10 steps to Lambda security

20/10/2018

AWS Lambda, launched in 2015, is a service which allows customers to create event driven serverless functions of short duration.

Since then Lambda has become amazingly popular, Lambda functions are widely used for many different purposes ranging from low latency web applications and IoT, to AWS account operational and maintenance tasks.

Just like any other application in the cloud, a vulnerable or poorly configured Lambda function can lead to data loss, privilege escalation and even AWS account takeover, see for example this blog post.

I’ve created “10 steps to Lambda security” based on my experience of working with customers using AWS Lambda:

Use environment variables for configuration details and encrypt with KMS
Retrieve sensitive data from DynamoDB, Secrets Manager, or similar service
Enable encryption helpers to protect data in transit
Configure API Gateway custom domain with SSL cert for web access
List minimum specific actions in role policies – not “*”
Limit outbound access to Internet to prevent unauthorised data exfiltration
Do not use /tmp for sensitive information
Application security testing and source code analysis
Ensure no vulnerable or unmaintained dependencies
Monitor Lambda logs and investigate unusual behaviour

3 Comments

Neil

12/5/2022 11:20:12 am

Hi, on step 6. Do you have any advice on how we might prevent outbound internet access from the lambda?

Paul link

12/5/2022 07:40:01 pm

Hi Neil, you can use Lambda VPC interface endpoints

12/5/2022 08:38:55 pm

Thanks Paul, I'll have a look at that.

Your comment will be posted after it is approved.

10 steps to Lambda security

Leave a Reply.

Author

Archives

Categories