19 May 2023
Block operates a service mesh with SPIFFE-compatible identity for backend workloads.
We recently implemented a system for onboarding acquisitions so that their workloads can connect to the service mesh: Connecting Block Business Units with AWS API Gateway.
07 Aug 2021
Last week I was able to present at Black Hat USA about infrastructure security work supporting Lambda.
Abstract and slides are available here.
The talk is partially based on two posts on the Square developer blog: Providing mTLS Identities to Lambdas and Expanding Secrets Infrastructure to AWS Lambda.
Update: talk video available
08 Oct 2020
AWS Lambda recently gained a feature that lets additional code run inside the function's execution environment, starting before the function handler is invoked: Lambda extensions.
We have published a writeup on the Square Developer blog describing how we trialed this technology, before it was generally available, to prefetch secrets from Secrets Manager: Using AWS Lambda Extensions to Accelerate AWS Secrets Manager Access.
This work has also been covered in the AWS Compute Blog.
27 Aug 2020
AWS Lambdas have no built-in mechanism for mutual TLS identity, so at Square we built a system that issues SPIFFE-compatible identities to them so they can connect to our service mesh.
The writeup is hosted on the Square Developer blog: Providing mutual TLS Identities to AWS Lambdas.