skimming the surface of a very complex subject.
This is something that we really need to think about as we develop our serverless applications. Even though the cloud providers are handling most of the heavy lifting for us, there are still some important security requirements that must be properly implemented by developers. Many of these aren’t new, but as developers get closer to the infrastructure and start deploying their applications directly, not having an Ops person looking over their shoulder can affect your overall security posture. Something to think about and train your developers on.
Serverless News & Product Announcements 🚀
Serverless Framework v1.46.0 – Extended ALB configurability, Support for external Websocket APIs, Local plugins via relative paths & more
The Serverless Framework has a new release, this time adding support for ALB conditions, shared WebSockets, and a new local plugin component.
Stackery CEO steps down as serverless technology startup seeks new leader for its next phase
Nate Taggart is stepping down to bring in an experienced CEO to grow the company. I’m a big fan of Stackery and their team, and I think this shows their true dedication to the serverless community. There is a real opportunity here to build a company that’ll be a major player in the cloud market. If they continue to focus on serverless, this will help to grow and better define the serverless ecosystem. Something about rising tides. ⛵️😉
Serverless Stories 📖
Mistakes we made adopting event sourcing (and how we recovered)
Nat Pryce has a great piece that outlines what his team learned when building an event-sourced application. A couple of big takeaways include the difference between event-sourced and event-driven architectures, and the benefits of using a hexagonal architecture for separating and testing business logic.
How this New South Wales transport agency built an analytics platform on AWS
Interesting story about a government agency implementing serverless to not only create a better service, but to save money as well.
Serverless Development Workflow
Guilherme Waess outlines his serverless development workflow for us. He needs a better way to deal with secrets, but overall a good approach.
Lambda Dependency Management using Serverless Plugins
Navarasu Muthu discusses the process his team at Francium Tech used to manage Python dependencies using the serverless-python-requirements plugin for the Serverless Framework.
How to SSR in a serverless environment and make your visitors 400% happier!
Sven Al Hamad walks you through how Webiny implemented SSR with serverless to speed up page loads.
Serverless Use Cases 🗺
How to customize verification emails in Amazon Cognito? Use Lambdas!
This is a great use case. Use Lambda to customize emails sent from Cognito. Very cool.
Dynamic image resizing with Python and Serverless framework
This is one of those very common use cases that is “perfect” for serverless. Here’s another look at it using Python and the Serverless Framework.
Configuring user creation workflows with AWS Step Functions and AWS Managed
This is a really great automation workflow that can make everyone’s lives easier. One configuration change can kick off a whole series of events, and using Step Functions, we get retries and orchestration out of the box.
Step Functions as an ad-hoc scheduling mechanism
And speaking of Step Functions, Yan Cui goes into more detail about some of the benefits (and problems) with using Step Functions as a scheduling mechanism. The suggestion from David Wells to use DynamoDB TTLs alongside Step Functions is quite ingenious.
If you’re thinking about going serverless… 🤔
Serverless. You Keep Using That Word. I Do Not Think It Means What You Think It Means.
Hmm, did Allen Helton see my meme from ServerlessDays Milan? Anyway, here is another attempt at a comprehensive “definition” of serverless.
Serverless Microservices in a Team
Gareth McCumskey outlines a few best practices for teams building serverless microservices using the Serverless Framework.
AWS Lambda: how to share code between functions in a monorepo
A common question for those structuring their serverless applications. Yan Cui has some suggestions if you’re going down the monorepo route.
AWS Lambda – 7 things you might not know
John Demian from Dashbird outlines the top seven reasons AWS Lambda is a powerhouse your business should consider.
Deconstructing Serverless Computing Part 4: Developing to infinity and beyond!
In the fourth part of his series, Lucian Toader discusses some things you should keep in mind when it comes to serverless development.
Make Data Acquisition Easy with AWS & Lambda (Python) in 12 Steps
Shawn Cochran gives you a brief introduction to AWS Lambda and building a fully serverless data pipeline using Python.
Serverless Tutorials 🏗
Getting Started with Lambda and Application Load Balancers
In this post, Gavin Lewis runs some experiments with ALBs using Lambda targets and discovers some use cases along the way.
How to create a highly scalable serverless GraphQL data-driven app in minutes
Gerard Sans teaches you how to build a GraphQL data-driven serverless app using Angular, AWS Amplify and AWS AppSync.
humank/EventStormingWorkShop: EventStorming workshop
A hands-on workshop that contains topics such as DDD, event storming, and specification by example. It uses Lambda, API Gateway, DynamoDB, X-Ray, and CloudWatch.
