Serverless Identity Round

In this round you will be focused on improving the identity controls of the WildRydes serverless application (which is borrowed from aws-serverless-workshops and retrofitted for the purposes of this round). You will get exposed to different identity concepts through the use of a variety of services such as AWS IAM, Amazon S3, Amazon CloudFront, and Amazon Cognito. Upon completion you should have a better idea of how to use native AWS identity controls to improve the security posture of a serverless application.

AWS Service/Feature Coverage:

  • S3 Bucket Policies
  • S3 ACLs
  • CloudFront Origin Access Identities
  • Cognito User Pools
  • Cognito Hosted UI


This round is broken down into two tasks, both with a Build and Verify phase. The Build phase involves evaluating, implementing, and enhancing the identity controls of the WildRydes application based on a set of business-level functional and non-functional requirements. The Verify phase involves putting on the hat of an end user and testing the controls you put in place to ensure the requirements were met. You will also ensure that a systems administrator is still able to manage the resources.

  • Task 1 (40 min): Reduce the attack surface of the S3 origin
  • Task 2 (35 min): Set up application user management

Team or Individual Exercise

This workshop can be done as a team exercise or individually. The instructions are written with the assumption that you are working as part of a team, but you could just as easily do the steps below individually. If done as part of an AWS-sponsored event, you'll be split into teams of around 4-6 people. Each team will do the BUILD phase and then hand off their accounts to another team. Then each team will do the VERIFY phase.


Workshop Presentation Powerpoint

Environment setup

To set up your environment, expand one of the following dropdown sections (depending on how you're doing this workshop) and follow the instructions:

Click here if you're at an AWS event where the Event Engine is being used

Step 1: Open the AWS Console

  1. Navigate to the Event Engine dashboard
  2. Enter your team hash code.
  3. Click AWS Console. The CloudFormation template for this round has already been prerun.

Click here if you're running this individually in your own AWS Account

Launch the CloudFormation stack below to set up the WildRydes application:

Region: US East 1 (N. Virginia)
Deploy link: Deploy in us-east-1

  1. Click the Deploy to AWS button above (right click and open in a new tab). This will automatically take you to the console to run the template.

  2. Click Next on the Specify Template section.

  3. On the Specify Details step click Next.

  4. Click Next on the Options section.

  5. Finally, acknowledge that the template will create IAM roles under Capabilities and click Create.

This will bring you back to the CloudFormation console. You can refresh the page to see the stack being created. Before moving on, make sure the stack shows the CREATE_COMPLETE status.

WildRydes identity overhaul

You just joined a new DevOps team that manages a suite of animal-based ride sharing applications. Given your security background, you've been embedded on the team to take the lead on security-related tasks, evangelize security best practices, and represent your team when interacting with your security organization. Recently, your team inherited a new application: WildRydes.

View your application

  1. Open the Amazon CloudFormation console (us-east-1)
  2. Click on the Identity-RR-Wksp-Serverless-Round stack or the module-a7932bd25ca64049a57fd5bb055782db stack (this is the stack name when created using Event Engine).
  3. Click on Outputs and click on WebsiteCloudFrontURL.

As part of the hand off to your team, the product team shared their vision for the application and stated that future iterations will include more dynamic features. After doing an evaluation of the architecture, you determined that the WildRydes application is a static website hosted in an S3 bucket. There is a CloudFront distribution set up as a content delivery network and a Cognito User Pool for user management.

Current application architecture
After thoroughly evaluating the architecture and doing a threat modeling exercise, your team has identified a number of broken features and misconfigurations. It looks as though someone started putting certain security controls in place but was not able to fully implement them. These reviews resulted in the creation of a couple of tasks that were added to your team's backlog and given a high priority.
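Task 1 is about locking the S3 origin down so that only the CloudFront distribution can read it. As an added example that is not part of the workshop or its CloudFormation template, the script below expresses that check in code: it evaluates a bucket policy and ACL (in the shapes the S3 API returns) and reports any grant that is not scoped to the distribution's origin access identity. The bucket name, OAI id and policy documents are constructed sample values.

```python
import json

# Constructed sample data, not from the workshop template; shapes follow s3:GetBucketPolicy/GetBucketAcl.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OAI_ARN_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "

def _as_list(value):
    return value if isinstance(value, list) else [value]

def acl_findings(grants):
    """Flag ACL grants to the AllUsers group: any such grant makes the bucket world-readable."""
    return ["ACL grants %s to AllUsers" % g["Permission"] for g in grants
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") == ALL_USERS]

def policy_findings(policy, oai_id):
    """Flag Allow statements whose principal is anything other than the distribution's OAI.
    oai_id is the id part of the origin's OriginAccessIdentity ("E2EXAMPLE" from
    "origin-access-identity/cloudfront/E2EXAMPLE"); Deny statements only tighten access."""
    expected = OAI_ARN_PREFIX + oai_id
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*" or not isinstance(principal, dict) or principal.get("AWS") == "*":
            findings.append("%s: principal '*' (or malformed) allows anonymous reads" % sid)
            continue
        for kind, values in principal.items():  # AWS, Service, CanonicalUser, ...
            for value in _as_list(values):
                if not (kind == "AWS" and value == expected):
                    findings.append("%s: principal %s=%s is not the origin's OAI" % (sid, kind, value))
    return findings

def audit_origin(policy_json, grants, oai_id):
    """Run both checks; an empty list means only CloudFront (via its OAI) can read objects."""
    return acl_findings(grants) + policy_findings(json.loads(policy_json), oai_id)

OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "0" * 64}, "Permission": "FULL_CONTROL"}
PUBLIC_READ = {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}
RESOURCE = "arn:aws:s3:::wildrydes-example-bucket/*"  # constructed bucket name
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead",
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": RESOURCE}]})
OAI_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "CloudFrontOnly",
    "Effect": "Allow", "Principal": {"AWS": OAI_ARN_PREFIX + "E2EXAMPLE"},
    "Action": "s3:GetObject", "Resource": RESOURCE}]})

if __name__ == "__main__":
    for label, policy, grants in [("misconfigured", OPEN_POLICY, [OWNER, PUBLIC_READ]),
                                  ("hardened", OAI_POLICY, [OWNER])]:
        print(label, audit_origin(policy, grants, "E2EXAMPLE") or ["no findings"])
```

The hardened pair (OAI-only policy, owner-only ACL) produces no findings, while the "before" pair reports both the public ACL grant and the anonymous principal.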

Click Next to move on to Task 1!