A Primer on Securing Serverless Apps in AWS

The importance of security


This lesson is part of the Serverless Django with Zappa course.

[00:00 - 01:03] Up to this point in the course, we've been learning the basics of how to create, configure, and deploy a serverless Django project using Zappa. As is often the case when adding security to our deployment, things get more complex, so we've saved these details for this module. Some familiarity with how networking works in AWS will be necessary, and we'll cover those concepts here. The goal of this lesson is to ensure that both the AWS Lambda functions and the RDS database instances involved in your Zappa project are protected and secure, in order to create a secure environment. The RDS instance should be secure from the internet. In addition, any Zappa Lambda instances should be able to connect to the RDS instance and make database queries. Optionally, the Zappa Lambda instances may need to access the internet to accomplish various tasks as part of fulfilling the web requests.

[01:04 - 02:11] For example, if it needs to access a third-party API. In order to accomplish this, we're going to leverage the AWS secure networking services. We're going to create a virtual private cloud, or VPC, to contain all the resources of our Zappa project. We are going to divide this virtual private cloud into a number of subnets. We're going to have two private subnets for Lambda execution for increased robustness. We're going to have one database subnet for our RDS instance, and optionally, we're going to add a public subnet for outbound internet access. If you're a visual learner, we've created a diagram to visualize the flow of the web requests. Down here at the lower left is the user making a web request. That gets sent directly to the API Gateway that Zappa has instantiated for you. The API Gateway will then invoke Lambda containers to run your Django project.

[02:12 - 02:46] Your Django project will run either in private subnet one or in private subnet two. We have two private subnets so that we have redundancy in case there's trouble at the AWS data center and one subnet isn't working at full capacity. This doesn't impact the cost of our Zappa project, so it's an extra bonus. Once our Django code is running, it can then make queries to the database. So we want to have another subnet where we can access our RDS instance.

[02:47 - 03:18] And optionally, we can have a public subnet, shown here in the lower right. That allows our Django code to access the internet in case there are third-party APIs or other interactions that it depends on to fulfill a web request. I've highlighted this public subnet as optional, since it will add additional costs to your Zappa deployment. Now that we have a mental overview of what we're trying to accomplish, we can move forward.

[03:19 - 03:36] In order to move forward building our VPC, we need to clean up our current Zappa project. We'll need to redeploy our Zappa project once we've created the VPC and all the associated subnets.

[03:37 - 04:07] So for now, we need to delete all the progress we've made thus far. Don't be discouraged. It'll be a quick redeployment, since we've already done this before. Now log into the AWS console and go to the AWS Lambda service. You'll see your function name here. This is where all your Django code lives. We need to delete this and later recreate it in the VPC. So select your function and click on Delete.

[04:08 - 04:56] Next, go to the API Gateway service. You'll see your API Gateway that funnels web requests to your AWS Lambda. Go to Custom Domains, and we're going to have to delete both of our custom domains here. I got a "too many requests" error. We may have to wait just a bit to delete this.

[04:57 - 05:35] There we go. Now we can move on. Now click on APIs. Select our API Gateway and click Delete; under Actions, select Delete. Now go to the RDS service. We're going to select our RDS instance and select Delete from the Actions menu. Since we are going to recreate this database and it doesn't have a lot of information in it anyway, we're not going to create a final snapshot.

[05:36 - 06:12] And we're acknowledging that we are potentially losing data. Fortunately, we know that we created this database for this course and we don't need this data anymore. As you can see, the database is being deleted. It may take a few minutes for the database to be completely removed. And just as a check, if we try to access zappa guide, it is now offline.

[06:13 - 06:22] Great. We've cleaned up our Zappa project in AWS, and now we can start fresh using a VPC in the next lesson.