If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!
Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.
<p>This talk will be the first public anatomy of an attack on a server-less application deployed to AWS Lambda and AWS API Gateway. It'll be useful for any application developer looking to build a server-less application, and for any hacker who's come up against this interesting new class of application.</p>
<p>First, we'll take a look at the current state of server-less architectures and show some common deployment patterns and how they're used in production, comparing the advantages and trade offs against traditional monolithic servers.</p>
<p>Next, we'll explore the attack surface of a server-less application, showing that where Satan closes a door, he opens a window. Using exploitables in common server-less patterns, we'll use cloud event sources as a vector for delivering our obfuscated payload.</p>
<p>Then, we'll use some undocumented features in AWS Lambda to persist our malware, explore the Lambda environment looking for secret keys and other buried treasures, and pillage a remote database.</p>
<p>Finally, we'll use a few more tricks to sneak out of the VPC with our precious data in tow! And, of course, we'll tidy up after ourselves leaving the DevOps team none-the-wiser.</p>