Study Guide: Threat Modeling for Modern Application Architectures
Different threat models based on application architecture
Study Guide: Threat Modeling for Modern Application Architectures
This guide explores how different application architectures in AWS—from monolithic to edge computing—alter the security landscape and necessitate specific threat modeling strategies.
Learning Objectives
By the end of this guide, you should be able to:
- Differentiate between the five primary application architectures (Monolithic, Microservices, Serverless, Containerized, and Edge).
- Identify the primary focus areas for threat modeling in each architecture.
- Recognize common security threats such as APTs, cryptojacking, and account hijacking within a cloud context.
- Develop a strategy for evaluating and updating threat models as applications evolve.
Key Terms & Glossary
- Advanced Persistent Threat (APT): Long-term, targeted attacks intended to steal data or disrupt operations over an extended period, often by sophisticated actors.
- Cryptojacking: The unauthorized use of a victim's computing resources to mine cryptocurrency, leading to performance degradation and high costs.
- Service Mesh: A dedicated infrastructure layer for facilitating service-to-service communication between microservices, often using a sidecar proxy.
- Edge Computing: Decentralized architecture where compute resources are located close to the end-users to reduce latency.
- Account Hijacking: An attacker gaining unauthorized access to a user's account through methods like phishing or brute-force.
The "Big Idea"
[!IMPORTANT] Security is not a static "add-on." The architecture of an application defines its attack surface. As we move from monolithic "all-in-one" servers to dispersed "serverless functions," our security focus shifts from securing the operating system to securing the code, configurations, and identity-based access controls.
Formula / Concept Box
| Architecture Type | Primary Threat Modeling Focus | Key Mitigation Tooling |
|---|---|---|
| Monolithic | OS Hardening, SQL Injection, Privilege Escalation | AWS WAF, Inspector, Patch Manager |
| Microservices | Service-to-service communication, API vulnerabilities | App Mesh, IAM Roles for Tasks |
| Serverless | Function code, Event triggers, IAM permissions | Lambda Env variables, API Gateway |
| Containerized | Container Image security, K8s cluster networking | Amazon ECR (Scanning), GuardDuty |
| Edge | DDoS, Data Exfiltration at the perimeter | AWS Shield, CloudFront, WAF |
Hierarchical Outline
- Introduction to Threat Modeling
- Definition: Identifying and mitigating potential threats based on specific architecture.
- Evaluation: Requires reviewing infrastructure, libraries, APIs, and services.
- Architectural Archetypes
- Monolithic Architecture: Tightly coupled, often on a single EC2 instance. Focus: OS, Middleware, Databases.
- Microservices Architecture: Discrete components interacting via APIs. Focus: Service mesh, API security.
- Serverless Architecture: Event-driven functions. Focus: Code vulnerabilities, configurations, access controls.
- Containerized Architecture: Packaged components (Kubernetes). Focus: Images, cluster security, inter-container network.
- Edge Computing Architecture: Close to users. Focus: DDoS, unauthorized access, data exfiltration.
- Common Security Threats
- External Threats: APTs, malware, account hijacking.
- Internal/Resource Threats: Insider threats, cryptojacking.
- Implementation Threats: Misconfigured security controls, data breaches.
Visual Anchors
Architecture to Threat Focus Flow
The Shifting Perimeter
This TikZ diagram illustrates the conceptual "radius" of security focus. In a monolith, it is a single deep circle. In modern architectures, it is a series of smaller, interlocking circles (microservices/functions).
\begin{tikzpicture} \draw[thick] (0,0) circle (1.5cm); \node at (0,0) {Monolith (OS)}; \draw[dashed] (0,-2) -- (0,-3); \begin{scope}[shift={(4,0)}] \draw[thick] (0,1) circle (0.5cm); \draw[thick] (1,0) circle (0.5cm); \draw[thick] (-1,0) circle (0.5cm); \draw[thick] (0,-1) circle (0.5cm); \node at (0,0) {Microservices}; \end{scope} \draw[->, >=stealth] (1.7,0) -- (2.3,0) node[midway, above] {Evolution}; \end{tikzpicture}
Definition-Example Pairs
- Insider Threat: A risk posed by an authorized user who intentionally or unintentionally harms the system.
- Example: A disgruntled developer leaking production database credentials on a public GitHub repository.
- Data Exfiltration: The unauthorized transfer of data from a computer or other device.
- Example: An attacker exploiting a misconfigured Edge resource to siphon user PII (Personally Identifiable Information) before it ever reaches the central AWS Region.
- Privilege Escalation: Gaining a higher level of access than intended by exploiting a bug or configuration error.
- Example: An attacker using a web-vulnerability to gain 'root' access on an EC2 instance running a monolithic application.
Worked Examples
Scenario 1: Transitioning from Monolith to Serverless
Problem: A retail company is moving its billing module from a large EC2-based monolith to AWS Lambda. How does the threat model change?
Step-by-Step Breakdown:
- Identity the Monolith Threats: Focus was on patching the Linux OS and preventing SQL injection on the large instance.
- Identify the Serverless Threats: The OS is now managed by AWS. The new threat model focuses on the Lambda Function Code and the IAM Role assigned to that function.
- Mitigation Strategy: Implement "Least Privilege" for the Lambda execution role so it can only access the specific DynamoDB table it needs, rather than the entire database.
Scenario 2: Securing a Containerized App
Problem: A Kubernetes cluster is deployed on EKS. Traffic flows between 50 different containers.
Analysis: Unlike a monolith, the threat is no longer just the "front door." The threat model must account for "East-West" traffic (inter-container). Solution: Use AWS App Mesh to encrypt traffic between containers and implement Network Policies to restrict which containers can talk to each other.
Checkpoint Questions
- What is the primary focus of a threat model in a microservices architecture?
- How does cryptojacking impact an organization's AWS bill and performance?
- Which architecture is most susceptible to DDoS at the network edge?
- Why should threat models be updated regularly rather than being a one-time task?
▶Click to see answers
- The service mesh and API vulnerabilities.
- It slows down infrastructure and incurs high costs for compute resources used by the attacker.
- Edge Computing Architecture.
- Because the threat landscape changes and application code is updated frequently.
Muddy Points & Cross-Refs
- OS vs. Code Security: Many students struggle to realize that in Serverless, you can't "patch the server." You must cross-reference this with the AWS Shared Responsibility Model—AWS patches the server; you secure the code.
- API Gateway vs. WAF: While both protect APIs, WAF (Web Application Firewall) focuses on Layer 7 attacks (SQLi, XSS), whereas API Gateway focuses on authentication and throttling. They should be used together.
Comparison Tables
Threat Landscape Comparison
| Feature | Monolith | Microservices | Serverless | Containerized |
|---|---|---|---|---|
| Coupling | High | Low | None (Event-driven) | Medium |
| Primary Host | EC2 / Physical | Multiple Instances | AWS Managed | Kubernetes / EKS |
| Main Threat | OS Vulnerability | API Proliferation | Insecure Config | Image Vulnerability |
| Visibility | High (Single point) | Complex (Mesh req.) | Limited (Ephemeral) | Medium (Logs/Metrics) |
[!TIP] Use Amazon Inspector to automate workload security assessments and identify vulnerabilities in application software regardless of architecture type.