LEARNING PATH: AWS Security

Attacking AWS Serverless Applications

Serverless applications function very differently from traditional ones, both when it comes to operation and the security measures they employ. The fact that serverless apps are structured as numerous small functions creates new opportunities for intruders to exploit the greater attack surface. This course will take both Red and Blue Team approaches to serverless security in AWS, so you’ll learn not just how to passively protect apps, but actively use attackers’ strategies against them.

This course on AWS Serverless App Security begins with a look at the top 10 vulnerabilities in serverless architectures, similar to the OWASP Top 10. In the Red Team section, you’ll learn how to exploit insecure applications using many of the most severe flaws present in serverless. 

The Blue Team approach will have us going through methods of securing serverless applications, including identity and access management, secrets management, and logging and monitoring functions. Finally, we’ll explore serverless vulnerability assessment for SAST, DAST and SCA, as well as CI/CD for serverless functions.

Every individual section in this course features extensive hands-on labs to showcase real-world scenarios and get you to practically try out everything you learn. Our material is a distillation of years of security testing experience, knowledge, and original research across our entire team. Once you’ve completed this course, you’ll be able to take what you’ve learned here and implement it directly in a modern AWS serverless stack.

Attacking AWS Serverless Applications
Proficiency Intermediate
Audience Cloud Security
Course Duration​ 4
Lessons​ 22
Cloud Labs​ 2
Proficiency

Intermediate

Audience

Cloud Security Expert

Course duration

4

Lessons

16

Cloud Labs

2

    • Understanding Serverless and FAAS(Function-As-A-Service)
    • Introduction to AWS Lambda, S3, Open-FAAS and other Serverless options
    • Introduction to the Architecture of Serverless Deployments
    • Hands-on: Deploying a Serverless application
    • Serverless Architectures Security Top 10 – A Project similar to OWASP Top 10 for Serverless Apps
    • Hands-on Labs – Function Data Event Injection (Multiple Sources)
    • Other Injection and Remote Code Execution attacks against Serverless Apps
    • Hands-on: Attacking Stateless Authentication and Authorization (JSON Web Tokens)
      • Algorithm Confusion
      • Inherent JWT flaws – none signed token, etc
    • Attacking Identity and Access Management through Serverless Implementations
      • Hands-on: Attacking with DynamoDB Injection + IAM Permissions creep
    • Hands-on: Extracting Secrets from FaaS Implementations
    • Hands-on: Leveraging Vulnerabilities like ReDOS to perform Resource Exhaustion Attacks
    • Hands-on: Exploiting Function Execution Order for fun and profit!
    • Identity and Access Management
    • Secret management
      • Hands-on Secrets Management with AWS Secret Manager + Rotation
    • Logging and Monitoring Functions
      • Hands-on: Security Practices for Logging Serverless Functions
    • Static Code Analysis[SCA]
    • Static Application Security Testing[SAST]
  • Event Injection with XXE
  • Insecure Deserialization in Serverless Apps
We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking "Accept" you consent to the use of All the cookies