10 steps to Lambda security

20/10/2018

AWS Lambda, launched in 2015, is a service which allows customers to create event-driven serverless functions of short duration.

Since then Lambda has become amazingly popular. Lambda functions are widely used for many different purposes, ranging from low-latency web applications and IoT to AWS account operational and maintenance tasks.
Just like any other application in the cloud, a vulnerable or poorly configured Lambda function can lead to data loss, privilege escalation and even AWS account takeover; see, for example, this blog post.
I’ve created “10 steps to Lambda security” based on my experience of working with customers using AWS Lambda:
  1. Use environment variables for configuration details and encrypt with KMS
  2. Retrieve sensitive data from DynamoDB, Secrets Manager, or similar service
  3. Enable encryption helpers to protect data in transit
  4. Configure API Gateway custom domain with SSL cert for web access
  5. List minimum specific actions in role policies – not “*”
  6. Limit outbound access to Internet to prevent unauthorised data exfiltration
  7. Do not use /tmp for sensitive information
  8. Carry out application security testing and source code analysis
  9. Ensure no vulnerable or unmaintained dependencies
  10. Monitor Lambda logs and investigate unusual behaviour
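Steps 1, 2 and 7 meet in the function code itself. The following is an added example, not code from the post: a Python handler that decrypts a KMS-encrypted environment variable using the same encryption context the console encryption helper applies (the function name), reads database credentials from Secrets Manager into an in-memory cache rather than /tmp, and imports boto3 lazily so the module also loads outside AWS. The variable names, the secret name `prod/orders/db` and the function name `orders-api` are assumptions, and `demo()` substitutes constructed stand-ins for the two AWS clients.

```python
"""Lambda handler pattern for steps 1, 2 and 7. Added example, not the post's code.

Config arrives in a KMS-encrypted environment variable, credentials come from
Secrets Manager at runtime and stay in memory; nothing is written to /tmp.
"""
import base64
import json
import os
import time
from typing import Any, Callable, Dict, Optional

# Hypothetical variable names set on the function configuration.
ENV_DB_HOST_CIPHERTEXT = "DB_HOST_CIPHERTEXT"    # base64 KMS ciphertext from the encryption helper
ENV_DB_CREDENTIALS_NAME = "DB_CREDENTIALS_NAME"  # Secrets Manager secret name (a pointer, not a secret)
ENV_FUNCTION_NAME = "AWS_LAMBDA_FUNCTION_NAME"   # always set by the Lambda runtime
SECRET_TTL_SECONDS = 300


def decrypt_env_var(name: str, kms_decrypt: Callable[..., Dict[str, Any]],
                    env: Dict[str, str]) -> str:
    """Decrypt one KMS-encrypted environment variable.

    kms_decrypt takes the keyword arguments of boto3's KMS.Client.decrypt. The
    encryption context matches the console encryption helper (LambdaFunctionName),
    so ciphertext copied into a differently named function fails to decrypt.
    """
    response = kms_decrypt(
        CiphertextBlob=base64.b64decode(env[name]),
        EncryptionContext={"LambdaFunctionName": env[ENV_FUNCTION_NAME]},
    )
    return response["Plaintext"].decode("utf-8")


class SecretCache:
    """Fetch a JSON secret from Secrets Manager and keep it in process memory.

    A module-level instance survives warm invocations, so the secret is fetched
    once per TTL and never parked on the /tmp filesystem (step 7).
    """

    def __init__(self, get_secret_value: Callable[..., Dict[str, Any]],
                 ttl: float = SECRET_TTL_SECONDS,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._get_secret_value = get_secret_value  # SecretsManager.Client.get_secret_value
        self._ttl = ttl
        self._clock = clock
        self._entries: Dict[str, tuple] = {}       # secret_id -> (fetched_at, parsed value)
        self.fetches = 0

    def get(self, secret_id: str) -> Dict[str, Any]:
        now = self._clock()
        cached = self._entries.get(secret_id)
        if cached and now - cached[0] < self._ttl:
            return cached[1]
        self.fetches += 1
        value = json.loads(self._get_secret_value(SecretId=secret_id)["SecretString"])
        self._entries[secret_id] = (now, value)
        return value


def build_db_settings(kms_decrypt: Callable[..., Dict[str, Any]], secrets: SecretCache,
                      env: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Host from the encrypted variable, credentials from Secrets Manager."""
    env = dict(os.environ) if env is None else env
    creds = secrets.get(env[ENV_DB_CREDENTIALS_NAME])
    return {"host": decrypt_env_var(ENV_DB_HOST_CIPHERTEXT, kms_decrypt, env),
            "username": creds["username"], "password": creds["password"]}


_CLIENTS: Dict[str, Any] = {}  # built once per container, reused on warm starts


def lambda_handler(event: Dict[str, Any], context: Any) -> Dict[str, Any]:
    """Real entry point; boto3 is imported lazily so the module loads offline too."""
    if not _CLIENTS:
        import boto3  # present in the Lambda runtime
        _CLIENTS["kms_decrypt"] = boto3.client("kms").decrypt
        _CLIENTS["secrets"] = SecretCache(boto3.client("secretsmanager").get_secret_value)
    settings = build_db_settings(_CLIENTS["kms_decrypt"], _CLIENTS["secrets"])
    # open the database connection with `settings` here; never log the password
    return {"statusCode": 200, "body": json.dumps({"db_host": settings["host"]})}


def demo() -> Dict[str, Any]:
    """Offline run with constructed stand-ins for KMS and Secrets Manager."""
    env = {ENV_DB_HOST_CIPHERTEXT: base64.b64encode(b"opaque-kms-ciphertext").decode(),
           ENV_DB_CREDENTIALS_NAME: "prod/orders/db",   # constructed
           ENV_FUNCTION_NAME: "orders-api"}             # constructed

    def stub_decrypt(CiphertextBlob: bytes, EncryptionContext: Dict[str, str]) -> Dict[str, Any]:
        # KMS rejects a mismatched encryption context; the stand-in does the same.
        if EncryptionContext != {"LambdaFunctionName": "orders-api"}:
            raise ValueError("InvalidCiphertextException")
        return {"Plaintext": b"db.orders.internal"}

    def stub_get_secret_value(SecretId: str) -> Dict[str, Any]:
        return {"SecretString": json.dumps({"username": "app", "password": "constructed-pw"})}

    clock = [1000.0]
    cache = SecretCache(stub_get_secret_value, clock=lambda: clock[0])
    first = build_db_settings(stub_decrypt, cache, env)
    clock[0] += 10                   # warm invocation inside the TTL: served from memory
    build_db_settings(stub_decrypt, cache, env)
    clock[0] += SECRET_TTL_SECONDS   # TTL expired: fetched again from Secrets Manager
    build_db_settings(stub_decrypt, cache, env)
    return {"host": first["host"], "username": first["username"], "fetches": cache.fetches}
```

The execution role for this pattern needs only `kms:Decrypt` on the one key and `secretsmanager:GetSecretValue` on the one secret, which is what step 5 asks for; the TTL keeps rotated credentials flowing through without a redeploy.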
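Steps 1, 5 and 6 can be checked from the function's configuration rather than its code. The following added example (not the post's code) audits the shape returned by GetFunctionConfiguration, the execution role's policy document and the security groups as returned by DescribeSecurityGroups, flagging secret-looking or unencrypted variables, wildcard actions and egress to the open internet. The function name, ARNs, account id and security group ids in `demo()` are constructed.

```python
"""Static checks for steps 1, 2, 5 and 6. Added example with constructed input."""
import re
from typing import Any, Dict, List

SECRET_NAME = re.compile(r"passw|secret|token|api_?key|private_?key", re.I)
OPEN_CIDRS = {"0.0.0.0/0", "::/0"}


def _listify(value: Any) -> List[Any]:
    """IAM allows a single string or a list in Statement/Action/NotAction/Resource."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def check_environment(config: Dict[str, Any]) -> List[str]:
    """Steps 1 and 2: no secrets in variables, and a customer managed KMS key for them.

    GetFunctionConfiguration only returns KMSKeyArn when a customer managed key
    is configured; otherwise the default service key is in use.
    """
    findings = []
    variables = config.get("Environment", {}).get("Variables", {})
    for name in variables:
        if SECRET_NAME.search(name):
            findings.append(f"step 2: variable {name} looks like a secret; fetch it from "
                            "Secrets Manager at runtime instead")
    if variables and not config.get("KMSKeyArn"):
        findings.append("step 1: no customer managed KMS key (KMSKeyArn) set for environment variables")
    return findings


def check_role_policy(policy: Dict[str, Any]) -> List[str]:
    """Step 5: every Allow statement lists specific actions on specific resources."""
    findings = []
    for stmt in _listify(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("step 5: Allow with NotAction grants every action not listed")
            continue
        actions = _listify(stmt.get("Action"))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        for action in wild:
            findings.append(f"step 5: wildcard action {action}; list the specific actions the function needs")
        if not wild and "*" in _listify(stmt.get("Resource")):
            findings.append(f"step 5: actions {actions} allowed on Resource '*'; scope to the ARNs the function uses")
    return findings


def check_network(config: Dict[str, Any], security_groups: Dict[str, Dict[str, Any]]) -> List[str]:
    """Step 6: the function is in a VPC and its security groups allow no internet egress."""
    findings = []
    vpc = config.get("VpcConfig") or {}
    if not vpc.get("SubnetIds"):
        findings.append("step 6: no VpcConfig; the function has unrestricted outbound internet access")
        return findings
    for sg_id in vpc.get("SecurityGroupIds", []):
        for perm in security_groups.get(sg_id, {}).get("IpPermissionsEgress", []):
            cidrs = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
            cidrs |= {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
            if cidrs & OPEN_CIDRS:
                findings.append(f"step 6: security group {sg_id} allows egress to the internet; "
                                "remove the rule and reach AWS services through VPC endpoints")
    return findings


def audit(config: Dict[str, Any], policy: Dict[str, Any],
          security_groups: Dict[str, Dict[str, Any]]) -> List[str]:
    return check_environment(config) + check_role_policy(policy) + check_network(config, security_groups)


def demo() -> Dict[str, List[str]]:
    """Constructed inputs: one function as commonly deployed, one following the steps."""
    sgs = {"sg-open": {"IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
           "sg-locked": {"IpPermissionsEgress": []}}
    weak_config = {"FunctionName": "orders-api",
                   "Environment": {"Variables": {"DB_PASSWORD": "constructed", "TABLE": "orders"}},
                   "VpcConfig": {"SubnetIds": ["subnet-a"], "SecurityGroupIds": ["sg-open"]}}
    weak_policy = {"Version": "2012-10-17",
                   "Statement": [{"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"}]}
    hardened_config = {"FunctionName": "orders-api",
                       "KMSKeyArn": "arn:aws:kms:eu-west-2:111122223333:key/EXAMPLE-KEY-ID",
                       "Environment": {"Variables": {"DB_CREDENTIALS_NAME": "prod/orders/db", "TABLE": "orders"}},
                       "VpcConfig": {"SubnetIds": ["subnet-a"], "SecurityGroupIds": ["sg-locked"]}}
    hardened_policy = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["dynamodb:GetItem", "dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:eu-west-2:111122223333:table/orders"},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue",
         "Resource": "arn:aws:secretsmanager:eu-west-2:111122223333:secret:prod/orders/db-*"}]}
    return {"weak": audit(weak_config, weak_policy, sgs),
            "hardened": audit(hardened_config, hardened_policy, sgs)}
```

The variable-name regex is deliberately crude; it catches the common `*_PASSWORD` and `*_TOKEN` cases but not a secret stored under an innocuous name, so it complements rather than replaces a review of what each variable holds.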
© 2018 Paul Schwarzenberger www.celidor.co.uk May be used with acknowledgement
3 Comments
Neil
12/5/2022 11:20:12 am

Hi, on step 6, do you have any advice on how we might prevent outbound internet access from the Lambda?

Paul
12/5/2022 07:40:01 pm

Hi Neil, you can use Lambda VPC interface endpoints.

Neil
12/5/2022 08:38:55 pm

Thanks Paul, I'll have a look at that.

Author

Paul Schwarzenberger is a Cloud Security Architect and Engineer