AWS Partner Network (APN) Blog

Enhancing Security for AWS Lambda Functions with Fastly’s Next-Gen WAF

By Bennett Borofka, Partner Solutions Architect – AWS
By James Nguyen, Staff Product Manager – Fastly


In serverless application architectures, Amazon Web Services (AWS) customers focus more on value-add benefits for their customers and less on infrastructure management.

Today’s businesses that build serverless applications on AWS are able to:

  • Get their products to market faster.
  • Lower total cost of ownership (TCO).
  • Leverage high performance and scalability.
  • Implement the highest level of security and isolation.

An integral component to most serverless architectures is AWS Lambda, the compute service that lets you run code for virtually any type of application without provisioning or managing servers. All combined, AWS customers invoke trillions of Lambda functions per month.

In response to customers wanting deeper integration with Lambda functions and other tools for monitoring, observability, security, and governance, AWS released Lambda Extensions, which allow other tools to integrate deeply with the Lambda execution environment.

You can read more about Lambda Extensions, including a list of AWS Lambda Ready partner tools that utilize Extensions. You can also check out the AWS blog post that describes how to build Extensions in more detail.

Fastly is an AWS Partner that has extended its Next-Gen WAF (web application firewall) to Lambda functions, supporting customers looking to embed additional layers of security into their serverless workloads. Fastly’s Next-Gen WAF supports numerous other deployment scenarios including virtual machines (Amazon EC2), containers (Kubernetes and Amazon ECS), web servers (NGINX, Apache), and more.

Lambda Extensions API

The Lambda Extensions API allows for two types of extensions: internal and external. Internal extensions run as a separate thread in the runtime process and can be integrated using environment variables and wrapper scripts.

Alternatively, external extensions such as Fastly’s Next-Gen WAF run as an independent process in the execution environment. These can be written in a different language than the function, but it’s recommended to implement external extensions in a compiled language so they can be used across multiple runtimes.

As is the case with Fastly’s Next-Gen WAF, the extension is a self-contained binary that’s deployed as a layer for your Lambda functions.

The Lambda execution environment lifecycle includes three phases:

  1. Init: Creating or unfreezing an execution environment with configured resources and extensions; happens during first invocation (or in advance if you have provisioned concurrency enabled).
  2. Invoke: Invocation of the function handler, after which Lambda prepares to handle another function invocation.
  3. Shutdown: Shutting down the runtime; alerts any extensions to stop cleanly, and then removes the environment.

During the invoke phase, external extensions run in parallel with the function and may continue running after the function has completed. In this phase, the event payload is sent to the runtime (and the Lambda function), carrying the entire request, headers, and body associated with the event.

The event payload is an area of focus for customers looking to increase serverless security, because it can carry malicious content associated with distributed denial-of-service (DDoS) incidents, Open Worldwide Application Security Project (OWASP) injection incidents, and other types of anomalies.

Metadata about the event payload (type, timeout value, request Id) is sent to each extension during the invoke phase. To give an extension access to the event body itself, developers use the in-runtime software development kit (SDK) to send the payload to the extension. This allows tools and agents, such as Fastly’s Next-Gen WAF, to inspect the event payload for each and every invocation, and to allow or block the invocation from continuing.
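The lifecycle described above, as an added example that is not code from this post or from Fastly’s agent: a minimal external-extension client in Python that registers with the Extensions API, subscribes to INVOKE and SHUTDOWN, and collects the per-invoke metadata (request Id, deadline) until Lambda signals shutdown. The register and event/next endpoints and the Lambda-Extension-* headers are the real Extensions API; the extension name inspect-ext, the FakeExtensionsAPI server, and its request ids and deadlines are constructed so the example runs offline without a Lambda environment.

```python
import json, threading, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def register(runtime_api, name):
    """POST register, subscribing to INVOKE and SHUTDOWN; Lambda returns the extension id in a header."""
    req = urllib.request.Request(f"http://{runtime_api}/2020-01-01/extension/register", method="POST",
                                 data=json.dumps({"events": ["INVOKE", "SHUTDOWN"]}).encode(),
                                 headers={"Lambda-Extension-Name": name})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["Lambda-Extension-Identifier"]

def next_event(runtime_api, ext_id):
    """GET event/next blocks until Lambda delivers this extension's next lifecycle event."""
    req = urllib.request.Request(f"http://{runtime_api}/2020-01-01/extension/event/next",
                                 headers={"Lambda-Extension-Identifier": ext_id})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def event_loop(runtime_api, name="inspect-ext"):
    """Collect per-invoke metadata (requestId, deadlineMs) until SHUTDOWN, then return cleanly."""
    ext_id, seen = register(runtime_api, name), []
    while (ev := next_event(runtime_api, ext_id))["eventType"] != "SHUTDOWN":
        seen.append((ev["requestId"], ev["deadlineMs"]))  # an inspecting agent would act on the payload here
    return seen

class FakeExtensionsAPI(BaseHTTPRequestHandler):
    """Constructed stand-in for the Extensions API: answers register, then one INVOKE and one SHUTDOWN."""
    events = [{"eventType": "INVOKE", "requestId": "req-1", "deadlineMs": 1700000001000},
              {"eventType": "SHUTDOWN", "shutdownReason": "spindown", "deadlineMs": 1700000003000}]
    def reply(self, body=b"", **headers):
        self.send_response(200)
        for k, v in headers.items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_POST(self):  # register: drain the JSON body, hand back a constructed identifier
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.reply(**{"Lambda-Extension-Identifier": "ext-id-123"})
    def do_GET(self):  # event/next: deliver the next scripted event
        self.reply(json.dumps(self.events.pop(0)).encode())

def run_demo():
    """Serve the fake API on an ephemeral localhost port and run the extension loop against it."""
    srv = HTTPServer(("127.0.0.1", 0), FakeExtensionsAPI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return event_loop(f"127.0.0.1:{srv.server_address[1]}")
    finally:
        srv.shutdown()
```

Calling run_demo() returns the INVOKE metadata seen before shutdown, [('req-1', 1700000001000)]; inside a real execution environment you would point register and next_event at the AWS_LAMBDA_RUNTIME_API environment variable instead of the fake server.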

Fastly Next-Gen WAF

The Fastly Next-Gen WAF agent for AWS Lambda is the latest integration point in Fastly’s comprehensive security solution for web applications. Fastly’s flexible deployment options allow for wide support of architectures, languages, and platforms with full feature parity.

Whether your applications run exclusively through Lambda or you have a distributed architecture that spans on-premises, cloud-hosted, and serverless functions, Fastly protects your Layer 7 assets from OWASP-style incidents with the same level of protection, features, and operational performance no matter how it’s deployed.

Operationally, the Next-Gen WAF agent analyzes requests and makes quick decisions about whether to allow or block each request based on intelligence from a cloud engine. The entire local decisioning process happens in milliseconds, adding a minimal amount of latency to the request flow for the breadth of protection that is provided.

Requests of interest (malicious, anomalous, or matching predefined conditions) are sent to the cloud engine for consolidation, reporting, and analysis, with personally identifiable information (PII) redacted.

Fastly’s proprietary threat feed aggregates information from your individual environment as well as incident behavior observed across tens of thousands of distributed software agents across the customer base. For privacy reasons, the aggregated data used for decisions does not include details of who was attacked or how, but it does surface malicious activity from those sources against your site.

The Next-Gen WAF agent for Lambda follows the same architecture as the other deployment models (including reliance on the cloud engine for decisions), but is designed to be easily called upon to inspect requests in any of your Lambda functions. The agent can be deployed to a Lambda function either as a custom layer or by specifying a layer Amazon Resource Name (ARN) published by Fastly.

Read more about configuring Lambda layers. You can also check out the install guide for Lambda functions, which is available in the Fastly documentation.


Figure 1 – Fastly Next-Gen WAF and AWS Lambda architecture.

Fastly’s Next-Gen WAF supports any Lambda function on AWS deployed in any AWS region.

The agent acts as an HTTP proxy between the Lambda service and the runtime, and allows or blocks traffic after inspecting the JSON body of the event payload sent to the Lambda runtime. It’s designed to make quick, effective protection decisions with minimal latency, and gracefully follows the fluid lifespan of Lambda functions.


Figure 2 – The agent inspects the invoke phase of the Lambda execution environment lifecycle.

Fastly employs other AWS technologies to secure the deployment of the Next-Gen WAF Lambda agent, including the use of AWS Identity and Access Management (IAM) and AWS Secrets Manager to control agent key management.

Once deployed and configured, Fastly provides complete protection for your apps and APIs with low false positives, coverage that expands beyond the OWASP Top 10 (including bots, account takeovers (ATOs), and DDoS), and high performance.

A key differentiator of the Next-Gen WAF from other web application firewalls is that it detects and blocks malicious traffic without rules tuning, leaving your application security teams to focus on bigger problems.

This is possible because of SmartParse, a highly-accurate detection method that evaluates the context of each request and how it would execute, to determine if there are malicious or anomalous payloads in requests. SmartParse enables near-zero tuning and the ability to start detecting threats immediately.

Providing the detection data in an adaptable console experience is key to adoption at all levels of a company. The console is built to show protection stories at a glance while accommodating power users who want to dive into details and fine-tune traffic flow. This flexibility gives security teams tools to look for overall trends, and allows them to drill down into request metadata and build rules as specific as they need to handle traffic as they wish.


Figure 3 – Next-Gen WAF hosted dashboard.

Customers choose Fastly’s Next-Gen WAF for the variety of infrastructure types supported and ease of configuration. For example, a leading video platform needed a solution that would work seamlessly with their AWS infrastructure without extensive tooling or upkeep, and looked to Fastly to prevent prevalent attacks like XSS, SQLi, API abuse, and account takeover.

Conclusion

With the additional capabilities introduced with the AWS Lambda Extensions API, customers and partners are able to integrate monitoring, observability, governance, and security more deeply into serverless workloads.

As more organizations shift or migrate their applications to event-driven, serverless architectures on AWS, the need for security tooling, visibility, best practices, and compliance has become increasingly important to build and maintain trust with customers.

Additional features like Amazon Inspector support for AWS Lambda functions allow customers to monitor and report actionable security findings for deployed Lambda functions and layers, based on common vulnerabilities and exposures (CVE).

Fastly’s Next-Gen WAF product and support are offered in multiple tiers. Interested customers are invited to explore the product and request a demo to evaluate it.



Fastly – AWS Partner Spotlight

Fastly is an AWS Partner that helps businesses make great digital experiences happen quickly, securely, and reliably by processing and serving customers’ applications at the edge, as close to end-users as possible.
