Deep Dive on Serverless Web Applications - AWS May 2016 Webinar Series

Post on 14-Apr-2017

Transcript of Deep Dive on Serverless Web Applications - AWS May 2016 Webinar Series

© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.

Brittany Doncaster, Solutions Architect, AWS

May 24, 2016

Deep Dive on Serverless Web Applications

Agenda

• Overview of Serverless Architecture
• Anatomy of a Web Application
• Securing the Web Application
• Demo
• Other Options

Overview of Serverless Architectures

Serverless? What’s that mean?

What is Serverless?

Removes the need for….
• Provisioning and Utilization
• Operations and Management
• Scaling
• Availability and Fault Tolerance

Benefits of Serverless?

• Provisioning and Utilization
• Operations and Management
• Scaling
• Availability and Fault Tolerance

Which leads to….
• Low Cost
• Simple
• Low Latency
• Scalable
• Reliable

Platform of Serverless Products

• Storage
• Database
• Compute
• Messaging and Queues
• Gateways
• User Management
• Internet of Things
• Machine Learning
• Streaming Analytics

Real-time Processing

Streams

Files

ETL

IoT Backends

Web Application Serverless Architecture

Anatomy of a Web Application

What makes up a web application?

Let’s break it down…

Serverless Web Application

Where did all the servers go?

Static Website Hosting on S3 - refresher

• Specify an index document (e.g. index.html)
• Specify an error document
• Objects publicly readable
• Supports redirects: all requests, or conditional

API Gateway - refresher

Create, Configure, Publish, Maintain, Monitor, Secure

API Gateway – Stage Variables

• Key/Value pairs used for configuration
• Used for different stages of the API
• Specify a Lambda function name
• Pass to backend

Lambda

• Serverless, event-driven compute
• Code is: NodeJS, Python, JVM based
• Specify memory allocated
• Determine what invokes the functions: API Gateway, S3, DynamoDB, Kinesis, SNS, SES, Cognito, CloudWatch Logs, CloudWatch Events, CloudFormation, Config, Scheduled Events

Lambda – Versioning and Aliases

Versioning
• ARN for each one (immutable)
• Versions of functions for Dev, Staging, Prod

Aliases
• Point to a version
• Have an ARN also
• Event sources point to Alias ARNs

Lambda – Dynamic Configuration

One option:
• Pull configs from DDB
• Write values to global vars
• Code uses global vars

Diagram: Lambda Function reading configuration from Amazon DynamoDB
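The pattern above, as an added example that is not from the slides: a Python handler that pulls a configuration item from DynamoDB into module-level globals on the first invocation in a container and reuses it on warm invocations. The item shape (a ConfigName hash key plus one attribute per setting), the refresh interval, the configName request field and the FakeTable stand-in are assumptions of this example.

```python
import time

# Module-level globals live for the life of the Lambda container, so warm
# invocations reuse them and DynamoDB is read once per container per key.
_CACHE = {}               # config_key -> (loaded_at, settings)
CONFIG_TTL_SECONDS = 300  # refresh interval: an assumption of this example

def load_config(table, config_key="prod", now=None, force=False):
    """Pull one config item from a DynamoDB table into the global cache.
    `table` is any object with a boto3-style get_item(Key=...) method."""
    now = time.time() if now is None else now
    cached = _CACHE.get(config_key)
    if cached and not force and now - cached[0] <= CONFIG_TTL_SECONDS:
        return cached[1]                      # warm path: no DynamoDB call
    item = table.get_item(Key={"ConfigName": config_key}).get("Item", {})
    settings = {k: v for k, v in item.items() if k != "ConfigName"}
    _CACHE[config_key] = (now, settings)
    return settings

def lambda_handler(event, context=None, table=None, now=None):
    """Function code reads its settings from the cached globals, not from the
    request body; configName is assumed to be mapped in from an API Gateway
    stage variable rather than supplied by the client."""
    config_key = event.get("configName", "prod")
    cfg = load_config(table, config_key, now=now)
    return {"config": config_key,
            "page_size": int(cfg.get("PageSize", 10)),  # DynamoDB numbers arrive as Decimal
            "read_only": bool(cfg.get("ReadOnly", False))}

class FakeTable:
    """Constructed stand-in for a boto3 Table so the example runs offline;
    counts reads to show that warm invocations skip DynamoDB."""
    def __init__(self, items):
        self.items, self.reads = items, 0
    def get_item(self, Key):
        self.reads += 1
        item = self.items.get(Key["ConfigName"])
        return {"Item": item} if item else {}
```

Because the cache is per container, a change written to the table reaches already-warm containers only after the TTL elapses (or on a forced reload).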

DynamoDB - refresher

• NoSQL database
• Keys: Hash Key and (optional) Range Key
• Tips: plan your keys; think about your queries

Serverless Web Application

…but what’s missing from this architecture?

Authentication/Authorization

Securing your Serverless Web Application

AWS IAM and AWS STS

Diagram, recovered labels (steps 1 and 2 in the original): a client obtains a temporary security credential from AWS STS; the permissions come from a role defined in AWS IAM; the credential is then used against the AWS cloud, or against Amazon API Gateway.

Role policy shown in the diagram:
  Action: ['s3:*', 'sts:Get*']
  Effect: Allow
  Resource: *

Securing API Gateway

Cognito and STS

Authentication Options with Cognito

• Federated Identity Providers: Amazon, Facebook, Google
• Custom Developed Authentication System
• Cognito Identity User Pools (Preview)

Unauthenticated vs Authenticated roles

• Ability to define both in Cognito
• Start out unauthenticated, switch to authenticated!
• Example: browsing a blogging site, then log in to post or comment

Example IAM Policy for API Gateway

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "execute-api:Invoke"
        ],
        "Resource": [
          "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts",
          "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*",
          "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments",
          "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments/*",
          "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/users",
          "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/login"
        ]
      }
    ]
  }
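As an added example (not from the slides), the policy above evaluated in Python against individual requests using IAM's wildcard matching, which makes the unauthenticated role's boundary explicit: reading posts and comments plus sign-up and login are allowed, every other method is denied by default. The method_arn() helper and the stage names are assumptions; "acctId" and "apigatewayID" are the slide's own placeholders.

```python
import re

# The unauthenticated-role policy from the slide, as Python data.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["execute-api:Invoke"],
        "Resource": [
            "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts",
            "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*",
            "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments",
            "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments/*",
            "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/users",
            "arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/login",
        ],
    }],
}

def arn_matches(pattern, value):
    """IAM matching: '*' matches any run of characters (it also spans '/'),
    '?' matches exactly one character, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def method_arn(stage, method, path, region="us-east-1",
               account="acctId", api_id="apigatewayID"):
    """Build the execute-api ARN that API Gateway authorizes one request against."""
    return f"arn:aws:execute-api:{region}:{account}:{api_id}/{stage}/{method}/{path.strip('/')}"

def is_allowed(policy, action, resource_arn):
    """Explicit Deny wins, any matching Allow grants, otherwise default deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(arn_matches(a, action) for a in actions):
            continue
        if not any(arn_matches(r, resource_arn) for r in resources):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def unauthenticated_can(method, path, stage="prod"):
    """Would the unauthenticated Cognito role be allowed to invoke this method?"""
    return is_allowed(POLICY, "execute-api:Invoke", method_arn(stage, method, path))
```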

Cognito – Authentication Flow

Diagram: Amazon API Gateway and AWS Lambda in the authentication flow

Other Security Features

• IAM Roles for Lambda Functions
• Client-side Encryption library using KMS for DynamoDB

Demo

Demo App Architecture

Diagram, recovered labels (numbered steps 1 to 6 in the original):
• web browser loads static content from Amazon S3
• Amazon Cognito: obtain user credentials
• Amazon API Gateway: call unauthenticated API methods, backed by AWS Lambda functions and Amazon DynamoDB
• Amazon API Gateway: authentication APIs, backed by AWS Lambda functions and Amazon DynamoDB; obtain authenticated user credentials from AWS STS
• Amazon API Gateway: POST functions, call authenticated API methods, backed by AWS Lambda functions (logic for POST functions) and Amazon DynamoDB
• encrypted user data, using AWS KMS

Other Options

Authentication Options

Cognito:
• Federated Identity Providers (Amazon, Facebook, Google)
• Cognito Identity User Pools

Federated Web Identities:
• Interact directly with STS and 3rd party identity providers

Authorization Options with API Gateway

Diagram (custom authorizer flow), recovered labels:
• Client sends a request with a bearer token to API Gateway
• API Gateway passes Context + Token to a Lambda Auth function, which returns Principal + Policy
• The policy is evaluated, and the policy is cached
• Allowed: the request proceeds to the backend (AWS Lambda functions, endpoints on Amazon EC2, or any other publicly accessible endpoint)
• Denied: 403
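The Lambda Auth function in the flow above, as an added example that is not from the slides: a Python TOKEN authorizer that verifies a bearer token and returns the principal plus an execute-api policy for API Gateway to evaluate and cache. The HMAC-signed token format and SIGNING_KEY are constructed for this example and stand in for whatever tokens the identity provider actually issues.

```python
import base64, binascii, hashlib, hmac, time

# Constructed demo signing key; the HMAC token scheme is an assumption of
# this example, not how Cognito or a third-party IdP issues tokens.
SIGNING_KEY = b"example-signing-key-not-for-production"

def issue_token(principal_id, ttl_seconds=3600, now=None):
    """Mint a demo bearer token: urlsafe-base64(principal|expiry).hex(HMAC-SHA256)."""
    exp = int(time.time() if now is None else now) + ttl_seconds
    payload = f"{principal_id}|{exp}".encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag

def verify_token(token, now=None):
    """Return the principal for a correctly signed, unexpired token, else None."""
    try:
        payload_b64, tag = token.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64.encode())
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):   # constant-time tag check
        return None
    principal, _, exp = payload.decode(errors="replace").rpartition("|")
    if not exp.isdigit() or int(exp) <= int(time.time() if now is None else now):
        return None
    return principal or None

def build_policy(principal_id, effect, method_arn):
    """Response shape API Gateway expects from a custom authorizer."""
    return {"principalId": principal_id,
            "policyDocument": {"Version": "2012-10-17",
                               "Statement": [{"Action": "execute-api:Invoke",
                                              "Effect": effect, "Resource": method_arn}]}}

def lambda_handler(event, context=None, now=None):
    """TOKEN authorizer entry point: event carries authorizationToken and methodArn."""
    header = event.get("authorizationToken", "")
    token = header[len("Bearer "):] if header.startswith("Bearer ") else ""
    principal = verify_token(token, now=now) if token else None
    if principal is None:
        # A Deny policy makes API Gateway answer the client with 403.
        return build_policy("anonymous", "Deny", event["methodArn"])
    # Scoped to the requested method ARN; with caching on, API Gateway reuses this
    # policy for the same token, so widen Resource if one token calls several methods.
    return build_policy(principal, "Allow", event["methodArn"])
```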

Some Tidbits

Authorization failures to API Gateway get returned as a CORS error

Lambda Functions as stage variable values = manual permissions configuration

Architect to be Serverless

Fully Managed
• No provisioning
• Zero administration
• High availability

Developer Productivity
• Focus on the code that matters
• Innovate rapidly
• Reduce time to market

Continuous Scaling
• Automatically scale up and scale down

Q&A