Securing AWS Lambda
Serverless can be daunting to some Security Pro’s as it’s a complete shift from the ‘norm’, the norm in AWS being running Windows and Linux server Operating systems on EC2 instances, maybe with a few Docker containers orchestrated with ECS or EKS.
At Cyber Security Specialists we have always embraced advances in technology which can benefit our clients and work effortlessly to ensure that the security of their workloads is maintained. So, as Lambda was becoming more popular amongst our client base we performed a tech deep dive so we can understand the security considerations that should be made.
Let’s start at the beginning, what is Lambda?
AWS Lambda lets customers run code without provisioning or managing servers, hence the term ‘serverless’. You pay only for the compute time you consume – there is no charge when your code is not running! So customers love it – as it can provide cost savings of up to 80% in comparison to running EC2 server instances.
What are some of the security advantages?
Some of the quick security wins of Lambda are that it actually creates a reduced attack surface i.e the Lambda worker node (temporary server) is only actually running when the function (your code) is being executed, after that it’s gone. This is very different to EC2 servers and Containers which are often running 24/7/365 – and therefore available to attackers 24/7/365.
The other little bonus is Operating System patching is taken care of automatically by AWS behind the scenes. No need for customers to worry about O/S level vulnerabilities and maintenance windows with Lambda – it’s all dealt with by Amazon.
What are the main security considerations?
If you are reading this and thinking I want to use Lambda right now – make sure you read and take note of our list of 10 Serverless security best practices:
- Follow secure coding practices and inspect your code for vulnerabilities
- Patch code dependencies (e.g OWASP dependency check is a great open source tool)
- Adopt the principle of least privilege
- Maintain isolated function perimeters
- Sanitize event input to avoid injection
- Employ API gateways as a security buffer
- Log and Alert all functions
- Secure all data in transit (TLS v1.2) and at rest (AES256)
- Manage secrets in secure storage (e.g AWS Secrets Manager)
- Deploy functions in minimal granularity
Finally, Skyscanner released an awesome open source auditing tool which is designed to review Lambda functions against security best practices and highlight any misconfigurations and weaknesses. Click here to read more about LambdaGuard.
If you need help with Lambda or the secure design of your AWS workloads please contact a member of the Cyber Security Specialists team on 0161 706 0244 or email firstname.lastname@example.org
Thank you for reading!