AWS Lambda Security
Leveraging AWS Lambda cloud-native technology makes development time quicker and security more streamlined. With all of its benefits and native security in place, it can still be difficult for even the most seasoned developers to have a complete picture of the risk within the code itself once hundreds of functions are deployed. The AWS Lambda security best practice guidelines below help reduce that risk and create greater synergy between the security and development teams.
Apply Perimeter Security at the Function Level for AWS Lambda Security
Breaking your application into smaller components, coupled with the use of triggers from diverse sources (such as storage, message queues, and databases), means attackers have more targets and more attack vectors. Keep using your WAF and API Gateway, but another serverless security best practice is to apply perimeter security at the function level as well.
Protego’s technology is designed to help your organization embrace AWS Lambda securely, while freeing application developers to move at the speed of serverless, offering:
- Application hardening and governance within your existing pipeline
- Automated code analysis in AWS Lambda before and after deployment
- Minimization of attack surface to maximize your application security posture
Wrap Security Tightly with Least Privilege
Moving to smaller microservices lets you apply fine-grained IAM to each function, so that if one of your functions has a vulnerability, an attacker gains only the limited capabilities granted to that function. You must ensure that security is tightly wrapped around your AWS Lambda applications and applied correctly and specifically to each resource: every function, S3 bucket, and so on. Targeted IAM roles are critical to keeping your application as secure as possible; they enforce a separation of privilege between the parts of the AWS Lambda application and limit what each part can do according to its privilege level.
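As an added example (not from the article or Protego's product), a small Python check that flags the over-broad grants this section warns about, shown against a scoped policy for a single S3-triggered function; the account id, bucket name and log group are constructed placeholders.

```python
"""Added example (not Protego's code): lint per-function IAM policies for over-broad
grants. Account id, bucket and log-group names are constructed placeholders."""

# Over-broad policy: every action on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Least-privilege policy for a function triggered by uploads to one S3
# prefix: it may read only those objects and write only its own log group.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-uploads-bucket/incoming/*"},
        {"Effect": "Allow",
         "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:us-east-1:111122223333:log-group:"
                     "/aws/lambda/process-upload:*"},
    ],
}


def _as_list(value):
    # IAM allows a single string or a list for Action/Resource/Statement.
    return value if isinstance(value, list) else [value]


def policy_findings(policy):
    """(statement index, finding) for each over-broad grant in an Allow statement."""
    findings = []
    for i, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements narrow access; they are not over-grants
        if "NotAction" in stmt:
            findings.append((i, "NotAction grants every action not listed"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                findings.append((i, "wildcard action '*'"))
            elif action.endswith(":*"):
                findings.append((i, f"whole-service wildcard '{action}'"))
        if "*" in _as_list(stmt.get("Resource", [])):
            findings.append((i, "wildcard resource '*'"))
    return findings


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, policy_findings(pol) or "no over-broad grants")
```

Run the check against each function's execution-role policy in CI so a wildcard grant fails the build before the function is deployed.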
Protego’s code analysis technology detects configuration risks and automatically generates least-privilege function permissions within AWS Lambda.
Shorten Function Timeouts
Functions execute only for a short period of time, which makes life harder for attackers. By keeping AWS Lambda function timeouts as short as possible, you gain the added benefit of making many attacks nearly impossible. Instead of setting the timeout to the maximum, developers must compare the configured timeout with the function's actual run time and set it accordingly to ensure optimal security. Because the function does not live long, your application becomes more secure.
Protego’s technology solutions allow you to simply define custom policies at the function level and enforce these behaviors.
Secure Application Dependencies in AWS Lambda
Functions often include dependencies pulled in from npm (Node.js), PyPI (Python), Maven (Java) or other relevant repositories. Unfortunately, these application dependencies are prevalent and frequently vulnerable, and the nature of serverless makes managing third-party dependencies manually particularly challenging.
Securing application dependencies requires access to a good vulnerability database and automated tools that continuously prevent newly vulnerable packages from being used and alert you to newly disclosed issues. Additionally, minimize the impact of vulnerable libraries by properly segmenting the application into separate services and scrupulously applying the principle of least privilege.
The Protego security solution for AWS Lambda provides:
- A unified, security-focused view of your entire serverless ecosystem (functions, triggers, third party libraries, etc.)
- Continuous scans of functions within AWS Lambda for known vulnerabilities and embedded secrets, ensuring your applications are not exposed to attacks
Serverless deployments, with their diverse triggers and infinite scaling, can mean that even the smallest code error quickly turns into a self-inflicted denial-of-service attack from within your application. With a more exposed attack surface, bugs more easily become security liabilities. Make sure developers are regularly and adequately trained. Code reviews help as well. Above all, though, monitor your code and configuration with tools that test that configuration.
Protego provides AppSec teams with seamless run-time application security by continuously scanning your serverless infrastructure, code, and runtime environment. Using machine-based analysis and deep learning algorithms, Protego builds a model of normal application and function behavior, including automatic creation of a whitelist of actions at the resource level. Protego’s Function Self Protection detects, alerts on, and stops application-layer attacks such as the OWASP Serverless Top 10, allowing organizations to remain vigilant without slowing down development, further securing AWS Lambda applications.