Building AWS Amplify Customized Authentication Forms for Serverless Vue.js
Wataru Oguchi’s tutorial is written from the perspective of someone without a lot of AWS experience, who finds that AWS Amplify abstracts most of that away.
AWS Serverless App: Continuous Integration and Deployment
In this post, you’ll learn some steps to add continuous integration and deployment (CI/CD) to your serverless project.
Building Serverless Data Lake with AWS Glue DynamoDB and Athena
Yi Ai shows you how to build a serverless data lake solution using AWS Glue, DynamoDB, S3 and Athena.
Getting Started with AWS SES
Usama Yousuf walks you through the process of sending emails and creating configuration sets to publish email events like bounces, complaints, deliveries, sent emails, etc.
Building a real-time gaming leaderboard with Amazon ElastiCache for Redis
While this may not seem particularly “serverless”, it is a really great solution that still uses API Gateway and Lambda to power the API.
Increasing real-time stream processing performance with Amazon Kinesis Data Streams enhanced fan-out and AWS Lambda
Excellent post by Eric Johnson that shows you how to deal with huge volumes of streaming data.
Serverless Security 🔒
How to never have a public S3 bucket
Teri Radichel shows you how you can implement automated governance to prevent people from making mistakes when setting up S3 buckets.
Managing Secrets and Output Variables With Serverless Framework Enterprise
Maciej Skierkowski from Serverless, Inc. shows you how to protect your secrets using the new features of Serverless Framework Enterprise.
Top 10 Security Blog posts in 2019 so far
Since we are talking about security in this issue, I figured I’d include this post from AWS that outlines their most popular security posts from this year.
Serverless Reads 🤓
How to FaaS like a pro: 12 uncommon ways to invoke your serverless functions on AWS [Part 2]
Alex Casalboni outlines four more uncommon ways to invoke Lambda functions. My favorite from this group is Aurora triggers. Interesting way to build event-sourced applications.
Chaos Engineering — Part 1
An amazing post by Adrian Hornsby that walks you through the art of implementing Chaos Engineering.
How to Design Your Serverless Apps for Massive Scale
George Mao has a short post on how to use intermediary buffers to compensate for downstream services that don’t scale as well as Lambda.
Analyzing the Cost of Your Serverless Functions Using Faast.js
Kyle Galbraith discusses some of the benefits of Faast.js, an open source project that streamlines invoking serverless functions.
Tackling API Gateway Lambda performance issues
Matt Billock from Lumigo outlines some of the performance pitfalls of API Gateway and how you might be able to get around them.
The Annoying State of Lambda Observability
Luke Demi from Coinbase outlines his frustrations with AWS’s current native observability offerings for Lambda functions.
AWS Lambda nodejs10.x = FIXED
The release of the NodeJS 10.x runtime for AWS Lambda was not without issues. And thanks to Michael Hart pointing out these problems, it appears that they’ve now been fixed!
When you prefer an audio/visual experience… 🎧
Serverless Chats – Episode #3: Serverless GraphQL using AWS AppSync with Marcia Villalba
In this episode, I chat with Marcia Villalba about the benefits of building applications with GraphQL, how to use AWS AppSync to build serverless applications with it, and some best practices for using it in your projects.
Deploying AppSync Using The Serverless Framework
Speaking of AppSync, Luke from Serverless Guru kicks off a video series on deploying it using the Serverless Framework.
Experimenting with chaos engineering in serverless applications
And speaking of Marcia Villalba, she has another video that completes her series on hunting for errors in serverless apps. In this video, she shows you how to create experiments for performing chaos engineering in your serverless applications.
Cloud Unfiltered – Ep84: The Serverless Framework, with Nick Gottlieb
Nick Gottlieb talks about the Serverless Framework, and the state of serverless.
When you want to know what the devs at AWS have been building… 👷♀️
Amazon API Gateway Now Supports Tag-Based Access Control and Tags on WebSocket APIs
You can now give permissions to WebSocket resources at various levels by creating policies based on tags.
Amazon CloudWatch Events Now Supports Amazon CloudWatch Logs as a Target and Tagging of CloudWatch Events Rules
You can now use CloudWatch Logs to store, monitor, and analyze CloudWatch Events that are triggered in your environment. Very meta.
Introducing Amazon EC2 Instance Connect
Amazon EC2 Instance Connect is a simple and secure way to connect to your instances using Secure Shell (SSH). While I would definitely prefer to never have to SSH to a machine, I still have plenty that I need to, so this is a great feature.
