OWASP Serverless Top 10 #6: Security Misconfiguration

Unused pages are replaced with unlinked triggers, unprotected files and directories are changed to public resources, like public buckets. Attackers will try to identify misconfigured functions with long timeout or low concurrency limit in order to cause a Denial of Service (DoS). Additionally, functions which contain unprotected secrets like keys and token in the code or the environment could eventually result in sensitive information leakage.

Security Weakness and Impact

Serverless reduces the need to to patch the environment, since we do not control the infrastructure. However, in many cases the biggest weakness is human error. Secrets could be accidentally uploaded to the github repo, put it on a public bucket, or even used hardcoded in the function.

Additionally, functions with long timeout configuration give an attacker the opportunity to make their exploit last longer or just cause an increased charge for the function execution. Moreover, functions with low concurrency limit could lead into a DoS attack, while functions with high concurrency limit could result in a Denial of Wallet.

Misconfiguration could lead to sensitive information leakage, money loss, DoS, or in severe cases, unauthorized access to cloud resources.

How to Prevent

  • Scan cloud accounts to identify public resources. Use built-in services available from the provider such as AWS Trusted Advisor which provides security checks (some for free).
  • Review cloud resources and verify that they enforce access control.
  • Follow providers security best practices: How to secure AWS S3 Resources, Azure Storage security guide, Best Practices for Google Cloud Storage and IBM Data Security.
  • Check for functions with unlinked triggers. Look for resources that appear in their policy but are not linked back to the function.
  • Set timeouts to the minimum required by the function.
  • Follow the provider’s function configuration suggestions: AWS configuring Lambda functions, Azure functions best practices, Google functions Tricks & Tips.
  • Use automatic tools that detect security misconfigurations in serverless applications.

Serverless Top 10

Read more about the OWASP Serverless Top 10.