Blog Archives

10 steps to Lambda security

20/10/2018

AWS Lambda, launched in 2015, is a service which allows customers to create event driven serverless functions of short duration.

Since then Lambda has become amazingly popular, Lambda functions are widely used for many different purposes ranging from low latency web applications and IoT, to AWS account operational and maintenance tasks.

Just like any other application in the cloud, a vulnerable or poorly configured Lambda function can lead to data loss, privilege escalation and even AWS account takeover, see for example this blog post.

I’ve created “10 steps to Lambda security” based on my experience of working with customers using AWS Lambda:

Use environment variables for configuration details and encrypt with KMS
Retrieve sensitive data from DynamoDB, Secrets Manager, or similar service
Enable encryption helpers to protect data in transit
Configure API Gateway custom domain with SSL cert for web access
List minimum specific actions in role policies – not “*”
Limit outbound access to Internet to prevent unauthorised data exfiltration
Do not use /tmp for sensitive information
Application security testing and source code analysis
Ensure no vulnerable or unmaintained dependencies
Monitor Lambda logs and investigate unusual behaviour

3 Comments

Building continuous cloud compliance

13/10/2018

0 Comments

Continuous cloud compliance is essential to maintain the security of applications and systems in the cloud. At DevSecCon London next week I'll be talking about my experiences in this area, and how an effective solution needs to include prevention, detection and remediation elements.

In my talk "A journey to continuous cloud compliance", I'll give a live demonstration of techniques and approaches with a system I've built in AWS using Capital One's open source Cloud Custodian project, combined with Lambda functions and other AWS services to provide customised notifications via email and Slack.

Click on the read more link to see other examples of alerts and automated remediation.

0 Comments

a DevSecOps toolkit

6/10/2018

0 Comments

As I was developing the course DevSecOps Hands-On I realised the need for a DevSecOps Framework - covered in my earlier blog post - and a DevSecOps Toolkit.

The DevSecOps Toolkit illustrates the spectrum of tools which can be used for various purposes (columns) across the primary system components (rows). The named open source projects and vendors are examples - it's not possible to be completely comprehensive in a single diagram.

An organisation can use the toolkit to help assess their DevSecOps maturity - ideally there should be at least one tool in each area.

This is a very fast moving field – for example “SOAR” – Security Orchestration, Automation and Response – is a new category created in late 2017.

0 Comments

10 steps to Lambda security

Building continuous cloud compliance

a DevSecOps toolkit

Author

Archives

Categories