AWS Security Hub is now generally available
AWS announced the general availability of AWS Security Hub, a new security service that provides customers a comprehensive view of both their compliance with security standards and their high-priority AWS security alerts, or findings. Not specific to serverless, but a great way to get an overview of your security posture.
AWS Control Tower is now generally available
Managing multiple accounts in AWS has become the standard for environment isolation, so having a new tool to implement all your guardrails and policies automatically was much needed. It only works for new accounts (with no organization) right now, but they also announced plans to provide support for migrations as well.
Serverless Tools 🛠
Func.Farm – Browser extension to create serverless functions from snippets
This is an interesting Chrome extension that allows you to create functions in multiple languages and in multiple clouds right from your browser.
Releasing AWS Lambda Haskell Runtime v2
The Agile Monkeys have an update to their Haskell custom runtime for Lambda.
Reduce Complexity and Quickly Search Amazon CloudFront Logs in Amazon S3
Chaosearch looks like an interesting tool that allows you to search through preprocessed CloudFront access logs. Haven’t tried it yet, but I like tools that solve common serverless problems.
Common Serverless Errors
This is a great resource put together by the team over at Seed.run. It lists the most common Serverless Framework AWS errors and how to fix them.
Thoughts from Twitter 🐦
I don’t assign required reading very often, but it’s time for another. If you are responsible for any AWS account(s), set aside 45 minutes and watch this recent AWS #reInforce presentation by @bjohnso5y about Attribute-Based Access Control (ABAC). ~ Eric Hammond
Eric’s recommendation is spot on. This session from re:Inforce on Attribute-Based Access Control is definitely worth the watch. Brigid Johnson does an excellent job presenting this very powerful and flexible access control method.
The future of #serverless is not stateful compute. It’s computeful state. ~ Ben Kehoe
Ben offers another glimpse into how he thinks about the future of serverless. Having changes in state drive collocated computations could be an interesting way to solve a number of latency problems with current models.
Upcoming Serverless Events 🗓
There are a lot of upcoming serverless events, webinars, livestreams, and more. If you have an event you’d like me to mention, please email me.
July 8, 2019 – Thundra – Happier Customers with Serverless and Observability (webinar)
July 9, 2019 – Epsagon: Modern Apps on AWS: Challenges and Solutions (webinar)
July 11, 2019 – ServerlessDays London
July 11, 2019 – AWS Summit New York (I’m doing a Dev Chat on building event-driven serverless applications)
July 17, 2019 – IOpipe: Charting a Course for Serverless with Matson (webinar)
July 17, 2019 – Aqua Security: Serverless Runtime Protection – How to Create the Optimal Balance Between Performance and Risks (webinar)
August 27, 2019 – ServerlessDays Sydney
August 29, 2019 – ServerlessDays Melbourne
September 4-6, 2019 – Production-ready Serverless Workshop – Full Stack Fest
Serverless Star of the Week ⭐️
There is a very long list of people that are doing #ServerlessGood and contributing to the Serverless community. These people deserve recognition for their efforts. So each week, I will mention someone whose recent contribution really stood out to me. I love meeting new people, so if you know someone who deserves recognition, please let me know.
This week’s star is Nader Dabit (@dabit3). Nader is a Senior Developer Advocate at AWS that works with projects like AWS AppSync and AWS Amplify. He produces a mountain of content, including several great posts on Amplify, serverless, and GraphQL, as well as hosting the GraphQL Patterns Podcast, regularly speaking at conferences, and authoring both React Native in Action and (the soon to be released) Full Stack Serverless books. Nader’s focus is more on the mobile side, but his writing, teaching, and contributions to the serverless ecosystem are incredibly helpful and very much appreciated. Thanks for what you do, Nader! 🙌
Final Thoughts 🤔
It’s been a busy few weeks, and the serverless community and ecosystem are going strong. My biggest takeaway from this week is to stress the importance of cloud security when building your serverless applications. It’s not just about application security best practices, but also about understanding proper configuration, secrets management, scalability behavior and much more. Serverless makes it very easy for us to build, deploy, and test applications quickly, and even though these applications are much more secure by default, spending some time to learn best practices should be a mandatory investment.
I hope you enjoyed this issue of Off-by-none. Please send me your feedback and suggestions as they help to make this newsletter better each week. You can reach me via Twitter, LinkedIn, Facebook, or email and let me know your thoughts, criticisms, or (perhaps) even how you’d like to contribute to Off-by-none.
If you like this newsletter, and think others would too, please do me the honor of sharing it with friends and coworkers who are interested in serverless.
See you next time,