Serverless Application Security with AWS Fargate
AWS Fargate is compatible with a variety of different products that enable container security for your application, protect secrets, and more. Read more below about some of these solutions, and learn how Samsung was able to build a secure developer portal with AWS Fargate and ECR.
Key products to learn more about include AWS Secrets Manager, AWS Systems Manager Parameter Store, and Amazon API Gateway. These work together to let you secure credentials, specify sensitive data, and access private applications.
AWS Secrets Manager: Securing Credentials & Specifying Sensitive Data
AWS Fargate tasks can securely retrieve secrets from AWS Secrets Manager at runtime, so that credentials are never exposed, not even in private configuration files.
One application is reading from Twitter: the Fargate task reads a stream of tweets, matches a pattern in the messages, and records the results in DynamoDB. Here, as with any external service that requires login credentials, the role of AWS Secrets Manager is to reduce the risk of exposing those credentials. The example, written by Massimo Re Ferre, Principal Developer Advocate, AWS Container Services, shows how to secure credentials with AWS Secrets Manager on AWS Fargate in a few steps, outlined in the diagram below:
Learn more about securing credentials with AWS Secrets Manager and read the full article here.
With the AWS Fargate launch type for ECS, it is also possible to specify sensitive data using AWS Secrets Manager or AWS Systems Manager Parameter Store. Secrets can be exposed to a container either as environment variables or by referencing the sensitive value in the container's log configuration.
The following is a snippet of a task definition showing the format when referencing a Secrets Manager secret:
The following is a snippet of a task definition showing the format when referencing a Systems Manager Parameter Store parameter:
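As an added example (not code from the AWS page or from the referenced article), the following Python script builds a complete Fargate task definition that uses both reference styles described above: `secrets[]` entries whose `valueFrom` points at a Secrets Manager secret or a Parameter Store parameter, and `logConfiguration.secretOptions` for a log driver credential. It then lints the container definition for plaintext environment variables with sensitive-looking names and for `valueFrom` values that are not Secrets Manager or Parameter Store ARNs. The region, account id, secret names, image and role names are constructed placeholders; the `secrets`, `valueFrom`, `logConfiguration` and `secretOptions` fields are the real ECS task definition fields.

```python
"""Added example (not from the AWS page): build an ECS task definition for the
Fargate launch type that injects sensitive values from AWS Secrets Manager and
SSM Parameter Store, then lint it for plaintext secrets.

Region, account id, secret names, image and role names are constructed placeholders.
"""
import json
import re

REGION = "us-east-1"           # constructed placeholder
ACCOUNT_ID = "123456789012"    # constructed placeholder account id

# ARN shapes accepted in a task definition's secrets[].valueFrom.
# ECS also accepts a bare name for a same-Region reference; this linter
# deliberately requires the full ARN so that references are unambiguous.
SECRETS_MANAGER_ARN = re.compile(r"^arn:aws:secretsmanager:[a-z0-9-]+:\d{12}:secret:[^\s]+$")
SSM_PARAMETER_ARN = re.compile(r"^arn:aws:ssm:[a-z0-9-]+:\d{12}:parameter/[^\s]+$")

# Environment variable names that should never carry a plaintext value.
SENSITIVE_NAME = re.compile(r"(PASSWORD|PASSWD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)", re.IGNORECASE)


def secrets_manager_ref(env_name, secret_name):
    """secrets[] entry that resolves a Secrets Manager secret into env_name.
    The -AbCdEf suffix stands for the random suffix Secrets Manager appends to ARNs."""
    return {
        "name": env_name,
        "valueFrom": f"arn:aws:secretsmanager:{REGION}:{ACCOUNT_ID}:secret:{secret_name}-AbCdEf",
    }


def ssm_parameter_ref(env_name, parameter_name):
    """secrets[] entry that resolves an SSM Parameter Store parameter into env_name."""
    return {
        "name": env_name,
        "valueFrom": f"arn:aws:ssm:{REGION}:{ACCOUNT_ID}:parameter/{parameter_name}",
    }


def build_task_definition():
    """Task definition for a Fargate task that reads a Twitter stream (the page's
    scenario): credentials come from Secrets Manager, tunables from Parameter Store,
    and the log driver's own credential is passed through secretOptions."""
    container = {
        "name": "twitter-reader",  # constructed
        "image": f"{ACCOUNT_ID}.dkr.ecr.{REGION}.amazonaws.com/twitter-reader:latest",
        "essential": True,
        # Non-sensitive configuration may stay in plaintext.
        "environment": [
            {"name": "DYNAMODB_TABLE", "value": "tweets"},
            {"name": "MATCH_PATTERN", "value": "#fargate"},
        ],
        # Sensitive values are resolved by ECS at task start and are never
        # stored in the task definition or baked into the image.
        "secrets": [
            secrets_manager_ref("TWITTER_CONSUMER_KEY", "twitter/consumer_key"),
            secrets_manager_ref("TWITTER_CONSUMER_SECRET", "twitter/consumer_secret"),
            ssm_parameter_ref("TWITTER_STREAM_FILTER", "twitter/stream_filter"),
        ],
        "logConfiguration": {
            "logDriver": "splunk",  # a log driver that needs a token
            "options": {"splunk-url": "https://splunk.example.com:8088"},
            # Same name/valueFrom shape as secrets[], but for log driver options.
            "secretOptions": [secrets_manager_ref("splunk-token", "splunk/hec_token")],
        },
    }
    return {
        "family": "twitter-reader",
        "networkMode": "awsvpc",
        "requiresCompatibilities": ["FARGATE"],
        "cpu": "256",
        "memory": "512",
        # The execution role is what ECS uses to fetch the secrets, so it (not the
        # task role) must be allowed secretsmanager:GetSecretValue / ssm:GetParameters.
        "executionRoleArn": f"arn:aws:iam::{ACCOUNT_ID}:role/ecsTaskExecutionRole",
        "containerDefinitions": [container],
    }


def lint_container(container):
    """Return findings: plaintext env vars with sensitive-looking names, and secret
    references whose valueFrom is not a Secrets Manager or Parameter Store ARN."""
    findings = []
    for env in container.get("environment", []):
        if SENSITIVE_NAME.search(env["name"]):
            findings.append(f"environment variable {env['name']} is plaintext; move it to secrets[]")
    refs = list(container.get("secrets", []))
    refs += container.get("logConfiguration", {}).get("secretOptions", [])
    for ref in refs:
        value_from = ref.get("valueFrom", "")
        if not (SECRETS_MANAGER_ARN.match(value_from) or SSM_PARAMETER_ARN.match(value_from)):
            findings.append(
                f"secret {ref.get('name')}: valueFrom {value_from!r} is not a Secrets Manager or Parameter Store ARN"
            )
    return findings


if __name__ == "__main__":
    task_def = build_task_definition()
    print(json.dumps(task_def, indent=2))
    for finding in lint_container(task_def["containerDefinitions"][0]):
        print("FINDING:", finding)
```

Running the script prints the task definition JSON, which can be registered with `aws ecs register-task-definition --cli-input-json file://...`, and reports no findings. The lint is the check worth keeping in CI: a container definition that carries a `DB_PASSWORD` under `environment` or a `valueFrom` that is not an ARN is flagged before it is ever registered. Remember that the secret is fetched with the task execution role, so that role's policy must cover each referenced secret (and `kms:Decrypt` if the secret uses a customer-managed KMS key).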
Learn more about specifying sensitive data using AWS Secrets Manager and AWS Systems Manager Parameter Store here.
Amazon API Gateway & AWS PrivateLink: Access Private Applications
Using Amazon API Gateway with AWS PrivateLink makes it easy to expose an application running on Fargate in a private subnet of a VPC: you can enable access to its HTTP and HTTPS resources without detailed knowledge of private network configurations or technology-specific appliances.
Deployment takes four steps:
- Deploy an application on Fargate
- Set up an API Gateway private integration
- Deploy and test the API
- Clean up resources to avoid incurring future charges
For further information on this process step by step, learn more from a Solutions Architect here.
Customer Story: Samsung Builds a Secure Developer Portal with AWS Fargate and Amazon ECR
Samsung used Amazon ECR and AWS Fargate to build a secure developer portal.
The Samsung developer portal consists of three elements: the SmartThings portal for IoT developers, the Bixby portal for Bixby capsule developers, and Rich Communication Services (RCS) for the next standard of mobile messaging.
Each of these now runs on AWS Fargate, the result of a migration that began in 2018.
Learn more about how Samsung achieved the secure migration and development of their developer portal with AWS Fargate here.