AWS Lambda Security

Leveraging AWS Lambda cloud-native technology makes development time quicker and security more streamlined. With all of its benefits and native security in place, it can still be difficult for even the most seasoned developers to have a complete picture of the potential risk within the code itself when hundreds of functions are deployed. The AWS Lambda security best practice guidelines below help to alleviate that risk and create greater synergy between the security and development teams.


Apply Perimeter Security at the Function Level for AWS Lambda Security

The fragmentation of your application into smaller components, coupled with the use of triggers from diverse sources (such as storage, message queues, and databases), means attackers have more targets and more attack vectors. Keep using your WAF and API Gateway, but another serverless security best practice is to apply perimeter security at the function level as well.

Protego’s technology is designed to help your organization embrace AWS Lambda securely while freeing application developers to move at the speed of serverless, offering:

  • Application hardening and governance within your existing pipeline
  • Automated code analysis in AWS Lambda before and after deployment
  • Minimization of attack surface to maximize your application security posture

Wrap Security Tightly with Least Privilege

Moving to smaller microservices lets you apply more fine-grained IAM around each function, meaning that if there is a vulnerability in one of your functions, an attacker will only gain access to the limited capabilities of that function. You must ensure security is tightly wrapped around your applications in AWS Lambda and applied correctly and specifically to each resource: function, S3 bucket, etc. Targeted IAM roles are critical in ensuring your application is as secure as possible; they enforce a separation of privilege within each part of the AWS Lambda application that limits what users can do based on their privilege level.
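The following is an added example (not Protego's code) showing what "tightly wrapped" means for one function's execution role: a constructed over-broad policy next to a scoped one, a check that flags wildcard grants, and a simplified evaluator demonstrating how far each policy lets a compromised function reach. Bucket and table names and the account id are placeholders; the evaluator ignores Deny statements and Conditions.

```python
import fnmatch

# Constructed "before": grants every S3 and DynamoDB call on every resource.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    ],
}

# Constructed "after": only this function's calls on its own prefix and table.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-uploads-bucket/incoming/*"},
        {"Effect": "Allow", "Action": ["dynamodb:PutItem"],
         "Resource": "arn:aws:dynamodb:us-east-1:123456789012:table/example-orders"},
    ],
}

def _as_list(value):
    """IAM accepts Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def find_overbroad_grants(policy):
    """Return (statement index, kind, value) for each wildcard action/resource."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):  # "*" or "service:*"
                findings.append((i, "wildcard action", action))
        for res in _as_list(stmt.get("Resource", [])):
            if res == "*":
                findings.append((i, "wildcard resource", res))
    return findings

def allows(policy, action, resource):
    """Simplified IAM check ('*'/'?' globs; Deny and Condition ignored here)."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        act_ok = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        res_ok = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
        if act_ok and res_ok:
            return True
    return False
```

Running `find_overbroad_grants` over every execution role in a CI step is a cheap way to catch the broad policy before it ships.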

Protego’s code analysis technology detects configuration risks and automatically generates least-privilege function permissions within AWS Lambda.

Shorten Function Timeouts

Functions execute for a short period of time, which makes an attacker's job harder. By making AWS Lambda function timeouts as short as possible, you gain the added benefit of making many attacks nearly impossible. Instead of setting the timeout to the maximum, developers must compare the configured timeout with how long the function actually runs and set the timeout accordingly. Since the function does not live long, your application becomes more secure.
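As an added example (not from the original page or Protego), here is one way to compare the configured timeout with actual execution time: parse the REPORT lines Lambda writes to CloudWatch Logs for each invocation, take the slowest observed run, and derive a tight timeout from it. The log lines are constructed samples in the real REPORT format; the 3x headroom factor is an assumption you would tune per function.

```python
import math
import re

# Lambda writes one tab-separated REPORT line per invocation to CloudWatch
# Logs. These are constructed samples in that format (RequestIds are fake).
REPORT_LINES = [
    "REPORT RequestId: req-0001\tDuration: 212.34 ms\tBilled Duration: 213 ms\tMemory Size: 256 MB\tMax Memory Used: 71 MB",
    "REPORT RequestId: req-0002\tDuration: 187.02 ms\tBilled Duration: 188 ms\tMemory Size: 256 MB\tMax Memory Used: 70 MB",
    "REPORT RequestId: req-0003\tDuration: 954.80 ms\tBilled Duration: 955 ms\tMemory Size: 256 MB\tMax Memory Used: 73 MB",
    "REPORT RequestId: req-0004\tDuration: 201.11 ms\tBilled Duration: 202 ms\tMemory Size: 256 MB\tMax Memory Used: 70 MB",
    "START RequestId: req-0005 Version: $LATEST",  # non-REPORT lines are skipped
]

DURATION_RE = re.compile(r"^REPORT RequestId: \S+\tDuration: ([0-9.]+) ms\t")

def parse_durations(lines):
    """Return the Duration (ms) of every REPORT line; other lines are ignored."""
    out = []
    for line in lines:
        m = DURATION_RE.match(line)
        if m:
            out.append(float(m.group(1)))
    return out

def recommend_timeout(durations_ms, headroom=3.0):
    """Suggest a timeout in whole seconds: slowest observed run times `headroom`,
    rounded up, never below Lambda's 1 s minimum."""
    if not durations_ms:
        raise ValueError("no invocations observed")
    return max(1, math.ceil(max(durations_ms) * headroom / 1000.0))

def excess_timeout(configured_s, durations_ms, headroom=3.0):
    """Seconds by which the configured timeout exceeds the recommendation
    (0 when it is already tight). This is the window the section wants shut."""
    return max(0, configured_s - recommend_timeout(durations_ms, headroom))

if __name__ == "__main__":
    d = parse_durations(REPORT_LINES)
    print("observed max %.2f ms, recommend %d s, excess over the 900 s maximum: %d s"
          % (max(d), recommend_timeout(d), excess_timeout(900, d)))
```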

Protego’s technology allows you to simply define custom policies at the function level and enforce these behaviors.

Secure Application Dependencies in AWS Lambda

Functions often include dependencies pulled in from npm (Node.js), PyPI (Python), Maven (Java) or other relevant repositories. Unfortunately, these application dependencies are prevalent and frequently vulnerable, and the nature of serverless makes managing third-party dependencies manually particularly challenging.

Securing application dependencies requires access to a good vulnerability database and automated tools that continuously prevent new vulnerable packages from being used and alert you to newly disclosed issues. Additionally, minimize the impact of vulnerable libraries by ensuring proper segmentation of the application into separate services and scrupulously applying the principle of least privilege.

The Protego security solution for AWS Lambda provides:

  • A unified, security-focused view of your entire serverless ecosystem (functions, triggers, third party libraries, etc.)
  • Continuous scans of functions within AWS Lambda for known vulnerabilities and embedded secrets, ensuring your applications are not exposed to attacks

Stay Vigilant

Serverless deployments, with their diverse triggers and practically infinite scaling, can mean that even the smallest code error quickly turns into a self-inflicted denial-of-service attack from within your application. With a more exposed attack surface, bugs can more easily turn into security liabilities. Be sure developers are regularly and adequately trained. Code reviews will help as well. Above all, though, monitor your code and configuration with tools that test the configuration continuously.

Protego provides AppSec teams with seamless run-time application security, as it continuously scans your serverless infrastructure, code, and runtime environment. Utilizing machine-based analysis and deep learning algorithms, Protego builds a model of normal application and function behavior, including automatic creation of a whitelist of actions at the resource level. Protego’s Function Self Protection detects, alerts on, and stops application-layer attacks such as the OWASP Serverless Top 10, allowing organizations to remain vigilant without slowing down development, further securing AWS Lambda applications.

AWS Lambda Best Practices

Read the book on securing AWS Lambda

Serverless deployments create efficiency, flexibility and freedom for developers. Help security partners in your organization experience the same by reading and sharing this ebook, which covers these simple guidelines:

  • A checklist of best practices for maximizing the security of AWS Lambda apps
  • Tactics unique to serverless
  • How to wrap security tightly with least privilege

Download your copy here.

Sign-up for a free trial today, and secure AWS Lambda functions in minutes!

Automated to provide a continuous serverless security posture, dynamic serverless intelligence, and elastic defense, Protego’s solution for AWS Lambda security can help you stay in control. Don’t delay, your free trial starts here.
