Embed Size (px)
Citation preview
© 2016, Amazon Web Services, Inc. or its Affiliates. All rights reserved.
Angelo Carvalho, Solutions Architect, AWS
22 de Setembro de 2016
Como construir suas aplicacões escaláveis sem servidores
Agenda
§ Overview of Serverless Architecture§ Anatomy of a Web Application§ Securing the Web Application§ Demo§ Other Options
Overview of ServerlessArchitecturesServerless? What’s that mean?
What is Serverless?
Provisioningand Utilization
Operations and Management
Scaling Availability and Fault Tolerance
Removes the need for….
Benefits of Serverless?
Provisioningand Utilization
Operations and Management
Scaling Availability and Fault Tolerance
Which leads to….
Low Cost Simple Low Latency Scalable Reliable
Platform of Serverless Products
Storage DatabaseCompute
Messaging and QueuesGateways
User Management
Internet of Things
Machine LearningStreaming Analytics
Real-time Processing
Streams
Files
ETL
IoT Backends
Web Application Serverless Architecture
Anatomy of a Web Application
What makes up a web application?Let’s break it down…
What makes up a web application?
What makes up a web application?
What makes up a web application?
Serverless Web Application
Where did all the servers go?
Static Website Hosting on S3 - refresher
§ Specify an index document (i.e. index.html) § Specify an error document§ Objects publicly readable§ Supports redirects
§ All Requests§ Conditional
bucket with objects
API Gateway - refresher
Create Configure Publish
Maintain Monitor Secure
API Gateway – Stage Variables
§ Key/Value pairs used for configuration§ Used for different stages of API§ Specify a Lambda function name§ Pass to backend
Lambda
§ Serverless, event-driven compute§ Code is: NodeJS, Python, JVM based§ Specify memory allocated§ Determine what invokes the functions
§ API Gateway, S3, DynamoDB, Kinesis, SNS, SES, Cognito, Cloudwatch Logs, Cloudwatch Events, CloudFormation, Config, Scheduled Events
Lambda – Versioning and Aliases
Versioning§ ARN for each one (immutable) § Versions of functions for Dev, Staging, Prod
Aliases§ Point to a version§ Have an ARN also§ Event sources point to Alias ARNs
Lambda – Dynamic Configuration
One option:
§ Pull Configs from DDB § Write values to global vars§ Code uses global vars
Lambda Function
Amazon DynamoDB
DynamoDB - refresher
§ NoSQL database§ Keys: Hash Key and (optional) Range Key§ Tips:
§ Plan your keys§ Think about your queries
Serverless Web Application
…..but what’s missing from this architecture?
Authentication/Authorization
Securing your ServerlessWeb Application
AWS IAM and AWS STS
temporary security
credential
AWS STS
AWS cloud
client
1
2
permissionsrole
AWS IAM
OR
Amazon API Gateway
Action: [‘s3:*’,’sts:Get*’]Effect: AllowResource: *
Securing API Gateway
Cognito and STS
Authentication Options with Cognito
Federated Identity Providers• Amazon• Facebook• Google
Custom Developed Authentication System
Cognito Identity User Pools (Preview)
Unauthenticated vs Authenticated roles
§ Ability to define both in Cognito
§ Start out unauthenticated switch to authenticated!§ browsing a blogging site then log in to post or comment
Example IAM Policy for API Gateway{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"execute-api:Invoke"
],
"Resource": [
"arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts",
"arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*",
"arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments",
"arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/GET/posts/*/comments/*",
"arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/users",
"arn:aws:execute-api:us-east-1:acctId:apigatewayID/*/POST/login"
]
}
]
}
Cognito – Authentication Flow
Amazon API Gateway
AWSLambda
Other Security Features
§ IAM Roles for Lambda Functions§ Client-side Encryption library using KMS for DynamoDB
Demo
Demo App Architecture
AWS Lambda Functions
web browser
Amazon S3
Call UnauthenticatedAPIs methods
Stat
ic C
onte
nt
Amazon DynamoDB
AmazonCognito
ObtainUser Credentials
Amazon API Gateway
encrypted user data
AWS Lambda Functions
Amazon DynamoDB
Amazon API Gateway
Authentication APIs
Obtain AuthenticatedUser Credentials
AWS STS
AWS Lambda Functions –
Logic for POST Functions
Amazon DynamoDB
Amazon API Gateway –
POST Functions
Call AuthenticatedAPIs methods
3
2
4
5
6
1
AWS KMS
Other Options
Authentication Options
Cognito:• Federated Identity Providers (Amazon, Facebook, Google)• Cognito Identity User Pools
Federated Web Identities• Interact directly with STS and 3rd party identity providers
Authorization Options with API Gateway
API Gateway
Lambda Authfunction
Client
Request w/ a bearer token
Policy is cached
Policy is evaluated
AWS Lambda functions
Endpoints on Amazon EC2
Context + TokenPrincipal + Policy
403 Denied
Allowed
Any other publicly accessible endpoint
Some Tidbits
§ Authorization failures to API Gateway get returned as a CORS error
§ Lambda Functions as stage variable values = manual permissions configuration
Architect to be Serverless
Fully Managed§ No provisioning§ Zero administration§ High availability
Developer Productivity§ Focus on the code that
matters§ Innovate rapidly§ Reduce time to market
Continuous Scaling§ Automatically§ Scale up and scale down
Q&A
